Understanding Deep Packet Inspection Once and For All

Featured Article by Rob Hock, Group Product Manager, SolarWinds

Today’s IT is one of convergence, applications and a demand for constant availability. And when it comes to downtime, all of these elements combined with the fact that many new applications are being provisioned with SaaS providers have created the perfect storm for IT pros tasked with getting to the root of problems and keeping business running. The question, “Is it the network or the app?” has never been more critical, nor more difficult to answer.

Every day, network engineers and systems administrators point their fingers and blame the other for poor application performance and user experience. System administrators staunchly proclaim, “It’s the network!” While network administrators counter, “No, it’s the application!” This is unproductive and only serves to delay finding a resolution that gets business back on track.

One potential solution is deep packet inspection (DPI)—sometimes called packet-level analysis or just packet analysis. However, DPI isn’t as well understood as it needs to be in today’s increasingly application-centric IT, and also bears the burden of a few misconceptions. For example, many hear “DPI” and think of a complicated and/or expensive tool that while possibly valuable, is out of reach due to skill or budget limitations.

However, a better understanding of what modern DPI is and how it figures into the current and future IT environment can prove invaluable in putting an end to the IT blame game.

What is DPI?

DPI involves capturing and inspecting network traffic packets that flow between a client and a server. By inspecting and interpreting network data flows at the packet level, a wealth of performance related information can be gleaned, including: network response time, propagation delays (including network routing and geographical distance), serialization delays across WAN links and queuing delays in network devices. Packet analysis can also identify all types and relative volumes of application traffic flowing over a network based on the host IP addresses, ports and protocols in use.

There have traditionally been two primary ways to accomplish this: network or packet sniffers and large DPI appliances. Each has its benefits, but each also has drawbacks, which in no small part have led to the cost and complexity misconceptions mentioned above.

For example, while sniffer tools are very useful—and inexpensive or even free—they require a certain skillset to use and by their very nature are limited in capability and typically only used as a utility on an ad-hoc basis, rather than as a proactive monitoring solution. On the other hand, the specialized, appliance-based DPI tools are much more suited to provide the kind of constant monitoring needed in today’s application-centric IT, but are very expensive and require extensive expertise in order to maximize the capabilities and get a return on investment.

To fill the void between sniffers and expensive specialized appliances, a third category of DPI solution has recently emerged. This new category combines infrastructure monitoring and DPI into a single software package, enabling front-line network and systems engineers to more easily gather and understand packet-level information in the same pane of glass as the rest of their infrastructure monitoring, without the need for appliances.

How does DPI fit into the current and future IT environment?

Today’s end users are increasingly—if not completely—reliant on applications to perform their jobs, meaning subpar application availability and performance almost always leads to lost productivity and reduced revenue. And applications are only going to get more complex.

Already we have applications that are essentially invisible from typical flow-related reporting and will show up on networks as unknown or simply as Web traffic; communication applications such as Skype are a good example. To identify and accept these applications, a more powerful solution like DPI is needed to look at the payload of data, determine the application is valid and apply various metrics.

Not only are applications themselves becoming more difficult to identify and manage, but as more organizations move to hybrid and cloud environments, communication between different layers of the application may exist outside of the corporate firewall environment. Add to this the increased mobile device usage, which means decreased visibility into performance requirements of non-corporate devices. With DPI, IT can gain greater visibility into the complicated network environment between these endpoints, and will be able to ensure IT performance despite these new hurdles.

In summary, applications are placing more demands on networks than ever before, increasing traffic and requiring IT to get smarter about how to manage them and deal with problems when they arise; the blame game was never and will never be a good approach. With DPI, engineers and administrators have the ability to go above and beyond network fault and availability monitoring to quickly identify, classify and analyze what’s causing a poor application performance and user experience without the finger pointing.

Robert Hock is a group product manager at SolarWinds, an IT performance management software provider based in Austin, Texas. In this role, Hock drives the strategic direction of the company’s industry-leading network management product portfolio.