deep packet inspection (DPI)

Deep packet inspection (DPI) is an advanced method of examining and managing network traffic. It is a form of packet filtering that locates, identifies, classifies, reroutes or blocks packets with specific data or code payloads that conventional packet filtering, which examines only packet headers, cannot detect.

Usually performed as a firewall feature, deep packet inspection functions at the application layer of the Open Systems Interconnection (OSI) reference model.

How deep packet inspection works

Deep packet inspection examines the contents of packets passing through a given checkpoint and makes real-time decisions based on rules assigned by an enterprise, internet service provider (ISP) or network manager, depending on what a packet contains.

Previous forms of packet filtering only looked at header information, which, to use an analogy, is the equivalent of reading addresses printed on the outside of an envelope. This was due partly to the limitations of technology. Until recently, firewalls did not have the processing power necessary to perform deeper inspections on large volumes of traffic in real time. Technological advancements have enabled DPI to perform more advanced inspections that are more like opening an envelope and reading its contents.


Deep packet inspection can examine the content of messages and identify the specific application or service they come from. In addition, filters can be programmed to look for and reroute network traffic from a specific Internet Protocol (IP) address range or a certain online service like Facebook.
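The difference between header-only filtering and payload inspection, shown as an added example that is not part of the original article. The packets are constructed samples (checksums left at zero), and the port allow-list and throttle policy are assumptions made for illustration.

```python
import socket
import struct

def build_packet(src, dst, sport, dport, payload):
    """Build a constructed IPv4/TCP packet (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def parse(packet):
    """Split a packet into header fields and application payload."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 20 or packet[9] != 6:
        raise ValueError("not a complete IPv4/TCP packet")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_offset = (packet[ihl + 12] >> 4) * 4
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport,
            "payload": packet[ihl + data_offset:]}

ALLOWED_PORTS = {80, 443}  # assumed header-only policy

def header_filter(packet):
    """Conventional filtering: decide from header fields only."""
    return "allow" if parse(packet)["dport"] in ALLOWED_PORTS else "block"

def dpi_classify(packet):
    """DPI: identify the application from the payload bytes."""
    payload = parse(packet)["payload"]
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    return "unknown"

def dpi_filter(packet):
    """Assumed policy: throttle peer-to-peer, otherwise defer to header rule."""
    return "throttle" if dpi_classify(packet) == "bittorrent" else header_filter(packet)

# Constructed samples: both target port 80, only the payload differs.
WEB = build_packet("10.0.0.5", "192.0.2.10", 40000, 80,
                   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
P2P = build_packet("10.0.0.5", "192.0.2.20", 40001, 80,
                   b"\x13BitTorrent protocol" + bytes(8) + bytes(40))
```

Both sample packets pass the header-only rule because they share a destination port; only the payload check tells the web request apart from the peer-to-peer handshake.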

Common uses of deep packet inspection

DPI can be used for benevolent purposes as a network security tool, detecting and intercepting viruses and other forms of malicious traffic. But it can also be used for more nefarious activities like eavesdropping.

Deep packet inspection can also be used in network management to streamline the flow of network traffic. For example, a message tagged as high priority can be routed to its destination ahead of less important or low-priority messages or packets involved in casual internet browsing. DPI can also be used to throttle data transfers to prevent peer-to-peer abuse, thereby improving network performance.

Because deep packet inspection makes it possible to identify the originator or recipient of content containing specific packets, it has sparked concern among privacy advocates and opponents of net neutrality.

Limitations of deep packet inspection

Deep packet inspection has at least three significant limitations.

First, it can create new vulnerabilities in addition to protecting against existing ones. While effective against buffer overflow attacks, denial-of-service (DoS) attacks and certain types of malware, DPI can also be exploited to facilitate attacks in those same categories.

Second, deep packet inspection adds to the complexity and unwieldy nature of existing firewalls and other security-related software. Deep packet inspection requires its own periodic updates and revisions to remain optimally effective.

Third, DPI can reduce network speed because it increases the burden on firewall processors.

Despite these limitations, many network administrators have embraced deep packet inspection technology in an attempt to cope with a perceived increase in the complexity and widespread nature of internet-related perils.

This was last updated in September 2017

Next Steps

Deep packet inspection is an integral security feature of next-generation firewalls. Learn about the basics of next-generation firewalls and discover the three factors to consider before purchasing an NGFW for your organization.
