Deep Packet Inspection

Know which applications are on your network

Application Awareness (or Layer 7 Awareness)

In today's world more and more enterprise applications are using HTTP and HTTPS to communicate between end users and back-end servers. The benefits of the web as a delivery vehicle for apps are abundantly clear to everyone. However, the architecture does present organizations with some tricky monitoring and visibility challenges.

At the port level, all HTTP and HTTPS traffic looks the same. It all generally uses port 80 or 8080 and is, at least at the port level, homogeneous. Of course, it's not all the same: inside the bucket of web traffic there's everything from World of Warcraft to YouTube, and everything in between. There are more than 1200 different web applications that all have some kind of unique signature associated with them, with more being added every day. Some of them are good, some are definitely bad and some are questionable, but how do you tell the difference?

Deep Packet Inspection or DPI

To differentiate between web apps, many modern 'application aware' firewalls and some next-generation network visibility systems incorporate a DPI engine.

A DPI engine works by analyzing a variety of different traffic characteristics at the flow level. DPI vendors use various techniques, including surgical pattern matching, deep protocol dissection, semantic and conversational awareness, behavioral analysis and flow registration, to figure out what the traffic actually is. The process is processor-intensive and thus challenging to do at 10 Gbps, but absolutely critical for network monitoring.

DPI is by definition an imprecise science. However, classification accuracy is improving all the time as DPI vendors learn more about application behaviors. A good DPI engine should be able to achieve a classification accuracy of greater than 90%.

EndaceProbes™ are able to classify hundreds of unique applications. Like writing bespoke rules for an IDS, signatures for custom applications can be written and uploaded into the DPI engine. This feature is often used by customers to help understand the network behavior of custom in-house applications before releasing them into production network environments.
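The pattern-matching idea and the custom-signature step described above can be illustrated with a small classifier. This is an added example, not Endace's or Procera's code: the signatures, hostnames and flows are constructed, and it only inspects plaintext HTTP/1.x Host headers, which is one signal among the many a real engine uses.

```python
import re
from collections import Counter

# Constructed signatures: (application label, regex on the HTTP Host header).
SIGNATURES = [
    ("YouTube", re.compile(r"(^|\.)youtube\.com$")),
    ("Dropbox", re.compile(r"(^|\.)dropbox\.com$")),
]
# Hypothetical custom signature for an in-house application.
CUSTOM = SIGNATURES + [("InHouse-Orders", re.compile(r"^orders\.corp\.example$"))]

def host_header(payload: bytes):
    """Return the lower-cased Host value of the first HTTP request, or None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    # Require a plausible request line so non-HTTP bytes on port 80 are not parsed.
    if not re.match(rb"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":")[0]  # drop an optional :port suffix
    return None

def classify(flow, signatures=SIGNATURES):
    """Label a flow by payload signature; the port alone is only a fallback."""
    host = host_header(flow["payload"])
    if host is None:
        return "unknown-on-port-%d" % flow["dport"]
    for label, pattern in signatures:
        if pattern.search(host):
            return label
    return "http-unclassified"

# Constructed sample flows: identical at the port level, different at layer 7.
FLOWS = [
    {"dport": 80, "bytes": 52000, "payload": b"GET /watch HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"},
    {"dport": 80, "bytes": 9000, "payload": b"POST /upload HTTP/1.1\r\nhost: client.dropbox.com:80\r\n\r\n"},
    {"dport": 80, "bytes": 1200, "payload": b"GET /api/v1/orders HTTP/1.1\r\nHost: orders.corp.example\r\n\r\n"},
    {"dport": 80, "bytes": 300, "payload": b"\x16\x03\x01\x00\x05hello"},  # not HTTP
]

def bytes_by_app(flows, signatures=SIGNATURES):
    totals = Counter()
    for f in flows:
        totals[classify(f, signatures)] += f["bytes"]
    return dict(totals)

if __name__ == "__main__":
    print(bytes_by_app(FLOWS))          # stock signatures
    print(bytes_by_app(FLOWS, CUSTOM))  # with the in-house signature loaded
```

All four flows share destination port 80, yet the per-application byte totals separate them, and loading the custom signature moves the in-house traffic out of the unclassified bucket.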

Applied DPI

EndaceProbes integrate a commercial DPI engine from Procera. The DPI engine creates an application classification for every flow, which is added to the EndaceVision™ metadata database.

Once in the database, the application classification can be used as part of a search string in EndaceVision™, enabling users to answer questions like "show me all of the Dropbox traffic on my network yesterday" or "show me how much bandwidth consumes on a monthly basis."