Skip to main content

Aviz Open Packet Broker details offset-based UDF for deep packet inspection

The blog explains how deep packet inspection can be implemented with offset-based User Defined Filtering in Aviz Open Packet Broker (OPB) running on SONiC, enabling administrators to permit or deny traffic based on specific bytes and offsets. For security and network operations leaders, the approach targets granular inspection for filtering, threat detection, and data loss prevention.

Research Overview

The post describes deep packet inspection (DPI) as content-level packet analysis that examines the data carried within packets rather than relying only on traditional network monitoring and filtering. It positions DPI as a way to increase granularity when enterprise requirements call for inspection at specific locations within packet data.

The blog then connects this DPI concept to User Defined Filtering (UDF) in Aviz OPB, which is built over open-source SONiC. The stated goal is to provide packet-level control by letting users define where in the packet to match bytes and how to apply permit or deny behavior.

Key Findings

According to the blog, offset inspection supports customization through administrator-defined offsets within data packets. It also states that focusing on specific offsets and values can improve accuracy for traffic classification, including for complex or non-standard protocols and applications.

The post links DPI with threat detection by describing the ability to detect patterns, signatures, or anomalies within inspected packet content. It also describes policy enforcement use cases, including filtering sensitive data, blocking content types, prioritizing services, and using the same inspection for data loss prevention monitoring of sensitive or proprietary data.

Technical Breakdown

The blog outlines UDF’s operation as rule-based matching of bytes within ingress packets based on an offset, with matched packets permitted or denied. It describes two offset reference points for rule configuration: the L3 packet offset starts from the IP header, and the L2 packet offset starts from EtherType in the packet.

It also includes configuration examples that show UDF-related fields such as udf-data, udf-extraction-group, and udf-offset, along with counters enabled for the rules. The post describes an example rule setup in which a rule matches bytes at a specified offset and is configured to permit matched packets.

Operational Impact

The blog describes user-defined control as granular filtering and monitoring, including options to block access, prioritize or de-prioritize application traffic, and monitor traffic for keywords or patterns. It also states that administrators can modify filtering rules as network conditions and security threats change.

For monitoring and reporting, the post states that Aviz OPB includes monitoring and reporting capabilities to observe network activity and generate reports on traffic patterns. It also presents an FAQ framing that rules can be updated through CLI commands or APIs.

Overall, the blog describes offset-based deep packet inspection using UDF in Aviz Open Packet Broker on SONiC, with rule configuration that permits or denies matched packets based on specific byte offsets for security, policy enforcement, and data loss prevention use cases. This “Blog Signals brief” is a fact-based summary of the vendor blog.