4 Replies Latest reply on Oct 24, 2017 4:54 AM by darragh.delaney

    Usefulness of Deep Packet Inspection (DPI)

    shocko

Guys, can anyone give me a real world example of the usefulness of DPI? An engineer enabled it across the board on our agents but the info it provides to my eye is pretty useless. It seems to tell you things like 'traffic to Active Directory is slow' but so what! No detail on what process, what type of packet etc. Seems useless. I used Splunk Stream and it's free and much more powerful. Maybe I'm missing something?

        • Re: Usefulness of Deep Packet Inspection (DPI)
          Mark Roberts

          First of all, you do not need the Quality of Experience functionality enabled on all your agents. QoE should be used in locations where you wish to analyse the performance of the traffic flowing over it; either as a spanned port on a switch or installed directly on an end point server that provides the service.


          As far as the use of the Orion DPI capabilities, it is NOT designed to perform true DPI, rather to measure the performance of packets based on the timings of the returned packets to help identify issues related to the network or application responsiveness. While you can create new HTTP based application entities and update mapped network port traffic to traffic categories, for now that is not something you can use as a security tool.


          I cannot speak for SolarWinds' future plans, but that is it for current usage of the DPI feature (QoE) for now.

          1 of 1 people found this helpful
          • Re: Usefulness of Deep Packet Inspection (DPI)
            darragh.delaney

            Hi shocko

DPI is a broad term in today's world in my opinion. It covers everything from Wireshark to DPI within firewalls, and in these cases it is very useful.


However, this discussion seems to be around DPI when it comes to traffic analysis. As per other replies, the SolarWinds implementation revolves around timing. I work for a company called NetFort and we have taken a different approach. In summary, we extract certain metadata from network traffic using DPI. Examples of metadata would be filenames (SMB or NFS), website names extracted from HTTP headers, SSL cert info, attachment names from SMTP traffic and SQL queries.


This dashboard contains a few sample reports which use data derived from DPI. Click on the file share traffic (total), for example, in the top middle report. The drill down here shows file names which have been captured using DPI technologies.


            http://demo2.netfort.com/Orion/SummaryView.aspx?ViewKey=Network%20Top%2010&AccountID=guest


Another example of DPI in action is the Top Network Events Report. This is using IDS to check the payloads of traffic inside a network for any suspicious content. This is our approach when it comes to DPI: take a look at the traffic, which we source via a SPAN, mirror port or TAP, so you can see what is happening inside your network. Analysing this internal traffic will help you find anomalies or the reason why things happen.


            Darragh
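The two styles of "DPI" the replies contrast, timing-based (request to first response byte, as in the QoE description) and metadata-based (pulling the website name out of HTTP headers, as in the NetFort reply), side by side over a constructed capture. This is an added example, not code from the thread or from either vendor's product; the `Packet` type, the hosts and paths, and the sample packets are all made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    ts: float      # capture timestamp in seconds (constructed)
    src: str
    dst: str
    payload: bytes

def http_request_metadata(payload: bytes) -> Optional[tuple]:
    """Metadata-style DPI: pull (method, host, path) out of an HTTP/1.x request."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return (parts[0].decode("ascii", "replace"), host,
            parts[1].decode("ascii", "replace"))

def report(packets, slow_after=0.5):
    """Timing-style DPI (request -> first response byte) joined with the request
    metadata, so a 'slow' verdict also names the client, host and path involved."""
    pending, rows = {}, []
    for p in packets:
        meta = http_request_metadata(p.payload)
        if meta:
            pending.setdefault((p.src, p.dst), (p.ts, meta))
        elif p.payload.startswith(b"HTTP/1."):
            flow = (p.dst, p.src)           # a response travels server -> client
            if flow in pending:
                t0, (method, host, path) = pending.pop(flow)
                rt = round(p.ts - t0, 3)
                rows.append({"client": flow[0], "server": flow[1], "host": host,
                             "method": method, "path": path,
                             "response_s": rt, "slow": rt > slow_after})
    return rows

CAPTURE = [  # constructed sample packets, not a real capture
    Packet(0.000, "10.0.0.5", "10.0.0.20", b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Packet(0.012, "10.0.0.20", "10.0.0.5", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    Packet(1.000, "10.0.0.7", "10.0.0.20", b"POST /api/query HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Packet(1.850, "10.0.0.20", "10.0.0.7", b"HTTP/1.1 500 Internal Server Error\r\n\r\n"),
    Packet(2.000, "10.0.0.5", "10.0.0.20", b"\x16\x03\x01\x00\xa5"),  # TLS bytes: no HTTP metadata
]
```

Run `report(CAPTURE)` to see that the second request is flagged slow together with its host and path, which is exactly the detail the opening post found missing from a bare "traffic to X is slow" verdict.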