Skip to content Skip to navigation Skip to footer

What Is Deep Packet Inspection (DPI)?


Deep Packet Inspection (DPI) Definition

Deep packet inspection (DPI), also known as packet sniffing, is a method of examining the content of data packets as they pass by a checkpoint on the network. With normal types of stateful packet inspection, the device only checks the information in the packet’s header, like the destination Internet Protocol (IP) address, source IP address, and port number. DPI examines a larger range of metadata and data connected with each packet the device interfaces with. In this DPI meaning, the inspection process includes examining both the header and the data the packet is carrying. 

As a result, DPI provides a more effective mechanism for executing network packet filtering. In addition to the inspection capabilities of regular packet-sniffing technologies, DPI can find otherwise hidden threats within the data stream, such as attempts at data exfiltration, violations of content policies, malware, and more.

How DPI Works

DPI examines the contents of data packets using specific rules preprogrammed by the user, an administrator, or an internet service provider (ISP). Then, it decides how to handle the threats it discovers. Not only can DPI identify the existence of threats but, using the contents of the packet and its header, it can also figure out where it came from. In this way, DPI can pinpoint the application or service that launched the threat. 

DPI can also be set up to work with filters that enable it to identify and reroute network traffic that comes from a specific online service or IP address.

Deep Packet Inspection vs. Conventional Packet Filtering

Conventional packet filtering is only able to read what is inside the header information that comes with each packet of data. This is a basic, less sophisticated approach necessitated by early technological limits. Because firewalls were not capable of processing a lot of data quickly, they only focused on the header information because anything more would require more work and time, inordinately sacrificing network performance. 

However, with new technologies came the potential for deeper packet inspections and in real-time.


How Deep Packet Inspection (DPI) Works

Use Cases for Deep Packet Inspection

There are a variety of different ways of using a deep packet sniffer. DPI can provide intrusion detection systems (IDS) alone or work as both an intrusion prevention system (IPS) and IDS. It also enables users to spot specific kinds of attacks that a regular firewall may not be able to detect.

If your company has workers that either bring their own laptops to work or use them to connect to a virtual private network (VPN), DPI can be used to prevent them from accidentally spreading spyware, worms, and viruses into your organization’s network.

Also, with DPI, you can set your own rules. This gives you the option of deciding which applications workers can interact with. If there are applications that may either threaten your network or hamper productivity, you can use DPI to determine if they are being accessed, as well as reroute their incoming traffic.

DPI is also a helpful tool for managers who want to better handle network traffic, easing the burden on the system. If there is a high-priority message, DPI can be used to ensure that it passes through right away. In this way, the most important messages can be given preference.

It is also possible to decide which packets are the most business-critical and make sure they are given priority over other, less crucial packets, such as regular browsing packets. Further, if the organization is trying to overcome the burden of peer-to-peer downloading, DPI can be used to identify this specific type of transmission and throttle the data.

ISPs can use DPI to prevent attackers from exploiting Internet-of-Things (IoT) devices by preventing malicious requests. In this way, an ISP can leverage DPI to stop distributed denial-of-service attacks (DDoS) on IoT devices.

Blocking Malware

DPI can be combined with algorithms for threat detection and then used for blocking malware. In the case of a next-generation firewall (NGFW) at your network’s edge, DPI will catch the malware before it enters the network and endangers its assets.

In addition, DPI can give administrators visibility over the entire network, analyzing activity using heuristics to identify anything abnormal. Heuristics involves the examination of data packets in an effort to spot anything out of the ordinary that may signal a potential threat.

Stopping Data Leaks

DPI can also be used to inspect outbound traffic as it attempts to exit the network. Businesses therefore can set up filters designed to prevent data exfiltration. You can also use DPI to figure out where your data is going. With UniFi deep packet inspection, for example, data regarding where data was sent is kept in the gateway for you to examine until you delete it manually. 

To find out how to check DPI in this way, you can consult the manufacturer of your specific device.

Content Policy Enforcement

With DPI, you get enhanced application visibility, which enables you to throttle access to or block unauthorized or suspicious applications. You can also use the analytical capabilities of DPI to block usage patterns that violate company policy. DPI can also be used to block unauthorized access to data specific to applications approved by the company.

Techniques of Deep Packet Inspection (DPI)

Both firewalls with IDS features and IDS systems intended for network protection use DPI. The techniques they employ include protocol anomaly, IPS solutions, and pattern or signature matching.

Protocol Anomaly

Protocol anomaly uses an approach referred to as “default deny.” With default deny, content is allowed to pass according to preset protocols. Only content that fits the acceptable profile can go through. This is different from allowing everything that is not identified as malicious to pass through, which may still allow unknown attacks to penetrate the network.

IPS Solutions

IPS solutions can block threats in real time, and some of them use DPI. One challenge, however, is that IPS solutions may, at times, issue false positives. Using conservative policies can reduce the impact of an IPS that tends to indicate false-positive alerts.

Pattern or Signature Matching

With pattern or signature matching, the contents of a data packet are analyzed and compared against a database of previously identified threats. If the system is constantly updated with threat intelligence, this can be a very effective defense against attacks. However, if the attack is new, the system may miss it.

Benefits of DPI

Because DPI gives you better application visibility and protections, there are several benefits to incorporating it into your system.

You are better able to manage your network with DPI. As data passes through your network, it carries with it a vast amount of information regarding its nature, where it came from, and where it is going. With DPI, you can program a firewall to inspect data moving through your network and manage how certain data flows, where it is routed, and how it gets processed.

DPI can also be used to enhance security. Hackers may use certain websites or applications to launch their attacks. With DPI, you can completely block all data coming from certain sites or applications, thereby shielding your network from their associated threats. You can also benefit from seeing not just where a data packet is coming from but also what is inside its payload. DPI can identify dangerous data packets that may slip by regular firewalls.

DPI also gives you advanced options when it comes to controlling the traffic flowing through your network. For example, if your organization uses Voice over Internet Protocol (VoIP) or Zoom, DPI can be used to prioritize that traffic. Instead of wondering whether your calls and conferences will be interrupted by other traffic, you can use DPI to send that data through first.

DPI is also used for activities other than security and data management. Governments can use DPI to execute an internet censorship initiative. In this scenario, DPI scans traffic, blocking transmissions that come from unapproved sources, particularly those from outside the country or that stem from sites the government deems a threat to its people. Further, DPI can be used for eavesdropping on internet communications and internet data mining.

How Fortinet Can Help

The Fortinet NGFW, FortiGate, uses DPI to analyze data attempting to enter your network, exit it, or move across it. FortiGate is armed with anti-malware algorithms that look inside the contents of a data packet, see malware, and automatically dispense of the packet. 

In addition, Fortinet DPI can be used to examine the data flowing out of your system to identify data leaks. As it examines outgoing traffic, it can spot and stop threats that may have been launched from within the network. In this way, FortiGate uses DPI to prevent assets inside your network from being used to infect other systems. FortiGate also includes pathways for future updates that allow it to take advantage of constantly updating threat intelligence that helps it identify the newest cyberattacks on the landscape.

More Resources Available

Explore how three customers leveraged Fortinet's dynamic cloud security to secure VPN connections and gain the necessary visibility and control across their cloud environments as they continue to work remotely.