What is Deep Packet Inspection and Why is it Important?

If you’re in the networking industry, you’ve probably heard about DPI. If you’re also a designer or have worked with graphics, you’ve probably been confused as to what Dots Per Inch has to do with networks. In this case, however, we’re talking about “Deep Packet Inspection.” So what is that?

What is a packet?

Let’s break it down. “Deep” and “inspection” aren’t too hard to figure out, so let’s look at “packet.” What is a packet?

A packet is a small package; a little bit of stuff. In a network, a packet is a little chunk of data. How big is an average packet? It depends. Packets can be anywhere from 64 to 1518 bytes. Every production network is different and no network does the same thing all the time because the traffic is always changing. On average, a text-only email is around 4 packets.

Think of a network packet like an envelope from the post office. Personally, I like to imagine the Old West Pony Express, when a cowboy rode his horse while carrying a bunch of messages from one outpost to the next. That image reminds me why there can be so much latency for packets “riding” around the world. Now, back to the envelope.

An envelope has two addresses on it: the receiver’s address and the sender’s return address. You can think of these as a destination address (the receiver) and a source address (the sender). Every packet on a network has a source and destination address, too.

How does deep packet inspection work?

On the first layer of DPI, it’s like we are looking at the return addresses on the envelopes. I took a few envelopes out of my mailbox. Based on the return addresses, I can see:

  • From Dr. Landers Optometry. Trash. I mean, recycle.
  • My favorite Mexican restaurant! Probably a coupon, keep that.
  • Visa. Yuck, my credit card bill. Better hide that from my wife.
  • Uh-oh, a letter from the IRS… Open that one right away.

DPI also looks at the destination addresses of the packets. It’s possible to use these destinations to infer what the sender is doing, which is why some people prefer to that their network administrators not implement DPI at all, even though it has many useful applications.

Checking through the destinations of a fictional user, I see there’s YouTube, Facebook, Office 365, etc. If there’s a bunch of network packets coming from a YouTube address, what’s happening? Somebody’s watching videos! What if there’s a bunch of packets going to a YouTube address? Somebody’s uploading a video. Pretty easy, right?

Looking at the addresses alone is not very “deep” – that’s what your network devices have to do anyway to get packets where they need to go, albeit without the analysis. So what else is there? Let’s say we don’t recognize the sender’s address. You ever get one of those mysterious envelopes that comes from someone you don’t know? The ones that kinda look like a bill but you can’t be sure? The envelopes you have to open up to figure out? Yeah, they get me every time. Well, opening that envelope is deep packet inspection!

For the second layer of DPI, we look deeper than the addresses. For example, what port are they using? We can match the port up with the listings from the IANA database. What does that port normally do? Oh, that port is for email, that one is usually Skype, hmm, port 6889? Oh, that’s usually used for peer-to-peer downloads. Yikes, someone might be downloading pirated movies on my network!

Uses for deep packet inspection

There are many uses for deep packet inspection. Some of them are, bluntly, not uses most people are comfortable with, like spying or censorship. However, there are many quite useful applications that any user would welcome on their network. A big one is security.

Security companies don’t just look at the individual packets, they look at the traffic patterns. These companies use algorithms, heuristics, and pattern matching to detect probable malicious behavior. For example, if they notice a computer is pinging every device on the network, they might determine that computer is scanning the entire network to look for security vulnerabilities and shut off its access.

Application Visibility

Another good use for DPI is application visibility. This is usually implemented by corporate networks or businesses, not individual home users. Application visibility is available from Zenlayer for businesses and carriers with SD-WAN solutions. Because our implementation only looks at the source and destination addresses – information gathered anyway when routing packets across a network – and handles analysis separately, it does not create additional latency on networks.

There are many benefits to implementing application visibility on a corporate network. These include utilization reporting, security, and improved quality of service.

Better bandwidth utilization reporting

Better reporting allows you to answer questions like “What are my users doing the most?”, “Which user is using the most bandwidth?”, and “Why is my low-priority database backup traffic going over the expensive MPLS circuit instead of the IPsec tunnel?”

Better security

As with the security example above, application visibility allows your network to keep an eye out for potentially dangerous websites and applications along with suspicious traffic behavior.

Better traffic control/quality of service

With application visibility, you can choose to have your network prioritize uses like VoIP and Microsoft Teams, making sure meetings go smoothly. Meanwhile, you might conclude YouTube and Facebook live-streaming are less critical to your business and direct the network to treat them as second priorities.

Like most technologies, there are both good and bad uses for deep packet inspection. We consider Zenlayer’s implementation to be firmly on the “good” side. If you’re interested in adding application visibility to your network, contact a representative today.

Background vector created by –

Share article :


Zenlayer is coming to a city near you! Grab a bite and drink with the team as we celebrate our 10-year anniversary. Save your spot today!