What Is Deep Packet Inspection?

Marc DahanWhat Is Deep Packet Inspection?
Artwork by: Maureen de Vries

Deep packet inspection (DPI), as the name implies, is a kind of data processing technology that enables detailed inspection of network traffic. You may have heard the expression before. 

But did you know that DPI is used by many ISPs. And that DPI can enable them to see everything you do online, in detail - including which apps you use? 

What is deep packet inspection? How does it work? And what is it used for? Read on, as we answer these questions and more, below.

Packet Filtering Vs. Deep Packet Inspection​

Deep packet inspection is a type of packet filtering

Packet filtering works by analyzing the headers of the various requests going over the network. It references that information against a filtering list/ruleset. It then makes filtering decisions, based on the ruleset, to allow, deny our reroute the packets.

So, with packet filtering, it goes something like this: 

  1. Someone on the network uses their browser to access Facebook. 
  2. The packet filter examines the header and sees facebook.com as the destination. 
  3. The packet filter references facebook.com against the ruleset. 
  4. The packet filter allows or blocks the request, based on those rules.

A common analogy for this would be the addressing information on (snail) mail letters. 

By reading the information written on the outside of the envelope, you know who the sender and the receiver are. Based on that information, in a packet filtering scenario, you could choose to trash the letter or send it on its way. 

Yet, without DPI, you couldn’t open the letter and read it. And that is the benefit of deep packet inspection.

With deep packet inspection, you can open the envelope. Using DPI, you can view the actual content of the packets being transmitted. You gain insights into the applications or the services from which the packets originated. 

And with all this extra information (as opposed to only analyzing the headers), the filtering decisions can be much more granular.

DPI can, for example, use filters to locate and redirect traffic originating from specific services (i.e. Facebook or WhatsApp) or from specific IP addresses.

What about HTTPS/SSL?​

Today, almost every website you visit offers an encrypted connection (HTTPS) to their server(s). 

But in the early days of the Internet, the overwhelming majority of sites used plain, unencrypted HTTP (except for logins, payments, and banking). 

Envelopes & Postcards​

Using HTTP instead of HTTPS means that the content of your traffic is visible in plain text.

Using HTTP makes DPI available to all. 

Going back to our mail analogies, using HTTP is like sending a postcard rather than a letter inside an envelope. Anyone who stumbles across your postcard can read its contents.

The reason why you likely didn’t hear about deep packet inspection back then is that it wasn’t feasible to perform DPI. This was because of bandwidth limitations at the time. 

As advances in network infrastructure afforded networks more bandwidth and throughput, the use of DPI grew.


So what about the fact that the Internet is now largely using HTTPS? Shouldn't HTTPS specifically protect against this? 

HTTPS is definitely an obstacle to DPI, but not a showstopper. 

HTTPS works by having Certificate Authorities (CA) distribute certificates to Web sites. Those same CAs are built into your browser. 

Certificate Authorities validate the certificate, and hence the identity, of each website you visit. Your connection to the website is also encrypted using the validated certificate.

Breaking HTTPS​

SSL filtering is a deep packet inspection technique that spoofs a valid SSL certificate. 

SSL filtering is achieved by bouncing your traffic over a proxy server. 

The proxy server intercepts and replaces the SSL certificate presented by the website with its own certificate. The proxy server then validates the fake certificate.

Once the connection is validated with the fake certificate, the traffic can be decrypted and read. And from there, it can be dropped, rerouted or sent on its merry way. 

This technique is also known as a man-in-the-middle attack.

Your browser normally displays a warning if presented with a bogus certificate. Click “Visit Site Anyway” and you could have your traffic intercepted

Does that mean that you just need to be on the look-out for certificate warnings in your browser and you’re good? Nope.

Corporate Networks​

Are you on an enterprise network with a company-provided device? 

Many organizations install their own Certificate Authority on company-issued devices. 

This can be done for many reasons other than spying on their employees web browsing, as we'll see below. Though some, of course, do.

The point is that, in this scenario, your device will validate a bogus (self-signed) certificate and enable the decryption of your traffic. 

And you won’t even get a warning message. Your browser will consider the certificate as being valid.

The Two Sides of the Coin​

Hand with coin

Nobody wants their Internet traffic spied on. That’s a given. But aside from enabling the Great Firewall of China, DPI is used for many other “nobler” reasons.

DPI helps in:​

  • Blocking malware & viruses.
  • Blocking access to malicious sites.
  • Performing Quality of Service (QoS) - prioritizing certain types of traffic over others, commonly VOIP.
  • Analyzing traffic patterns for malicious behaviour.
  • Traffic logging to gain insights for network management.
  • Enforcing network permissions systems.
  • Intrusion detection.

But most of the time, you won’t be in a position to know if DPI is happening or for what purpose… 

So What Can You Do About It?​

Many, many locks

The solution is as simple as it is effective. Use a VPN.

By using a VPN, all your online activities are encrypted inside the VPN tunnel. Your ISP and any third-parties cannot view or decrypt your traffic. There is, however, one important caveat:

You are putting a huge amount of trust in the hands of your VPN provider. Stay away from free VPN services. And choose a provider that has a strict no-logging policy. 

Your VPN provider has the ability to see everything you do online while on their servers. And they have the ability to deploy DPI on your connection. Make sure you don’t adopt a solution that's worse than your problem.

Our 5, 9 & 14 Eyes: What Does It All Mean For VPN Users? and our Is NordVPN Safe? articles may help you in your research. As always, be sharp and stay safe!

What Is Deep Packet Inspection?

By Marc Dahan

Last updated: April 9, 2020

Further Reading

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram