Deep packet analysis is a network methodology that is particularly useful in firewalls. The use of deep packet inspection has increased in recent years because it can be used as part of intrusion detection systems (IDSs) and intrusion prevention systems (IPSs).
Firewalls traditionally block access to a network. Filters in firewalls can also block access to a list of websites by inspecting the destination IP address contained in the packet header.
We go into some depth on each of the tools further down, but in case you haven’t got time to read the whole piece, here is our list of the best Deep Packet Inspection and Analysis tools:
- SolarWinds Network Performance Monitor (FREE TRIAL) – This network monitoring tool includes deep packet inspection to identify the source and destination applications and endpoints on network traffic.
- Paessler Packet Sniffing with PRTG – The PRTG system is an infrastructure monitoring tool and it includes a packet sensor.
- OpManager – This is a network performance monitor that can capture packets for offline analysis. The tool runs on Windows and Linux.
- nDPI – This tool inspects packets at the application layer, which means that you need to buffer traffic for inspection.
- Netifyd – An adaption of nDPI that captures packets for inspection by other services.
- AppNeta – A Cloud-based network monitoring system that includes offline traffic analysis.
- NetFort LANGuardian – A network security analysis tool that uses DPI and runs on Linux.
SPI Vs DPI
Advancements on gateways that examine the IP header are “stateful” firewalls. They employ Stateful Packet Inspection (SPI). This methodology examines the TCP or UDP headers, which are enclosed within the IP packet. Stateful packet inspection is also known as shallow packet inspection. Deep Packet Inspection (DPI) looks at the data payload of the packet.
SPI examines individual packets as they are processed by the gateway, and selectively drops outgoing requests or incoming data packets that don’t comply with the network security policy. The “stateful” part of the name refers to connection data. The firewall records header information relating to the TCP connection, which enables it to follow a stream of packets. The type of stateful header data that the firewall collects include the sequence number of packets.
A stateful firewall typically stores this connection information in memory, enabling it to pick out streams of related packets as they pass through the interface. Connection data is held in a dynamic table. Once a connection is closed, that information is wiped from the table to free up memory. The stateful firewall is more likely to block connections while they are in progress. Stateful packet inspection only focuses on live data.
DPI collects packets to be examined as a group, so regular traffic continues on its way while copies are harvested for analysis. This is why DPI is often referred to as “deep packet analysis.” DPI takes longer to produce actionable intel than SPI.
Benefits of deep packet inspection and analysis
Intrusion detection systems look for “signatures” in data traffic to identify irregular activity. One trick hackers use to get around these signature detection systems is to split up packets into smaller segments. This spreads the patterns that shallow packet analysis looks for, so no single packet contains that signature and the attack gets through. DPI analysis reassembles streams of packets from the same source, so the attack signatures can be detected even when spread over several incoming packets.
When DPI analysis is part of an intrusion prevention system, the ongoing analysis results generate and apply actions to automatically defend the system. Such action may include blocking all packets arriving from a particular source IP address or even a range of addresses.
The collection of packets enables DPI to identify types of attacks that stateful analysis would miss. Examples of these are the irregular use of standard network utilities, such as Powershell or WMI, and directed volume overloads, such as buffer overflow attacks. The use of regular system utilities in virus infection or spyware operations means that a ban on the applications known to be used by hackers cannot be enforced. This is because those system utilities are essential for the delivery of applications and service to legitimate users. Thus, deep packet inspection and analysis steps in to examine the usage patterns usage of those system services and selectively roots out the traffic that displays suspicious behavior. Thus, malicious activity can be identified even though it initially seems to be legitimate traffic.
Data leak prevention
Data leak prevention is another use for deep packet analysis. This takes a whitelisting approach. The company can set a policy that no one should be allowed to copy data onto a memory stick or send email attachments. But there are legitimate instances where such actions are necessary. In this case, the DPI would be notified to allow through what would otherwise be treated as an unauthorized activity. That user shouldn’t be allowed to send out any file, and so the DPI function keeps monitoring activities to block file transfers other than the authorized attachment.
The best deep packet inspection and analysis tools
Sophisticated network monitoring systems now include deep packet analysis routines. So, you can get this facility as part of your general network management software. Some software providers produce network defense software that incorporates deep packet analysis.
The SolarWinds Deep Packet Inspection and Analysis with NPM uses a range of techniques to monitor and manage network traffic. The main element uses the SNMP messaging system that is native to the firmware of network equipment. However, the analysis sections of the monitor use deep packet inspection (DPI) as part of the tool’s network behavior visibility services.
The purpose of DPI in the SolarWinds tool satisfies two aims of network administrators. The first is to identify the types of traffic that use up most of the system’s resources. Excessive load on the network makes the working environment difficult for everyone and it is important to find out exactly where all of that demand originates. DPI provides this data, and once the resource hoggers have been identified, it is easier for the network administrator to decide what to do about them.
Deep packet inspection also gives the Network Performance Monitor security functions. DPI techniques will identify specific users and applications that cause surges in traffic and display erratic behavior. Those peaks in demand could be caused by hacker attacks, however, they could also be caused by business requirements, such as end-of-the-month account processing. DPI lets you see whether those surges are generated by legitimate business activities. Irregular behavior can be blocked.
User tracking may highlight unusual activity. For example, one user account could have been compromised, leading that user to access services that don’t tie in with his usual activities. Logins from disparate physical locations within short periods can also identify a user account that has been compromised.
The employment of deep packet analysis by SolarWinds in the Network Performance Monitor shows this technique is not just of use to security specialists. SolarWinds does include deep packet analysis for intrusion detection, but it also uses the system to help shape regular traffic and examine the categories of applications that overload the system. The use of DPI to support legitimate business activities points the way forward for all network monitoring systems. The sophisticated methods of DPI are now becoming mainstream and will become a central part of all network traffic monitoring systems in the future.
The Network Performance Monitor is not free. The price for this system starts at $2,955. However, you can get a free trial for 30 days. The SolarWinds Network Performance Monitor can only be installed on Windows Server operating systems.
Paessler Packet sniffing with PRTG is a comprehensive network monitoring tool that includes DPI in its data gathering procedures. The Packet sniffer of PRTG analyzes specific traffic types to monitor for resource usage and irregular activity. The monitor reports on those traffic types and their throughput including web traffic, mail server activity, and file transfers. These controls can be very useful for imposing mail and data security policies, and they will enable you to spot surges in traffic that could be indications of intrusion or cyber attacks.
If you are particularly interested in using deep packet analysis for security, then the information that you will get on DHCP, DNS, and ICMP traffic should be of particular use to you.
The packet sensor page in the PRTG dashboard features dials and graphs to help you make sense of traffic data quickly.
Paessler PRTG can be installed on Windows and there is a free version for small networks. This will cover 100 sensors on your network. A sensor is a monitoring point on a network, such as a port or a condition like free disk space. You can download the software for a free trial here.
ManageEngine’s OpManager is another of the leading network monitoring systems on the market today. This monitor uses SNMP methods for ongoing network monitoring and device status tracking. The deep packet inspection functions of OpManager add traffic management to the system.
As is to be expected with DPI, analysis is performed offline. The packets under examination are first written to a PCAP file. These files supply the source information for the analysis.
The deep packet analysis functions of OpManager aim to uncover reasons for poor network performance rather than detect intrusion. Two metrics emerge from the analysis: network response times and application response times. The administrator can spot which applications perform badly and may require more resources than standard network functions. You can then decide whether to increase resources to serve hungry applications, investigate more efficient alternatives, or restrict the bandwidth available to that application in order to give more important network services better response times.
The data that emerges from the deep packet analysis exercise can be output in reports. These enable you to lead discussions with stakeholders on whether budget should be spent expanding the infrastructure or whether overactive applications should be curbed or shelved.
OpManager is available for free to monitor ten nodes or less on a network. Systems larger than that have to use the paid OpManager. The OpManager monitoring console can be installed on Windows and Linux operating systems.
OpenDPI is an open source project of deep packet analysis tools. An open source project allows anyone to see the source code of an application. That assures users that there are no hidden tricks or damaging malware procedures buried inside. nDPI from Ntop is based on the OpenDPI code and expands its functionality. The source code for nDPI is also available.
This open source model gives you the option of installing it as is or modifying the system to suit your business’s needs. Modification of open source code is very common and many people who create enhancements for such systems also make those new features available to the community. In some cases, the organization that manages the source code will accept those changes into the core version. Ntop keeps nDPI separate from the original OpenDPI, so you have two open source options.
nDPI operates at the Application Layer. That means it unifies packets before examining their contents. The headers of the packets tell the analysis engine which protocol the transmission is using and which port the traffic came from and went to. That info identifies any mismatch between applications sending data on the networks and the ports that each uses, as opposed to the ports that the application should be using for the protocol that it follows.
The nDPI system is able to identify encrypted packets by looking at the SSL security certificate that specified the encryption key for the transmission. This is a clever insight and gets around the difficulties that encryption presents to deep packet analysis.
The nDPI software can be installed on Windows, Linux, and MacOS. The DPI module supports other Ntop products like nProbe and Ntop-NG. nProbe is a traffic monitoring system that collects NetFlow messages. NetFlow is a signaling standard used by Cisco Systems for its network equipment products. This system is available for a small fee and it runs on Linux and Windows. Ntop-NG is a traffic analyzer for networks. This is an alternative network monitoring system that employs SNMP messages. Ntop-NG is available for Windows, Unix, Linux, and Mac OS. It is available in three versions, one of which, the Community Edition, is free.
Despite being a fork of OpenDPI, nDPI is becoming a standard all of its own and is the basis for a number of other adaptations. Netifyd is one of these. This makes Netifyd and adaptation of an adaptation of OpenDPI. Like its ancestors, Netifyd is an open source product and you can see the code that makes up the program, compile it, and use it. Alternatively, you could adapt the code yourself and end up with an adaptation of an adaptation of an adaptation of OpenDPI.
Netifyd will capture packets, but it does not include analysis functions to interpret data or take actions to shape traffic or block protocols. You would need to import the Netifyd data into another application for those functions.
This system is available from the community pages of the Egloo website. The main product of Egloo is the Netify network monitor that is based on Netifyd but has many more features and is not free. This tool offers you the visualization and sorting capabilities needed in order to properly understand the information that arises out of deep packet inspection. The starter package of Netify is priced at $25 per site per month. That edition allows you to monitor data from up to 25 devices and the service will store your data for two days. Higher packages give you a longer time horizon for historical data.
AppNeta is a cloud-based network monitoring system. It is particularly aimed at companies that operate WANs and extend their capabilities into the cloud. The software uses a proprietary network traffic analysis methodology called TruPath, which is a little like Traceroute with added performance reporting.
After TruPath collects information, the system adds on traffic details gleaned through deep packet inspection. The DPI module works to segment traffic metrics by application. As AppNeta is aimed at businesses that use the internet intensely for all company traffic. It conducts all packet inspection offsite, reducing the strain that excessive reporting procedures can put on networks.
Information that the DPI module gathers is sent to the cloud data center. The analysis engine is hosted remotely and not on any of your equipment. This makes the dashboards and reports available from any location, not just in your HQ. The location neutrality of this configuration makes the control panel for the system available from anywhere over the web. Data is stored on the AppNeta servers for 90 days, which gives you ample opportunity to analyze trends and plan capacity. Demand on apps covers both the cloud services accessed by your company as well as online services that your business provides to others.
The AppNeta presentation focuses on monitoring the delivery performance for applications. It includes alerts on traffic volumes per application. Those traffic warnings could act as a security monitor because sudden surges in traffic may indicate an attack. The utility includes user activity analysis, which would come in handy to track suspicious activity and identify compromised accounts. However, AppNeta isn’t positioned as a security tool.
AppNeta covers all communication between your sites and its data center with encryption. The package doesn’t use data analysis tools and you are recommended by the company to use a third-party tool, such as Wireshark.
This monitoring system is not free. The service is priced at $199 per application per location. You can request a free trial of the system, but the company does not offer this for a fixed time period. You may negotiate a trial period with a sales representative upon request.
LANGuardian uses deep packet inspection primarily as a security tool. The system isolates resource-greedy apps and examines the protocol traffic on your network that uses the most bandwidth.
The dashboard for the system offers summary data from which you can drill down to mine available information all the way to user activity. The LANGuardian software runs on Linux. It comes bundled with its own Linux interface, so it can also be run off virtual machines including Microsoft Hyper-V. However, it won’t run directly on Windows. If you want to use LANGuardian on a Windows computer, you will have install VMWare Player or VirtualBox and run the software through that interface.
The LANGuardian system includes four elements:
- A collection engine
- An analysis engine
- A traffic database
- A reporting engine
Like most DPI systems, you can’t analyze live data. This is where the database comes in handy. The information gathered by the collection agent is inserted into a database. Gathered data can then be sorted and manipulated by the analytical engine. This gives the system an application-level perspective on network traffic and enables the analyzer to track traffic patterns across packets. However, those records can be assembled very quickly and added to in real-time, so it is possible to get near-live views of your network traffic.
The software has to be installed on one computer on your network, and that computer must have a direct connection to your core switch. This gives the collection agent the power to copy all of the traffic that runs over your network. That collector becomes the primary sensor and creates a one-to-one relationship between the core switch and the monitoring console. Obviously, this architecture would prevent the LANGuardian system being deployed on distributed networks and it particularly wouldn’t work with WANs. In these scenarios, the LANGuardian deploys remote sensors that remote back from the other prime switches in your organization to centralize data analysis.
The system is not free. However, you can get a 30-day free trial of LANGuardian.
How to choose DPI and analysis software
Deep packet inspection and analysis doesn’t have to be performed by a standalone tool. You can get DPI functionality integrated into many of the industry’s top network monitoring systems. If you have a small network and don’t want to shell out for network management systems, then look into the free versions of those big-name network monitors. If you just want a separate system to perform deep packet analysis and don’t want those tasks interfering with your regular monitoring, then you will find some very suitable tools on our list.
Be careful about installing deep packet analysis tools because they extract the data that is carried across your network. Deep packet inspection might compromise the privacy of the data exchanged across your organization. You should check with your company’s legal advisor first before installing any network tool that will enable you to capture data as it crosses the network. Data privacy and access control could be compromised by giving access to network administrator staff. In some cases, the company must pledge to limit access to the personal information of members of the public held on the business’s assets. So, make sure that you aren’t breeching those obligations by installing DPI tools.
The ability to check on packet-level traffic is certainly helpful when you encounter network performance issues. Deep packet analysis goes one step further and reads the contents of each packet. You must reassure yourself and your board of directors, that you really need that level of information in order to protect the network before installing DPI systems.
Do you currently use deep packet inspection techniques to keep your network running well? Have you encountered legal problems over the issue of data privacy while using DPI tools? Let the community learn from your experience by leaving a message in the comments section below.
Image: Raspberry Pi Model B in PiHouse case – operational by Tim Walker via Flickr. Licensed under CC BY-SA 2.0 (modified: additional text added)