If routing can be compared to the postal system, then Deep Packet Inspection “DPI” is the equivalent of airport security.
Just like a mail carrier who only reads the recipient label on a package, a networking device (or router) only looks at the header of the IP packet: it reads the destination address, makes a decision, and forwards the packet as fast as possible. Looking at just one portion of the packet keeps routing efficient and fast.
But in the postal system, a mail carrier cannot open the package to inspect its contents. That job is left to the Transportation Security Administration “TSA.” They are the ones with the technology, resources, and permission to check every single passenger, bag, and package.
In the networking space, a router can do a lot more than just check the destination address. With DPI technology, a router can look deep into the contents of the packet and make decisions accordingly.
What is DPI and How Does it Work?
Deep Packet Inspection “DPI” is a sophisticated method of examining the contents of network traffic. It can filter packets based on in-depth analysis at all layers of the OSI model.
As mentioned before, a router typically looks only at the IP header of a packet. A stateless firewall (often implemented as an ACL, “Access Control List”) likewise only permits or denies connections based on source and destination IP addresses.
To help clarify this, refer to the picture below. An L3 router or stateless firewall works only at the Network layer and below.
But routing and firewalling methods have evolved over the years.
Firewall technology had to evolve and adopt “shallow packet inspection” to protect the network from an increasing variety of attacks. Likewise, to route based on the transport layer, the L4 switch was born. The stateful firewall watches traffic from end to end by digging “shallowly” into the TCP/UDP connection.
In other words, a stateful firewall performs a superficial inspection up to the transport layer and can identify the ports in use, and therefore whether the traffic is HTTP, SMTP, SNMP, DNS, etc.
Reverse Engineering DPI
To understand shallow and deep inspection, you need to know how a network packet is encapsulated.
Refer to the picture below. An application such as Dropbox, Skype, or BitTorrent creates data. At the Transport layer, this data is encapsulated into a segment with a TCP or UDP header. The segment is then encapsulated into an IP datagram at the Internet layer, with an IP header. Finally, at layer 2 it is placed into a frame with a frame header and sent over the physical medium.
A stateful firewall can find out which application protocol was used by looking into the TCP segment at the transport layer, but it is not able to see the data itself.
DPI technology takes a step forward.
It can open the packet and look through Layers 2-7 of the OSI model. In other words, DPI technology can look into:
- Layer 2 frames.
- Layer 3 IP headers.
- Data protocol structures.
- Most importantly, the payload of the message.
The payload is the actual data, which is not supposed to be discarded or opened until it reaches its final destination.
If you capture a traffic flow and open a single packet from a specific source/destination pair in Wireshark, you can view its payload (just like DPI would). The problem is that the output is too verbose. To make sense of it, you might need to do many hexadecimal-to-decimal conversions; it would be too time-consuming even for a single packet.
A DPI-enabled router or firewall has access to all the information in the payload and uses protocol libraries to make sense of it. A device with DPI can be configured with policies and make decisions based on layer 7 data, and block, re-route, or log the traffic.
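As an added example (not from the original article), the following Python script builds a constructed Ethernet/IPv4/TCP frame and peels it layer by layer, recording what a stateless router (L3), a stateful firewall (L4) and a DPI engine (L7) each get to see. The frame, the addresses (RFC 5737 documentation ranges) and the small content classifier are all constructed for this illustration.

```python
import struct

# Constructed sample frame (Ethernet II + IPv4 + TCP + payload), not captured traffic.
def build_frame(payload: bytes, dport: int = 80) -> bytes:
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 80]))
    return eth + ip + tcp + payload

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify_payload(payload: bytes) -> str:
    """The DPI step: guess the application protocol from content, ignoring the port."""
    if not payload:
        return "no payload"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "HTTP"
    # TLS record header: type 0x16 (handshake), version 0x03 0x0X, then handshake type 0x01
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "TLS ClientHello"
    return "unknown"

WELL_KNOWN = {21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}

def inspect(frame: bytes) -> dict:
    """Peel the headers the way a device at each layer would, keeping what it can see."""
    view = {"l2": {"ethertype": hex(struct.unpack("!H", frame[12:14])[0])}}
    ip = frame[14:]                                  # strip the layer 2 frame header
    ihl = (ip[0] & 0x0F) * 4
    view["l3"] = {"src": ".".join(map(str, ip[12:16])),   # what a router / ACL decides on
                  "dst": ".".join(map(str, ip[16:20])), "proto": ip[9]}
    seg = ip[ihl:]                                   # the TCP segment
    sport, dport = struct.unpack("!HH", seg[:4])
    view["l4"] = {"sport": sport, "dport": dport,    # port-based guess: a stateful firewall's view
                  "guess": WELL_KNOWN.get(dport, "unknown")}
    payload = seg[(seg[12] >> 4) * 4:]               # skip the TCP header (data offset in 32-bit words)
    view["l7"] = {"app": classify_payload(payload), "bytes": len(payload)}
    return view

if __name__ == "__main__":
    # Plaintext HTTP sent to port 443: the L4 guess says HTTPS, DPI sees the real protocol.
    frame = build_frame(b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n", dport=443)
    for layer, seen in inspect(frame).items():
        print(layer, seen)
```

The mismatch between the L4 guess and the L7 result on the same frame is exactly the gap a stateful firewall cannot close and a DPI engine can.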
What's The Importance of DPI?
DPI is important because it can help large corporations improve their security posture by shaping their traffic.
But not every router (or firewall) can handle deep packet inspection. The technology requires substantial resources, so it is not common in SMBs (Small-to-Medium Businesses), and if not configured correctly, it can be a real traffic bottleneck.
A router with DPI needs to be powerful enough to open every packet, inspect it, re-wrap it, and send it on. Only large enterprises, governments, and telecom service providers have the resources to put this technology to work.
DPI is Used in a Wide Variety of Applications.
It can help a corporation guarantee that the data sent and received does not contain malicious code, and detect advanced cyber-attacks. On the other hand, DPI can also be used for other motives, such as eavesdropping on, redirecting, or blocking specific traffic.
An example of DPI in action is an ISP that wants to shape traffic. If some traffic is too demanding on its network, such as streaming media or torrents, it might want to open such packets and shape the traffic accordingly. ISPs might also use it to drop packets coming from specific websites, such as competitors, adult content, piracy sites, etc.
IPS/IDS Systems Using DPI Analysis.
An Intrusion Detection System “IDS” is capable of detecting intrusions, but it cannot block an attack. An IDS can employ Deep Packet Inspection technology to help it:
- Collect more information on the attack.
- Identify attack signatures and patterns.
- Control network traffic such as FTP root access, Telnet, or specific HTTP content.
An IDS that relies on DPI can inspect the content of packets and gather more information. With this technology, an IDS can identify an attack faster and even control it. The IDS compares the traffic against a database of attack signatures and lets DPI act according to its policies.
On the other hand, an Intrusion Prevention System “IPS” can detect and block attacks in real time. Some “IPS” solutions also implement DPI technologies to help prevent attacks. It can:
- Block traffic matching known attack signatures.
- Protect against specific vulnerabilities and exploits.
In most cases, DPI can improve the security posture of conventional solutions. DPI combines the capabilities of IDS/IPS with a traditional stateful firewall, making it capable of finding attack variations that these devices cannot identify by themselves.
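The IDS/IPS behaviour described above, as an added Python example that is not part of the article: a small signature set in which each rule has an L4 part (destination port) and an L7 part (a payload pattern that only a DPI-capable sensor can evaluate), applied to constructed flow records. IDS mode can only raise alerts, while IPS mode sits inline and drops the matching flow. Rule names, patterns and sample flows are constructed for this illustration and modelled on the article's own examples (FTP root access, Telnet, specific HTTP content).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    name: str
    dport: Optional[int]      # L4 part: None means any port
    pattern: re.Pattern       # L7 part: applied to the payload, which needs DPI
    severity: str

# Constructed signatures, not from any real rule set.
RULES: List[Rule] = [
    Rule("ftp-root-login", 21, re.compile(rb"^USER\s+root\s*$", re.M | re.I), "high"),
    Rule("telnet-session", 23, re.compile(rb""), "medium"),      # any Telnet payload matches
    Rule("http-blocked-host", 80,
         re.compile(rb"^Host:\s*(?:[\w-]+\.)*(?:tracker|social)\.example\s*$", re.M | re.I),
         "low"),
]

def match_rules(dport: int, payload: bytes) -> List[Rule]:
    """A stateful firewall could evaluate only the port test; the pattern test needs the payload."""
    return [r for r in RULES
            if (r.dport is None or r.dport == dport) and r.pattern.search(payload)]

def process_flow(flow: dict, mode: str) -> dict:
    """mode='ids' observes and alerts only; mode='ips' is inline and can drop the flow."""
    hits = match_rules(flow["dport"], flow["payload"])
    action = "drop" if (hits and mode == "ips") else "allow"
    return {"src": flow["src"], "dport": flow["dport"], "action": action,
            "alerts": [f"{r.name} ({r.severity})" for r in hits]}

# Constructed flow records (RFC 5737 addresses), not captured traffic.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dport": 21, "payload": b"USER root\r\n"},
    {"src": "192.0.2.11", "dport": 23, "payload": b"\xff\xfd\x18login: "},
    {"src": "192.0.2.12", "dport": 80, "payload": b"GET / HTTP/1.1\r\nHost: social.example\r\n\r\n"},
    {"src": "192.0.2.13", "dport": 80, "payload": b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"},
    {"src": "192.0.2.14", "dport": 21, "payload": b"USER alice\r\n"},
]

def run(mode: str) -> List[dict]:
    return [process_flow(f, mode) for f in SAMPLE_FLOWS]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        for result in run(mode):
            print(mode, result)
```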
Here's the Best Software for Deep Packet Inspection of 2019:
DPI usually comes as a feature in security appliances or as a virtual DPI deployed on a server. Although the proper implementation is a dedicated security/DPI appliance, you might also want to implement DPI as a service or through software.
Below we’ll mention some popular tools/software for DPI:
- SolarWinds Network Performance Monitor
- nDPI with ntopng
- Paessler Packet Sniffing with PRTG
- ManageEngine OpManager
Below you'll find a quick description of each product.
1. SolarWinds Network Performance Monitor
Network Performance Monitor “NPM” from SolarWinds can perform DPI and analysis on your network traffic. With it, you can measure network path latency, estimate application response time for over 1,200 apps (such as Skype, Facebook, YouTube, etc.), and categorize network traffic by destination IP, port, total traffic volume, etc.
With DPI analysis from SolarWinds, you can measure response times and receive alerts about problems. For example, you can find out why file sync applications like Dropbox or Google Drive are taking too long.
You can also identify high levels of traffic within your corporation that are not related to business, such as social media, dark web browsing, etc. You can either filter this traffic or block it altogether.
A free functional trial for 30 days.
2. Paessler Packet Sniffing with PRTG
A packet sniffer analyzes network traffic in a way similar to DPI. PRTG employs a packet sniffer sensor to capture every packet transmitted on the network and dig deep into its content. To achieve this, PRTG uses different technologies, such as SNMP, NetFlow, WMI, REST APIs, and packet sniffing.
Network admins use PRTG mainly for troubleshooting network problems or collecting detailed statistics. Just like DPI, it can also help identify bandwidth consumption trends, for example a file sync or cloud app that is consuming too much bandwidth. PRTG’s packet sniffer can also help improve the security posture by identifying different types of traffic, such as P2P or possible attacks.
With PRTG you choose a license based on the number of sensors. To give you an idea of the pricing of their predefined sensor packages: PRTG500 (500 sensors for $1,365), PRTG2500 (2,500 sensors for $5,100), and PRTG XL1 (unlimited sensors for $11,500).
A trial of the unlimited version of PRTG for 30 days.
3. ManageEngine OpManager
OpManager by ManageEngine offers DPI functionality for monitoring bandwidth, improving security, and troubleshooting bandwidth-related issues. With DPI, OpManager can provide the most precise information about bandwidth in real time. It inspects packets and reports parameters such as Network Response Time (NRT) and Application Response Time (ART).
OpManager’s DPI feature captures packets and analyses them entirely to identify issues with applications on the network. It can also help find the top bandwidth consumers and categorize them by source, destination, and number of conversations. All this gives network admins full control and allows them to shape traffic and prioritize bandwidth for business-critical apps.
The price is not published, but you can request a price quote.
An entirely free trial for 30 days can be downloaded here: https://www.manageengine.com/network-monitoring/
4. nDPI with ntopng
ntop is a network monitoring suite. It has a variety of products for packet capture, traffic recording, network probes, traffic analysis, and DPI. DPI from ntop is performed by nDPI with the help of ntopng.
nDPI is an open-source, extensible DPI library based on the popular OpenDPI. A network admin can use it to block specific traffic flows, hosts, or network protocols. But since nDPI is only a library, it must be used with other applications such as ntopng and nProbe Cento to enforce the rules. ntopng is the web-based monitoring tool that passively collects traffic from a network interface to show status and performance.
With ntopng and nDPI you can apply L7 policies, such as shaping the traffic of specific applications within a network subnet.
It is free and open-source software.
Find the source code here.
The Netify Agent (Netifyd) is a DPI engine based on the open-source nDPI. The software is capable of categorizing traffic patterns and identifying protocols such as Skype, P2P, Plex Media Server, etc. Netifyd uses DPI to open packets at the application layer, look at HTTPS certificates, and detect websites/apps such as YouTube, Facebook, Netflix, etc.
Netifyd captures traffic passively, which means that it does not block, filter, or manipulate traffic. Netifyd just provides DPI services to other tools. The captured packets are run through the nDPI library to detect packet flows.
Features of Netifyd include:
- DPI through nDPI.
- Detects over 160 protocols.
- Runs on bare metal and embedded systems.
- Detects hostname traffic.
- Provides firewalling and QoS hooks.
- Detects apps.
- Identifies SSL/TLS cipher versions.
- Provides Netflow and bandwidth data.
15 day trial of Netify for free.
Conclusion, What’s Next?
DPI can help improve network security posture by enhancing the functionality of firewalls, IDS, and IPS. It can also shape traffic to solve problems faster and improve bandwidth consumption.
Some DPI solutions can also address the limitations of IDS/IPS. Some services that rely on DPI offer additional functionality such as malware analysis, anti-spam filtering, buffer overflow protection, DoS attack prevention, VPNs, URL filtering, etc.
But DPI is a resource-intensive technology, so it is reserved for large enterprises, ISPs, and even governments. It has always been state-of-the-art network management, and now it is used in scenarios other than security and routing. It is helping companies with Internet data mining, blocking traffic to competitors, eavesdropping, and even Internet censorship.
If you have a powerful server or want to test DPI functionality on a small scale, download one of the tools shown above and give them a try!