Deep packet analysis is a network methodology that is particularly useful in firewalls. The use of deep packet inspection technology has increased in recent years because it can be used as part of intrusion detection systems (IDSs) and intrusion prevention systems (IPSs).
Firewalls traditionally block access to a network. Filters in firewalls can also block access to a list of websites by inspecting the destination IP address contained in the packet header.
Here is our list of the best Deep Packet Inspection and Analysis tools:
- SolarWinds Network Performance Monitor EDITOR’S CHOICE This network monitoring tool includes deep packet inspection to identify the source and destination applications and endpoints on network traffic. This is just part of the service of this package that includes autodiscovery and constant device monitoring. Runs on Windows Server. Get a 30-day free trial.
- ManageEngine DataSecurity Plus (FREE TRIAL) This package is primarily concerned with protecting data on site and in the cloud but it also performs DPI to impose content controls on Web pages requested on company browsers. Start 30-day free trial.
- Paessler Packet Sniffing with PRTG The PRTG system is an infrastructure monitoring tool and it includes a packet sensor.
- ManageEngine OpManager This is a network performance monitor that can capture packets for offline analysis. The tool runs on Windows and Linux.
- nDPI This tool inspects packets at the application layer, which means that you need to buffer traffic for inspection.
- Netifyd An adaption of nDPI that captures packets for inspection by other services.
- AppNeta A Cloud-based network monitoring system that includes offline traffic analysis.
SPI Vs DPI
Advancements on gateways that examine the IP header are “stateful” firewalls. They employ Stateful Packet Inspection (SPI). This methodology examines the TCP or UDP headers, which are enclosed within the IP packet. Stateful packet inspection is also known as shallow packet inspection. Deep Packet Inspection (DPI) looks at the data payload of the packet.
SPI examines individual packets as they are processed by the gateway, and selectively drops outgoing requests or incoming data packets that don’t comply with the network security policy. The “stateful” part of the name refers to connection data. The firewall records header information relating to the TCP connection, which enables it to follow a stream of packets. The type of stateful header data that the firewall collects includes the sequence number of packets.
A stateful firewall typically stores this connection information in memory, enabling it to pick out streams of related packets as they pass through the interface. Connection data is held in a dynamic table. Once a connection is closed, that information is wiped from the table to free up memory. The stateful firewall is more likely to block connections while they are in progress. Stateful packet inspection analysis only focuses on live data.
DPI collects packets to be examined as a group, so regular traffic continues on its way while copies are harvested for analysis. This is why DPI is often referred to as “deep packet analysis“. DPI takes longer to produce actionable intel than SPI.
Benefits of deep packet inspection and analysis
Intrusion detection systems look for “signatures” in data traffic to identify irregular activity. One trick hackers use to get around these attack signature detection systems is to split up packets into smaller segments. This spreads the patterns that shallow packet analysis looks for, so no single packet contains that signature and the attack gets through. DPI analysis reassembles streams of packets from the same source, so the attack signatures can be detected even when spread over several incoming packets.
When DPI analysis is part of an intrusion prevention system, the ongoing analysis results generate and apply actions to automatically defend the system. Such action may include blocking all packets arriving from a particular source IP address or even a range of addresses.
The collection of packets enables DPI to identify types of service attacks that stateful analysis would miss. Examples of these are the irregular use of standard network utilities, such as PowerShell or WMI, and directed volume overloads, such as buffer overflow attacks. The use of regular system utilities in virus infection or spyware operations means that a ban on the applications known to be used by hackers cannot be enforced. This is because those system utilities are essential for the delivery of applications and service to legitimate users. Thus, deep packet inspection and analysis steps in to examine the usage patterns of those system services and selectively roots out the traffic that displays suspicious behavior. Thus, malicious activity can be identified even though it initially seems to be legitimate traffic.
Data leak prevention
Data leak prevention is another use for deep packet analysis. This takes a whitelisting approach. The company can set a policy that no one should be allowed to copy data onto a memory stick or send email attachments. But there are legitimate instances where such actions are necessary. In this case, the DPI would be notified to allow through what would otherwise be treated as an unauthorized activity. That user shouldn’t be allowed to send out any file, and so the DPI function keeps monitoring activities to block file transfers other than the authorized attachment.
The best deep packet inspection and analysis tools
Sophisticated network monitoring systems now include deep packet analysis routines. So, you can get this facility as part of your general network management software. Some software providers produce network defense software that incorporates deep packet analysis.
Our methodology for selecting a deep packet inspection tool
We reviewed the market for DPI systems and analyzed the options based on the following criteria:
- Packet scanner that can read headers
- Nice to have SSL offloading on a private network to read payload
- A system that performed live monitoring of network devices
- The option to use SPI instead of DPI
- Guidance to dereference packet header codes
- A free trial or a demo service to assess the software without paying
- Value for money from a system that provides a useful service at a fair price or for free
1. SolarWinds Network Performance Monitor (FREE TRIAL)
The SolarWinds Deep Packet Inspection and Analysis with NPM uses a range of techniques to monitor and manage network traffic. The main element uses the SNMP messaging system that is native to the firmware of network equipment. However, the analysis sections of the monitor use deep packet inspection (DPI) as part of the tool’s network behavior visibility services.
- Protocol analysis
- Traffic categorization
- Network discovery
- Device performance tracking
- Alerts for traffic issues
Why do we recommend it?
SolarWinds Network Performance Monitor is an on-premises package for Windows Server that uses SNMP to discover all devices on a network, compile a network inventory, create a network topology map, and then perform constant device monitoring. This is one of the leading network monitoring services available.
The purpose of DPI in the SolarWinds tool satisfies two aims of network administrators. The first is to identify the types of traffic that use up most of the system’s resources. Excessive load on the network makes the working environment difficult for everyone and it is important to find out exactly where all of that demand originates. DPI provides this data, and once the resource hoggers have been identified, it is easier for the network administrator to decide what to do about them.
Deep packet inspection also gives the Network Performance Monitor security functions. DPI techniques will identify specific user behavior and applications that cause surges in traffic and display erratic behavior. Those peaks in demand could be caused by hacker attacks, however, they could also be caused by business requirements, such as end-of-the-month account processing. DPI lets you see whether those surges are generated by legitimate business activities. Irregular behavior can be blocked.
User tracking may highlight unusual activity. For example, one user account could have been compromised, leading that user to access services that don’t tie in with his usual activities. Logins from disparate physical locations within short periods can also identify a user account that has been compromised.
The employment of deep packet analysis by SolarWinds in the Network Performance Monitor shows this technique is not just of use to security specialists. SolarWinds does include deep packet analysis for intrusion detection, but it also uses the system to help shape regular traffic and examine the categories of application traffic that overload the system. The use of DPI to support legitimate business activities points the way forward for all network monitoring systems. The sophisticated methods of DPI are now becoming mainstream and will become a central part of all network traffic monitoring systems in the future.
Who is it recommended for?
This package is comprehensive and is suitable for large businesses. Mid-sized businesses could also use this system. However, its functions are probably a little too extensive for the needs of small businesses. The service provides automated network device monitoring but it requires an add-on package to track traffic patterns.
- Built with scale and enterprise in mind, can support thousands of devices across multiple LANs
- Can identify user-specific behavior and automate remediation actions
- Can support WAN environments and multiple VPN configurations
- Dashboard configuration uses simple drag-and-drop widgets for easy customization
- Alerts allow sysadmins to manage their LAN more proactively than most other products
- This is an enterprise tool and can take time to fully explore and all of its features and options
The Network Performance Monitor is not free. The price for this system starts at $2,955. However, you can get a free trial for 30 days. The SolarWinds Network Performance Monitor can only be installed on Windows Server operating systems.
SolarWinds Network Performance Monitor is our top pick for a DPI tool because it doesn’t just perform deep packet inspection. While you get protocol analysis for more than 1,200 applications and QoS monitoring with the DPI system, you also get network monitoring. This service automatically detects all devices on the network, creates an inventory, and draws up a network topology map. These functions cycle constantly so the inventory and map are always up to date.
Download: Get a 30-day free trial
Official Site: https://www.solarwinds.com/network-performance-monitor/registration
OS: Windows Server
2. ManageEngine DataSecurity Plus (FREE TRIAL)
ManageEngine DataSecurity Plus is a very large package of data protection systems. It includes a Cloud Protection module that operates on internet traffic through deep packet inspection. This tool looks at transfers between your site and your cloud accounts and also provides policy enforcement to block inappropriate or offensive Web content from loading into the browsers in your company.
- Data transfer controls
- Web content filtering
- Infected site detection
- Trusted application list
This module provides a diverse list of services in addition to the sensitive data discovery and protection services of the main DataSecurity Plus package. The entire system is able to enforce compliance with SOX, HIPAA, FISMA, GDPR, PCI, and GLBA.
- Blocks phishing and malware sites
- Enforces Web usage policies
- Identifies and protects sensitive data
- Controls data movements
- Enforces data protection compliance and provides reporting
- No SaaS version
The DataSecurity Plus system is really a bundle of ManageEngine units and each module has an individual price, so calculating the cost of the entire package can be complicated. The software for the bundle runs on Windows Server and you can get it on a 30-day free trial.
3. Paessler Packet Sniffing with PRTG
Paessler Packet sniffing with PRTG is a comprehensive network monitoring tool that includes DPI in its data gathering procedures. The Packet sniffer of PRTG analyzes specific traffic types to monitor for resource usage and irregular activity. The monitor reports on those traffic types and their throughput including web traffic, mail server activity, and file transfers. These controls can be very useful for imposing mail and data security policies, and they will enable you to spot surges in traffic that could be indications of intrusion or cyber-attacks.
- Traffic statistics per application
- Data presented in graphs and charts
- Network monitoring
- Alerts for performance problems
Why do we recommend it?
Paessler PRTG provides packet sniffing as one of its many sensors. Each sensor is an individual monitoring service. The packet sniffing tool can be supplemented by other tools to track traffic, which include NetFlow, J-Flow, sFlow, and IPFIX monitors. You can identify the port in each packet header to assess traffic patterns.
If you are particularly interested in using deep packet analysis for security, then the information that you will get on DHCP, DNS, and ICMP traffic should be of particular use to you.
The packet sensor page in the PRTG dashboard features dials and graphs to help you make sense of traffic data quickly.
Who is it recommended for?
This tool is available in a free version, which is limited to 100 sensors. This is a good choice for small businesses and is enough to activate the network discovery and packet sniffing features of the bundle. Mid-sized and large enterprises would probably need to activate more sensors.
- Uses a combination of deep packet analysis, WMI, and SNMP to report network performance data
- Can monitor baselines and automatically alert to abnormalities.
- Drag and drop editor makes it easy to build custom views and reports
- Supports a wide range of alert mediums such as SMS, email, and third-party integrations into platforms like Slack
- Each sensor is specifically designed to monitor each application, for example, there are pre-built sensors whose specific purpose is to capture and monitor VoIP activity
- Supports a freeware version
- Is a very comprehensive platform, not designed for home use hobbyist use.
Paessler PRTG can be installed on Windows and there is a free version for small networks. This will cover 100 sensors on your network. A sensor is a monitoring point on a network, such as a port or a condition like free disk space. You can download the software for a free trial here.
4. ManageEngine OpManager
ManageEngine’s OpManager is another of the leading network monitoring systems on the market today. This monitor uses SNMP methods for ongoing network monitoring and device status tracking. The deep packet inspection functions of OpManager add traffic management to the system.
- Packet capture
- Response time reports
- Historical analysis
Why do we recommend it?
ManageEngine OpManager combines network device and endpoint monitoring through SNMP processes. The tool includes a packet sniffer, which is enough for protocol analysis. However, you would need to add on another package to get full network traffic analysis. This package is a major rival to the SolarWinds Network Performance Monitor.
As is to be expected with DPI, analysis is performed offline. The packets under examination are first written to a PCAP file. These files supply the source information for the analysis.
The deep packet analysis functions of OpManager aim to uncover reasons for poor network performance rather than detect intrusion. Two metrics emerge from the analysis: network response times and application response times. The administrator can spot which applications perform badly and may require more resources than standard network functions. You can then decide whether to increase resources to serve hungry applications, investigate more efficient alternatives, or restrict the bandwidth available to that application in order to give more important network services better response times.
The data that emerges from the deep packet analysis exercise can be output in reports. These enable you to lead discussions with stakeholders on whether budget should be spent expanding the infrastructure or whether overactive applications should be curbed or shelved.
Who is it recommended for?
This system includes an autodiscovery function. The package has a free version. However, it is limited to monitoring just three devices, which would only cater to the very smallest companies. The Standard edition is designed for small businesses and the top package will cover WANs. There is also an MSP version.
- Designed to work right away, features over 200 customizable widgets to build unique dashboards and reports
- Features traffic management options alongside DPI tools
- Uses intelligent alerting to reduce false positives and eliminate alert fatigue across larger networks
- Supports email, SMS, and webhook for numerous alerting channels
- Can set up SLAs based on network, application, or process.
- Is a feature-rich tool that will require a time investment to properly learn
OpManager is available for free to monitor ten nodes or less on a network. Systems larger than that have to use the paid OpManager. The OpManager monitoring console can be installed on Windows and Linux operating systems.
OpenDPI is an open-source project of deep packet analysis tools. An open source project allows anyone to see the source code of an application. That assures users that there are no hidden tricks or damaging malware procedures buried inside. nDPI from Ntop is based on the OpenDPI code and expands its functionality. The source code for nDPI is also available.
- Free to use
- Partners with ntop
- SSL certificate analysis
Why do we recommend it?
nDPI is an open-source project that provides deep packet inspection in a library of functions. This package’s code can be viewed and amended. Thus, you can call the functions, change their parameters, alter their data types, or rewrite large sections as you please. This package doesn’t provide a full monitoring system.
This open-source model gives you the option of installing it as is or modifying the system to suit your business’s needs. Modification of open source code is very common and many people who create enhancements for such systems also make those new features available to the community. In some cases, the organization that manages the source code will accept those changes into the core version. Ntop keeps nDPI separate from the original OpenDPI, so you have two open source options.
nDPI operates at the Application Layer. That means it unifies packets before examining their contents. The headers of the packets tell the analysis engine which protocol the transmission is using and which port the traffic came from and went to. That info identifies any mismatch between applications sending data on the networks and the ports that each uses, as opposed to the ports that the application should be using for the protocol that it follows.
The nDPI system is able to identify encrypted packets by looking at the SSL security certificate that specified the encryption key for the transmission. This is a clever insight and gets around the difficulties that encryption presents to deep packet analysis.
Who is it recommended for?
The nDPI package is suitable for use by programmers when developing a monitoring system. The nDPI functions provide packet inspection capabilities. The benefit of using these functions out-of-the-box rather than adapting them is that these utilities have been tested and then used in the real world again and again, which provides excellent bug spotting.
- Opens source project allows for additional customization
- Can report data back regarding encrypted communications (Certificate date, signing authority, etc)
- Takes advantage of NetFlow, making it a solid option for networks heavily using Cisco products
- Completely free
- Has a higher learning curve than some paid solutions
- No paid support option, must rely on the community for updates/fixes
- Only support application layer scanning
The nDPI software can be installed on Windows, Linux, and MacOS. The DPI module supports other Ntop products like nProbe and Ntop-NG. nProbe is a traffic monitoring system that collects NetFlow messages. NetFlow is a signaling standard used by Cisco Systems for its network equipment products. This system is available for a small fee and it runs on Linux and Windows. Ntop-NG is a traffic analyzer for networks. This is an alternative network monitoring system that employs SNMP messages. Ntop-NG is available for Windows, Unix, Linux, and Mac OS. It is available in three versions, one of which, the Community Edition, is free.
Despite being a fork of OpenDPI, nDPI is becoming a standard all of its own and is the basis for a number of other adaptations. Netifyd is one of these. This makes Netifyd and adaptation of an adaptation of OpenDPI. Like its ancestors, Netifyd is an open-source product and you can see the code that makes up the program, compile it, and use it. Alternatively, you could adapt the code yourself and end up with an adaptation of an adaptation of an adaptation of OpenDPI.
- Packet analysis tool
- Partners with a network monitor
- Displays packets
Why do we recommend it?
Netifyd is a free packet collection system that can compile statistics on packets according to protocol. It is a data collection agent rather than a full packet analysis tool. You could choose to file the records that Netfyd collects and forward them to a data analysis system.
Netifyd will capture packets, but it does not include analysis functions to interpret data or take actions to shape traffic or block protocols. You would need to import the Netifyd data into another application for those functions.
Who is it recommended for?
This package is only likely to appeal to a developer. It is possible to use this agent to gather input data for a customized tool or assemble a pre-written search and display feature in a data analysis system, such as Prometheus or the ELK stack.
- Transparent open-source project
- The dashboard is minimalistic and good for smaller network deployments
- Paid version if affordable, even for smaller labs
- Another fork of OpenDPI can be a con if you’re not a fan of that framework
- No packet analysis functionality
- Only supports application layer scanning
This system is available from the community pages of the Egloo website. The main product of Egloo is the Netify network monitor that is based on Netifyd but has many more features and is not free. This tool offers you the visualization and sorting capabilities needed in order to properly understand the information that arises out of deep packet inspection. The starter package of Netify is priced at $25 per site per month. That edition allows you to monitor data from up to 25 devices and the service will store your data for two days. Higher packages give you a longer time horizon for historical data.
AppNeta is a cloud-based network monitoring system. It is particularly aimed at companies that operate WANs and extend their capabilities into the cloud. The software uses a proprietary network traffic analysis methodology called TruPath, which is a little like Traceroute with added performance reporting.
- Path analysis
- Protocol analyzer
Why do we recommend it?
AppNeta excels at monitoring connections across the internet between sites. This system is based in the cloud, which gives it an ideal viewpoint for tracking long-distance connections. The monitor performs protocol analysis, which requires deep packet inspection. The information extracted by this monitor can be used to accelerate specific types of traffic.
After TruPath collects information, the system adds on traffic details gleaned through deep packet inspection. The DPI module works to segment traffic metrics by application. As AppNeta is aimed at businesses that use the internet intensely for all company traffic. It conducts all packet inspection offsite, reducing the strain that excessive reporting procedures can put on networks.
Information that the DPI module gathers is sent to the cloud data center. The analysis engine is hosted remotely and not on any of your equipment. This makes the dashboards and reports available from any location, not just in your HQ. The location neutrality of this configuration makes the control panel for the system available from anywhere over the web. Data is stored on the AppNeta servers for 90 days, which gives you ample opportunity to analyze trends and plan capacity. Demand on apps covers both the cloud services accessed by your company as well as online services that your business provides to others.
The AppNeta presentation focuses on monitoring the delivery performance for applications. It includes alerts on traffic volumes per application. Those traffic warnings could act as a security monitor because sudden surges in internet traffic may indicate an attack. The utility includes user activity analysis, which would come in handy to track suspicious activity and identify compromised accounts. However, AppNeta isn’t positioned as a security tool.
AppNeta covers all communication between your sites and its data center with encryption. The package doesn’t use data analysis tools and you are recommended by the company to use a third-party tool, such as Wireshark.
Who is it recommended for?
AppNeta is particularly necessary for businesses that run virtual networks, such as SD-WANs or SASE configurations. In these circumstances, internet connections between sites, or to remote workers, or cloud platforms rae protected by VPNs. The AppNeta system is able to work around these connection encryption systems.
- Operates as a cloud-based SaaS making it flexible and easy to deploy
- Utilizes a proprietary traffic analysis method that provides detailed reports based on each network hop
- A great option for companies that rely on many public-facing applications to conduct business (DMZs, SaaS tools, cloud services)
- Pairs DPI with application performance, allowing users to correlate attacks and uptime easily
- Must contact sale for an undetermined free trial period
- Could use more security features to stop threats as they’re identified
- More expensive than similar DPI tools
This monitoring system is not free. The service is priced at $199 per application per location. You can request a free trial of the system, but the company does not offer this for a fixed time period. You may negotiate a trial period with a sales representative upon request.
How to choose DPI and analysis software
Deep packet inspection management and analysis doesn’t have to be performed by a standalone tool. You can get DPI functionality integrated into many of the industry’s top network monitoring systems. If you have a small network and don’t want to shell out for network management systems, then look into the free versions of those big-name network monitors. If you just want a separate system to perform deep packet analysis and don’t want those tasks interfering with your regular monitoring, then you will find some very suitable tools on our list.
Be careful about installing deep packet analysis tools because they extract the data that is carried across your network. Deep packet inspection might compromise the privacy of the data exchanged across your organization. You should check with your company’s legal advisor first before installing any network tool that will enable you to capture data as it crosses the network. Data privacy and access control could be compromised by giving access to network administrator staff. In some cases, the company must pledge to limit access to the personal information of members of the public held on the business’s assets. So, make sure that you aren’t breaching those obligations by installing DPI tools.
The ability to check on packet-level traffic is certainly helpful when you encounter network performance issues. Deep packet analysis goes one step further and reads the contents of each packet. You must reassure yourself and your board of directors, that you really need that level of information in order to protect the network before installing DPI systems.
Do you currently use deep packet inspection techniques to keep your network running well? Have you encountered legal problems over the issue of data privacy while using DPI tools? Let the community learn from your experience by leaving a message in the comments section below.
Deep Packet Inspection FAQs
What is a stateless firewall?
A stateless firewall examines the information in the header of each individual packet when applying its rules of admission. The opposite of stateless is the stateful firewall, which looks at conditions that require the examination of several packets.
How does NPM support deep packet inspection?
The SolarWinds Network Performance Monitor (NPM) includes deep packet inspection as an on-demand analysis tool. The implementation of this service requires the setup of a packet analysis sensor, which, effectively, activates port mirroring on a network device.
Does deep packet inspection block VPNs?
Deep packet inspection will only perform the checks that the firewall’s owners have specified. However, DPI can be used to detect patterns in encrypted packets that are typical of VPN processing. The Chinese government uses this and VPNs deploy stealth tactics to try and evade detection.
What are the deep packet inspection techniques used today?
The most commonly used method deployed for deep packet inspection is signature-based detection. This looks for a specific pattern of characters within the packet. Usually, DPI systems focus their pattern searches on the headers of packets because it is assumed that the body will be encrypted.