Deep packet inspection (DPI) has been implemented in many communication systems for detecting protocol non-compliance, viruses, spam, intrusions, or for determining, based on defined criteria, whether certain data packets in network traffic may pass or if the data packets need to be routed, to a different destination, etc. Network traffic usually includes data packets of certain internet protocols transmitted between different network entities. Usually. DPI not only inspects the header portion of a data packet which often includes information related to the protocol, source and destination IP addresses and ports, but also can the pa load portion of the data packet which often includes user data to he transmitted.
Oftentimes, a DPI system may identify data packets from different applications/network entities using certain search algorithms, such as signature analyses. For example, a signature of a particular application/network entity includes a unique pattern (e.g., bytes/characters/string). A reference database may be created based on analyses of signatures of various applications/network entities. A classification engine of the DPI system may then compare data packets from the network traffic against this reference database to identify the exact applications/network entities. The reference database may be updated periodically to keep current with new applications/network entities as well as new developments of protocols associated with the existing applications/network entities.
Hardware implementation of DPI is often adopted to achieve good processing speed. For example, content addressable memories (CAM) are used in DPI systems. A CAM may make parallel comparisons between entries stored in the CAM and certain input values of the data packets in the network traffic and return the memory address of the matched entry. For example, a binary CAM is a simple type of CAM which often stores search words including two matching states, “1” and “0.” A ternary CAM (TCAM) allows a third matching state of “X” or “Don't Care” for one or more bits in the stored search words, thus adding flexibility to the search. As an example, a ternary CAM might have a stored search word of “1XX10” which can match any of the four words “10010,” “10110,” “11010,” or “11110,” This added search flexibility comes at an additional cost over a binary CAM as the internal memory cell needs to encode three states instead of two.