How Deepfence DPI Works

The Deepfence agent configures eBPF filters on each host for selective/surgical traffic capture and analysis. Captured traffic is sampled, pre-filtered, and reassembled into Layer 7 transactions, which are then inspected for anomalies and threat patterns. Suspicious requests can be archived on the Deepfence Console for later inspection and forensics.

arrow forwarding right icon


Deepfence’s DPI does not require custom kernel modules, in-line proxies or other invasive capture methods. DPI uses the standard eBPF filters present in every modern Linux kernel to copy selected packets and pass them to the local agent for encapsulation and forwarding.

gear with check icon


In normal operation, DPI is configured to only capture packets relating to processes of interest. For example, Deepfence DPI can exclude sidecar proxies (service mesh) and local internal services. The CPU requirements are low, typically no more than 1-2% on the production server.

key icon


When capturing TLS-encrypted packets, the Deepfence agent can extract the encryption key from the running process and submit this along with the packet data for decryption on the Management Server.

Deepfence avoids the use of proxies to capture traffic, which add significant latency, CPU, and additional points of failure to production systems. Deepfence’s approach minimizes load on production infrastructure by performing the necessary packet assembly and processing on a separate, scalable Console.

Deepfence DPI Key Benefits

Capture network traffic to identify additional attack signals and anomalies

Fine-tune capture targets to minimize load and noise

TLS Decryption, including TLS 1.3 Perfect Forward Secrecy

Supported Platforms

Agents support a wide range of deployment options

Kubernetes blue mark


Agents are deployed as a daemonset, a common pattern for log, metrics, monitoring, and security services that run alongside Kubernetes workloads in a non-intrusive manner.

Docker blue mark


Agents are deployed as a Docker container on each Docker host.

Bare metal and VM-based platforms

Agents are deployed as a Docker container on each operating system instance, using a Docker runtime. Both Windows and Linux instances are supported.


Deepfence supports AWS Fargate, where agents are deployed as a daemon service alongside each serverless instance.