Traditionally, ntopng used nDPI to detect the L7 protocol of each flow. As the number of protocols keeps growing, reasoning about individual protocols is often too difficult. Users are usually not interested in a specific protocol but rather in a whole group of protocols. For example, it’s easier to reason about VPN traffic as a whole than about a particular VPN implementation.
For these reasons, nDPI (and ntopng) have been extended to provide a logical grouping of protocols, called Categories. With Categories it’s possible, for example, to get an idea of the network traffic of a host:
Some use cases that Categories solve include:
Block all advertisement sites (nEdge)
Trigger an alert whenever my employees access a malware site (ntopng; in nEdge it is possible to block this traffic)
Prevent clients from accessing the WiFi sites of competitors as they are using them for comparing prices (nEdge)
The picture above shows the Collaborative category being reported on the flow details of a Github/DNS flow.