IT Operations Management (ITOM)

Deep packet inspection fills gaps in network management

Deep packet inspection fills gaps in network management


Guest post by Balaji Venkatraman Director of Product Management, Network Management

Deep-Packet Inspection (DPI) refers to technologies that capture network conversations from the network transmission infrastructure, and make them visible to a network administrator to troubleshoot application performance or connectivity issues. These technologies require the interception of traffic as it passes through the network infrastructure, capture of conversations between two nodes, and the breakdown or decoding of the conversation to understand the data passing back and forth.

You need information from your infrastructure in order to understand how the network is behaving under steady state or transient conditions.  In some cases, information from SNMP agents which are instrumented in network elements is not sufficient.  SNMP can only provide the metrics that it has pre-collected and modeled through this agent interface.  Command Line Interfaces (CLI) and log files also have gaps. DPI can fill-in these gaps.



Balaji blog 1b IP header.jpg

Figure 1 – Simplified IP packet.

A complementary and closely related technology which is relatively easy to implement is the collection of network flow data. Flow data is provided through embedded instrumentation implemented throughout the network infrastructure. Flows are summarized and exported from network devices, or sampled randomly from network traffic. Flow data provides “meta-data” for network conversations – the information that typically located in the packet headers that provide addressing and a description of the data in the packet. Flow information is available from flow export technologies like IPFIX, and NetFlow, or sampling technologies like sFlow. Flow analysis tools typically don’t provide information about the packet payload – the application data exchanged between nodes. But flow can provide valuable information about which nodes are communicating, what protocols they are using, and what kinds of applications are in use. This information can help determine where in the network you may want to utilize DPI solutions to collect a more detailed view of the application conversation.

With this context, DPI solutions can provide us detailed information for an individual conversation between two nodes on the network which includes (see figure 1):

  • where the packets are coming from – IP source address
  • where they are headed – IP destination address
  • packet size distribution – length field
  • packet arrival distribution – from measurement timestamp
  • complex application traffic patterns – by using multiple DPI probes
  • Application transaction or data transfer information - payload

Probes and multiple probes

DPI collection is most commonly implemented in dedicated hardware based probes. Significant processing power is required to capture data at increasing media speeds, and filter relevant traffic from more complex datacenter environments.

Complementary flow information can also provide some insight into the path that network conversations are taking between clients and servers. DPI alone provides a very detailed capture of a conversation at a single point in the network, including it’s payload. Using flow data, you can map the conversation between the endpoints as it transits the network, and more effectively deploy your DPI solution to capture and compare the packet headers and payload to troubleshoot issues through firewalls, load balancers, WAN accelerators, or other types of Application Data Controllers.


Balai blog 1d TCP header.jpg


Figure 2 – Simplified TCP packet

Examining the TCP headers encapsulated within an IP packet allows us to determine information about destination application port to which the conversation data will be delivered. In general, destination ports are well-defined, or well-known within a network and associated with specific applications. The TCP headers can also provide us some information about the overall health of the conversation.

Often, payload information within a packet is encrypted. If your DPI solution has access to the encryption keys, it can decrypt and display that data. But if decryption is not possible, then then information that’s available to work with is only the flow meta-data in headers. Using flow as a complementary technology still supports many aspects of critical traffic troubleshooting.

With DPI probes you can filter and alert on specific payload data. For example, if you just want to look at email from or to me you tell the probe search for “Balaji”; the probe can then filter and present only the relevant data.

There are over 1500 well known or registered ports and there are a large range of open ports available for clients to use. By using DPI you can track all of these applications and more.


Balaji NMC blog 1a Probe.jpg

Figure 3 – Network with DPI probe

Benefits of deep packet inspection

Let’s look at some of the benefits of DPI.

  • Malware costs organizations millions of dollars per year. By inspecting the headers and payloads of packets a probe can identify the signature or behavior of malware.
  • Security threats can be even worse than malware. Imaging your workstations have been infected by a bot. The bot is later used for a distributed denial of service attack. This can be detected by noticing that there are an overly larger number of workstations sending data to the same uncommon site.
  • Intrusion detection uses DPI to find pre-described threats.
  • DPI can find applications you don’t want on your network, for example traffic from gaming sites which can be hard to detect by other means because of the tricks it uses to avoid detection such as variable high order port numbers.
  • By using the data from DPI and other flow data you have the information you need to reroute for optimal network flow.
  • You can also use this information for provisioning and fine tuning the placement of resources in the network.

DPI used in conjunction with flow information enables us to do more advanced network management, and enables you to locate and collect packets for faster fault resolution. The insight that traffic analytics provides helps us to provision or fine tune the network so that traffic is flowing as desired, resulting in our users having a good user experience and enabling our IT organization to fulfill its SLAs.

Join me and my team at Discover to see Network Node Manager i and Network Automation demonstrated live on the demo floor.

We will have a number of sessions and we’d love to say hi and answer any questions.

  • Tuesday, 09:30-10:30, Automation success at CenturyLink, TB9072
  • Tuesday, 11:00-12:00, Datacenter Automation Best Practices, TB8994
  • Tuesday, 12:30–13:30, Meet the HPE NNMi Experts, RT9074
  • Wednesday, 11:30–12:30, Network Management Innovations, TB9063
  • Wednesday, 14:30-15:30, Data Center Automation Roundtable, RT9068
  • Wednesday, 16:00-17:00, Value from NA at GM, TB8132
  • Thursday, 12:00–13:00, Meet the HPE Network Automation Experts, RT9075


 About the author: Balaji Venkatraman is the Director of Product Management, Network Management and Storage Management solutions at HPE Software.

Balaji has a PhD in Computer Science from University of Florida and a MBA from Santa Clara University; he enjoys teaching and is an Adjunct Faculty in the Electrical Engineering department, San Jose State University, teaching graduate courses on Network Security, Internetworking and VoIP.

Register for Discover


Network Node Manager i (NNMi) unifies fault, availability, and performance monitoring for your network. NNMi software helps you improve network uptime and performance, and increase responsiveness to business needs. Download a free trial today !

Tweet to us at @HPE_ITOps and let us know what you think! | Friend HPE Software on Facebook | Join our Network Management Solutions group on LinkedIn




Michael Procopio Procopio
  • infrastructure management
0 Kudos
About the Author


HPE Software Product Marketing. Over 20 years in network and systems management.


Hi. Does this mean NNMi offers DPI as a capability?


We don't have a 'probe' at the moment but we do pull data from routers etc.

//Add this to "OnDomLoad" event