Editing Deep packet inspection

{{Short description|Procedures examining network data}}
{{globalize|date=February 2018}}
{{Net neutrality}}

'''Deep packet inspection''' ('''DPI''') is a type of data processing that inspects in detail the data ([[Network packet|packet]]s) being sent over a [[computer network]], and may take actions such as alerting, blocking, re-routing, or logging it accordingly. Deep packet inspection is often used for baselining application behavior, analyzing network usage, troubleshooting network performance, ensuring that data is in the correct format, checking for malicious code, [[Man-in-the-middle attack|eavesdropping]], and [[internet censorship]],<ref>Duncan Geere, https://www.wired.co.uk/article/how-deep-packet-inspection-works</ref> among other purposes.<ref>{{cite journal|first1=Sarang|last1=Dharmapurikarg|first2=Praveen|last2=Krishnamurthy|first3=Todd|last3=Sproull|first4=John|last4=Lockwood|title=Deep packet inspection using parallel bloom filters|journal=11th Symposium on High Performance Interconnects}}</ref> There are multiple headers for [[Internet Protocol|IP packets]]; network equipment only needs to use the first of these (the [[IPv4 header|IP header]]) for normal operation, but use of the second header (such as [[IPv4#Data|TCP or UDP]]) is normally considered to be shallow packet inspection (usually called [[stateful packet inspection]]) despite this definition.<ref name=Porter2005>{{cite web|url=http://www.securityfocus.com/infocus/1817|title=The Perils of Deep Packet Inspection|website=[[SecurityFocus]].com|author=Thomas Porter|date=2005-01-11|access-date=2008-03-02}}</ref>

There are multiple ways to acquire packets for deep packet inspection. Using [[port mirroring]] (sometimes called [[Span Port]]) is a very common way, as well as physically inserting a [[network tap]] which duplicates and sends the data stream to an analyzer tool for inspection.

Deep Packet Inspection (and filtering) enables advanced [[network management]], user service, and [[information security|security]] functions as well as internet [[data mining]], [[eavesdropping]], and [[internet censorship]]. Although DPI has been used for Internet management for many years, some advocates of [[Network neutrality|net neutrality]] fear that the technique may be used anticompetitively or to reduce the openness of the Internet.<ref name=Lewis2009>{{cite web|url=https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2009/ledeen-lewis_200903|title=Just Deliver the Packets, in: "Essays on Deep Packet Inspection", Ottawa|website=Office of the [[Privacy Commissioner of Canada]]|author1=Hal Abelson|author2=Ken Ledeen|author3=Chris Lewis|year=2009|access-date=2010-01-08}}</ref>

DPI is used in a wide range of applications, at the so-called "enterprise" level (corporations and larger institutions), in telecommunications service providers, and in governments.<ref name=Bendrath2009>{{cite web|url=http://userpage.fu-berlin.de/~bendrath/Paper_Ralf-Bendrath_DPI_v1-5.pdf|title=Global technology trends and national regulation: Explaining Variation in the Governance of Deep Packet Inspection, Paper presented at the International Studies Annual Convention, New York City, 15–18 February 2009|publisher=[[International Studies Association]]|author=Ralf Bendrath|date=2009-03-16|access-date=2010-01-08}}</ref>

==Background==
DPI technology has a long and technologically advanced history, starting in the 1990s, before the technology entered what is seen today as common, mainstream deployments. The technology traces its roots back over 30 years, when many of the pioneers contributed their inventions for use among industry participants, such as through common standards and early innovation, such as the following:

*[[RMON]]
*[[Sniffer (protocol analyzer)|Sniffer]]
*[[Wireshark]]

Essential DPI functionality includes analysis of packet headers and protocol fields. For example, [[Wireshark]] offers essential DPI functionality through its numerous dissectors that display field names and content and, in some cases, offer interpretation of field values.

Some security solutions that offer DPI combine the functionality of an [[intrusion detection system]] (IDS) and an [[intrusion prevention system]] (IPS) with a traditional [[stateful firewall]].<ref name="Dubrawsky2003">{{cite web|url=http://www.securityfocus.com/infocus/1716|title=Firewall Evolution - Deep Packet Inspection|website=[[SecurityFocus]].com|author=Ido Dubrawsky|date=2003-07-29|access-date=2008-03-02}}</ref> This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on their own. Stateful firewalls, while able to see the beginning and end of a packet flow, cannot catch events on their own that would be out of bounds for a particular application. While IDSs are able to detect intrusions, they have very little capability in blocking such an attack. DPIs are used to prevent attacks from viruses and worms at wire speeds. More specifically, DPI can be effective against buffer overflow attacks, [[denial-of-service attack]]s (DoS), sophisticated intrusions, and a small percentage of worms that fit within a single packet.<ref>{{Cite web|last=Khachatryan|first=Artavazd|date=2020-02-01|title=100Gbps Network DPI, Content Extraction on Xilinx's FPGA|url=https://medium.com/grovf/100gbps-network-dpi-content-extraction-on-xilinxs-fpga-2996d661042a|access-date=2020-10-23|website=Medium|language=en}}</ref>

DPI-enabled devices have the ability to look at Layer 2 and beyond Layer 3 of the [[OSI model]]. In some cases, DPI can be invoked to look through Layer 2-7 of the OSI model. This includes headers and data protocol structures as well as the payload of the message. DPI functionality is invoked when a device looks or takes other action based on information beyond Layer 3 of the OSI model. DPI can identify and classify traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information. End points can utilize [[encryption]] and obfuscation techniques to evade DPI actions in many cases.

A classified packet may be redirected, marked/tagged (see [[quality of service]]), blocked, rate limited, and of course, reported to a reporting agent in the network. In this way, HTTP errors of different classifications may be identified and forwarded for analysis. Many DPI devices can identify packet flows (rather than packet-by-packet analysis), allowing control actions based on accumulated flow information.<ref>Moscola, James, et al. "Implementation of a content-scanning module for an internet firewall." Field-Programmable Custom Computing Machines, 2003. FCCM 2003. 11th Annual IEEE Symposium on. IEEE, 2003.</ref>

==At the enterprise level==
Initially [[Network security|security]] at the enterprise level was just a perimeter discipline, with a dominant philosophy of keeping unauthorized users out, and shielding authorized users from the outside world. The most frequently used tool for accomplishing this has been a stateful firewall. It can permit fine-grained control of access from the outside world to pre-defined destinations on the internal network, as well as permitting access back to other hosts only if a request to the outside world has been made previously.<ref name=Amir2007>{{cite web|url=http://www.itbusinessedge.com/item/?ci=35275|title=The Case for Deep Packet Inspection|website=itbusinessedge.com|author=Elan Amir|date=2007-10-29|access-date=2008-03-02|archive-date=2008-02-04|archive-url=https://web.archive.org/web/20080204203837/http://www.itbusinessedge.com/item/?ci=35275|url-status=dead}}</ref>

Vulnerabilities exist at network layers, however, that are not visible to a stateful firewall. Also, an increase in the use of laptops in enterprise makes it more difficult to prevent threats such as [[Computer virus|viruses]], [[Computer worm|worms]], and [[spyware]] from penetrating the corporate network, as many users will connect the laptop to less-secure networks such as home [[broadband]] connections or wireless networks in public locations. Firewalls also do not distinguish between permitted and forbidden uses of legitimately-accessed applications. DPI enables IT administrators and security officials to set policies and enforce them at all layers, including the application and user layer to help combat those threats.<ref>{{Cite journal|date=2020-01-15|title=ACoPE: An adaptive semi-supervised learning approach for complex-policy enforcement in high-bandwidth networks|url=https://www.sciencedirect.com/science/article/abs/pii/S1389128619304074|journal=Computer Networks|language=en|volume=166|pages=106943|doi=10.1016/j.comnet.2019.106943|issn=1389-1286|last1=Noferesti|first1=Morteza|last2=Jalili|first2=Rasool|s2cid=208094726}}</ref><ref>{{Cite web|website=[[TechTarget]].com|title=firewall|url=https://searchsecurity.techtarget.com/definition/firewall}}</ref>

Deep Packet Inspection is able to detect a few kinds of [[buffer overflow#Deep packet inspection|buffer overflow]] attacks.

DPI may be used by enterprise for [[Data Leak Prevention]] (DLP). When an e-mail user tries to send a protected file, the user may be given information on how to get the proper clearance to send the file.<ref>{{Cite book|last1=Tahboub|first1=Radwan|last2=Saleh|first2=Yousef|date=January 2014|title= 2014 World Congress on Computer Applications and Information Systems (WCCAIS)|chapter=Data Leakage/Loss Prevention Systems (DLP) |chapter-url=https://ieeexplore.ieee.org/document/6916624 |pages=1–6|doi=10.1109/WCCAIS.2014.6916624|s2cid=1022898}}</ref>{{Examples|date=December 2011}}{{Clarify|date=August 2010}}

==At network/Internet service providers==
In addition to using DPI to secure their internal networks, [[Internet service provider]]s also apply it on the public networks provided to customers. Common uses of DPI by ISPs are [[wiretapping|lawful intercept]], [[Network security policy|policy definition and enforcement]], [[targeted advertising]], [[quality of service]], offering tiered services, and [[copyright]] enforcement.

===Lawful interception===
Service providers are required by almost all governments worldwide to enable [[Lawful interception|lawful intercept]] capabilities. Decades ago{{when|date=November 2024}} in a legacy telephone environment, this was met by creating a [[traffic access point]] (TAP) using an [[intercepting proxy server]] that connects to the government's surveillance equipment. The acquisition component of this functionality may be provided in many ways, including DPI, DPI-enabled products that are "LI or [[Communications Assistance for Law Enforcement Act|CALEA]]-compliant" can be used – when directed by a court order – to access a user's datastream.<ref name=Anderson2007>{{cite web|url=https://arstechnica.com/articles/culture/Deep-packet-inspection-meets-net-neutrality.ars|title=Deep Packet Inspection meets 'Net neutrality, CALEA|website=[[Ars Technica]]|author=Nate Anderson|date=2007-07-25|access-date=2006-02-06}}</ref>

===Policy definition and enforcement===
Service providers obligated by the [[service-level agreement]] with their customers to provide a certain level of service and at the same time, enforce an [[acceptable use policy]], may make use of DPI to implement certain policies that cover copyright infringements, illegal materials, and unfair use of [[Bandwidth (computing)|bandwidth]]. In some countries the ISPs are required to perform filtering, depending on the country's laws. DPI allows service providers to "readily know the packets of information you are receiving online—from e-mail, to websites, to sharing of music, video and software downloads".<ref name=Chester2006>{{cite web|url=http://www.thenation.com/doc/20060213/chester|title=The End of the Internet?|website=[[The Nation]]|author=Jeff Chester|date=2006-02-01|access-date=2006-02-06}}</ref> Policies can be defined that allow or disallow connection to or from an IP address, certain protocols, or even [[Heuristic (computer science)|heuristics]] that identify a certain application or behavior.

===Targeted advertising===
Because ISPs route the traffic of all of their customers, they are able to monitor web-browsing habits in a very detailed way allowing them to gain information about their customers' interests, which can be used by companies specializing in targeted advertising. At least 100,000 United States customers are tracked this way, and as many as 10% of U.S. customers have been tracked in this way.<ref name=wapo/> Technology providers include [[NebuAd]], [https://www.frontporch.com/ Front Porch], and [[Phorm]]. U.S. ISPs [[Network monitoring|monitoring]] their customers include [[Knology]]<ref>{{cite web|url=http://connect.charter.com/landing/op1.html|title=Charter Communications: Enhanced Online Experience|access-date=2008-05-14}}</ref> and [[Wide Open West]]. In addition, the United Kingdom ISP [[British Telecom]] has admitted testing solutions from Phorm without their customers' knowledge or consent.<ref name=wapo>{{cite news|url=https://www.washingtonpost.com/wp-dyn/content/article/2008/04/03/AR2008040304052.html|title=Every Click You Make: Internet Providers Quietly Test Expanded Tracking of Web Use to Target Advertising|date=2008-04-04|author=Peter Whoriskey|access-date=2008-04-08|newspaper=The Washington Post}}</ref>

===Quality of service===
DPI can be used against [[net neutrality]].

Applications such as [[peer-to-peer]] (P2P) traffic present increasing problems for broadband service providers. Typically, P2P traffic is used by applications that do file sharing. These may be any kind of files (i.e. documents, music, videos, or applications). Due to the frequently large size of media files being transferred, P2P drives increasing traffic loads, requiring additional network capacity. Service providers say a minority of users generate large quantities of P2P traffic and degrade performance for the majority of broadband subscribers using applications such as e-mail or Web browsing which use less bandwidth.<ref>{{cite web|url=http://www.lightreading.com/insider/details.asp?sku_id=1221&skuitem_itemid=957|title=Deep Packet Inspection: Taming the P2P Traffic Beast|website=[[Light Reading]]|access-date=2008-03-03|archive-url=https://web.archive.org/web/20080302113455/http://www.lightreading.com/insider/details.asp?sku_id=1221&skuitem_itemid=957|archive-date=2008-03-02|url-status=dead}}</ref> Poor network performance increases customer dissatisfaction and leads to a decline in service revenues.

DPI allows the operators to oversell their available bandwidth while ensuring equitable bandwidth distribution to all users by preventing network congestion. Additionally, a higher priority can be allocated to a VoIP or video conferencing call which requires low latency versus web browsing which does not.<ref>{{cite web|url=http://www.computerworld.com/article/2541004/networking/ball-state-uses-deep-packet-inspection-to-ensure-videoconferencing-performance.html|title=Ball State uses Deep Packet Inspection to ensure videoconferencing performance|date=2007-09-17|website=[[computerworld]].com|author=Matt Hamblen|access-date=2008-03-03}}</ref> This is the approach that service providers use to dynamically allocate bandwidth according to traffic that is passing through their networks.

===Tiered services===
Mobile and broadband service providers use DPI as a means to implement tiered service plans, to differentiate "[[walled garden (technology)|walled garden]]" services from "value added", "all-you-can-eat" and "one-size-fits-all" data services.<ref>{{cite web|url=http://news.moneycentral.msn.com/ticker/article.aspx?Feed=PR&Date=20080205&ID=8139811&Symbol=ALLT|title=Allot Deploys DPI Solution at Two Tier 1 Mobile Operators to Deliver Value- Added and Tiered Service Packages|website=news.moneycentral.[[MSN]].com|date=2008-02-05|access-date=2008-03-03}}{{dead link|date=November 2016|bot=InternetArchiveBot|fix-attempted=yes}}</ref> By being able to charge for a "walled garden", per application, per service, or "all-you-can-eat" rather than a "one-size-fits-all" package, the operator can tailor their offerings to the individual subscriber and increase their [[average revenue per user]] (ARPU). A policy is created per user or user group, and the DPI system in turn enforces that policy, allowing the user access to different services and applications.

===Copyright enforcement===
ISPs are sometimes requested by [[copyright]] owners or required by courts or official policy to help enforce copyrights. In 2006, one of Denmark's largest ISPs, [[Tele2]], was given a court injunction and told it must block its customers from accessing [[The Pirate Bay]], a launching point for [[BitTorrent (protocol)|BitTorrent]].<ref>{{cite web|url=http://www.infoworld.com/article/08/02/13/Danish-ISP-prepares-to-fight-Pirate-Bay-injunction_1.html|title=Danish ISP prepares to fight Pirate Bay injunction|website=[[InfoWorld]].com|author=Jeremy Kirk|date=2008-02-13|access-date=2008-03-12|url-status=dead|archive-url=https://web.archive.org/web/20080214235115/http://www.infoworld.com/article/08/02/13/Danish-ISP-prepares-to-fight-Pirate-Bay-injunction_1.html|archive-date=2008-02-14}}</ref>

Instead of prosecuting file sharers one at a time,<ref>{{cite web|url=http://www.enn.ie/frontpage/news-9617239.html|archive-url=https://archive.today/20070814234157/http://www.enn.ie/frontpage/news-9617239.html|url-status=dead|archive-date=2007-08-14|title=Eircom and BT won't oppose music firms|website=enn.ie|author=Matthew Clark|date=2005-07-05|access-date=2008-03-12}}</ref> the [[International Federation of the Phonographic Industry]] (IFPI) and the big four record labels [[EMI]], [[Sony BMG]], [[Universal Music]], and [[Warner Music]] have sued ISPs such as [[Eircom]] for not doing enough about protecting their copyrights.<ref>{{cite web|url=https://arstechnica.com/news.ars/post/20080311-year-of-filters-turning-into-year-of-lawsuits-against-isps.html|title="Year of filters" turning into year of lawsuits against ISPs|website=[[Ars Technica]]|author=Eric Bangeman|date=2008-03-11|access-date=2008-03-12}}</ref> The IFPI wants ISPs to filter traffic to remove illicitly uploaded and downloaded copyrighted material from their network, despite European directive 2000/31/EC clearly stating that ISPs may not be put under a general obligation to monitor the information they transmit, and directive 2002/58/EC granting European citizens a right to privacy of communications.

The [[Motion Picture Association of America]] (MPAA), which aims to enforce movie copyrights, has taken the position with the [[Federal Communications Commission]] (FCC) that network neutrality could hurt anti-piracy techniques such as deep packet inspection and other forms of filtering.<ref>{{cite web|url=http://www.news.com/8301-10784_3-9746938-7.html|archive-url=https://archive.today/20130129180811/http://www.news.com/8301-10784_3-9746938-7.html|url-status=dead|archive-date=January 29, 2013|title=MPAA: Net neutrality could hurt antipiracy tech|website=[[CNET]] News|author=Anne Broach|date=2007-07-19|access-date=2008-03-12}}</ref>

===Statistics===
DPI allows ISPs to gather statistical information about use patterns by user group. For instance, it might be of interest whether users with a 2&nbsp;Mbit connection use the network in a dissimilar manner to users with a 5&nbsp;Mbit connection. Access to trend data also helps network planning.{{Clarify|date=December 2011}}<!--elucidate please, also wouldn't shallow packet inspection be sufficient?-->

==By governments==
{{See also|network surveillance|internet censorship}}
In addition to using DPI for the security of their own networks, governments in North America, Europe, and Asia use DPI for various purposes such as [[surveillance]] and [[censorship]]. Many of these programs are classified.<ref>{{cite web|url=http://www.networkworld.com/newsletters/isp/2007/0625isp1.html|title=OEM provider Bivio targets government market|website=[[NetworkWorld]].com|author=Carolyn Duffy Marsan|date=2007-06-27|access-date=2008-03-13|archive-date=2014-04-23|archive-url=https://web.archive.org/web/20140423063228/http://www.networkworld.com/newsletters/isp/2007/0625isp1.html|url-status=dead}}</ref>

===China===
{{Main|Internet censorship in the People's Republic of China|List of websites blocked in China}}

The Chinese government uses deep packet inspection to monitor and censor network traffic and content that it claims is harmful to Chinese citizens or state interests. This material includes pornography, information on religion, and political dissent.<ref>{{cite web|url=http://www.businessweek.com/technology/content/jan2006/tc20060112_434051.htm|title=The Great Firewall of China|website=[[Business Week]]|author1=Ben Elgin|author2=Bruce Einhorn|date=2006-01-12|access-date=2008-03-13|url-status=dead|archive-url=https://web.archive.org/web/20080228174845/http://www.businessweek.com/technology/content/jan2006/tc20060112_434051.htm|archive-date=2008-02-28}}</ref> Chinese network [[ISP]]s use DPI to see if there is any sensitive keyword going through their network. If so, the connection will be cut. People within China often find themselves blocked while accessing Web sites containing content related to [[Taiwan]]ese and [[Tibet]]an independence, [[Falun Gong]], the [[Dalai Lama]], the [[Tiananmen Square protests of 1989|Tiananmen Square protests and massacre of 1989]], political parties that oppose that of the ruling Communist party, or a variety of anti-Communist movements<ref>{{cite web|url=http://www.opennetinitiative.net/studies/china|title=Internet Filtering in China in 2004-2005: A Country Study|website=[[OpenNet Initiative]]|access-date=2008-03-13|archive-url=https://web.archive.org/web/20070928135524/http://www.opennetinitiative.net/studies/china|archive-date=2007-09-28|url-status=dead}}</ref> as those materials were signed as DPI sensitive keywords already. China previously blocked all VoIP traffic in and out of their country<ref>Guy Kewney, [https://www.theregister.co.uk/2005/09/12/china_blocks_skype/ China blocks Skype, VoIP, The Register, 2005]</ref> but many available VoIP applications now function in China. Voice traffic in [[Skype]] is unaffected, although text messages are subject to filtering, and messages containing sensitive material, such as curse-words, are simply not delivered, with no notification provided to either participant in the conversation. China also blocks visual media sites such as YouTube.com and various photography and blogging sites.<ref>{{cite web|url=http://www.pcworld.com/article/id,138599-c,sites/article.html|title=China Blocks YouTube, Restores Flickr and Blogspot|website=[[PC World]]|date=2007-10-18|access-date=2008-03-03|archive-date=2008-03-13|archive-url=https://web.archive.org/web/20080313102953/http://www.pcworld.com/article/id,138599-c,sites/article.html|url-status=dead}}</ref>

{|class="wikitable sortable" style=text-align:center
|+High-ranking websites blocked in mainland China using Deep Packet Inspection
|-
!Alexa rank!!Website!!Domain!!URL!!Category!!Primary language
|-
|1||[[Google]]||google.com||www.google.com||Worldwide Internet [[search engine]]||English
|-
|2||[[Facebook]]||facebook.com||www.facebook.com||[[Social network]]||English
|-
|3||[[YouTube]]||youtube.com||www.youtube.com||Video||English
|-
|6||[[Wikipedia]]||wikipedia.org||www.wikipedia.org||Free [[encyclopedia]]||English
|-
|557||[[Jehovah's Witnesses]]||jw.org||www.jw.org||Spiritual, [[Christianity]]||Multilingual
|-
|24693||[[OpenVPN]]||openvpn.net||www.openvpn.net||Avoidance of political internet censorship||English
|-
|33553||[[StrongVPN]]||strongvpn.com||www.strongvpn.com||Avoidance of political internet censorship||English
|-
|78873||[[Falun Dafa]]||falundafa.org||www.falundafa.org||Spiritual||English
|}

===Egypt===
Since 2015, Egypt reportedly started to join the list which was constantly being denied by the Egyptian National Telecom Regulatory Authority (NTRA) officials. However, it came to news when the country decided to block the encrypted messaging app [[Signal (messaging app)|Signal]] as announced by the application's developer.<ref>{{Cite web|url=https://www.engadget.com/2016/12/20/egypt-blocks-signal|title=Egypt has blocked encrypted messaging app Signal|date=18 July 2019 }}</ref>

In April 2017, all [[VoIP]] applications including [[FaceTime]], Facebook [[Facebook Messenger|Messenger]], [[Viber]], [[WhatsApp]] calls and Skype have been all blocked in the country.<ref>{{Cite web|website=[[HuffPost Arabi]]|url=http://www.huffpostarabi.com/2017/04/21/story_n_16149218.html|title=تعاني من مشكلة توقُّف خدمات الاتصال عبر الإنترنت في مصر…هذه هي أسباب الأزمة|access-date=2017-04-22|archive-url=https://web.archive.org/web/20170423151418/http://www.huffpostarabi.com/2017/04/21/story_n_16149218.html|archive-date=2017-04-23|url-status=dead}}</ref>

As of 2022, [[FaceTime]], Facebook [[Instant messenger|Messenger]] are unblocked.

===India===
{{Main|Internet censorship in India}}

The Indian ISP [[Jio]], which is also the largest network operator in India has been known to employ sophisticated DPI techniques like [[Server Name Indication|SNI]]-based filtering to enforce censorship.<ref>{{cite web |title=Reliance Jio is using SNI inspection to block websites — The Centre for Internet and Society |url=https://cis-india.org/internet-governance/blog/reliance-jio-is-using-sni-inspection-to-block-websites |access-date=13 November 2022 |website=cis-india.org}}</ref><ref>{{cite book |last1=Singh |first1=Kushagra |title=12th ACM Conference on Web Science |last2=Grover |first2=Gurshabad |last3=Bansal |first3=Varun |year=2020 |isbn=9781450379892 |pages=21–28 |language=en |chapter=How India Censors the Web |doi=10.1145/3394231.3397891 |access-date=13 November 2022 |chapter-url=https://www.arxiv-vanity.com/papers/1912.08590/ |arxiv=1912.08590 |s2cid=209405297}}</ref>

===Indonesia===
The Indonesian government via Telkom Indonesia,<ref>{{cite journal |last1=Thompson |first1=Nik |last2=McGill |first2=Tanya |last3=Khristianto |first3=Daniel Vero |title=Public Acceptance of Internet Censorship in Indonesia |journal=ACIS 2021 Proceedings |date=1 January 2021 |url=https://aisel.aisnet.org/acis2021/22 |access-date=21 August 2022}}</ref> supported by Cisco Meraki DPI technology, perform country-wide surveillance by the way of deep packet inspection,<ref>{{cite journal|last1=Tremblay|first1=Jessika|title=Internet Kampung: Community-based Internet in Post-Suharto Indonesia|journal=Indonesia |via=[[Project MUSE]] Johns Hopkins University |year=2018 |volume=105 |pages=97–125 |url=https://doi.org/10.1353/ind.2018.0004|doi=10.1353/ind.2018.0004|s2cid=158357806|hdl=1813/60028|hdl-access=free}}</ref> and map it into SSN/NIK (Nomor Induk Kependudukan) of its citizens that registered to the state-owned ISP. The purpose of deep packet inspection including filtering porn, hate speech, and reducing tension in West Papua.<ref>{{cite journal |last1=Wildana |first1=Faiq |title=An Explorative Study on Social Media Blocking in Indonesia |journal=The Journal of Society and Media |date=30 October 2021 |volume=5 |issue=2 |pages=456–484 |doi=10.26740/jsm.v5n2.p456-484 |s2cid=248056103 |language=en |issn=2580-1341|doi-access=free }}</ref> Indonesian Government planned to scale up the surveillance to next level until 2030.<ref>{{cite journal |last1=Paterson |first1=Thomas |title=Indonesian cyberspace expansion: a double-edged sword |journal=Journal of Cyber Policy |date=4 May 2019 |volume=4 |issue=2 |pages=216–234 |doi=10.1080/23738871.2019.1627476 |s2cid=197825581 |issn=2373-8871|doi-access=free }}</ref>

===Iran===
{{Main|Internet censorship in Iran}}

The Iranian government purchased a system, reportedly for deep packet inspection, in 2008 from Nokia Siemens Networks (NSN) (a joint venture [[Siemens]] AG, the German conglomerate, and [[Nokia]] Corp., the Finnish cell telephone company), now NSN is Nokia Solutions and Networks, according to a report in the ''Wall Street Journal'' in June, 2009, quoting NSN spokesperson Ben Roome.<ref>{{Cite journal |last=Christensen |first=Christian |date=2009-07-01 |title=Iran: Networked dissent |url=https://mondediplo.com/outsidein/iran-networked-dissent |journal=Le Monde Diplomatique 1}}</ref> According to unnamed experts cited in the article, the system "enables authorities to not only block communication but to monitor it to gather information about individuals, as well as alter it for disinformation purposes".

The system was purchased by the Telecommunication Infrastructure Co., part of the Iranian government's telecom monopoly. According to the ''Journal'', NSN "provided equipment to Iran last year under the internationally recognized concept of 'lawful intercept,' said Mr. Roome.{{citation needed|date=October 2017}} That relates to intercepting data for the purposes of combating terrorism, child pornography, drug trafficking, and other criminal activities carried out online, a capability that most if not all telecom companies have, he said.... The monitoring center that Nokia Siemens Networks sold to Iran was described in a company brochure as allowing 'the monitoring and interception of all types of voice and [[data communication]] on all networks.' The joint venture exited the business that included the monitoring equipment, what it called 'intelligence solution,' at the end of March, by selling it to Perusa<ref>{{cite web|url=http://www.perusa-partners.de/english/who_we_are.php|title=Perusa :: Who we are|work=perusa-partners.de|url-status=dead|archive-url=https://web.archive.org/web/20150924071637/http://www.perusa-partners.de/english/who_we_are.php|archive-date=2015-09-24}}</ref> Partners Fund 1 LP, a [[Munich]]-based investment firm, Mr. Roome said. He said the company determined it was no longer part of its core business.{{citation needed|date=October 2017}}

The NSN system followed on purchases by Iran from [[Secure Computing Corp.]] earlier in the decade.<ref>[https://www.wsj.com/articles/SB124562668777335653 "Iran's Web Spying Aided By Western Technology"] by Christopher Rhoads in New York and Loretta Chao in Beijing, ''The Wall Street Journal'', June 22, 2009. Retrieved 6/22/09.</ref>

Questions have been raised about the reporting reliability of the ''Journal'' report by David Isenberg, an independent [[Washington, D.C.]]–based analyst and [[Cato Institute]] Adjunct Scholar, specifically saying that Mr. Roome is denying the quotes attributed to him and that he, Isenberg, also had similar complaints with one of the same ''Journal'' reporters in an earlier story.<ref>[http://www.isen.com/blog/2009/06/questions-about-wsj-story-on-net.html "Questions about WSJ story on Net Management in Iran"] by David S. Isenberg, isen.blog, June 23, 2009. Retrieved 6/22/09.</ref> NSN has issued the following denial: NSN "has not provided any deep packet inspection, web censorship or Internet filtering capability to Iran".<ref>[http://www.nokiasiemensnetworks.com/global/Press/Press+releases/news-archive/Provision+of+Lawful+Intercept+capability+in+Iran.htm "Provision of Lawful Intercept capability in Iran"] {{webarchive|url=https://web.archive.org/web/20090625174434/http://www.nokiasiemensnetworks.com/global/Press/Press+releases/news-archive/Provision+of+Lawful+Intercept+capability+in+Iran.htm|date=June 25, 2009}} Company press release. June 22, 2009. Retrieved 6/22/09.</ref> A concurrent article in ''The New York Times'' stated the NSN sale had been covered in a "spate of news reports in April [2009], including ''[[The Washington Times]]''," and reviewed censorship of the Internet and other media in the country, but did not mention DPI.<ref>[https://www.nytimes.com/2009/06/23/world/middleeast/23censor.html?_r=1&hp "Web Pries Lid of Iranian Censorship"] by Brian Stelter and Brad Stone, ''The New York Times'', June 22, 2009. Retrieved June 23, 2009.</ref>

According to Walid Al-Saqaf, the developer of the internet censorship circumventor [[Alkasir]], Iran was using deep packet inspection in February 2012, bringing internet speeds in the entire country to a near standstill. This briefly eliminated access to tools such as [[Tor (anonymity network)|Tor]] and Alkasir.<ref name="test">[http://www.arsehsevom.net/2012/02/breaking-and-bending-censorship-with-walid-al-saqaf/ February 14, 2012 "Breaking and Bending Censorship with Walid Al-Saqaf"] {{Webarchive|url=https://web.archive.org/web/20130502112534/http://www.arsehsevom.net/2012/02/breaking-and-bending-censorship-with-walid-al-saqaf |date=May 2, 2013 }}, an Interview with [http://www.arsehsevom.net/ Arseh Sevom] {{Webarchive|url=https://web.archive.org/web/20170612212711/http://www.arsehsevom.net/ |date=2017-06-12 }}. Last viewed February 23, 2012.</ref>

===Malaysia===
The incumbent Malaysian government, headed by Barisan Nasional, was said to be using DPI against a political opponent during the run-up to the 13th general elections held on 5 May 2013.

The purpose of DPI, in this instance, was to block and/or hinder access to selected websites, e.g. Facebook accounts, blogs and news portals.<ref>{{cite web|url=http://www.malaysia-chronicle.com/index.php?option=com_k2&view=item&id=102522:dap-complains-to-mcmc-over-blockade-on-its-websites-videos-fb-social-media-networks&Itemid=2|title=DAP complains to MCMC over blockade on its websites, videos, FB, social media networks|author=Goh Kheng Teong|work=Malaysia Chronicle |date=2013-05-20|access-date=2013-05-21}}</ref><ref>{{cite web|url=http://www.themalaysianinsider.com/malaysia/article/in-malaysia-online-election-battles-take-a-nasty-turn|title=In Malaysia, online election battles take a nasty turn|agency=Reuters|date=2013-05-04|access-date=2013-05-22|url-status=dead|archive-url=https://web.archive.org/web/20130507112012/http://www.themalaysianinsider.com/malaysia/article/in-malaysia-online-election-battles-take-a-nasty-turn|archive-date=2013-05-07}}</ref>

=== Pakistan ===
{{Main|Internet censorship in Pakistan}}

The [[Pakistan Telecommunication Authority]] (PTA) states that the DPI system has been installed to implement the Prevention of Electronic Crimes Act (PECA) 2016, particularly to filter and block blasphemous content and any material that is considered to be against the integrity or security of Pakistan.<ref>{{Cite web |title=Pakistan's digital spaces and privacy: Unpacking DPI and its implications {{!}} Political Economy {{!}} thenews.com.pk |url=https://www.thenews.com.pk/tns/detail/576187-unpacking-dpi-and-its-implications |access-date=2023-11-21 |website=www.thenews.com.pk |language=en}}</ref> Canadian firm [[Sandvine]] was contracted to provide and set up the equipment in Pakistan.<ref>{{Cite web |last=Desk |first=Monitoring |date=2019-10-25 |title=Govt working with controversial firm to monitor internet traffic: report |url=https://www.dawn.com/news/1512784 |access-date=2023-11-21 |website=DAWN.COM |language=en}}</ref>

===Russian Federation===
{{main|SORM}}
DPI is not yet mandated in Russia. [[Federal law of Russian Federation no. 139-FZ of 2012-07-28|Federal Law No.139]] enforces blocking websites on the [[Russian Internet blacklist]] using IP filtering, but does not force ISPs into analyzing the data part of packets. Yet some ISPs still use different DPI solutions to implement blacklisting. For 2019, the governmental agency [[Roskomnadzor]] is planning a nationwide rollout of DPI after the pilot project in one of the country's regions, at an estimated cost of 20 billion [[Russian ruble|roubles]] (US$300M).<ref>{{cite news|url=https://www.bbc.com/russian/features-46596673|title=Roskomnadzor to deploy new blocking technology (in Russian)|newspaper=BBC News Русская Служба|date=18 December 2018}}</ref>

Some human rights activists{{who|date=June 2019}} consider Deep Packet inspection contrary to Article 23 of the [[Constitution of the Russian Federation]], though a legal process to prove or refute that has never taken place.{{citation needed|date=June 2019}}<ref>{{Cite web|url=http://www.government.ru/eng/gov/base/54.html|archive-url=https://web.archive.org/web/20130504062759/http://www.government.ru/eng/gov/base/54.html|url-status=dead|title=Constitution of the Russian Federation (English translation)|archive-date=May 4, 2013}}</ref>

===Singapore===
{{main|Internet censorship in Singapore}}
The city state reportedly employs deep packet inspection of Internet traffic.<ref>{{cite web|title=Deep packet inspection rears it ugly head|url=https://majid.info/blog/telco-snooping|access-date=28 April 2015}}</ref>

===Syria===
The state reportedly employs deep packet inspection of Internet traffic, to analyze and block forbidden transit.

===United States===
{{Main|NSA warrantless surveillance controversy}}

FCC adopts Internet [[Communications Assistance for Law Enforcement Act|CALEA]] requirements: The FCC, pursuant to its mandate from the U.S. Congress, and in line with the policies of most countries worldwide, has required that all telecommunication providers, including Internet services, be capable of supporting the execution of a court order to provide real-time communication forensics of specified users. In 2006, the FCC adopted new Title 47, Subpart Z, rules requiring Internet Access Providers to meet these requirements. DPI was one of the platforms essential to meeting this requirement and has been deployed for this purpose throughout the U.S.

The [[National Security Agency]] (NSA), with cooperation from [[AT&T Inc.]], has used Deep Packet Inspection to make internet traffic surveillance, sorting, and forwarding more intelligent. The DPI is used to find which packets are carrying e-mail or a [[Voice over Internet Protocol]] (VoIP) telephone call.<ref name=Nelson2006>{{cite web|url=http://www.nerdylorrin.net/jerry/politics/Warrantless/WarrantlessFACTS.html|title=How the NSA warrantless wiretap system works|author=J. I. Nelson|date=2006-09-26|access-date=2008-03-03}}</ref>
Traffic associated with AT&T's Common Backbone was "split" between two fibers, dividing the signal so that 50 percent of the signal strength went to each output fiber. One of the output fibers was diverted to a secure room; the other carried communications on to AT&T's switching equipment. The secure room contained [[Narus (company)|Narus]] traffic analyzers and logic servers; Narus states that such devices are capable of real-time data collection (recording data for consideration) and capture at 10 gigabits per second. Certain traffic was selected and sent over a dedicated line to a "central location" for analysis. According to an affidavit by expert witness J. Scott Marcus, a former senior advisor for Internet Technology at the US Federal Communications Commission, the diverted traffic "represented all, or substantially all, of AT&T's peering traffic in the San Francisco Bay area", and thus, "the designers of the…configuration made no attempt, in terms of location or position of the fiber split, to exclude data sources {{sic|comprised|hide=y}} primarily of domestic data".<ref name=Bellovin2008>{{cite journal|last=Bellovin|first=Steven M.|author-link=Steven M. Bellovin|author2=Matt Blaze|author3=Whitfield Diffie|author4=Susan Landau|author5=Peter G. Neumann|author6-link=Jennifer Rexford|author6=Jennifer Rexford|title=Risking Communications Security: Potential Hazards of the Protect America Act|journal=IEEE Security and Privacy|volume=6|issue=1|pages=24–33|publisher=[[IEEE]] Computer Society|date=January–February 2008|url=http://www.crypto.com/papers/paa-ieee.pdf|doi=10.1109/MSP.2008.17|s2cid=874506|access-date=2008-03-03|archive-url=https://web.archive.org/web/20080227135042/http://www.crypto.com/papers/paa-ieee.pdf|archive-date=2008-02-27|url-status=dead}}</ref>
Narus's Semantic Traffic Analyzer software, which runs on [[IBM]] or [[Dell]] [[Linux]] [[Server (computing)|servers]] using DPI, sorts through IP traffic at 10&nbsp;Gbit/s to pick out specific messages based on a targeted e-mail address, [[IP address]] or, in the case of VoIP, telephone number.<ref name=Poe2006>{{cite magazine|url=https://www.wired.com/science/discoveries/news/2006/05/70914|title=The Ultimate Net Monitoring Tool|magazine=[[Wired (magazine)|Wired]]|author=Robert Poe|date=2006-05-17|access-date=2008-03-03}}</ref> President [[George W. Bush]] and Attorney General [[Alberto R. Gonzales]] have asserted that they believe the president has the authority to order secret intercepts of telephone and e-mail exchanges between people inside the United States and their contacts abroad without obtaining a [[Foreign Intelligence Surveillance Act|FISA]] warrant.<ref>{{cite news|url=https://www.washingtonpost.com/wp-dyn/content/article/2006/01/06/AR2006010601772.html|title=Report Rebuts Bush on Spying - Domestic Action's Legality Challenged|author=Carol D. Leonnig|newspaper=The Washington Post|date=2007-01-07|access-date=2008-03-03}}</ref>

The [[Defense Information Systems Agency]] has developed a sensor platform that uses Deep Packet Inspection.<ref>{{cite web|url=https://www.dpacket.org/articles/deep-security-disa-beefs-security-deep-packet-inpection-ip-transmissions|title=Deep Security: DISA Beefs Up Security with Deep Packet Inspection of IP Transmissions|author=Cheryl Gerber|date=2008-09-18|access-date=2008-10-30|url-status=dead|archive-url=https://web.archive.org/web/20110726003528/https://www.dpacket.org/articles/deep-security-disa-beefs-security-deep-packet-inpection-ip-transmissions|archive-date=2011-07-26}}</ref>

===Vietnam===
{{main|Internet censorship in Vietnam}}

Vietnam launched its network security center and required ISPs to upgrade their hardware systems to use deep packet inspection to block Internet traffic.<ref>{{cite web | url=https://www.mic.gov.vn/Pages/TinTuc/143083/Ra-mat-Nen-tang-cung-cap-dich-vu-Trung-tam-dieu-hanh-an-toan--an-ninh-mang-dap-ung-yeu-cau-ket-noi--chia-se-thong-tin.html | title=Ra mắt Nền tảng cung cấp dịch vụ Trung tâm điều hành an toàn, an ninh mạng đáp ứng yêu cầu kết nối, chia sẻ thông tin }}</ref>

==Net neutrality==
{{See also|Net neutrality}}
{{Weasel|section|date=January 2016}}

People and organizations concerned about [[privacy]] or [[network neutrality]] find inspection of the content layers of the Internet protocol to be offensive,<ref name="Anderson2007"/> saying for example, "the 'Net was built on open access and non-discrimination of packets!"<ref name="cybertelecomnn2">{{cite web|url=http://www.cybertelecom.org/ci/neutral.htm#his|title=Network Neutrality: Historic Neutrality|website=Cybertelecom|author=Genny Pershing|access-date=2008-06-26|url-status=dead|archive-url=https://web.archive.org/web/20080511161247/http://www.cybertelecom.org/ci/neutral.htm|archive-date=2008-05-11}}</ref> Critics of network neutrality rules, meanwhile, call them "a solution in search of a problem" and say that net neutrality rules would reduce incentives to upgrade networks and launch [[next-generation network]] services.<ref name="cybertelecomnn1">{{cite web|url=http://www.cybertelecom.org/ci/neutral.htm#ins|title=Network Neutrality: Insufficient Harm|website=Cybertelecom|author=Genny Pershing|access-date=2008-06-26|url-status=dead|archive-url=https://web.archive.org/web/20080511161247/http://www.cybertelecom.org/ci/neutral.htm|archive-date=2008-05-11}}</ref>

Deep packet inspection is considered by many to undermine the infrastructure of the internet.<ref>{{cite web|url=http://www.projectpact.eu/documents-1/%231_Privacy_and_Security_Research_Paper_Series.pdf|first=Christian|last=Fuchs|title=Implications of Deep Packet Inspection (DPI) Internet Surveillance for Society|access-date=2022-07-23|url-status=dead|archive-url=https://web.archive.org/web/20130829032853/http://www.projectpact.eu/documents-1/%231_Privacy_and_Security_Research_Paper_Series.pdf|archive-date=2013-08-29}}</ref>

==Encryption and tunneling subverting DPI and its countermeasure MitM==
[[File:SSL Deep Inspection Explanation.svg|alt=|thumb|700x700px|SSL/TLS Deep Inspection]]
{{Expand section|date=January 2017}}
With increased use of HTTPS and privacy tunneling using VPNs, the effectiveness of DPI is coming into question.<ref>Sherry Justine, Chang Lan, Raluca Ada Popa, and Sylvia Ratnasamy, [http://dl.acm.org/citation.cfm?id=2787502 Blindbox: Deep packet inspection over encrypted traffic], ACM SIGCOMM Computer Communication Review, 2015</ref> In response, many [[web application firewall]]s now offer ''HTTPS inspection'', where they decrypt HTTPS traffic to analyse it.<ref name="checkpoint">{{Cite web|url=https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202|title=Best Practices - HTTPS Inspection|date=2017-07-21|website=Check Point Support Center|quote=With HTTPS Inspection, the Security Gateway can inspect the traffic that is encrypted by HTTPS. The Security Gateway uses certificates and becomes an intermediary between the client computer and the secure web site. All data is kept private in HTTPS Inspection logs. Only administrators with HTTPS Inspection permissions can see all the fields in a log.}}</ref> The [[Web application firewall|WAF]] can either terminate the encryption, so the connection between WAF and client browser uses plain HTTP, or re-encrypt the data using its own HTTPS certificate, which must be distributed to clients beforehand.<ref name="imperva">{{Cite web|url=https://www.imperva.com/Products/WebApplicationFirewall-WAF|title=SecureSphere WAF Specifications|archive-url=https://web.archive.org/web/20161116153216/https://www.imperva.com/Products/WebApplicationFirewall-WAF|archive-date=2016-11-16}}</ref> The techniques used in HTTPS/SSL Inspection (also known as HTTPS/SSL Interception) are the same used by [[Man-in-the-middle attack|man-in-the-middle (MiTM) attacks]].<ref>{{cite web|title= HTTPS Interception Weakens TLS Security|url =https://www.cisa.gov/news-events/alerts/2017/03/16/https-interception-weakens-tls-security |website = Cyber Security and Infrastructure Security Agency }}</ref>

It works like this:<ref>{{cite web |last1=García Peláez |first1=Pedro |title=WO2005060202 - METHOD AND SYSTEM FOR ANALYSING AND FILTERING HTTPS TRAFFIC IN CORPORATE NETWORKS (11-12-2003) |url=https://patentscope.wipo.int/search/en/detail.jsf?docId=WO2005060202 |website=World Intellectual Property Organization (WIPO)}}</ref>

#Client wants to connect to <nowiki>https://www.targetwebsite.com</nowiki>
#Traffic goes through a firewall or security product
#Firewall works as [[transparent proxy]]
#Firewall creates an [[Public key certificate|SSL certificate]] signed by its own "CompanyFirewall [[Certificate authority|CA]]"
#Firewall presents this "CompanyFirewall [[Certificate authority|CA]]" signed certificate to the client (not the targetwebsite.com certificate)
#At the same time the firewall connects to <nowiki>https://www.targetwebsite.com</nowiki> on its own
#www.targetwebsite.com presents its officially signed certificate (signed by a trusted [[Certificate authority|CA]])
#Firewall checks the [[Public key certificate#Types of certificate|certificate trust chain]] on its own
#Firewall now works as [[Man-in-the-middle attack|man-in-the-middle]].
#Traffic from client can be decrypted (with Key Exchange Information from client), analysed (for harmful traffic, policy violation or viruses), encrypted (with Key Exchange Information from targetwebsite.com) and sent to targetwebsite.com
#Traffic from targetwebsite.com can also be decrypted (with Key Exchange Information from targetwebsite.com), analysed, encrypted (with Key Exchange Information from client) and sent to client.
#The firewall can read all the information exchanged between SSL-Client and SSL-Server (targetwebsite.com)

This can be done with any TLS-Terminated connection (not only HTTPS) as long as the firewall product can modify the TrustStore of the SSL-Client.
{{See also|Kazakhstan man-in-the-middle attack}}

==Hardware and software==
There is a greater emphasis being placed on deep packet inspection - this comes in light{{clarify|date=May 2015}} after the rejection of both the [[Stop Online Piracy Act|SOPA]] and [[PROTECT IP Act|PIPA]] bills. Many current DPI methods are slow and costly, especially for high bandwidth applications. More efficient methods of DPI are being developed. Specialized routers are now able to perform DPI; routers armed with a dictionary of programs will help identify the purposes behind the LAN and internet traffic they are routing. Cisco Systems is now on their second iteration of DPI enabled routers, with their announcement of the CISCO ISR G2 router.<ref>{{Cite web|url=https://www.cisco.com/c/en/us/products/routers/avc-control.html|title=Cisco Application Visibility and Control (AVC)|website=Cisco}}</ref>

A comprehensive comparison of various network traffic classifiers, which depend on Deep Packet Inspection (PACE, OpenDPI, 4 different configurations of L7-filter, NDPI, Libprotoident, and Cisco NBAR), is shown in the Independent Comparison of Popular DPI Tools for Traffic Classification.<ref name=independentcomparisonofpopulardpitools>{{cite journal|url=http://tomasz.bujlow.com/publications/2014_journal_elsevier_comnet_independent_comparison.htm|title=Independent Comparison of Popular DPI Tools for Traffic Classification|author1=Tomasz Bujlow|author2=Valentín Carela-Español|author3=Pere Barlet-Ros|journal=Computer Networks|year=2015|volume=76|pages=75–89|doi=10.1016/j.comnet.2014.11.001|citeseerx=10.1.1.697.8589|s2cid=7464085|access-date=2014-11-10}}</ref>

==See also==
<!--please keep this list in ALPHABETICAL ORDER-->
{{Div col|colwidth=20em}}
*[[Common carrier]]
*[[Data Retention Directive]]
*[[Deep content inspection]]
*[[ECHELON]]
*[[Firewall (networking)|Firewall]]
*[[Foreign Intelligence Surveillance Act]]
*[[Golden Shield]]
*[[Intrusion prevention system]]
*[[Network neutrality]]
*[[NSA warrantless surveillance controversy]]
*[[Packet analyzer]]
*[[Stateful firewall]]
*[[Theta Networks]]
*[[Wireshark]]{{div col end}}

==References==
{{Reflist|30em}}

==External links==
*[http://www.ranum.com/security/computer_security/editorials/deepinspect/ What is "Deep Inspection"?] by [[Marcus J. Ranum]]. Retrieved 10 December 2018.
*[http://netequalizernews.com/2011/02/08/what-is-deep-packet-inspection-and-why-the-controversy/ What Is Deep Packet Inspection and Why the Controversy]
*[https://web.archive.org/web/20091104045628/http://www.ipoque.com/resources/white-papers White Paper "Deep Packet Inspection – Technology, Applications & Net Neutrality"]

{{Censorship and websites}}
{{internet censorship}}
{{Censorship}}
{{Telecommunications in the People's Republic of China}}

{{DEFAULTSORT:Deep Packet Inspection}}
[[Category:Deep packet inspection|Deep packet inspection]]
[[Category:Computer network security]]
[[Category:Internet censorship in China]]
[[Category:Internet censorship]]
[[Category:Internet privacy]]
[[Category:Net neutrality]]
[[Category:Packets (information technology)]]