Traffic analysis involves processing network traffic at various network elements in a network, and IP network traffic analysis is based on the analysis of IP packets. An IP packet consists of a header and a payload: the header comprises the source and destination IP addresses and the source and destination port numbers; the payload comprises application data. IP traffic analysis is typically performed at two levels: layer 3 and layer 7. Layer 7 analysis operates at the application layer, which makes application-specific information available for deeper analysis. Specifically, at this level the IP packets are used to construct application content, allowing detailed analysis. Layer 3 analysis, on the other hand, examines packets alone, without knowledge of the applications involved, which provides limited opportunities for deep packet analysis.
There are several practical reasons for undertaking deep packet analysis at layer 3. Consider an enterprise scenario: within the enterprise network, there is a need for fine-grained bandwidth management and admission control, which is achieved by deep packet inspection. Further, such deep packet inspection at layer 3 could serve as a front-end for an intrusion detection system at layer 7. Finally, deep packet analysis at layer 3 offers the opportunity to process traffic at wire speed.
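The packet-only analysis described above can be illustrated with a short added example (not part of the original text): it reads the addresses and port numbers from each packet's headers without reconstructing any application content, and totals bytes per flow as a basis for bandwidth management. The function names, the UDP sample traffic and the 10.0.0.x addresses are constructed assumptions.

```python
import socket
import struct
from collections import Counter

def parse_ipv4(packet):
    """Header-only parse of one IPv4 packet; returns None if malformed."""
    if len(packet) < 20:
        return None
    ver_ihl, _, total_len, _, frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not (ihl <= total_len <= len(packet)):
        return None
    seg = packet[ihl:total_len]
    sport = dport = None
    # Ports are only present in the first fragment of a TCP (6) or UDP (17) packet.
    if proto in (6, 17) and (frag & 0x1FFF) == 0 and len(seg) >= 4:
        sport, dport = struct.unpack("!HH", seg[:4])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "sport": sport, "dport": dport, "bytes": total_len}

def bytes_per_flow(packets):
    """Sum IP total length per (src, dst, proto, sport, dport); skip malformed packets."""
    usage = Counter()
    for raw in packets:
        p = parse_ipv4(raw)
        if p is not None:
            usage[(p["src"], p["dst"], p["proto"], p["sport"], p["dport"])] += p["bytes"]
    return usage

def make_udp(src, dst, sport, dport, data):
    """Build a constructed IPv4/UDP packet (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

# Constructed sample traffic: two packets of one flow, one of another, one truncated.
SAMPLE = [
    make_udp("10.0.0.5", "10.0.0.9", 5004, 5004, b"A" * 100),
    make_udp("10.0.0.5", "10.0.0.9", 5004, 5004, b"B" * 60),
    make_udp("10.0.0.7", "10.0.0.9", 40000, 53, b"C" * 30),
    make_udp("10.0.0.7", "10.0.0.9", 40000, 53, b"D" * 30)[:25],
]

if __name__ == "__main__":
    for flow, nbytes in bytes_per_flow(SAMPLE).most_common():
        print(flow, nbytes)
```

The truncated fourth packet is rejected by the length check rather than counted, so a capture cut short cannot skew the per-flow totals.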