How Deepfence DPI Works
The Deepfence agent configures eBPF filters on each host for selective/surgical traffic capture and analysis. Captured traffic is sampled, pre-filtered, and reassembled into Layer 7 transactions, which are then inspected for anomalies and threat patterns. Suspicious requests can be archived on the Deepfence Console for later inspection and forensics.
Universal
Deepfence’s DPI does not require custom kernel modules, in-line proxies or other invasive capture methods. DPI uses the standard eBPF filters present in every modern Linux kernel to copy selected packets and pass them to the local agent for encapsulation and forwarding.
Efficient
In normal operation, DPI is configured to only capture packets relating to processes of interest. For example, Deepfence DPI can exclude sidecar proxies (service mesh) and local internal services. The CPU requirements are low, typically no more than 1-2% on the production server.
TLS-Aware
When capturing TLS-encrypted packets, the Deepfence agent can extract the encryption key from the running process and submit this along with the packet data for decryption on the Management Server.
Deepfence avoids the use of proxies to capture traffic, which add significant latency, CPU, and additional points of failure to production systems. Deepfence’s approach minimizes load on production infrastructure by performing the necessary packet assembly and processing on a separate, scalable Console.
