Deep packet inspection
==Background==
DPI technology has a long and technologically advanced history, starting in the 1990s, before it entered what are seen today as common, mainstream deployments. The technology traces its roots back over 30 years, when many of the pioneers contributed their inventions for use among industry participants, for example through common standards and early tools such as the following:
*[[RMON]]
*[[Sniffer (protocol analyzer)|Sniffer]]
*[[Wireshark]]

Essential DPI functionality includes analysis of packet headers and protocol fields. For example, [[Wireshark]] offers essential DPI functionality through its numerous dissectors, which display field names and content and, in some cases, offer interpretation of field values.

Some security solutions that offer DPI combine the functionality of an [[intrusion detection system]] (IDS) and an [[intrusion prevention system]] (IPS) with a traditional [[stateful firewall]].<ref name="Dubrawsky2003">{{cite web|url=http://www.securityfocus.com/infocus/1716|title=Firewall Evolution - Deep Packet Inspection|website=[[SecurityFocus]].com|author=Ido Dubrawsky|date=2003-07-29|access-date=2008-03-02}}</ref> This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on their own. Stateful firewalls, while able to see the beginning and end of a packet flow, cannot on their own catch events that would be out of bounds for a particular application. While IDSs are able to detect intrusions, they have very little capability to block such an attack. DPI is used to block viruses and worms at wire speed. More specifically, DPI can be effective against buffer overflow attacks, [[denial-of-service attack]]s (DoS), sophisticated intrusions, and the small percentage of worms that fit within a single packet.<ref>{{Cite web|last=Khachatryan|first=Artavazd|date=2020-02-01|title=100Gbps Network DPI, Content Extraction on Xilinx's FPGA|url=https://medium.com/grovf/100gbps-network-dpi-content-extraction-on-xilinxs-fpga-2996d661042a|access-date=2020-10-23|website=Medium|language=en}}</ref>

DPI-enabled devices have the ability to look at Layer 2 and beyond Layer 3 of the [[OSI model]]. In some cases, DPI can be invoked to look through Layers 2 to 7 of the OSI model. This includes headers and data protocol structures as well as the payload of the message. DPI functionality is invoked when a device looks at, or takes other action based on, information beyond Layer 3 of the OSI model. DPI can identify and classify traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information. End points can use [[encryption]] and obfuscation techniques to evade DPI actions in many cases. A classified packet may be redirected, marked/tagged (see [[quality of service]]), blocked, rate limited, and of course reported to a reporting agent in the network. In this way, HTTP errors of different classifications may be identified and forwarded for analysis. Many DPI devices can identify packet flows (rather than performing packet-by-packet analysis), allowing control actions based on accumulated flow information.<ref>Moscola, James, et al. "Implementation of a content-scanning module for an internet firewall." Field-Programmable Custom Computing Machines, 2003. FCCM 2003. 11th Annual IEEE Symposium on. IEEE, 2003.</ref>
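The following added example (not part of the article or of any DPI product) illustrates the distinction drawn above between header-only classification and payload-based classification with per-flow state and control actions. It parses a constructed IPv4/TCP packet, classifies it once from the Layer 4 port and once from a hypothetical signature database matched against the data part, tracks the result per flow, and maps the classification to a placeholder policy action; the signature patterns, policy table and function names are all assumptions for the example.

```python
import struct
from collections import defaultdict

# Constructed signature database (placeholder patterns, not real IDS rules), matched
# against the data part of the packet rather than its headers.
SIGNATURES = [("http", b"GET "), ("http", b"HTTP/1."), ("bittorrent", b"\x13BitTorrent protocol")]
# Hypothetical control action per classification, applied per flow as a DPI device would.
POLICY = {"http": "allow", "bittorrent": "rate-limit", "unknown": "report"}

def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Construct a minimal IPv4/TCP packet (checksums zeroed) as sample input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def parse_ipv4_tcp(frame):
    """Layer 3/4 parsing: return (5-tuple, Layer 7 payload), or None if not TCP."""
    ihl = (frame[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if frame[9] != 6:                           # IPv4 protocol field: 6 = TCP
        return None
    sport, dport, _, _, off = struct.unpack("!HHIIB", frame[ihl:ihl + 13])
    payload = frame[ihl + (off >> 4) * 4:]      # TCP data offset counts 32-bit words
    return (frame[12:16], frame[16:20], 6, sport, dport), payload

def classify_by_header(five_tuple):
    """Header-only classification, as a stateful firewall would do: trust the port."""
    return "http" if five_tuple[4] == 80 else "unknown"

def classify_by_payload(payload):
    """DPI classification: match the data part against the signature database."""
    for name, pattern in SIGNATURES:
        if pattern in payload:
            return name
    return "unknown"

class FlowInspector:
    """Keeps per-flow state so one classified packet decides the action for the flow."""
    def __init__(self):
        self.flows = defaultdict(lambda: {"class": "unknown", "bytes": 0})
    def inspect(self, frame):
        """Return (action, classification) for this packet using accumulated flow state."""
        parsed = parse_ipv4_tcp(frame)
        if parsed is None:
            return "report", "non-tcp"
        key, payload = parsed
        flow = self.flows[key]
        flow["bytes"] += len(frame)
        if flow["class"] == "unknown" and payload:   # first payload-bearing packet decides
            flow["class"] = classify_by_payload(payload)
        return POLICY[flow["class"]], flow["class"]
```

A peer-to-peer handshake sent to port 80 is reported as HTTP by the port check but as BitTorrent by the payload check, while an encrypted payload matches no signature and stays unknown, which is the evasion the section mentions.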