Is All DPI Created Equal?

Deep Dive

Is All DPI Created Equal?

By Ken Osowski, Director of Solutions Marketing  |  July 29, 2013

The main function of deep packet inspection platforms is to classify data traffic so that network activity can be monitored or acted upon. Basic network monitoring enables owners to analyze throughput levels to manage traffic. However, the first measure of DPI equality is: What level of awareness is possible when reporting on throughput conditions? In other words, can the platform understand traffic from the perspective of a subscriber/user, location, or device; or application usage, property, QoE, and category? This is important in understanding how both mobile and fixed broadband subscribers are using a service provider’s network.

DPI platforms analyze network traffic in different ways, much like a fingerprint or DNA database where patterns of classification are pre-established. This information is referenced against a criminal suspect to determine if there’s a match. If you think of a data traffic session as a lineup of suspects, a fingerprint-like mechanism called signatures is used to help identify and classify traffic in real time by examining Layer 7 packet information. Just as with fingerprint/DNA classification schemes, signatures need to be updated constantly to improve classification success rates. Just-in-time signature database updates improve accuracy, thereby increasing cost savings or revenue capture for subscriber-based network services.

It is not enough to classify traffic by website URLs alone, since the mechanics of the access are the most important aspect to classify. Traffic flowing through a DPI platform needs to be continuously analyzed in multiple ways with minimal impact on latency. All packets contain information regarding source and destination IP address, VLAN ID, port and protocol. To create a context of usage, packets are associated with user-initiated sessions that occur over time that can help signature mechanisms understand a pattern of access. Analyzing these session connections in the context of protocol behaviors determines the type of traffic, which can include HTTP, FTP, BitTorrent (News - Alert), SIP and hundreds of other protocols. Other properties of classification are established by examining the information within these packets, such as the SIP calling, IRC channel, or FTP file transfer name.

Advanced traffic classification functions include the ability to detect and classify session flow behavior as random looking protocol behavior, downloads, streaming, or interactive. Session analysis logic that identifies connection patterns such as authentication and login sequences is also possible, and can detect intentionally evasive traffic behavior by identifying varying packet size, distribution, and patterns over time. All of this combines to help network operators achieve a very high percentage of accurate classifications for all traffic monitored.

The second key question is: How do DPI platforms enforce policies based on traffic classification? Policy platforms formulate actions that need to be enforced, and DPI identifies the traffic for enforcement mechanism. In the example of a mobile family service plan, DPI tracks data usage in real time across multiple devices, enabling policy platforms to determine when a subscriber has reached his or her data limit. Without DPI, this would be impossible. Once limits are reached, the DPI platform can notify the policy platform for the subscriber to be warned or presented with a data quota upgrade option in real time. The policy platform’s role is to interface to OSS/BSS systems in a service provider network to get information about the service plan, identifying each device and its associated data quota to create policies that establish the boundaries of the service. Acting on the conditions met by classifying the traffic can result in limiting bandwidth, packet rate, or connection rate when users surpass limits. It can also prioritize traffic where certain usage is favored or filter traffic, selectively accepting, rejecting, dropping, re-writing, or diverting (steering) it. All of these policies and actions in concert are the basis for DPI-based policy management monetization.

In mobile and converged networks, 3GPP network policy and charging control components include the policy and charging rules function, policy and charging enforcement function, online charging system, and offline charging system. In this ecosystem, the DPI platform interacts with these network elements as the PCEF – the enforcement function.

All DPI platforms are not created equal. In fact, DPI is typically designed to handle specific network applications, especially DPI functions integrated in a dedicated network element such as a router or GGSN. This narrows its classification abilities, since performing unnecessary actions would steal compute cycles from the component’s main function. For stand-alone DPI platforms, all classification schemes are not the same. You wouldn’t want people driving through traffic lights on a red signal and stopping on green. Getting traffic classification wrong can mean enforcing a policy at the wrong time and living with either the increasing network costs of addressing congestion, or the service revenue leakage that could be avoided.

Ken Osowski (News - Alert) is director of solutions marketing at Procera Networks (

Ken Osowski is director of solutions marketing at Procera Networks (News - Alert) (

Edited by Stefania Viscusi