With the proliferation of networks and devices in our society, the need for operators and enterprises to monitor the traffic traversing the data domains they manage increases. Deep packet inspection (DPI) has long been the preferred tool for conducting deep network analytics. Its ability to detect and classify IP traffic in real time and down to the level of protocols, applications and service types makes it an invaluable tool to filter traffic at any point along the network.
The many flavors of DPI
As a traffic classification technology, DPI can be deployed physically or virtually. In the physical form it ships as a standalone appliance or is embedded into other networking devices. In the virtual form it is deployed as software, typically as a virtual network function (VNF) running on virtual machines. DPI software is also often integrated into other software-based network functions such as firewalls and routers.
DPI can be deployed on premises or operated in the cloud; in the latter case the engine analyzes network traffic on demand from remote data centers. A DPI engine can be developed in-house by a software vendor or by a manufacturer of network equipment such as routers, or it can be licensed from a specialist provider such as ipoque.
Why not open source?
A key consideration when planning a DPI deployment is open-source vs. commercial DPI. Open-source software is distributed under a license that grants the right to inspect, modify and redistribute the source code. Open source is on the rise: between 2020 and 2026, open-source services are expected to grow at a CAGR of ~21.75 %.1 This trend also applies to the telecommunication industry. The Linux Foundation's networking branch, for example, currently has over 100 members who together account for about 70 % of the subscriber base of the global telecom industry.2
DPI is also available as open source. In this model, however, upkeep and innovation depend on a number of parties. The traffic patterns that indicate suspicious traffic or malware change quickly, and in open-source DPI projects the signature libraries used for pattern matching are maintained collaboratively. The engine code itself is likewise updated and improved through collaboration that extends beyond any single company.
The market offers a number of open-source DPI tools. nDPI is one of them; it descends from the code base of OpenDPI, the first open-source DPI project, which ipoque released in 2009. Its code base covers signatures for common protocols, giving the market a simplified DPI technology suitable for basic use cases. Other open-source DPI projects include l7-filter, a classifier for the Linux Netfilter framework, and Hippie, another Linux kernel-based classifier. The code behind these engines can be inspected freely, usually on GitHub, where the projects keep repositories that any enterprise can clone and run locally for its own needs.
A question of reliability
When it comes to choosing between open-source DPI and commercial DPI, the latter offers some advantages that its open-source cousins cannot match. Commercial solutions such as our own OEM DPI engine R&S®PACE 2 have proven more reliable than their open-source counterparts. A study that tested several DPI tools against a large database of network traffic found that a commercial solution was the most accurate in classifying traffic at various layers of the OSI model.3 In practice, this means that commercial DPI engines such as R&S®PACE 2 classify packets from messaging apps such as WhatsApp or Signal more accurately, down to application attributes such as text, audio and video, and so provide real-time, in-depth visibility of the traffic.
A key factor in the reliability of a DPI technology is how often its signature libraries are updated. Our R&S®PACE 2 library, for example, is updated with new applications and protocols on a weekly basis. Because most protocol and application changes are not publicly announced, a sophisticated automated testing infrastructure is needed to keep classification accurate. Open-source DPI does not offer this assurance. Commercial DPI solutions such as R&S®PACE 2 run frequent automated tests to validate identified traffic patterns and to ensure that existing classifications are free from false positives. Keeping the engine up to date is what keeps the share of unclassified traffic low.
Commercial DPI takes traffic detection a notch higher with its ability to classify encrypted and obfuscated traffic. A DPI engine does not decrypt such traffic; it classifies the flow from what remains observable, such as handshake metadata and packet size and timing statistics, which requires advanced methods such as statistical and behavioral analysis and machine learning that the open-source versions do not provide. These methods, combined with the frequency with which new signatures are added to the libraries, ensure that commercial deep packet inspection keeps classifying traffic through protocol changes such as the move to Transport Layer Security (TLS) 1.3, which encrypts more of the handshake than its predecessors and has seen a surge in use over the past year.
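To make the classification problem described above concrete, here is an added example written for this edit; it is not code from ipoque, nDPI, l7-filter or any other project named on the page. It combines two techniques the passage refers to: plaintext signature matching (regexes in the style of l7-filter, written here as assumptions rather than copied from that project) and classification of encrypted TLS traffic from handshake metadata, by parsing the ClientHello for the Server Name Indication and the offered TLS versions. The byte layout follows RFC 8446; the protocol labels, signatures and sample packets are constructed for the example. The TLS 1.3 detail it demonstrates is that a TLS 1.3 ClientHello still carries 0x0303 (TLS 1.2) in its legacy_version field and advertises the real version in the supported_versions extension, which may also contain GREASE placeholder values, so a classifier that reads only the version field in the record or handshake header will mislabel TLS 1.3 traffic.

```python
"""Toy DPI classifier: plaintext signatures plus TLS ClientHello metadata.
Added example (not vendor or project code); layouts per RFC 8446."""
import re
import struct

# Assumed plaintext signatures; a production library holds thousands of these.
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
]

TLS_VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def is_grease(v: int) -> bool:
    """GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ... 0xfafa and must be ignored."""
    return (v & 0x0F0F) == 0x0A0A


def parse_client_hello(payload: bytes):
    """Return {'sni': str|None, 'version': str} for a TLS ClientHello record, else None."""
    # Record header: type(1)=0x16 handshake, version(2), length(2); handshake type 0x01.
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    hs_len = int.from_bytes(payload[6:9], "big")
    body = payload[9:9 + hs_len]
    if len(body) < hs_len or len(body) < 35:
        return None  # truncated record: refuse to guess
    legacy_version = int.from_bytes(body[0:2], "big")  # 0x0303 even for TLS 1.3 clients
    pos = 2 + 32                                       # skip client_version + random
    sid_len = body[pos]; pos += 1 + sid_len            # session_id
    if pos + 2 > len(body):
        return None
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2 + cs_len   # cipher_suites
    if pos >= len(body):
        return None
    comp_len = body[pos]; pos += 1 + comp_len          # compression_methods
    sni, versions = None, []
    if pos + 2 <= len(body):
        ext_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:      # server_name, host_name
                name_len = int.from_bytes(edata[3:5], "big")
                sni = edata[5:5 + name_len].decode("ascii", "replace")
            elif etype == 43 and len(edata) >= 1:                     # supported_versions
                n = min(edata[0], len(edata) - 1)
                versions = [int.from_bytes(edata[1 + i:3 + i], "big") for i in range(0, n - 1, 2)]
    real = [v for v in versions if not is_grease(v)]
    negotiable = max(real) if real else legacy_version
    return {"sni": sni, "version": TLS_VERSION_NAMES.get(negotiable, hex(negotiable))}


def classify(payload: bytes) -> dict:
    """Signature match first; otherwise try to read TLS handshake metadata."""
    for name, rx in SIGNATURES:
        if rx.match(payload):
            return {"protocol": name}
    tls = parse_client_hello(payload)
    if tls:
        return {"protocol": "tls", **tls}
    return {"protocol": "unknown"}


def build_client_hello(sni: str, offered_versions) -> bytes:
    """Constructed sample ClientHello (not captured traffic) with SNI and supported_versions."""
    host = sni.encode()
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ver_list = b"".join(struct.pack("!H", v) for v in offered_versions)
    sv_ext = bytes([len(ver_list)]) + ver_list
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext + struct.pack("!HH", 43, len(sv_ext)) + sv_ext
    body = (struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00"  # legacy_version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                       # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample payloads (not real traffic).
SAMPLES = {
    "http": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
    "tls13": build_client_hello("chat.example.test", [0x1A1A, 0x0304, 0x0303]),  # GREASE + 1.3 + 1.2
    "tls12": build_client_hello("legacy.example.test", [0x0303]),
    "noise": b"\x00\x01\x02garbage",
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, classify(pkt))
```

The SNI is the main plaintext selector left in a TLS 1.3 handshake, since the server certificate is now encrypted; a real engine supplements it with cipher-suite and extension fingerprints and per-flow statistics, which is where the machine-learning methods mentioned above come in.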
More importantly, compared to open-source solutions, commercial DPI provides an unrivalled breadth in terms of coverage of applications and protocols. R&S®PACE 2 boasts thousands of signatures, while open-source DPI often offers just a fraction of those, which results in many packets not being identified. Commercial DPI is also enriched with insights on localized versions of major applications and protocols received from clients globally, increasing its overall reliability and classification accuracy.
Security beyond static codes
Reliability plays a critical role in safeguarding network security. In this regard, commercial DPI solutions also outperform open-source solutions. DPI is often deployed by enterprises managing critical applications which, if compromised, can lead to severe productivity and financial losses. Consistent updates to their libraries on patterns of suspicious and malicious traffic enable commercial DPI solutions such as R&S®PACE 2 to provide reliable and highly accurate data for onward processing by network security tools such as IPS, IDS and firewalls. Commercial DPI solutions are often built to integrate seamlessly with these tools, lending them an added advantage in delivering network security, including insights hidden in encrypted and obfuscated data packets, over their open-source counterparts.
Commercial DPI offers another advantage in terms of security. Open-source DPI code is developed jointly and is therefore readable by everyone, including threat actors, who can study the signatures, filters and libraries and craft traffic that evades them. This is an advantage of obscurity rather than of design: a closed engine's signatures can still be probed by sending test traffic and observing what is classified, so the more durable protection is a fast update cadence that replaces an evaded signature before the evasion spreads.
The speed with which deep packet inspection tools process traffic is another key aspect. DPI inherently adds some latency to any network. Without adequate optimization, this can significantly impair latency-sensitive applications such as remote surgery and cloud gaming. Commercial DPI engines, often bound by strict SLAs and shaped by deployments in specialized environments such as 5G networks, are highly optimized to keep latency low and network performance high. Open-source deep packet inspection tools, by contrast, are developed for general traffic filtering without the same emphasis on network performance and related SLAs.
Cost is a further factor. Open-source DPI saves on licensing fees but incurs other outlays: training in-house teams, and hiring third-party vendors for further customization. These costs escalate as new features are developed for specific use cases. The picture is different for commercial DPI software, which comes with a ready set of added features including protocol decoders, dissectors, operating system detection, voice over IP (VoIP) extraction, performance KPIs and more.
Finally, in case problems arise, commercial DPI is likely to offer much better customer support. Open-source projects rely on voluntary participation in troubleshooting. As a result, issues often take a long time to be resolved, and updates to mitigate future issues are slow to follow. Commercial software, on the other hand, typically comes with dedicated customer support taking care of these needs.
Customers looking to speed up their product cycles in a competitive marketplace are best served by a commercial DPI solution that offers a feature-rich engine with an extensive library, which would otherwise take many man-years and considerable development cost to build. Licensing a commercial DPI solution frees up internal resources and lets the customer focus on their core competencies. Commercial DPI also comes with fast and easy integration, facilitated by DPI experts who are well-versed in the potential errors, risks and integration complexities.
Overall, commercial DPI is more likely to fulfill the needs of most clients in most circumstances. Open-source technology has its place in the software market, but DPI is a different story — one of critical, complex and rapidly growing traffic environments. In such a setting, customers are well-advised to use services and products that are provided by vendors that have a brand to protect and develop. These motivations are more likely to lead to the best responses in code updates, patching and issue resolution. As a result, high-stakes companies will face less hassle in tending to the performance and security of their networks, freeing up resources to create the value that is their mission.
Download the R&S®PACE 2 service and support brochure and discover our individual customer service portfolio that helps you to innovate and transform your business with DPI faster and more securely.