Deep packet inspection, or DPI, is a form of computer network packet filtering that examines the data part (and possibly also the header) of a packet as it passes an inspection point, searching for defined criteria to decide what, if any, action should be taken by the network on that packet.
A classified packet may be redirected, marked/tagged, blocked, rate limited, or reported to a reporting agent in the network. Many DPI devices can identify packet flows (rather than packet-by-packet analysis), allowing control actions based on accumulated flow information.
Typical identification parameters include source and destination IP addresses and ports. Some devices support far deeper inspection of packets to examine the metadata of the protocols in use, and may use this metadata for reporting and classification.
DPI enables a range of network services including network optimization, flow inspection, data flow management, security and application monitoring. These services go by many names, such as user experience optimization, policy definition and enforcement, quality of service, tiered services, or lawful intercept, but they can be fundamentally grouped into classes of application with similar requirements.
Use Cases
There are many different application models where DPI can be used to improve overall application usability and security.
Figure 1. The primary use cases for deep packet inspection
Network Optimization
Unmonitored and uncontrolled traffic flow through a network operator’s network can result in undesired interruption of service due to overload conditions at various places in the network. This can be caused by peer-to-peer (P2P) traffic, distributed denial of service (DDoS) attacks and other events.
As a result, the undesired interruption of service can endanger customer loyalty by impairing the operator’s quality of service (QoS). In order to avoid such events, operators use a variety of techniques that can all be summarized as DPI applications, and that can all be brought together in the deployment of a common kind of DPI system.
Flow inspection analyzes network traffic based on flows (a flow being the connection between a given client and a given server). This connection is analyzed and classified in order to align with carrier policies and requirements, thus allowing the carrier to monitor network usage by both application and total load. This, in turn, enables network operators to review their policies and take appropriate steps to ensure data flow and network integrity.
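The flow-based classification described above can be sketched as follows. This is an added example, not code from any DPI product: the packet dictionaries, the three payload signatures, `POLICY` and `REPORT_AFTER` are assumptions made for illustration, and the sample traffic is constructed.

```python
from collections import defaultdict

# Payload signatures: the well-known first bytes of each protocol's opening message.
SIGNATURES = [
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    # TLS record type 0x16 (handshake), version major 3, handshake type 1 (ClientHello)
    ("tls", lambda p: len(p) >= 6 and p[0] == 0x16 and p[1] == 3 and p[5] == 1),
    ("http", lambda p: p.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT"}),
]
POLICY = {"bittorrent": "rate_limit"}  # hypothetical operator policy; default is forward
REPORT_AFTER = 3  # hypothetical: report flows still unclassified after 3 payload packets

def flow_key(pkt):
    """Direction-independent 5-tuple, so both halves of a connection share one record."""
    a, b = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], a, b)

def inspect(flows, pkt):
    """Update the packet's flow record and return the action for this packet."""
    f = flows.setdefault(flow_key(pkt), {"app": "unknown", "bytes": 0, "pkts": 0})
    payload = pkt["payload"]
    f["bytes"] += len(payload)
    f["pkts"] += 1 if payload else 0
    if f["app"] == "unknown" and payload:  # keep trying until a signature matches
        f["app"] = next((app for app, m in SIGNATURES if m(payload)), "unknown")
    if f["app"] == "unknown":
        return "report" if f["pkts"] >= REPORT_AFTER else "forward"
    return POLICY.get(f["app"], "forward")

def usage_by_app(flows):
    """Accumulated payload bytes per application label (usage by application)."""
    totals = defaultdict(int)
    for f in flows.values():
        totals[f["app"]] += f["bytes"]
    return dict(totals)

def make_pkt(src, sport, dst, dport, payload):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}

SAMPLE = [  # constructed sample traffic using documentation address ranges
    make_pkt("10.0.0.5", 51000, "203.0.113.7", 6881, b"\x13BitTorrent protocol" + b"\x00" * 48),
    make_pkt("203.0.113.7", 6881, "10.0.0.5", 51000, b"\x00" * 1000),  # reply, same flow
    make_pkt("10.0.0.5", 51001, "198.51.100.9", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    make_pkt("10.0.0.5", 51002, "198.51.100.9", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

def run(packets):
    flows = {}
    return [inspect(flows, p) for p in packets], usage_by_app(flows)
```

The second sample packet carries no recognizable signature, yet it is still rate limited because the decision comes from the accumulated flow record rather than from that packet alone.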
Improved Data Flow
Deep packet inspection can also be used to optimize the data flow inside a network. Knowing which flows are dominant at what time of day (and on what day) allows dynamic configuration of the network to the respective load factors, thus improving user experience.
This knowledge additionally allows network operators to throttle traffic that is not preferred at a given time, adding headroom to priority traffic. Depending on the level of background information available in the operator’s network, this capability can be used to manage service levels.
Security and Application Monitoring
Finally, an area where DPI is used extensively is intelligent application monitoring and security. DPI techniques can be used to understand and interpret network messages between web server, application server, and actual applications in high-load applications.
DPI can be adapted to find the right messages, analyze the content and remove malformed or malicious content that was injected in order to break into the application. Similar techniques are applicable for security applications, where, in this case, the traffic is being monitored to protect the inside of the network, keeping out malicious content.
Another potential application is filtering content based on parameters, such as parental controls for adult material in a consumer application. DPI enables a deep understanding of the connections taking place and allows operators to apply policies to them.