What is a Deep Packet Inspection?

Deep packet inspection (DPI) is a method of inspecting and analyzing data on a computer network. DPI looks inside packets for information about the type, source, and destination of the data. This type of network monitoring can be used to detect malicious software before it reaches a target computer, as well as to prioritize certain types of traffic. Governments, large corporations, Internet Service Providers (ISPs), and security firms all use deep packet inspection for a variety of purposes.

Computer networks split data into small chunks called packets, which are tiny chunks of data used on the Internet and other computer networks. A packet is much like a piece of mail in an envelope; it contains headers that specify a destination and return address, with useful data inside the packet itself. As packets travel across a network, they may be routed through many different devices, just like a piece of mail traveling through different post office locations. Normally, these devices only look at the packet headers. In devices using deep packet inspection, however, the entire packet is examined.

Packets can either be analyzed in realtime, or might be captured and analyzed later, a practice known as deep packet capture or DPC. Both techniques can reveal a wealth of data about network traffic. Applications may leave telltale signatures or patterns in packets they generate, allowing for accurate detection of program use across a network in realtime. Deep packet inspection is often used in large corporate networks to detect worms, viruses, and trojans that can’t be seen by other security software like firewalls. DPI can also be used to limit or prioritize certain types of network traffic, a practice known as traffic shaping.

ISPs around the world use DPI technology in a variety of ways. Some use it to generate statistical information about the traffic that flows across their network, while others use network appliances — purpose-built hardware that sits on an ISP’s network — to perform comprehensive monitoring of user traffic. The most advanced of these network appliances have the ability to act on this data in realtime. Some broadband providers, for example, use DPI to block or slow down file-sharing services. Network neutrality advocates fear this could lead to a multi-tiered Internet, a system in which the programs and services a customer is able to use online is dependent upon how much the customer pays.

By intercepting a large number of packets, ISPs and governments can reconstruct e-mails, listen in on voice over Internet Protocol (VoIP) calls, or even track users across different websites in order to display targeted advertising. Several ISPs in both the U.S. and U.K. have used this more advanced version of deep packet inspection to inject targeted advertising into websites their customers visit. Governments sometimes use DPI for surveillance and censorship purposes on the Internet. For example, China’s Golden Shield Project, also known as “The Great Firewall of China," is believed to use DPI. The U.S. National Security Agency has used commercial network appliances with deep packet inspection to monitor e-mails and VoIP calls.