OPPapers.com

Deep Packet Inspection

Deep packet inspection
DPI is next-generation technology that's capable of inspecting every byte of every packet that passes through the DPI device. That means packet headers, types of applications and actual packet content.
Up until now, this wasn't possible with intrusion-detection or intrusion-prevention systems (IDS/IPS) or stateful firewalls. The difference is that DPI has the ability to inspect traffic at layers 2 through to 7 — hence the 'deep' in DPI.
A simple analogy would be that of snail mail. IDS/IPS firewalls would be the mail sorters who just read the letter's address, knowing nothing about the letter's content. Inspecting internet traffic from layers 2 through to 7 would correspond to the person who actually reads the letter and understands the contents.
To recap, DPI allows the people controlling the device to know everything, including the payload of each packet in the data stream. For example, if an unencrypted email is scanned, the actual body of the email can be reassembled and read.
Nate Anderson wrote an excellent Ars Technica article, Deep packet inspection meets net neutrality, Calea, in which the following quote appears:
"Deep packet inspection refers to the fact that these boxes don't simply look at the header information as packets pass through them. Rather, they move beyond the IP and TCP header information to look at the payload of the packet. The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble emails as they are typed out by the user."
Anderson also explained what happens at layer 7:
"Layer 7 is the application layer, the actual messages sent across the internet by programs like Firefox or Skype or Azureus. By stripping off the headers,...