A packet may be deeply analyzed by using a deep packet inspection (Deep Packet Inspection, DPI) technology to identify the packet. In addition to performing an analysis on content of L2 (data link layer), L3 (network layer), and L4 (transmission layer) of the packet, an analysis on content of L7 (application layer) is further performed by DPI to identify various real applications and content of the applications, and therefore DPI is applied to application scenarios such as network optimization and traffic control.
In the prior art, DPI generally identify a packet based on a data flow, in other words, a single data flow is used as an object to be processed in DPI. After a flow table query is performed on the data flow, packets in the data flow are scanned by using various identification methods, such as characteristic identification, port classification, and a statistical method, to implement identification and classification of the flow. Identification of each flow is an independent process, and an identification result is saved based on flows.
A disadvantage of a flow-based identification method is as follows: packet content in each data flow is scanned within a range of the flow to implement identification and protocol classification, but a correlation between data flows is not utilized, and therefore performance of data flow identification is low, and precise service control on a per user basis cannot be implemented.