
Splunk Lantern

Deep packet inspection data

Deep Packet Inspection (DPI) is a fundamental technique used by firewalls to inspect both the headers and the payload of network packets before forwarding them, subject to security rules. DPI provides information about the source and destination of the packet, the protocol, other IP and TCP/UDP header fields, and the actual data carried. In the Common Information Model, deep packet inspection data is typically mapped to the Network Traffic data model.

DPI provides raw information about everything transmitted over a network, including things that are not part of a log, or are difficult to extract from one, such as database query results. PCAP data can also be used to identify:

  • DNS session analysis for malicious domain communications from each endpoint
  • Abnormal amounts of traffic or sessions
  • Abnormal amounts of domain and host communications
  • Known malicious traffic from a host
  • Expired SSL certificate analysis
  • Abnormal host communications (internal and external)
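As an added example (not part of the original page), the following search covers the "abnormal amounts of traffic or sessions" case above against DPI data that has been mapped to the CIM Network Traffic data model: it counts allowed sessions per source host per hour and flags hours that sit more than three standard deviations above that host's own average. It assumes the data model is accelerated (for `summariesonly=true`) and that the 3-sigma threshold is a tuning value to be adjusted per environment.

```spl
| tstats summariesonly=true count AS session_count sum(All_Traffic.bytes) AS total_bytes
    FROM datamodel=Network_Traffic.All_Traffic
    WHERE All_Traffic.action="allowed"
    BY All_Traffic.src _time span=1h
| rename All_Traffic.* AS *
| eventstats avg(session_count) AS avg_sessions stdev(session_count) AS sd_sessions BY src
| where sd_sessions > 0 AND session_count > avg_sessions + 3 * sd_sessions
| eval z_score = round((session_count - avg_sessions) / sd_sessions, 2)
| table _time src session_count total_bytes avg_sessions z_score
| sort - z_score
```

The `sd_sessions > 0` guard drops hosts with a flat baseline, where no hour can be an outlier and the z-score division would otherwise be undefined.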

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: