DPI-driven application and protocol classification

Christine Lorenz portrait

By Christine Lorenz
Published on: 05.11.2021

Deep packet inspection (DPI) is a method of inspecting data passing through a network. IP traffic in a network consists of packets, which in turn consist of a header and a payload. The header, divided into the packet and segment header, contains basic information about the source and destination IP address, etc., while the payload is the actual message being transmitted. While shallow types of packet inspection only look at the packet header, DPI examines the payload to garner deeper insights into the traffic.

The art of traffic classification

These insights provided by DPI include information on protocols, applications and service types associated with an IP traffic flow. DPI engines such as R&S®PACE 2 are embedded in network equipment deployed by network managers, security solution providers and mobile operators to enable real-time identification and classification of IP traffic. This is done through a variety of techniques, namely port-based matching, pattern matching and encrypted traffic intelligence. Port-based matching makes use of the fact that each IP address is assigned a port number that can be tied to a particular protocol. Each data packet contains information about the source and destination port that, if inspected, yields information about the protocol of the traffic. For example, data associated with the transmission control protocol (TCP) or the user datagram protocol (UDP), as part of layer 4 of the OSI stack, can be identified by their port numbers.

Pattern matching uses a comprehensive library of known signatures or data strings that are reflective of a certain protocol, application or service type. R&S®PACE 2 takes this to the extent of covering VPN and anonymizing signatures and allows to add signatures. Matching the signatures of the payload of the present traffic with the signature library thus provides another means of identifying IP traffic in real time.

Lastly, encrypted traffic intelligence methods are used for detecting encrypted, obfuscated and anonymized traffic where pattern matching cannot work. They include behavioral analysis, statistical/heuristic analysis and machine learning. The behavioral analysis looks for patterns in communication behavior, such as absolute and relative packet sizes, data and packet rates per flow, the number of flows and new-flow rate per application. The statistical analysis calculates statistical indicators, such as the mean, median and variation of values and the entropy of a flow. These processes also yield application awareness and traffic insights and, furthermore, can be automated through machine learning and deep learning.

Classify, filter and manage

Such capacity for traffic management opens up a range of use cases for network providers and their consumers. Most directly, deep packet inspection can be used to enhance network security. Any data packets with malicious intent, whether in the form of cyberattacks or data theft, can be identified with the IP traffic visibility enabled by DPI, protecting network operators and users alike. For example, if a data packet has a signature also typical of malware, operators or corporate IT managers could shut down incoming traffic from that address, take steps to secure servers, devices or applications that could be infected and design policies to prevent such attacks.

This overlaps with another possibility enhanced by DPI, which is mobile traffic management. As companies allow workers to connect to the corporate network remotely or bring their own devices to work, it is crucial to monitor network usage to ensure that unauthorized devices are not connecting or tethering to the network and that authorized devices are not misusing it. This can be ensured by incorporating DPI into the broader network management, with the ability to identify applications and protocols bolstering IT management.

Overall, the total flow visibility that DPI provides is a valuable complement for companies to approaches that have accelerated as a result of the COVID-19 pandemic, such as software-defined wide-area networks (SD-WAN) and secure access service edge (SASE). Software-defined network functions and cloud-based security tools are enabling the post-pandemic economy, but they come with their vulnerabilities. These can be remediated and filtered out through DPI-enabled protocol and app classification, which provides SASE setups with the input needed to carry out their security functions, such as zero-trust network access (ZTNA), secure web gateway (SWG) and web API protection as a service (WAPaaS). As network as a service and security as a service blend together, deep packet inspection may prove to be the mediator needed to concretize and fortify this blend.

Traffic classification is useful not only for the security aspects of cloud-based and software-defined networking but also for digital experience monitoring (DEM) in general even when there are no security concerns. Users interact with public and private companies using an ever-increasing plethora of devices and applications that interact differently with further applications and services. With packet-level analytics and classification, IT managers are able to quickly diagnose application performance issues. For example, application-specific performance metrics, such as bandwidth consumption, transmission control protocol (TCP), round-trip time (RTT), out-of-order and retransmission counters, etc., can identify bottlenecks where various users who bring diverse digital habits to the network may encounter problems.

Better service for customers

Mobile and fixed operators would also benefit from the insights brought by deep packet analysis to improve customer experience. By identifying which customers in which areas are using which applications and services on a network at what times, operators can offer custom plans and tiers suited to the usage patterns of all types of customers. For example, by identifying port numbers for file transfer (20, 21, 22, 989, 990) or VoIP (5060) and other features of their specific network usage, an operator might better understand a user group's needs and devise plans best suited to their needs.1

These insights can also be used by providers of public or private internet hotspots to offer similar service classification schemes for in-house customers. Whether through usage-based or premium passes, such packages could offer the best bundles for usages in high demand. By knowing which usages are most popular or require prioritization, operators could offer priority spots to premium customers when bandwidth is more congested.

Last but not the least, DPI is also useful in domestic networks. Parents can use the real-time traffic identification capacities of R&S®PACE 2 to make sure that their children are not exposing themselves to dangerous or inappropriate content. With the visibility provided by deep packet inspection, traffic can be filtered based on protocol, application or service for family-appropriate needs. The classification capabilities provided by DPI thus allow for context-aware traffic management in settings outside of standard corporate network operations.

Classifying the future

It is universally accepted that network and computing technologies are only going to proliferate in the coming decades. Already, there are more mobile and computing devices than people in the world. The iOS app store, which launched with 500 apps in 2008, now offers almost 2 million apps and Google Play Store for Android offers over 2.5 million apps.2 This does not even capture the growth in corporate software and cloud services. Overall, traffic management and security procedures will have to get more effective and complex. Extensive application signature libraries are expected and classifying traffic through the cloud and in real time will be even more critical for managing new applications. R&S®PACE 2 is in the vanguard of fulfilling these needs, already offering weekly updates, having thousands of signatures in its library and a dedicated team of experts who continuously test traffic captures for new versions of applications.

As the internet is at the center of more and more business, application awareness will be needed even more to enable an optimal distribution of network content. New and intensified security threats will emerge as business and commerce virtualize. Ransomware, in particular, is becoming "the single biggest threat" in organized crime.3 This naturally calls for commensurate security responses. The basis for such responses is the kind of traffic filtering and total flow visibility offered by DPI. Without being able to know what type of data is behind any dynamics — whether good or bad — in the new economy, it is impossible to meaningfully control or increase it. DPI provides the bedrock for such insights and classification.


[1] https://www.pcmag.com/encyclopedia/term/well-known-port
[2] https://www.businessofapps.com/data/app-statistics
[3] https://www.economist.com/international/2021/05/06/new-technology-has-enabled-cyber-crime-on-an-industrial-scale

Christine Lorenz portrait

Christine Lorenz

Contact me on LinkedIn

Christine is DPI marketing expert at ipoque, joining the company in 2013. With her background in marketing communications, she is passionate about making people aware of the capabilities of traffic analytics and DPI use cases. Christine is a lover of Vietnamese food and spends most of her spare time running and cycling, exploring nature and the outdoors and dreaming of becoming a ranger in a national park.

Related material

ipoque blog - discover the latest news and trends in IP network analytics

Sign up for the ipoque newsletter

Stay informed about the latest advances and trends in
deep packet inspection and network traffic visibility