Definition
Deep packet inspection (DPI) is a form of network analysis that examines not just a packet's routing headers but the actual contents of its payload. By looking inside the data, DPI can classify which application or protocol generated a flow and then alert on, log, reroute, or block it. The same capability that powers legitimate security tooling also enables network-level filtering of lawful communication, which is why circumvention design treats DPI as the primary adversary to evade.
How DPI classifies traffic
Beyond reading destination addresses, DPI matches payloads and flow characteristics against known signatures: protocol handshakes, recurring byte patterns, packet-length distributions, and timing. When a flow matches a targeted fingerprint, the inspecting system can act on it in real time. This is how a filter distinguishes, say, an anonymity protocol from ordinary web browsing even when both ride the same ports.
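The sketch below is an added example, not part of the original glossary entry. It classifies flows by the first client payload alone, so flows sharing one port still get different labels. The sample payloads, the labels, and the entropy fallback with its 32-byte and 0.9 thresholds are assumptions made for illustration.

```python
import math
from collections import Counter

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}

def is_tls_client_hello(p: bytes) -> bool:
    # TLS record: type 0x16 (handshake), major version 0x03; handshake type 0x01.
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01

def is_ssh_banner(p: bytes) -> bool:
    # SSH peers open with an identification string that starts "SSH-".
    return p.startswith(b"SSH-")

def is_http_request(p: bytes) -> bool:
    # An HTTP/1.x request line begins with a method token and a space.
    return p.split(b" ", 1)[0] in HTTP_METHODS

SIGNATURES = [("tls", is_tls_client_hello), ("ssh", is_ssh_banner),
              ("http", is_http_request)]

def normalized_entropy(p: bytes) -> float:
    """Shannon entropy of the byte histogram, scaled to 0..1 for this length."""
    n = len(p)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(p).values())
    return h / math.log2(min(n, 256))

def classify(first_payload: bytes) -> str:
    for label, matches in SIGNATURES:
        if matches(first_payload):
            return label
    # Assumption of this example: no handshake match plus a near-uniform
    # byte histogram is reported as its own class, not silently ignored.
    if len(first_payload) >= 32 and normalized_entropy(first_payload) > 0.9:
        return "unclassified-high-entropy"
    return "unclassified"

# Constructed sample flows: (destination port, first client payload).
SAMPLE_FLOWS = {
    "flow-a": (443, bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0, 0, 1, 0])),
    "flow-b": (443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "flow-c": (443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "flow-d": (443, bytes(range(256))),  # stand-in for featureless bytes
    "flow-e": (443, b"hello " * 6),
}

def classify_flows(flows: dict) -> dict:
    # The port is deliberately unused: the label comes from the payload.
    return {fid: classify(payload) for fid, (_port, payload) in flows.items()}
```

Every sample flow targets port 443, yet each receives a different label, which is the payload-over-port distinction the paragraph describes.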
Dual use and the obfuscation response
DPI has clear legitimate uses, including intrusion detection and malware filtering by network operators. The same technology, however, can drive censorship and surveillance when deployed to identify and suppress disfavored but lawful traffic. The countermeasure is to deny DPI a stable signature: traffic obfuscation either randomizes a connection into featureless bytes or makes it imitate an allowed protocol so no actionable fingerprint remains.
For the techniques built to evade it, see the obfs4 and pluggable transport glossary entries.
