Deep Packet Inspection

Definition

Deep packet inspection (DPI) is a technology that allows packet-inspecting devices – such as firewalls and IPS – to analyse packet contents in depth. DPI functionality is invoked when a device utilises information beyond Layer 3 (and up to all seven layers) of the OSI model. In other words, DPI examines the entire contents of the packet, not just the header and protocol metadata.

This analysis is also broader than common technologies because it combines techniques such as protocol anomaly detection and signature scanning, traditionally available in IDS and anti-virus solutions.

Deep packet inspection (DPI) technologies may take actions such as alerting, blocking, re-routing, or logging anomalous packets.

Uses

DPI is used in a wide range of applications, at the so-called “enterprise” level (corporations and larger institutions), in telecommunications service providers, and in governments.

Deep Packet Inspection (and filtering) enables advanced network management, user service, and security functions as well as internet data mining, eavesdropping, and internet censorship. DPI is often used to baseline application behaviour, analyse network usage, troubleshoot network performance, ensure that data is in the correct format, check for malicious code, detect eavesdropping and data exfiltration, identify criminal command and control communications and perform internet censorship, among other purposes.

A classified packet may be redirected, marked/tagged (see quality of service), blocked, rate limited, and of course, reported to a reporting agent in the network. In this way, HTTP errors of different classifications may be identified and forwarded for analysis. Many DPI devices can identify packet flows (rather than packet-by-packet analysis), allowing control actions based on accumulated flow information.

Acquiring Packets

There are multiple ways to acquire packets for deep packet inspection. Using port mirroring (sometimes called a SPAN port) is a very common way, as is physically inserting a network tap, which duplicates the data stream and sends it to an analyser tool for inspection.

DPI Methodology & Hardware

DPI can identify and classify traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information.

DPI-enabled devices can examine Layer 2 and everything beyond Layer 3 of the OSI model. In some cases, DPI can be invoked to look through Layers 2-7 of the OSI model. This includes headers and data protocol structures as well as the payload of the message.
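As an added illustration (not code from the original page) of why payload signatures give finer control than header-only classification, the following Python walks a constructed Ethernet/IPv4/TCP frame down to its payload and classifies it twice: once by destination port (Layer 4 only) and once against a small, constructed signature database matched on the payload bytes (Layers 5-7). The frame builder and the signature set are assumptions made for the example.

```python
import struct

# Constructed signature database (assumption for this example): byte patterns
# matched against the start of the TCP payload, i.e. Layers 5-7 content.
SIGNATURES = [
    ("http", (b"GET ", b"POST ", b"HEAD ", b"HTTP/1.")),
    ("tls",  (b"\x16\x03",)),          # TLS record: handshake type, version 3.x
    ("ssh",  (b"SSH-",)),              # SSH identification string
]

def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet (L2) -> IPv4 (L3) -> TCP (L4) and return ports plus payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"sport": sport, "dport": dport, "payload": tcp[data_off:]}

def classify_by_header(pkt: dict) -> str:
    """Shallow classification: trust the well-known destination port only."""
    return {80: "http", 443: "tls", 22: "ssh"}.get(pkt["dport"], "unknown")

def classify_by_payload(pkt: dict) -> str:
    """DPI classification: match the payload against the signature database."""
    for name, patterns in SIGNATURES:
        if pkt["payload"].startswith(patterns):
            return name
    return "unknown"

def build_frame(sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame around payload (checksums zeroed)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return eth + ip

if __name__ == "__main__":
    # Constructed sample: an SSH banner sent to TCP port 80 looks like web traffic
    # by port, but the payload signature identifies it as SSH.
    pkt = parse_frame(build_frame(51000, 80, b"SSH-2.0-OpenSSH_9.6\r\n"))
    print(classify_by_header(pkt), classify_by_payload(pkt))   # http ssh
```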

Some security solutions that offer DPI combine the functionality of an intrusion detection system (IDS) and an intrusion prevention system (IPS) with a traditional stateful firewall. This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on their own.

Stateful firewalls, while able to see the beginning and end of a packet flow, cannot catch events on their own that would be out of bounds for a particular application.

While IDSs are able to detect intrusions, they have very little capability to block such an attack.

DPI devices are used to prevent attacks from viruses and worms at wire speeds. They can also be effective against buffer overflow attacks, denial-of-service (DoS) attacks, sophisticated intrusions, and worms that fit within a single packet.

Criticisms

Although DPI has been used for Internet management for many years, some advocates of net neutrality fear that the technique may be used anticompetitively or to reduce the openness of the Internet. People and organizations concerned about privacy or network neutrality find inspection of the content layers of the Internet protocol to be offensive, as the Internet was originally built on the concept of open access and non-discrimination (of packets).

Defeating DPI

Traditional deep packet inspection technologies can be defeated by VPN tunnelling and HTTPS. In response, many web application firewalls (WAFs) now offer HTTPS inspection, where they decrypt HTTPS traffic to analyse it. The WAF can either terminate the encryption, so that the connection between the WAF and the client browser uses plain HTTP, or re-encrypt the data using its own HTTPS certificate, which must be distributed to clients beforehand. The techniques used in HTTPS / SSL inspection (also known as HTTPS / SSL interception) are the same as those used by man-in-the-middle (MiTM) attacks.
