The Ever-Present Need for Deep Packet Inspection

05 August 2020

Read Time: 4 minutes

TL;DR: Deep packet inspection (DPI) lets security teams see into packets of data. But without total visibility into the details of each packet, this analysis is incomplete. Now there's a way to decrypt modern encrypted traffic safely and securely for true inspection.


You’re probably familiar with Deep Packet Inspection (DPI). Also known as payload inspection or full packet inspection, DPI allows security and DevOps teams to look at the details of data inside packets traversing their networks. These packets -- small chunks of data -- can range in size between 64 to jumbo frames up to 9,000 bytes. 

How is a packet transmitted on the wire? A network packet is like a package you receive from an overnight delivery service. When you address that physical package, you include your address (the sender) as well as the address of the person you’re shipping it to. Likewise, every packet in a network has a source address (the sender) and a destination address (the receiver). Once the package is labeled appropriately, it goes into transit, ultimately reaching its destination. Even when using an overnight delivery service, it takes up to 24 hours to be delivered. In our digital world, we call this “latency.” Packets, while near instant in their digital travel, still require a few to several hundred milliseconds to reach their destinations where they can be inspected. 

Why do security teams need to inspect the details of the packets on their networks?Screen Shot 2020-08-05 at 8.52.38 AM

Having total visibility into network traffic has never been more important. Because of the convergence of networking and cybersecurity, and an increased adoption of cloud services, security teams need to “see” the details of packets to ensure their networks function properly.

Decrypting packets enables security analysts to: 

  • Have enhanced detection of security threats.
  • Identify normal patterns and anomalies that could indicate malicious behavior.
  • Eliminate downtime and impaired network performance.
  • Access application level visibility, bandwidth, performance and quality of service analysis
  • Enhance the ability to diagnose and mitigate problems.

How Does Packet Inspection Work?

Innovation in technology enabled deep packet inspection. 

Examining the to/from information on the package’s address label doesn’t give the security team adequate information. Analysts need to go a layer deeper. Opening the package enables security analysts to perform deep packet inspection -- as long as that information is not encrypted. 

Since the vast majority of data traveling the network today is now encrypted (over 90% by some estimates), many enterprise network managers must go the extra mile to decrypt traffic before it can be inspected. Nubeva developed a new, breakthrough method of decryption that enables users to easily deploy, discover, deliver and decrypt traffic - providing total visibility into each packet. The solution leverages signature-based memory hunt rules that let Nubeva’s read-only sensors discover each session’s symmetric encryption key. Read more about this new Symmetric Key Intercept technology in our white paper. Keys are retrieved and then securely delivered to the decryptor - either Nubeva’s own software based decryptor or any commercial decryptor that can perform pure, symmetric decryption if it has the key. Or, symmetric keys can be delivered and securely stored in a key depot for as long as needed. Decryptors can then perform secure pull requests for specific keys from the key depot, enabling parallel decryption in multiple DPI, monitoring, and compliance tools at once.

Once the packets are fully decrypted, IT teams can perform deep packet inspection to  ensure their networks are secure. They can thoroughly examine network traffic patterns. They can use algorithms, heuristics, and pattern matching to detect potential malicious behavior on the network and stop it before a threat is carried out to completion.

In addition, DPI can provide application visibility. On a corporate network, application visibility can help DevOps ensure quality of service, monitor utilization and identify anomalies. Similarly, for security teams, DPI enables rapid identification of threats buried in encryption and hiding in nested payloads. Application visibility allows users to closely monitor for dangerous websites and applications along with suspicious traffic behavior.

In summary, security and DevOps must recognize that deep packet inspection is the missing element needed to provide the visibility that’s required in today’s networks. The old methods of inspecting network traffic via header information alone no longer serves a purpose if your ultimate goal is security. 

As encryption and obfuscation are becoming more prevalent, adding a software solution to the network that allows decryption -- and ultimately total visibility into all traffic -- is the logical next step. Visibility into packet payloads open a new window into network data, enabling:

  • The detection of malicious content
  • Application-specific issues
  • Elimination of blind spots 
  • The collection of vital  information on applications and protocols for proper classification

Want more information on how to get total visibility into your network traffic so you can perform meaningful deep packet inspection? Contact us here: