Deep Packet Inspection – A Data Insight

Deep Packet Inspection (DPI) is a technology that allows software/hardware to access, analyze and modify payload (data) portions of network packets. Traditionally network operations like filtering, routing, accounting were based on L3/L4 layer (Network/Transport Layer) headers of the packet. But with advancement in computing techniques, restricting the scope only to packet headers is not enough as actual data can provide much more information like application, service, the system being used and above all user’s preferences.

Most of the time inspection is done on real time traffic but it is not always required. Real time inspection can be done in 2 ways; actively or passively. Active inspection involves, capturing the packet inline with network that is capturing packet directly from packet’s network traversal path whereas passive inspection is about mirroring or copying a packet from its path and then inspecting it offline. Active inspection is mainly used for filtering and policing purposes whereas passive one is for monitoring and analytics purposes.

Deep Packet Inspection softwares take expressions as inputs for pattern matching with payloads of packets to derive an identification. Each application/malware/service/protocol has its traits embedded in every packet that it generates. Sometimes these traits are spread across multiple packets; in such cases reassembly is required. DPI applications use predefined expressions/signature databases for pattern matching against these traits for identifying that particular application et al.

Many people relate DPI technology mostly with only filtering applications like IDS/IPS or application firewalls; this is similar to saying “Sachin Tendulkar can only bat well”. DPI applications are not limited to security domain alone but to traffic management, analytics, accounting, QoS, WAN optimization and the list goes on.

There are couple of difficulties with Deep Packet Inspection technology as well. Pattern matching is very CPU intensive operation so it can bring down overall throughput of the device and hence the network as well if deployed in active inline mode. Encrypted traffic is another problem for DPI as packet payload is not available for plaintext inspection and the DPI device being somewhere in the network cannot decrypt client-server specific encrypted traffic. Though there are some solutions available to deal with these issues, none is a fully proved.