Blog Post

A Guide to Deep Packet Inspection

Published
July 19, 2017
#
 mins read
By 

in this blog post

Deep Packet Inspection (DPI) is used for in-depth analysis of the packets sent over the internet. All the communication that happens over the internet makes use of ‘packets’ to transfer data.  It includes our VOIP calls (like Skype), websites we visit, and the emails we send.

We can compare a data packet with our traditional mailing system where a letter contains information like name and address of the sender and receiver along with the content for the intended receiver. The postal service will be able to make use of the address mentioned on the cover to deliver the letter and does not check the content inside it. The packets sent over the Internet are routed similarly; each packet contains the source and destination IP address which is used to successfully deliver packets to the intended recipients. Different hops present in the path will not look at the body/content of a packet. It makes use of the destination address to route it. Packet Inspection is not a new concept; DPI is an addition to this existing technique, which takes the packet inspection game to another level.

Types of Packet Inspections:

  • Shallow Packet Inspection (SPI)
  • Medium Packet Inspection (MPI)
  • Deep Packet Inspection (DPI)

Shallow Packet Inspection

SPI inspects the packet’s header to identify the source and destination IP address. The information obtained is used for routing the packet to the destination address. Its scope is limited to the layer 2 and 3 of the OSI model. Generic firewalls make use of this type of inspection methodology to block the unwanted connections from the blacklisted IPs.

Medium Packet Inspection

MPI points to application proxies/device which acts as an intermediary service between the end user and the Internet gateways. The sole purpose of these proxies is to analyze the packet headers, including the type of the packet based on its data format and compare it with the loaded parse-list to allow or refuse its transmission. The pre-loaded parse list can be updated anytime by the administrator. Instead of making a decision based on IP address, MPI takes into consideration the packet type to perform the action.

What is Deep Packet Inspection?

DPI allows us to inspect the packets beyond header and footer. It can dig deeper and get some granular information like the application to which the packet belongs and the packet content.

The introduction of the DPI brings analysis of the packet content into the picture, which can be used for several purposes. It can help in identifying malicious packets, intrusions, and while performing traffic management as well.

DPI strips down the header and footer from the packet and inspects the payload to perform signature matching, looking for specific string and other details.

Application of DPI on a large scale requires high-end computing resources for the analysis of collected data. The analysis can also introduce latency in the transmission of the packets. DPI can be applied through a physical device or software application.

There are several methods that are used by DPI to perform the inspection. Some of the popular methods used include port-based, statistical, and automation-based approaches. Port-based is the standard protocol identification approach which inspects the port fields in the TCP/UDP headers for the commonly assigned port numbers to the respective protocol. In statistical analysis, the focus is on the classification of the traffic rather than payload and gathering generic information like packet length, port numbers to classify the traffic. The automation based approach is the widely preferred pattern/regular expression matching technique which uses a finite state machine for the pattern matching. It includes the following state: initial state, acceptance state for matching the patterns and intermediate states for partial matching cases. Matching begins with the initial state when a payload string enters the automation engine, and if the process reaches the final state, it means that the match is found.

Importance of DPI

Optimization of network traffic by ISP:

It can be used by the ISPs to prioritize the traffic on their network and provide better service to the consumer. They will be able to identify the VoIP traffic and can prioritize it to reduce the latency in the communication. It also helps in network bandwidth management by reducing the priority of the P2P connections like torrent clients. It allows the ISPs to provide additional performance options to their enterprise clients for traffic prioritization.

Keeping IOT devices in check:

As we know that currently, IOT is a booming technology, more and more devices are getting connected to the internet every day, which increases concern regarding the repeated exploitation of them for DDOS attacks. Use of DPI will help the ISPs to block these kinds of malicious requests from the IOT devices.

Enterprise security enhancement:

Use of DPI by enterprises helps in securing the company’s network with more capable alternative than the traditional Stateful Packet Inspection firewall. It does the job of both an IDS and IPS system and allows the company’s security auditors to enforce rules for preventing confidential information from being sent outside the organization’s network. DPI helps monitor internal traffic as well as block malicious requests from entering the internal network. It enables user notification, in case a user is trying to send a restricted document outside the company’s network via email. A user can be notified about obtaining the required permission before sending the data outside the company.

How does DPI affect consumers?

ISPs are making use of DPI to analyze consumer behavior on the Internet and selling their personal browsing data to marketing and advertising companies. This practice raises concern regarding consumer privacy.

It can also be used to provide security agencies unauthorized surveillance of a user’s activity, and governments can restrict users from accessing certain contents which are against their agenda.

DPI: When and What to Monitor

You may not be able to control all the events that happen, but you can mitigate security threats by implementing the strategies mentioned below along with our digital monitoring platform.

1. To avoid malicious content from being injected into your websites and to save end users from a man in the middle attack, monitoring plays a crucial role. To understand the impact of Man in the Middle attack, you can read this detailed blog post.

The Catchpoint portal triggers an alert if there is an IP mismatch; this helps you identify potential risks on the web application before it impacts the user.

2. High latency can be observed in China due to filtering by the Great Firewall of China. The filtering causes increased DNS response time due to the redirect to a different domain and connection failures for hosts like google.com, which is actively blocked by the firewall.

We need to implement a better strategy when we are serving the content from China and overcome the firewall by avoiding the tags that might skew the performance of your application in that region. Adapting your application to local realities in China and monitoring from end user perspective will have a positive impact on the brand.

Catchpoint nodes in China enable clients to monitor their customer experience from 45 locations.

3. Enterprises who use DPI for their internal infrastructure monitoring can make use of Catchpoint’s Onprem nodes to compare the performance when traffic goes through DPI and when it doesn’t. This will help the organization in monitoring the effectiveness and efficiency of their DPI solution.

4. ISPs can be using DPI for different purposes. However, use of DPI can cause network congestion and packet loss due to the amount of computation power required. They can make use of CP OnPrem nodes to identify the congestion points and allocate more resources to their DPI system.

They can setup traceroute tests to identify the packet loss and fine tune their settings.

5. Catchpoint provides the option of setting TCP test which can help in analyzing the effectiveness of load balancing at the gateways and it can help in monitoring the efficiency of the content filtering by specifying the desired payload for inspection.

Learn more about Catchpoint with a Guided Test Drive.

Deep Packet Inspection (DPI) is used for in-depth analysis of the packets sent over the internet. All the communication that happens over the internet makes use of ‘packets’ to transfer data.  It includes our VOIP calls (like Skype), websites we visit, and the emails we send.

We can compare a data packet with our traditional mailing system where a letter contains information like name and address of the sender and receiver along with the content for the intended receiver. The postal service will be able to make use of the address mentioned on the cover to deliver the letter and does not check the content inside it. The packets sent over the Internet are routed similarly; each packet contains the source and destination IP address which is used to successfully deliver packets to the intended recipients. Different hops present in the path will not look at the body/content of a packet. It makes use of the destination address to route it. Packet Inspection is not a new concept; DPI is an addition to this existing technique, which takes the packet inspection game to another level.

Types of Packet Inspections:

  • Shallow Packet Inspection (SPI)
  • Medium Packet Inspection (MPI)
  • Deep Packet Inspection (DPI)

Shallow Packet Inspection

SPI inspects the packet’s header to identify the source and destination IP address. The information obtained is used for routing the packet to the destination address. Its scope is limited to the layer 2 and 3 of the OSI model. Generic firewalls make use of this type of inspection methodology to block the unwanted connections from the blacklisted IPs.

Medium Packet Inspection

MPI points to application proxies/device which acts as an intermediary service between the end user and the Internet gateways. The sole purpose of these proxies is to analyze the packet headers, including the type of the packet based on its data format and compare it with the loaded parse-list to allow or refuse its transmission. The pre-loaded parse list can be updated anytime by the administrator. Instead of making a decision based on IP address, MPI takes into consideration the packet type to perform the action.

What is Deep Packet Inspection?

DPI allows us to inspect the packets beyond header and footer. It can dig deeper and get some granular information like the application to which the packet belongs and the packet content.

The introduction of the DPI brings analysis of the packet content into the picture, which can be used for several purposes. It can help in identifying malicious packets, intrusions, and while performing traffic management as well.

DPI strips down the header and footer from the packet and inspects the payload to perform signature matching, looking for specific string and other details.

Application of DPI on a large scale requires high-end computing resources for the analysis of collected data. The analysis can also introduce latency in the transmission of the packets. DPI can be applied through a physical device or software application.

There are several methods that are used by DPI to perform the inspection. Some of the popular methods used include port-based, statistical, and automation-based approaches. Port-based is the standard protocol identification approach which inspects the port fields in the TCP/UDP headers for the commonly assigned port numbers to the respective protocol. In statistical analysis, the focus is on the classification of the traffic rather than payload and gathering generic information like packet length, port numbers to classify the traffic. The automation based approach is the widely preferred pattern/regular expression matching technique which uses a finite state machine for the pattern matching. It includes the following state: initial state, acceptance state for matching the patterns and intermediate states for partial matching cases. Matching begins with the initial state when a payload string enters the automation engine, and if the process reaches the final state, it means that the match is found.

Importance of DPI

Optimization of network traffic by ISP:

It can be used by the ISPs to prioritize the traffic on their network and provide better service to the consumer. They will be able to identify the VoIP traffic and can prioritize it to reduce the latency in the communication. It also helps in network bandwidth management by reducing the priority of the P2P connections like torrent clients. It allows the ISPs to provide additional performance options to their enterprise clients for traffic prioritization.

Keeping IOT devices in check:

As we know that currently, IOT is a booming technology, more and more devices are getting connected to the internet every day, which increases concern regarding the repeated exploitation of them for DDOS attacks. Use of DPI will help the ISPs to block these kinds of malicious requests from the IOT devices.

Enterprise security enhancement:

Use of DPI by enterprises helps in securing the company’s network with more capable alternative than the traditional Stateful Packet Inspection firewall. It does the job of both an IDS and IPS system and allows the company’s security auditors to enforce rules for preventing confidential information from being sent outside the organization’s network. DPI helps monitor internal traffic as well as block malicious requests from entering the internal network. It enables user notification, in case a user is trying to send a restricted document outside the company’s network via email. A user can be notified about obtaining the required permission before sending the data outside the company.

How does DPI affect consumers?

ISPs are making use of DPI to analyze consumer behavior on the Internet and selling their personal browsing data to marketing and advertising companies. This practice raises concern regarding consumer privacy.

It can also be used to provide security agencies unauthorized surveillance of a user’s activity, and governments can restrict users from accessing certain contents which are against their agenda.

DPI: When and What to Monitor

You may not be able to control all the events that happen, but you can mitigate security threats by implementing the strategies mentioned below along with our digital monitoring platform.

1. To avoid malicious content from being injected into your websites and to save end users from a man in the middle attack, monitoring plays a crucial role. To understand the impact of Man in the Middle attack, you can read this detailed blog post.

The Catchpoint portal triggers an alert if there is an IP mismatch; this helps you identify potential risks on the web application before it impacts the user.

2. High latency can be observed in China due to filtering by the Great Firewall of China. The filtering causes increased DNS response time due to the redirect to a different domain and connection failures for hosts like google.com, which is actively blocked by the firewall.

We need to implement a better strategy when we are serving the content from China and overcome the firewall by avoiding the tags that might skew the performance of your application in that region. Adapting your application to local realities in China and monitoring from end user perspective will have a positive impact on the brand.

Catchpoint nodes in China enable clients to monitor their customer experience from 45 locations.

3. Enterprises who use DPI for their internal infrastructure monitoring can make use of Catchpoint’s Onprem nodes to compare the performance when traffic goes through DPI and when it doesn’t. This will help the organization in monitoring the effectiveness and efficiency of their DPI solution.

4. ISPs can be using DPI for different purposes. However, use of DPI can cause network congestion and packet loss due to the amount of computation power required. They can make use of CP OnPrem nodes to identify the congestion points and allocate more resources to their DPI system.

They can setup traceroute tests to identify the packet loss and fine tune their settings.

5. Catchpoint provides the option of setting TCP test which can help in analyzing the effectiveness of load balancing at the gateways and it can help in monitoring the efficiency of the content filtering by specifying the desired payload for inspection.

Learn more about Catchpoint with a Guided Test Drive.

This is some text inside of a div block.

You might also like

Blog post

Lessons from Microsoft’s office 365 Outage: The Importance of third-party monitoring

Blog post

When SSL Issues aren’t just about SSL: A deep dive into the TIBCO Mashery outage

Blog post

Preparing for the unexpected: Lessons from the AJIO and Jio Outage