
Splunk Lantern

Deep packet inspection data

 

Deep packet inspection (DPI) data refers to the detailed information extracted from the payload (the actual content) of network data packets, in addition to their headers. Unlike traditional packet filtering, which only examines basic header information like source/destination IP addresses and port numbers, DPI software delves deeper into the packet to analyze the data itself. This allows for a much more granular understanding of network traffic, enabling various advanced functions in cybersecurity, network management, and content control.

DPI software operates by intercepting and analyzing data packets as they traverse a network. It can inspect data across multiple layers of the OSI model, from Layer 3 (Network Layer) up to Layer 7 (Application Layer), where the actual data payload and application-specific protocols reside. This detailed analysis allows DPI to identify specific applications, protocols (even if they use non-standard ports), content types, and even specific keywords or behaviors within the data stream.

The data extracted by DPI software goes beyond simple metadata and includes:

  • Application and protocol identification: The specific application generating the traffic (for example, WhatsApp, Netflix, BitTorrent, Skype) and the underlying protocols being used (for example, HTTP, HTTPS, DNS, VoIP).
  • Content signatures: Patterns or signatures within the payload that indicate specific types of content, such as malware, viruses, spam, or unauthorized data.
  • Behavioral and heuristic data: Information about traffic behavior, anomalies, and deviations from normal patterns, which can indicate suspicious activities or zero-day threats.
  • Metadata from payload: Attributes like bandwidth used, traffic speed, latency, jitter, user locations, and types of devices.
  • Specific keywords or data patterns: In some cases, DPI can identify specific text strings, file types, or sensitive data (for example, credit card numbers, Social Security Numbers) within the payload.

Examples of how deep packet inspection data is used include the following:

  • Network security software:
    • Malware detection and blocking: DPI software analyzes packet payloads for known malware signatures or suspicious code, blocking malicious traffic before it can infect systems.
    • Intrusion detection: It identifies and flags anomalous traffic patterns or protocol non-compliance that could indicate a network intrusion or attack.
    • Data loss prevention (DLP): DPI tools inspect outbound traffic to prevent sensitive information (for example, intellectual property, personally identifiable information, financial data) from leaving the network without authorization.
    • Botnet detection: By analyzing communication patterns within the payload, DPI can identify traffic associated with botnets.
  • Network performance management and optimization software:
    • Traffic shaping and quality of service (QoS): DPI data allows network administrators to identify different types of traffic (for example, VoIP, video streaming, peer-to-peer) and prioritize or throttle bandwidth accordingly to ensure optimal performance for critical applications.
    • Application performance monitoring: By understanding which applications are consuming bandwidth and how they are performing, DPI helps troubleshoot network issues and optimize resource allocation.
  • Content filtering and policy enforcement software:
    • Internet censorship and content blocking: Governments and organizations use DPI to block access to specific websites, applications, or types of content based on predefined policies.
    • Compliance monitoring: DPI can ensure adherence to regulatory policies by monitoring and logging network traffic for specific activities or data types.
  • Cybersecurity analytics and forensics software:
    • Threat hunting: Security analysts use DPI data to proactively search for indicators of compromise and uncover hidden threats within network traffic.
    • Incident response: In the event of a security incident, DPI logs provide detailed insights into the nature of the attack, the data involved, and the attacker's methods, aiding in investigation and remediation.
  • Internet service provider (ISP) management software:
    • Lawful intercept: ISPs use DPI to comply with legal requirements for intercepting and monitoring communications.
    • Tiered services: DPI can differentiate traffic to offer varying levels of service based on user subscriptions or data plans.
    • Copyright enforcement: Identifying and potentially throttling or blocking traffic related to illegal file sharing.
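The following Python script is an added illustration, not code from the Splunk Lantern page or from any DPI product. It runs a toy DPI pass over a few constructed packets and shows two of the capabilities described above: identifying the application protocol from payload signatures rather than from the port (so HTTP on 8080 and SSH on 2222 are still recognized), and a DLP-style scan of the payload for credit card numbers (with a Luhn check to cut false positives) and SSN-shaped strings. The packet contents, the signature table, and the port table are all constructed for the example.

```python
"""Toy deep-packet-inspection pass over constructed packets (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


# Application-layer signatures matched against the start of the payload.
# A real DPI engine keeps thousands of these; three are enough to show
# that the decision is made on content, not on the port number.
SIGNATURES = (
    ("http", re.compile(rb"^(?:GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x04]")),  # record type 22 (handshake), version 3.x
    ("ssh", re.compile(rb"^SSH-2\.0-")),
)

# Port-based guess used only when no payload signature matches. It is
# reported with weaker evidence because ports are trivially changed.
WELL_KNOWN_PORTS = {80: "http", 443: "tls", 22: "ssh", 53: "dns"}

# Sensitive-data patterns for the DLP check (run on the decoded payload).
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def identify_app(pkt: Packet) -> tuple[str, str]:
    """Return (application, evidence); evidence is 'payload', 'port' or 'none'."""
    for name, sig in SIGNATURES:
        if sig.match(pkt.payload):
            return name, "payload"
    for port in (pkt.dst_port, pkt.src_port):
        if port in WELL_KNOWN_PORTS:
            return WELL_KNOWN_PORTS[port], "port"
    return "unknown", "none"


def find_sensitive_data(payload: bytes) -> list[str]:
    """DLP check: card numbers that pass Luhn, and plausibly formatted SSNs."""
    text = payload.decode("utf-8", errors="ignore")
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("credit_card")
    for m in SSN_RE.finditer(text):
        area = m.group(1)
        if area not in ("000", "666") and not area.startswith("9"):
            findings.append("ssn")
    return findings


def inspect(pkt: Packet) -> dict:
    """Inspect one packet: protocol identification, then payload scanning."""
    app, evidence = identify_app(pkt)
    encrypted = app == "tls"  # TLS payload is opaque; only handshake metadata is visible
    findings = [] if encrypted else find_sensitive_data(pkt.payload)
    return {"dst_port": pkt.dst_port, "app": app, "evidence": evidence,
            "encrypted": encrypted, "findings": findings}


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS = [
    # HTTP on a non-standard port, with a valid-checksum card number in the body
    Packet(51000, 8080, b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
                        b"card=4111 1111 1111 1111&cvv=123"),
    # Start of a TLS ClientHello on 443: content cannot be pattern-matched
    Packet(51001, 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    # SSH banner on a non-standard port
    Packet(51002, 2222, b"SSH-2.0-OpenSSH_9.6\r\n"),
    # No signature on port 80: falls back to the port guess; card fails Luhn, SSN hits
    Packet(51003, 80, b"ssn=123-45-6789 card=4111 1111 1111 1112"),
]


def inspect_all(packets=SAMPLE_PACKETS) -> list[dict]:
    return [inspect(p) for p in packets]


if __name__ == "__main__":
    for result in inspect_all():
        print(result)
```

The fourth packet shows why the evidence field matters in a DPI log: the port alone says HTTP, but no HTTP signature matched, so an analyst should treat that classification as a guess. The second packet shows the limit of payload inspection on encrypted traffic, which is why DPI products report TLS handshake metadata rather than content for such flows.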
       

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: