ntop · IvanNardi · Mar 27, 2026 · Mar 27, 2026
diff --git a/doc/configuration_parameters.rst b/doc/configuration_parameters.rst
@@ -32,6 +32,14 @@ List of the supported configuration options:
 +--------------+---------------------------------------------------------------+-----------------+------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | NULL         | "metadata.tcp_fingerprint_format"                             | 0               | 0          | 1          | Format of the TCP fingerprint. 0 = native nDPI format, 1 = MuonOF (see: https://github.com/sundruid/muonfp).                                                      |
 +--------------+---------------------------------------------------------------+-----------------+------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+| NULL         | "metadata.ndpi_server_fingerprint"                            | enable          | NULL       | NULL       | Enable/disable computation and export of nDPI server fingerprint.                                                                                                 |
++--------------+---------------------------------------------------------------+-----------------+------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+| NULL         | "metadata.ndpi_fingerprint"                                   | enable          | NULL       | NULL       | Enable/disable computation and export of nDPI fingerprint. See https://www.ntop.org/beyond-ja3-ja4-introducing-ndpi-traffic-fingerprint                           |
++--------------+---------------------------------------------------------------+-----------------+------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+| NULL         | "metadata.ndpi_fingerprint_format"                            | 0               | 0          | 1          | Format of the nDPI fingerprint ((i.e. metadata.ndpi_fingerprint)). 0 = client only, 1 = client and server.                                                        |
++--------------+---------------------------------------------------------------+-----------------+------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+| NULL         | "metadata.ndpi_fingerprint_ignore_tcp_fp"                     | disable         | NULL       | NULL       | Configure if TCP fingerprint is used or not for nDPI fingerprint (i.e. for metadata.ndpi_fingerprint) calculation.                                                |
++--------------+---------------------------------------------------------------+-----------------+------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | NULL         | "dpi.guess_on_giveup"                                         | 0x03            | 0x00       | 0x03       | Guess flow classification if DPI fails. Bitmask: 0x0 = disabled; 0x01 = port; 0x02 = IP.                                                                          |
 +--------------+---------------------------------------------------------------+-----------------+------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | NULL         | "dpi.guess_ip_before_port"                                    | disable         | NULL       | NULL       | Enable/disable guessing by IP first when guessing flow classifcation. Disabled = guess by port first.                                                             |

diff --git a/example/config_only_classification.txt b/example/config_only_classification.txt
@@ -7,6 +7,7 @@ flow_risk.all,0
 #General metadata
 metadata.tcp_fingerprint,0
 metadata.ndpi_fingerprint,0
+metadata.ndpi_server_fingerprint,0
 dpi.compute_entropy,0
 #BITTORRENT
 bittorrent,metadata.hash,0

diff --git a/example/only_classification.conf b/example/only_classification.conf
@@ -7,6 +7,7 @@
 #General metadata
 --cfg=metadata.tcp_fingerprint,0
 --cfg=metadata.ndpi_fingerprint,0 #Note that you can't use custom rules based on fingerprints!
+--cfg=metadata.ndpi_server_fingerprint,0
 --cfg=dpi.compute_entropy,0
 #BITTORRENT
 --cfg=bittorrent,metadata.hash,0

diff --git a/example/perf.conf b/example/perf.conf
@@ -9,3 +9,4 @@
 --cfg=openvpn,dpi.heuristics,0x01
 --cfg=stun,max_packets_extra_dissection,4
 --cfg=tcp_ack_payload_heuristic,0
+--cfg=metadata.ndpi_server_fingerprint,0
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
@@ -234,6 +234,7 @@ struct ndpi_detection_module_config_struct {
   int tcp_fingerprint_enabled;
   int tcp_fingerprint_raw_enabled;
   int ndpi_fingerprint_enabled;
+  int ndpi_server_fingerprint_enabled;
   ndpi_fingerprint_format ndpi_fingerprint_format;
 
   char filename_config[CFG_MAX_LEN];

diff --git a/src/lib/ndpi_config.c b/src/lib/ndpi_config.c
@@ -218,6 +218,7 @@ const struct cfg_param cfg_params[] = {
   { NULL,            "metadata.tcp_fingerprint_raw",            "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tcp_fingerprint_raw_enabled), NULL },
   { NULL,            "metadata.tcp_fingerprint_format",         "0", "0" /* min */, "1" /* max */, CFG_PARAM_INT, __OFF(tcp_fingerprint_format), NULL },
 
+  { NULL,            "metadata.ndpi_server_fingerprint",        "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(ndpi_server_fingerprint_enabled), NULL },
   { NULL,            "metadata.ndpi_fingerprint",               "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(ndpi_fingerprint_enabled), NULL },
   { NULL,            "metadata.ndpi_fingerprint_format",         "0", "0" /* client-only */, "1" /* client+server only */, CFG_PARAM_INT, __OFF(ndpi_fingerprint_format), NULL },
   { NULL,            "metadata.ndpi_fingerprint_ignore_tcp_fp", "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ndpifp_ignore_tcp_fingerprint), NULL },

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
@@ -2457,10 +2457,10 @@ static void ndpi_compute_ja4(struct ndpi_detection_module_struct *ndpi_struct,
 
 /* **************************************** */
 
-void ndpi_compute_tls_server_fingerprint(struct ndpi_flow_struct *flow,
-					 bool is_dtls,
-					 u_int32_t quic_version,
-					 ndpi_tls_server_info *s) {
+static void ndpi_compute_tls_server_fingerprint(struct ndpi_flow_struct *flow,
+                                                bool is_dtls,
+                                                u_int32_t quic_version,
+                                                ndpi_tls_server_info *s) {
   char tls_s[128], fp_buf[13];
   u_int tls_s_len, i;
   u_int8_t sha_hash[NDPI_SHA256_BLOCK_SIZE];
@@ -2788,7 +2788,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
       if(flow->protos.tls_quic.ssl_version == 0)
         flow->protos.tls_quic.ssl_version = tls_version;
 
-      if(ndpi_struct->cfg.ndpi_fingerprint_enabled
+      if(ndpi_struct->cfg.ndpi_server_fingerprint_enabled
 	 && (flow->ndpi.server_fingerprint == NULL))
 	ndpi_compute_tls_server_fingerprint(flow, is_dtls, quic_version, s);