Definition

Deep Packet Inspection (DPI)

Network analysis that examines full packet content beyond headers. Essential for understanding proprietary OT and IoT protocols such as Modbus, DNP3, BACnet, and DICOM.

What is Deep Packet Inspection (DPI)?

Deep Packet Inspection (DPI) analyzes not just packet headers (source, destination, port, protocol) but the full content of network packets — the application-layer payload. For standard IT protocols (HTTP, DNS, TLS, SMB), this provides rich visibility into application behavior, file transfers, and user activity. For industrial and medical protocols, it is the only way to understand what OT devices are actually doing on the network.

Industrial protocols like Modbus, DNP3, BACnet, Profinet, EtherNet/IP, HART-IP, and healthcare protocols like DICOM and HL7 are opaque to network monitoring tools that only analyze headers. A Modbus packet that appears as generic TCP traffic on port 502 could be a routine read query or a write command that changes a process setpoint. Without DPI, these are indistinguishable. With DPI, security tools can understand and alert on specific protocol commands — blocking or alerting on write commands to critical registers, for example.

Protocol-aware DPI is a core capability for OT security. It enables both visibility (what commands are being issued to which devices) and threat detection (commands that violate expected behavior — unexpected WRITE operations, function code manipulation, protocol anomalies that suggest attack tools). Standard network monitoring without OT protocol DPI provides a fraction of the security value in industrial environments.
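The Modbus read-versus-write distinction described above can be shown with a small decoder. This is an added example, not ORDR's code: it parses the Modbus/TCP request header and function code from a TCP payload and escalates register writes that touch a critical range. The function name, the `CRITICAL_REGISTERS` range and the sample frames are assumptions constructed for illustration, and only request frames for the eight common function codes are decoded.

```python
import struct

READS = {1: "Read Coils", 2: "Read Discrete Inputs",
         3: "Read Holding Registers", 4: "Read Input Registers"}
WRITES = {5: "Write Single Coil", 6: "Write Single Register",
          15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Assumption: holding registers 100-109 hold process setpoints at this site.
CRITICAL_REGISTERS = range(100, 110)


def inspect_modbus_request(payload: bytes) -> dict:
    """Classify one Modbus/TCP request taken from a TCP payload on port 502."""
    if len(payload) < 8:
        return {"verdict": "malformed", "reason": "too short for MBAP header"}
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return {"verdict": "malformed", "reason": "bad protocol id or length"}
    func = payload[7]
    name = READS.get(func) or WRITES.get(func)
    if name is None:
        return {"verdict": "unknown-function", "unit": unit, "function": func}
    if len(payload) < 12:
        return {"verdict": "malformed", "reason": "truncated request body"}
    addr, second = struct.unpack(">HH", payload[8:12])
    # Single writes (5, 6) carry a value in the second field, not a quantity.
    count = 1 if func in (5, 6) else second
    verdict = "read" if func in READS else "write"
    # Register writes (6, 16) that overlap the critical range are escalated.
    if func in (6, 16) and (addr < CRITICAL_REGISTERS.stop
                            and addr + count > CRITICAL_REGISTERS.start):
        verdict = "critical-write"
    return {"verdict": verdict, "unit": unit, "function": func,
            "name": name, "address": addr, "count": count}


# Constructed sample frames: all look like TCP/502 to a header-only monitor.
SAMPLES = {
    "poll": bytes.fromhex("00010000000601030000000a"),
    "setpoint": bytes.fromhex("000200000006010600681388"),
    "bulk": bytes.fromhex("00030000000d01100062000306000100020003"),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(label, inspect_modbus_request(frame))
```
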

Key Facts

  • ORDR supports DPI for 100+ OT, IoT, and medical protocols beyond standard IT protocol coverage
  • Without OT protocol DPI, 60-80% of industrial device communication is classified as generic TCP/UDP with no behavioral insight
  • Protocol-level anomaly detection catches attacks that operate entirely within expected IP/port combinations
  • DPI of medical protocols like DICOM enables detection of unauthorized patient data access and device manipulation

How ORDR Addresses Deep Packet Inspection (DPI)

ORDR's discovery engine includes deep packet inspection for a comprehensive library of industrial protocols (Modbus, DNP3, BACnet, Profinet, EtherNet/IP, HART-IP) and medical protocols (DICOM, HL7, FHIR). Protocol-level analysis enables accurate device classification, behavioral baselining, and detection of protocol-level anomalies that indicate attack activity.
