Usefulness of Deep Packet Inspection (DPI)

Guys, can anyone give me a real world example of the usefulness of DPI? An engineer enabled it across the board on our agents but the info it provides to my eye is pretty useless. It seems to tell you things like 'traffic to Active Directory is slow' but so what! No detail on what process, what type of packet etc. Seems useless. I used Splunk Stream and it's free and much more powerful. Maybe I'm missing something?

Top Replies

  • First of all, you do not need the Quality of Experience functionality enabled on all your agents. QoE should be used in locations where you wish to analyse the performance of the traffic flowing over it; either as a spanned port on a switch or installed directly on an end point server that provides the service.

    As far as the use of the Orion DPI capabilities, it is NOT designed to perform true DPI, rather to measure the performance of packets based on the timings of the returned packets to help identify issues related to the network or application responsiveness. While you can create new HTTP based application entities and update mapped network port traffic to traffic categories, for now that is not something you can use as a security tool.

    I cannot speak for SolarWinds' future plans, but that is it for current usage of the DPI feature (QoE) for now.
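The reply above says the Orion QoE feature works from packet timings rather than payload content. The following is an added example, not SolarWinds code, showing how that style of analysis splits "AD is slow" into a network component and an application component from a TCP packet log. The two definitions used (network response time as request to server TCP ACK, application response time as server ACK to first response data) are a simplified model assumed for illustration, not SolarWinds' exact algorithm, and the packet records are constructed rather than captured.

```python
"""Timing-based traffic analysis over a TCP packet log (added example).

Assumed definitions, chosen for illustration:
  network response time (NRT)     = client request data -> server's TCP ACK
  application response time (ART) = server's TCP ACK   -> first response data
A small NRT with a large ART points at the server/application rather than
the path between client and server.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str         # TCP flag letters, e.g. "PA" = PSH+ACK, "A" = pure ACK
    payload_len: int   # bytes of TCP payload


# Constructed packet log: one LDAP (389) and one HTTP (80) transaction.
PACKETS = [
    Packet(0.000, "10.0.0.5", "10.0.0.10", 51000, 389, "PA", 120),  # client query
    Packet(0.004, "10.0.0.10", "10.0.0.5", 389, 51000, "A", 0),     # server ACK
    Packet(0.850, "10.0.0.10", "10.0.0.5", 389, 51000, "PA", 400),  # server reply
    Packet(1.000, "10.0.0.5", "10.0.0.20", 51001, 80, "PA", 300),
    Packet(1.120, "10.0.0.20", "10.0.0.5", 80, 51001, "A", 0),
    Packet(1.150, "10.0.0.20", "10.0.0.5", 80, 51001, "PA", 2000),
]


def measure_transactions(packets, server_ports):
    """Pair each client request with the server ACK and first response data."""
    pending = {}   # (client ip, client port, server ip, server port) -> [t_req, t_ack]
    results = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.dport in server_ports and p.payload_len > 0:
            # Client -> server data: start a new transaction on this connection.
            pending[(p.src, p.sport, p.dst, p.dport)] = [p.ts, None]
        elif p.sport in server_ports:
            key = (p.dst, p.dport, p.src, p.sport)
            entry = pending.get(key)
            if entry is None:
                continue
            if p.payload_len == 0 and "A" in p.flags and entry[1] is None:
                entry[1] = p.ts                      # pure ACK: network leg done
            elif p.payload_len > 0:
                t_req, t_ack = entry
                if t_ack is None:
                    t_ack = p.ts                     # ACK piggybacked on data
                results.append({"server": p.src, "port": p.sport,
                                "nrt": round(t_ack - t_req, 3),
                                "art": round(p.ts - t_ack, 3)})
                del pending[key]
    return results


def summarize(results, art_threshold=0.5):
    """Average NRT/ART per server port and flag applications whose ART is high."""
    per_app = defaultdict(list)
    for r in results:
        per_app[r["port"]].append(r)
    summary = {}
    for port, rs in per_app.items():
        avg_nrt = sum(r["nrt"] for r in rs) / len(rs)
        avg_art = sum(r["art"] for r in rs) / len(rs)
        summary[port] = {"avg_nrt": round(avg_nrt, 3),
                         "avg_art": round(avg_art, 3),
                         "slow": avg_art > art_threshold}
    return summary


if __name__ == "__main__":
    txns = measure_transactions(PACKETS, {389, 80})
    for port, s in summarize(txns).items():
        print(port, s)
```

Run against the constructed log, port 389 shows a 4 ms network leg and an 846 ms application leg, which is the kind of verdict the feature gives: the LDAP server, not the network, is where the time goes. It is also why the original poster sees no process or packet detail; nothing in this computation needs the payload.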

  • Thanks for the reply. We didn't enable it at all but a SolarWinds partner Engineer did (and we weren't very happy as now we have WinPcap on all our systems which is not good for audit). What you have stated regarding the spanned ports makes much more sense as you are analyzing the backbone in such cases and the info there might prove useful at a high level. I'll remove that plugin from our estate.

  • Great answer Mark.  We use it selectively like you said to point us in the right direction as an early troubleshooting tool.

  • Hi shocko

    DPI is a broad term in today's world in my opinion. It covers everything from Wireshark to DPI within firewalls, and in these cases it is very useful.

    However, this discussion seems to be around DPI when it comes to traffic analysis. As per other replies, the SolarWinds implementation revolves around timing. I work for a company called NetFort and we have taken a different approach. In summary, we extract certain metadata from network traffic using DPI. Examples of metadata would be filenames (SMB or NFS), website names extracted from HTTP headers, SSL cert info, attachment names from SMTP traffic and SQL queries.

    This dashboard contains a few sample reports which use data derived from DPI. Click on the file share traffic (total) for example in the top middle report. The drill down here shows file names which have been captured using DPI technologies.

    http://demo2.netfort.com/Orion/SummaryView.aspx?ViewKey=Network%20Top%2010&AccountID=guest

    Another example of DPI in action is the Top Network Events Report. This is using IDS to check the payloads of traffic inside a network for any suspicious content. This is our approach when it comes to DPI, take a look at the traffic which we source via a SPAN, Mirror Port or TAP so you can see what is happening inside your network. Analysing this internal traffic will help you find anomalies or the reason why things happen.

    Darragh
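Darragh's reply describes the other kind of DPI: pulling metadata (website names from HTTP headers, attachment names from SMTP, SQL queries) out of payloads seen on a SPAN, mirror port or TAP. The following is an added example, not NetFort or SolarWinds code, that implements three of those extractors over constructed payloads: the HTTP Host header, attachment filenames from MIME Content-Disposition headers in an SMTP message body, and the query text of a MySQL COM_QUERY client packet. Port-based dispatch stands in for the flow classification a real probe would do, and the sample payloads are hand-written, not captured traffic.

```python
"""Payload metadata extraction (added example, not a vendor implementation)."""
import re


def http_host(payload: bytes):
    """Return the Host header of an HTTP/1.x request, or None if not a request."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or len(lines[0].split(b" ")) != 3:   # "METHOD /path HTTP/1.x"
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


# filename="a.xlsx" or filename=a.xlsx; stops at quote, semicolon or line end
_FILENAME_RE = re.compile(rb'filename="?([^";\r\n]+)"?', re.IGNORECASE)


def smtp_attachment_names(payload: bytes):
    """Return filenames from 'Content-Disposition: attachment' MIME headers."""
    names = []
    for line in payload.split(b"\r\n"):
        lower = line.lower()
        if lower.startswith(b"content-disposition:") and b"attachment" in lower:
            m = _FILENAME_RE.search(line)
            if m:
                names.append(m.group(1).decode("utf-8", "replace"))
    return names


def mysql_query(payload: bytes):
    """Return the SQL text of a MySQL COM_QUERY (0x03) client packet, or None.

    Wire layout: 3-byte little-endian payload length, 1-byte sequence id,
    then the command byte followed by the query text.
    """
    if len(payload) < 5:
        return None
    length = int.from_bytes(payload[:3], "little")
    if payload[4] != 0x03 or len(payload) < 4 + length:
        return None
    return payload[5:4 + length].decode("utf-8", "replace")


# Dispatch on destination port, standing in for a probe's flow classifier.
EXTRACTORS = {80: http_host, 25: smtp_attachment_names, 3306: mysql_query}


def extract(dport: int, payload: bytes):
    fn = EXTRACTORS.get(dport)
    return fn(payload) if fn else None


def _mysql_packet(query: bytes) -> bytes:
    """Build a COM_QUERY packet for the constructed sample (seq id 0)."""
    return (len(query) + 1).to_bytes(3, "little") + b"\x00" + b"\x03" + query


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    (80, b"GET /login HTTP/1.1\r\nHost: intranet.example.test\r\n"
         b"User-Agent: x\r\n\r\n"),
    (25, b"From: a@example.test\r\nContent-Type: multipart/mixed; boundary=b1\r\n"
         b"\r\n--b1\r\nContent-Disposition: attachment; filename=\"payroll.xlsx\"\r\n"
         b"\r\n...\r\n--b1--\r\n"),
    (3306, _mysql_packet(b"SELECT * FROM users")),
]


def run_all(samples=SAMPLES):
    """Return (port, extracted metadata) for every sample payload."""
    return [(port, extract(port, payload)) for port, payload in samples]


if __name__ == "__main__":
    for port, meta in run_all():
        print(port, meta)
```

Each extractor returns None or an empty list on input that is not the protocol it expects, which matters on a SPAN feed where port and protocol do not always agree. The records it produces (who fetched which host, which attachment left over SMTP, which query hit the database) are the kind of detail the original question found missing from timing-only output.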

  • Hi Sir,

    Can you please let me know if SolarWinds has this feature currently for DPI?

  • Hi Darragh, can you please let me know more about NetFort along with DPI. Does it have the feature of all the Network monitoring statistics as well?

    For example: SMPP, SMTP, HTTP, TCP