Life of DPI

Deep Dive

Life of DPI

By Ken Osowski, Director of Solutions Marketing  |  May 20, 2013

Here we go with another magazine article about dots per inch, otherwise known as dpi. I’m joking, of course.

Fortunately, for you the reader I will be tackling another acronym with the same letters, but it stands for deep packet inspection, or DPI, and has much more meat on the bone as far as technologies go. 

Acronyms are everywhere in high tech, and this is yet another example of the confusion they can create regarding which technology they are referring to. Dots per inch is a lowercase acronym, and deep packet inspection is an uppercase one, so this should help to eliminate any confusion. In this monthly column I will attempt to demystify DPI and show by example how useful this technology is for both private network owners and public network operators.

Packet inspection is the process by which network data traffic flows or sessions are examined. It can take the form of a network appliance that performs a specific function like a firewall or residential gateway, or it can be implemented as a purpose-built platform whose only role is to examine network data traffic for the sake of monitoring it and classifying it. In the appliance case, specific actions are taken based on what the DPI is looking for and what it finds. In the purpose-built case, traffic statistics are gathered in real-time and then reported on later. If policy management is associated with DPI to provide intelligent enforcement, then custom actions can be taken that help service providers to define specific subscriber services. Carrier-grade, purpose-built DPI platforms deployed in large service provider networks may in fact report on network traffic in real time, opening up a dynamic new view to what their network and subscribers are doing.

What makes deep packet inspection deep? Is there shallow packet inspection? These questions can be answered by looking at what packet is referring to. Packets can be described at the mile-high view as representing either header or payload data. The header includes the senders and recipient’s Internet protocol address for network routing, protocol usage, and information to re-assemble packets at the destination. Payload packets represent the data, what format it is in, whether it is encrypted or not, and the application used to interpret the data. So the word deep in DPI refers to examining the payload data packets and not just the headers. Shallow packet inspection refers to the processing of packet headers. The ironic part of this is that DPI is processed at the upper layers of the OSI 7-layer model, in layers 5, 6, and 7. Payload packets represent content, and as we all know content is king on the Internet.

So how do DPI platforms examine and classify traffic? To classify traffic in real-time, DPI platforms compare the traffic they see with a database including thousands of known traffic signatures. These signatures are syntactically unambiguous definitions of how protocols and services are recognized – like SMTP or HTTP – and how they are used in the context of application usage such as Flash Video over HTTP. Creating and maintaining signatures requires constant vigilance on the part of a DPI vendor to understand how emerging protocol usage should be classified to create an accurate, fine-grained picture of network usage. And just like ongoing efforts to combat new Internet viruses, developing relevant signatures can involve employing network forensics when creating new signatures for recognition. For example, network users can mask their traffic to avoid classification of their lengthy P2P file transfers by using protocols that are not usually associated with P2P file transfers such as SIP or RTP.

There are a few DPI analogies that can be made with the recent movie “Life of Pi”. The first is that one needs to get the signatures right, because, like the characters in the movie, they may not be who they appear to be. If signatures are not recognized properly, then the network analysis will suffer with inconsistencies or errors. Second, staying alive in a lifeboat and analyzing network traffic are both real-time activities. Real-time statistics reporting brings immediate clarity to what the network is doing by identifying who and what are consuming the bandwidth. When that information is used properly it can directly translate into improved network QoS and survivability. For enterprises and service providers utilizing DPI, it is not all about avoiding storms that may or may not bring down the ship, but it will certainly make for smoother sailing and a better balance sheet.

Ken Osowski (News - Alert) is director of solutions marketing at Procera Networks (

Edited by Stefania Viscusi