Deep packet inspection (DPI) is a technology for the detailed analysis of network traffic from the data link layer (L2) to the application layer (L7) of the ISO/OSI model. It identifies data transfer protocols, applications, and software. It understands what is transmitted in connections and transactions, and it extracts objects from traffic using network protocol parsers and decoders.


Deep packet inspection
Deep packet inspection (DPI) is the foundation for network security systems and an indispensable source of data for detecting network threats, sophisticated targeted attacks, and anomalies.
What is deep packet inspection?
What problems does it solve?
DPI is used to solve both classical and non-classical tasks. Classical tasks performed by DPI are most common in telecommunications and among service providers. Classical tasks include the following functions:
- Traffic prioritization
- Network node profiling
- Access control
- Network attack detection
- Node inventory
- Policy compliance monitoring

DPI from Positive Technologies
Positive Technologies has been developing its own DPI technology since 2015 and continuously improves it for security and IT tasks. Beyond the functions common to all existing DPI solutions, our technology has broader capabilities:
- Captures network packets
- Defragments IP packets
- Parses tunnels of arbitrary nesting (VLAN, GRE, IP-to-IP, VXLAN)
- Protects against flooding
- Identifies sessions
- Stores captured packets in storage and assigns session IDs for quick data access
- Reassembles TCP sessions
- Identifies and parses application protocols (L7)
- Identifies and parses proxy protocols (such as HTTP-proxy and SOCKS5)
- Identifies applications running over the L7 protocol (for example, Telegram)
- Extracts transferred files
- Detects attacks using signature-based methods
All these functions operate at speeds of up to 10 Gbps, and in extreme cases, our DPI can process up to 14 million packets per second. For large traffic volumes, horizontal scaling is provided. The technology maintains maximum throughput, and it reassembles and restores sessions even with packet reordering.

Network packet capture
One of the key tasks of DPI is capturing traffic at the required speeds. To solve this, we used specialized capture hardware and capture frameworks with guaranteed delivery (Napatech cards, AF_PACKET, PF_RING), but this complicated hardware selection. DPDK, a set of libraries and drivers for network packet processing, solved this problem by allowing DPI to work with regular network cards (Intel, Broadcom, Mellanox).
Tunnel parsing
The technology supports a wide range of tunneling protocols, including arbitrarily nested ones. Regardless of the protocol, DPI strips the tunnel encapsulation to reach the original network session between the client and the server. This allows deployment at various network points to analyze traffic from both physical taps (TAP) and equipment supporting traffic mirroring protocols (SPAN, RSPAN, ERSPAN, TZSP).
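As an added illustration of the decapsulation step described above (example code written for this page, not Positive Technologies' DPI implementation), the following parser walks a frame through stacked VLAN tags, GRE (with its optional checksum/key/sequence fields) and IP-in-IP until it reaches the inner TCP or UDP header, and returns the innermost 5-tuple together with the list of tunnel layers it removed. The sample frame is constructed inline (all addresses, the VLAN ID and the GRE key are made-up values); it nests VLAN 100, a keyed GRE tunnel and an IP-in-IP tunnel around an SMB session. The security-relevant point is that session identity, signatures and application detection must all be applied to the innermost headers: a sensor that stops at the outer IP header sees only one GRE flow between two tunnel endpoints and nothing about the SMB session inside it.

```python
import struct

# Constants from the Ethernet and IP protocol-number registries.
ETH_P_IP, ETH_P_8021Q, ETH_P_8021AD, ETH_P_TEB = 0x0800, 0x8100, 0x88A8, 0x6558
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 4, 6, 17, 47


def parse_ethernet(buf, tunnels):
    """Strip the Ethernet header and any stack of 802.1Q/802.1ad VLAN tags."""
    ethertype, = struct.unpack_from("!H", buf, 12)
    offset = 14
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        tci, ethertype = struct.unpack_from("!HH", buf, offset)
        tunnels.append("vlan:%d" % (tci & 0x0FFF))
        offset += 4
    if ethertype != ETH_P_IP:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    return parse_ipv4(buf[offset:], tunnels)


def parse_ipv4(buf, tunnels):
    """Walk one IPv4 header; recurse through IP-in-IP and GRE, stop at TCP/UDP."""
    ver_ihl, _, total_len = struct.unpack_from("!BBH", buf, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    proto = buf[9]
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    payload = buf[ihl:total_len]
    if proto == IPPROTO_IPIP:
        tunnels.append("ipip:%s->%s" % (src, dst))
        return parse_ipv4(payload, tunnels)
    if proto == IPPROTO_GRE:
        tunnels.append("gre:%s->%s" % (src, dst))
        return parse_gre(payload, tunnels)
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack_from("!HH", payload, 0)
        hdr_len = (payload[12] >> 4) * 4 if proto == IPPROTO_TCP else 8
        return {"tunnels": tunnels, "proto": "tcp" if proto == IPPROTO_TCP else "udp",
                "src": src, "sport": sport, "dst": dst, "dport": dport,
                "payload": payload[hdr_len:]}
    raise ValueError("unsupported IP protocol %d" % proto)


def parse_gre(buf, tunnels):
    """GRE (RFC 2784/2890): 4-byte base header plus 4 bytes for each of the C, K, S flags."""
    flags, proto_type = struct.unpack_from("!HH", buf, 0)
    offset = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if proto_type == ETH_P_IP:
        return parse_ipv4(buf[offset:], tunnels)
    if proto_type == ETH_P_TEB:          # Ethernet-over-GRE: start again at L2
        return parse_ethernet(buf[offset:], tunnels)
    raise ValueError("unsupported GRE protocol type 0x%04x" % proto_type)


def decapsulate(frame):
    """Return the innermost 5-tuple and the list of tunnel layers removed to reach it."""
    return parse_ethernet(frame, [])


# --- constructed sample frame (made-up addresses, not captured traffic) -------
def ipv4_hdr(src, dst, proto, payload):
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    # Header checksum left at zero: the parser above does not verify it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       addr(src), addr(dst)) + payload


def gre_hdr(proto_type, payload, key=None):
    if key is None:
        return struct.pack("!HH", 0, proto_type) + payload
    return struct.pack("!HHI", 0x2000, proto_type, key) + payload   # K flag set


def tcp_hdr(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


SAMPLE_FRAME = (
    struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, ETH_P_8021Q)
    + struct.pack("!HH", 100, ETH_P_IP)                      # VLAN 100 tag
    + ipv4_hdr("10.0.0.1", "10.0.0.2", IPPROTO_GRE,
               gre_hdr(ETH_P_IP,
                       ipv4_hdr("192.168.1.1", "192.168.1.2", IPPROTO_IPIP,
                                ipv4_hdr("172.16.0.5", "172.16.0.9", IPPROTO_TCP,
                                         tcp_hdr(40000, 445, b"\xfeSMB"))),
                       key=0x1234))
)

if __name__ == "__main__":
    print(decapsulate(SAMPLE_FRAME))
```

Running the module prints the inner session (172.16.0.5:40000 to 172.16.0.9:445 over TCP) and the three tunnel layers in the order they were stripped. IPv6 and VXLAN (UDP-encapsulated Ethernet) are left out for brevity; they slot in as further branches of `parse_ipv4` and the UDP case respectively.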
Application protocol identification (L7)
DPI supports identification of the most popular protocols using signature-based methods. For protocols without explicit signatures (such as Telegram or encrypted protocols), we use machine learning. ML algorithms analyze side channels, including transmitted data fragment sizes, delays, and character frequency.
Application identification
Today's application protocols are called "application" only nominally. The HTTPS protocol can actually transport millions of different applications (including webmail, social networks, audio/video streaming, and VPNs). Since DPI analyzes traffic without decryption, it sees the TLS protocol, not HTTPS.
Understanding what is inside the protocol requires the app_detect mechanism, which uses the unencrypted parts of a session to identify applications. This may use the TLS SNI field or the JA3 TLS fingerprint. ML algorithms also help identify applications via side channels.
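To make the "unencrypted parts of a session" concrete, here is an added example (written for this page; it is not the app_detect code and makes no claim about how that mechanism is built) that parses a TLS ClientHello, pulls out the SNI host name, and builds the JA3 fingerprint string in its published form (TLS version, cipher suites, extension types, supported groups, EC point formats, each list joined with '-', the fields joined with ',', then MD5). GREASE values are excluded as the JA3 specification requires, because browsers randomize them and they would otherwise split one client into many fingerprints. The ClientHello is constructed inline from made-up values (the host name, cipher list and groups are assumptions, not a real client's hello).

```python
import hashlib
import struct


def is_grease(v):
    """GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ... 0xfafa and carry no meaning."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello into version, ciphers and ordered extensions."""
    ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version, = struct.unpack_from("!H", body, 0)
    pos = 2 + 32                                   # version + client random
    pos += 1 + body[pos]                           # session id
    cs_len, = struct.unpack_from("!H", body, pos); pos += 2
    ciphers = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods
    ext_total, = struct.unpack_from("!H", body, pos); pos += 2
    end, exts = pos + ext_total, []
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos); pos += 4
        exts.append((etype, body[pos:pos + elen])); pos += elen
    return {"version": version, "ciphers": ciphers, "extensions": exts}


def server_name(hello):
    """Return the host_name entry of the server_name extension (type 0), or None."""
    for etype, data in hello["extensions"]:
        if etype == 0:
            pos = 2                                # skip ServerNameList length
            while pos + 3 <= len(data):
                ntype, nlen = data[pos], struct.unpack_from("!H", data, pos + 1)[0]
                if ntype == 0:
                    return data[pos + 3:pos + 3 + nlen].decode("ascii")
                pos += 3 + nlen
    return None


def ja3(hello):
    """Return (ja3_string, ja3_md5) for a parsed ClientHello."""
    def u16_list(data, skip):
        return [struct.unpack_from("!H", data, i)[0] for i in range(skip, len(data), 2)]
    groups, formats = [], []
    for etype, data in hello["extensions"]:
        if etype == 10:                            # supported_groups
            groups = [g for g in u16_list(data, 2) if not is_grease(g)]
        elif etype == 11:                          # ec_point_formats
            formats = list(data[1:])
    s = ",".join([
        str(hello["version"]),
        "-".join(str(c) for c in hello["ciphers"] if not is_grease(c)),
        "-".join(str(t) for t, _ in hello["extensions"] if not is_grease(t)),
        "-".join(str(g) for g in groups),
        "-".join(str(f) for f in formats),
    ])
    return s, hashlib.md5(s.encode()).hexdigest()


# --- constructed ClientHello (made-up values, not a real client) --------------
def build_client_hello(sni, ciphers, groups, point_formats, grease=True):
    def ext(etype, data):
        return struct.pack("!HH", etype, len(data)) + data
    name = sni.encode("ascii")
    sni_ext = ext(0, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    grp = struct.pack("!H", len(groups) * 2) + b"".join(struct.pack("!H", g) for g in groups)
    fmt = bytes([len(point_formats)]) + bytes(point_formats)
    exts = (ext(0x2A2A, b"") if grease else b"") + sni_ext + ext(10, grp) + ext(11, fmt)
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs


SAMPLE_CLIENT_HELLO = build_client_hello(
    "mail.example.com", [0x0A0A, 0x1301, 0x1302, 0xC02B], [0x001D, 0x0017], [0])

if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE_CLIENT_HELLO)
    print(server_name(hello), ja3(hello))
```

For the sample hello the JA3 string is `771,4865-4866-49195,0-10-11,29-23,0`; the GREASE cipher and GREASE extension do not appear in it. Both signals are hints rather than identities: SNI is absent or encrypted in some deployments, and many clients share a JA3, so they are best combined with the side-channel features the text mentions rather than used alone.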
Application protocol parsing
To detect attacks in network traffic, especially in internal networks, knowing the protocol or application is not enough. The specific requests and transmitted data must be analyzed. DPI supports detailed parsing of most protocols widely used in corporate networks, including Windows-specific protocols (DCE/RPC, SMB, LDAP, Kerberos, NTLM).
DPI extracts over 1,200 different fields from traffic for attack detection. Operators use these for session filtering during retrospective analysis, incident investigation, or proactive threat hunting.
DPI also supports file extraction from the HTTP, SMTP, POP3, IMAP, SMB, NFS, FTP, and TFTP protocols. A checksum is computed for every extracted file for IoC-based malware detection. DPI extracts files in-stream and can send them to PT Sandbox for behavioral analysis. For cyberattack investigations, extracted files can be retrieved manually.
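Two of the capabilities described on this page, TCP reassembly that copes with packet reordering (the throughput paragraph above) and in-stream file extraction with a checksum for IoC matching (this section), depend on each other: a file can only be carved and hashed once the byte stream it travels in has been put back in order. The following added example (written for this page, not Positive Technologies' code) implements one direction of a TCP stream reassembler that buffers out-of-order segments, drops retransmissions and trims overlaps, then carves the body of an HTTP/1.1 response using Content-Length and computes its SHA-256. The HTTP response, its file name and body are constructed inline; the sequence-number arithmetic ignores 32-bit wraparound, which a production reassembler must handle.

```python
import hashlib


class TcpStreamReassembler:
    """One direction of a TCP stream. Segments may arrive out of order, duplicated or
    overlapping; bytes are released only once they are contiguous from the initial
    sequence number, so a gap blocks everything behind it until it is filled."""

    def __init__(self, isn):
        self.next_seq = isn           # sequence number of the next byte we expect
        self.pending = {}             # seq -> payload, waiting for an earlier hole
        self.data = bytearray()       # contiguous, in-order stream so far

    def add_segment(self, seq, payload):
        if not payload:
            return
        if seq < self.next_seq:       # retransmission or partial overlap: drop what we have
            overlap = self.next_seq - seq
            if overlap >= len(payload):
                return
            payload, seq = payload[overlap:], self.next_seq
        if seq == self.next_seq:
            self.data += payload
            self.next_seq += len(payload)
            self._drain()
        else:
            self.pending[seq] = payload

    def _drain(self):
        """Release buffered segments that have become contiguous."""
        while True:
            for seq in sorted(self.pending):
                if seq <= self.next_seq:
                    payload = self.pending.pop(seq)[self.next_seq - seq:]
                    self.data += payload
                    self.next_seq += len(payload)
                    break
            else:
                return


def extract_http_body(stream):
    """Split a reassembled HTTP/1.1 response into (headers, body) using Content-Length.
    Returns None while the response is incomplete. Chunked encoding is not handled here."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    length = int(headers.get(b"content-length", b"0"))
    if len(rest) < length:
        return None
    return headers, rest[:length]


def extract_file(stream):
    """Carve the transferred file and hash it; the digest is what an IoC list is matched against."""
    parsed = extract_http_body(stream)
    if parsed is None:
        return None
    headers, body = parsed
    cd = headers.get(b"content-disposition", b"")
    name = cd.split(b'filename="')[1].split(b'"')[0].decode() if b'filename="' in cd else None
    return {"filename": name, "size": len(body),
            "sha256": hashlib.sha256(body).hexdigest(), "body": body}


# --- constructed sample response (made-up file, not captured traffic) ---------
FILE_BODY = b"MZ\x90\x00" + b"\x00" * 12 + b"constructed-sample-payload"
HEADERS = (b"HTTP/1.1 200 OK\r\n"
           b"Content-Type: application/octet-stream\r\n"
           b"Content-Disposition: attachment; filename=\"update.bin\"\r\n"
           b"Content-Length: " + str(len(FILE_BODY)).encode() + b"\r\n\r\n")
RESPONSE = HEADERS + FILE_BODY
ISN = 1000


def reassemble_out_of_order(stream, isn=ISN, size=40):
    """Deliver the stream as segments in reverse order plus one retransmission (constructed)."""
    segs = [(isn + off, stream[off:off + size]) for off in range(0, len(stream), size)]
    r = TcpStreamReassembler(isn)
    for seq, payload in list(reversed(segs)) + [segs[0]]:
        r.add_segment(seq, payload)
    return bytes(r.data)


if __name__ == "__main__":
    info = extract_file(reassemble_out_of_order(RESPONSE))
    print(info["filename"], info["size"], info["sha256"])
```

The carved body and its SHA-256 are what get compared against an IoC list or handed to a sandbox; the name in Content-Disposition is attacker-controlled metadata and should be recorded but never trusted to decide whether a file is worth inspecting.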
Signature-based attack detection
DPI supports Suricata rule syntax, enabling the use of both PT ESC expertise and community-supported rules (ETOpen, ETPro), plus custom rules. While maintaining backward compatibility with the original syntax, DPI extends the engine with new keywords that accelerate and simplify rule creation.
Traffic copy storage
DPI copies all original traffic to specialized storage in near real-time. The storage provides quick access to the original connection packets, which are searchable by session ID and timestamp. Once a session is found in the PT NAD interface, its original packets can be downloaded instantly from petabyte-scale storage, which makes it an ideal data source for incident investigations and is sometimes used as evidence.
Advantages of Positive Technologies DPI
DPI in Positive Technologies products