DPI on EndaceProbe

Deep Packet Inspection (DPI)

EndaceProbes perform Deep Packet Inspection as they capture, index and record packet data from the network. The EndaceProbe's DPI engine examines traffic in real time, creates an application classification for every Flow and adds this information to the EndaceProbe’s metadata database.

Once in the database, this application classification can be used as part of a search string in EndaceVision™, enabling users to apply filters to traffic views to answer questions like "show me all of the Dropbox traffic on my network yesterday" or "show me how much bandwidth Salesforce.com traffic consumes in a week."

Application Awareness (or Layer 7 Awareness)

In today's world more and more enterprise applications are using HTTP and HTTPS to communicate between end users and back-end servers. The benefits of the web as a delivery vehicle for apps are abundantly clear to everyone. However, the architecture does present organizations with some tricky monitoring and visibility challenges.

At the port level, all HTTP and HTTPS traffic looks the same. It all generally uses port 80 or 8080 and is, at least at the port level, homogeneous. Of course, it's not all the same: inside the bucket of web traffic, there's everything from World of Warcraft to Salesforce.com, YouTube, and everything in between.

There are more than 1200 different web applications that all have some kind of unique signature associated with them, with more being added every day. Some of them are good, some are definitely bad and some are questionable, but how do you tell the difference?


Deep Packet Inspection or DPI

To differentiate between web apps many modern 'application aware' firewalls and some next generation network visibility systems incorporate a DPI engine.

A DPI engine works by analyzing a variety of different traffic characteristics at the flow level. DPI vendors use various techniques including pattern matching, deep protocol dissection, semantic and conversational awareness, behavioral analysis and flow registration to figure out what the traffic actually is. The process is processor-intensive and thus challenging to do at 10 Gbps, but absolutely critical for network monitoring.

DPI is by definition an imprecise science. However, classification accuracy is improving all the time as DPI vendors learn more about application behaviors. A good DPI engine should be able to achieve a greater than 90% accurate classification rating.

EndaceProbes™ are able to classify hundreds of unique applications. Like writing bespoke rules for an IDS, signatures for custom applications can be written and uploaded into the DPI engine. This feature is often used by customers to help understand the network behavior of custom in-house applications before releasing them into production network environments.
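
The following added example is not Endace code and does not use the EndaceProbe signature format. It shows one of the techniques listed above, pattern matching, applied to the first client payload of a flow: the HTTP Host header or TLS SNI is matched against a signature table, so flows that share one port-level label get distinct application labels. The signature layout, the hostname crm.corp.example, the sample flows and the inclusion of port 443 are assumptions.

```python
import re

# Constructed hostname signatures; this layout is illustrative, not Endace's format.
SIGNATURES = [
    ("dropbox", re.compile(r"(^|\.)dropbox\.com$")),
    ("inhouse-crm", re.compile(r"^crm\.corp\.example$")),  # hypothetical custom app
]
HOST_RE = re.compile(
    rb"[A-Z]+ \S+ HTTP/1\.[01]\r\n(?:[^\r\n]+\r\n)*?host:[ \t]*([^\r\n:]+)", re.I)

def http_host(p):
    """Host header of a plaintext HTTP/1.x request, or None."""
    m = HOST_RE.match(p)
    return m.group(1).strip().decode("ascii", "replace").lower() if m else None

def tls_sni(p):
    """server_name from a TLS ClientHello held in one record, or None."""
    u16 = lambda i: int.from_bytes(p[i:i + 2], "big")
    try:
        if p[0] != 0x16 or p[5] != 0x01:   # handshake record carrying a ClientHello
            return None
        i = 43                             # skip record/handshake hdrs, version, random
        i += 1 + p[i]                      # session id
        i += 2 + u16(i)                    # cipher suites
        i += 1 + p[i]                      # compression methods
        end, i = min(len(p), i + 2 + u16(i)), i + 2
        while i + 4 <= end:
            if u16(i) == 0:                # server_name extension
                return p[i + 9:i + 9 + u16(i + 7)].decode("ascii", "replace").lower()
            i += 4 + u16(i + 2)
    except IndexError:                     # truncated or malformed hello
        pass
    return None

def classify(port, payload):
    """Return (port-level label, Layer 7 label) from a flow's first client payload."""
    host = http_host(payload) or tls_sni(payload)
    app = next((a for a, s in SIGNATURES if host and s.search(host)), "unknown")
    return ("web" if port in (80, 8080, 443) else "other", app)

# Constructed sample flows: (destination port, first client payload).
HELLO = (bytes.fromhex("1603010047010000430303") + bytes(32)
         + bytes.fromhex("00000213010100001800000014001200000f") + b"www.dropbox.com")
FLOWS = [(443, HELLO),
         (8080, b"GET /login HTTP/1.1\r\nHost: crm.corp.example:8080\r\n\r\n"),
         (80, b"GET / HTTP/1.1\r\nHost: unlisted.example\r\n\r\n")]

if __name__ == "__main__":
    print([classify(port, payload) for port, payload in FLOWS])
```

All three sample flows carry the same port-level label, while the payload match separates them; the flow with no matching signature stays "unknown" rather than being guessed.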