Deep Packet Inspection (DPI)
What is Deep Packet Inspection (DPI)?
Deep Packet Inspection (DPI)An inspection technique that examines the full payload of network packets — not just headers — to identify applications, content, and threats.
Deep Packet Inspection (DPI) parses traffic beyond the IP and TCP/UDP headers, reaching into application protocols (HTTP, DNS, SMB, TLS metadata, etc.) to identify the actual application or content. It powers application-aware firewalls, IPS, NDR, anti-malware gateways, and traffic-shaping tools, and is essential for detecting protocol abuse, data exfiltration, and signature-based threats. Because much modern traffic is TLS-encrypted, DPI is typically combined with TLS interception or with metadata-based techniques (JA3, JA4, certificate fingerprints, traffic analytics). Operators must balance security benefits against privacy, performance, and legal/regulatory constraints around inspecting user content.
● Examples
- 01
An IPS detecting a Cobalt Strike beacon by matching a payload signature in HTTP traffic.
- 02
An NGFW classifying traffic as Zoom or YouTube using DPI even when on TCP/443.
● Frequently asked questions
What is Deep Packet Inspection (DPI)?
An inspection technique that examines the full payload of network packets — not just headers — to identify applications, content, and threats. It belongs to the Network Security category of cybersecurity.
What does Deep Packet Inspection (DPI) mean?
An inspection technique that examines the full payload of network packets — not just headers — to identify applications, content, and threats.
How do you defend against Deep Packet Inspection (DPI)?
Defences for Deep Packet Inspection (DPI) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Deep Packet Inspection (DPI)?
Common alternative names include: DPI, Content inspection.