Deep Packet Inspection (DPI) Test Methodology

Rethink Deep Packet Inspection (DPI) Testing

Rethink Deep Packet Inspection Testing
A Methodology to measure the performance, security, and stability of deep packet inspection (DPI)
devices under realistic conditions

www.breakingpoint.com
© 2005 - 2010. BreakingPoint Systems, Inc. All rights reserved. The BreakingPoint logo is a trademark of BreakingPoint Systems, Inc. 1
All other trademarks are the property of their respective owners.


Table of Contents
Introduction .................................................................................................................................................................................................................... 3

Maximum Performance ............................................................................................................................................................................................. 5

Maximum Performance Using Jumbo Frames ................................................................................................................................................... 18

Maximum TCP Connection Rate .............................................................................................................................................................................. 25

Maximum Concurrent TCP Connections .............................................................................................................................................................. 36

Strike Mitigation ............................................................................................................................................................................................................ 46

Strikes Blocking with IP Fragmentation ................................................................................................................................................................ 54

SYN Flood......................................................................................................................................................................................................................... 61

Inappropriate Content Filtering............................................................................................................................................................................... 70

Spam Email Blocking ................................................................................................................................................................................................... 84

Suspicious Content Detection.................................................................................................................................................................................. 100

Webmail Phrase Detection ........................................................................................................................................................................................ 114

About BreakingPoint ................................................................................................................................................................................................... 129



Introduction
Deep Packet Inspection (DPI) functionality enables network devices such as content-aware switches and routers, next generation firewalls,
intrusion prevention systems (IPS), and application delivery controllers to inspect and take action based on the content and context of
packets as they travel across the network. DPI functionality goes well beyond the protocol header into data protocol structures and the
actual payload of the message. This allows DPI-capable devices to identify and classify traffic, providing a granular level of packet inspection
to help mitigate buffer overflow attacks, Denial of Service (DoS) attacks, intrusions, worms and even spam. DPI technology also enables
solutions such as metering to ensure quality of service, lawful intercept of information and data leak prevention.

DPI has become a mainstream technology and something that businesses and individuals traversing networks come across, albeit
unintentionally, every day. One of the more high profile uses of DPI involves service providers who leverage DPI to ensure quality of service
to customers in the face of an explosion of peer-to-peer (P2P) traffic. Using DPI technology, service providers better manage bandwidth
in real time, allowing for non essential services such as P2P file sharing applications while giving priority to essential services during peak
times.

Since DPI plays such an important role in providing increased network security, tiered Internet services and data loss prevention, the ability
to test DPI functionality is critical. The following BreakingPoint Deep Pack Inspection Resiliency Methodology demonstrates how to create
realistic global network simulations in order to properly verify the DPI capabilities of your device.

Performing these series of tests using the BreakingPoint Storm CTM™ on a DPI device will help determine the device’s actual abilities under
different circumstances. For example, the DPI device may perform as expected under a light traffic load but when under a higher load
perform to a fraction of its stated ability. Performing these tests will help you better understand the impact of different scenarios and the
reasons behind the results.

Realism is key in network simulation; therefore, we recommend that the test environment emulate the deployment environment as closely
as possible. Directly connected devices such as routers, switches and firewalls impact packet loss latency and data integrity. Additionally,
the number of advertised host IP and MAC addresses, VLAN Tagging and NAT can also affect the performance of the DPI.

If it is not feasible to recreate the deployment environment, we recommend connecting the BreakingPoint Storm CTM directly to the device
under test (DUT). Regardless of how your deployment environment is set up, be certain that all DPI devices and builds that are under
evaluation use the same test environment to ensure consistent results.

Recommended tests included in the methodology:

Maximum Performance
This test will validate the throughput performance the DPI device is able to handle when it does not have to inspect each packet’s
content. The overall throughput that the DPI device is able to support will be determined.

Maximum Performance Using Jumbo Frames
This test will validate the throughput performance the DPI device is able to handle when it does not have to inspect the contents of
each jumbo frame. The overall throughput that the DPI device is able to support will be determined.

Maximum TCP Connection Rate
This test will validate DPI device performance by using only good traffic without requiring the DPI device to inspect each packet.
Various TCP metrics will be analyzed to determine how a greater number of TCP connections per second affects the time it takes to establish
a new TCP connection.



Maximum Concurrent TCP Connections
This test will validate the DPI device performance by using only good traffic and without requiring the DPI device to inspect each
packet. Various TCP metrics will be analyzed to determine how a greater number of TCP connections affects the time it takes to establish a
new TCP connection.

Strike Mitigation
This test validates the ability of the DPI device to remain stable while vulnerabilities, worms and backdoors are transmitted. To
perform this test, an Attack Series will be used that includes high-risk vulnerabilities, worms and backdoors. The number of attacks blocked
by the DPI device will be determined as well as the number of attacks that were successfully able to pass through.

Strike Blocking with IP Fragmentation
This test is identical to the “Strike Mitigation” test, except that IP fragmentation will be utilized as an evasion technique.

SYN Flood
This test determines how the DPI device performs when subjected to a SYN flood. The device should be able to detect and block the
SYN flood.

Inappropriate Content Filtering
This will test the DPI unit’s ability to recognize and block any session that contains inappropriate material. A major part of DPI
functionality is the ability to filter content that is either harmful or not supposed to be on the network. The ability to filter out packets that
contain blacklisted words is a major part of DPI.

Spam Email Blocking
This test will determine the DPI device’s ability to recognize and block spam emails. With the growing amount of spam email on
today’s networks, it is important to limit the number of spam emails that are able to reach an inbox. Another part of DPI is the ability to
recognize and block spam emails.

Suspicious Content Detection
This test will help determine the DPI device’s ability to recognize, record and audit any suspicious content seen. Not all content is
harmful to the network, but some could be suspicious in its contents.

Webmail Phrase Detection
This test will determine the DPI device’s ability to inspect and record any Webmail emails that have either keywords or a key phrase
in the message. With more and more people using Web-based email products, it is important to be able to inspect the contents of the

emails being sent because they could contain information that should not be made public.



Maximum Performance
RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol
• RFC 2068 – Hypertext Transfer Protocol

Overview:
This test will use the Application Simulator test component and make use of a Max Bandwidth preset. The preset uses the BreakingPoint
Bandwidth Application Profile that attempts to achieve the maximum transmission rate using both HTTP and P2P traffic.

Objective:
Test the maximum bandwidth in terms of Mbps (Megabits per second) that the DUT can pass through using real application traffic.

Setup:



1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control
Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.



3. Reserve the required ports to run the test.

4. Select Control Center  Network Neighborhood.



5. Under the Network Neighborhoods heading, click the Create a new network neighborhood button.

6. In the Give the new network neighborhood a name box, enter DPI Tests as the name. Click OK.



7. Four interface tabs are available for configuration. Only two are required for the tests. Click the X to delete Interface

process until only two interfaces remain.
1. When prompted about removing the interface, click Yes. The remaining interfaces will be renamed. Repeat this

8. With Interface 1 selected, configure the Network IP Address, Netmask, Gateway IP Address, Router IP Address,
Minimum IP Address and Maximum IP Address. Click Apply Changes.



9. Select the Interface 2 tab. Configure the Network IP Address, Netmask and Gateway IP Address. Using the Type drop-
down menu, select Host. Configure the Minimum IP Address and the Maximum IP Address. Click Apply Changes and
then click Save Network.

10. Now that the Network Neighborhood has been created, you can configure the test. Select Test  New Test.



11. Click Select the DUT/Network under the Test Quick Steps menu.

12. In the Choose a device under test and network neighborhood window, under the Device Under Test(s) section,
verify that BreakingPoint Default is selected, and that under Network Neighborhood(s), the newly created one is
selected. Click Accept.

13. When prompted about switching Network Neighborhoods because the new test setup has fewer interfaces, click Yes.



14. Select Add a Test Component from the Test Quick Steps menu.

15. Select Application Simulator (L7) from the Select a component type window.

16. The Information tab should already be selected. Enter Max Bandwidth as the name and click Apply Changes.



17. Select the Interfaces tab. Verify that Interface 1 Client and Interface 2 Server are enabled.

18. Select the Presets tab and choose the 1Gbps Max Bandwidth option. Click Apply Changes.

19. Select the Parameters tab. Make any required changes to the parameters to match your device’s ability. For example,
the Minimum data rate might need to be changed. If any changes are made, make sure to click Apply Changes.



20. Click Edit Description to edit the test description in the Test Information section.

21. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the required changes.

22. In the Test Quick Steps menu, click Save and Run.

23. When prompted to Save Test As, enter DPI Max Bandwidth as the name and click Save.



24. The Summary tab initially will be displayed once the test starts. The Summary tab displays multiple application, TCP,
and Ethernet statistics in a tabular form.

25. Select the TCP tab. This tab displays the number of both attempted and successful TCP connections.



26. When the test is completed, a window appears stating that the test passed. Click Close.

27. Click the View the report button. This provides more detailed results in your browser.



28. Expand the Test Results for Max Bandwidth section. Next, expand the Details folder. Select the Frame Data Rate
result view. Using the chart and the graph, determine the maximum bandwidth the DUT is able to handle.

Variations of this test that can be run include:

• Step both Maximum Simultaneous Sessions and Maximum Sessions per Second by 10% until 80% has been reached.
• Use different presets, such as the Service Provider App or a custom application profile.
• Increase the duration of the test time.



Maximum Performance Using Jumbo Frames
RFC:
• RFC 894 – A Standard for the Transmission of IP Datagrams over Ethernet
• RFC 2068 – Hypertext Transfer Protocol

Overview:
This test will use the Application Simulator test component and make use of a Max Bandwidth preset. The preset uses the BreakingPoint
Bandwidth Application Profile that attempts to achieve the maximum transmission rate using both HTTP and P2P traffic.

Objective:
Test the maximum bandwidth in terms of Mbps (Megabits per second) that the DUT can pass through using real state data and jumbo
frames.

Setup:



Center.





4. Select Test  Open Recent  DPI Max Bandwidth.



5. Click Save Test As.

6. When prompted to Save Test As, enter DPI Performance Jumbo Frames as the name. Click Save.

7. Select the Parameters tab. Locate the TCP Configuration Maximum Segment Size parameter and enter a value of
4096. Click Apply Changes.



8. If desired, edit the test description in the Test Information section.

9. Verify that the Test Status contains a green checkmark. If it does not, click Test Status and make the required changes.

10. Under the Test Quick Steps menu, click Save and Run.




12. Select the TCP tab. This will display the number of both attempted and successful TCP connections.

13. When the test is completed, a window will appear stating whether the test passed or failed. Click Close.



14. Click the View the report button. This will open up more detailed results in your browser.

15. Expand Test Results for Max Bandwidth and then expand the Detail folder. Select the Frame Data Rate result view.
Using the chart and the graph, determine the maximum bandwidth the DUT is able to handle.


• Step both Maximum Simultaneous Sessions and Maximum Sessions per Second by 10% until 80% has been reached.
• Use different presets, such as the Service Provider App or a custom application profile.
• Increase the duration of the test time.



Maximum TCP Connection Rate
RFC:

Overview:
This test will utilize an Application Simulator. The Application Simulator will be configured with the Service Provider Apps preset. The
Service Provider Apps preset contains HTTP, different Mail protocols, P2P and FTP traffic. This test will determine the maximum TP
connections per second using a stepping technique and values that match the DUT’s (Device Under Test) ability.

Objective:
Test the maximum peak rate of new connections that the DUT can handle using real stateful application traffic.

Setup:



Center.





4. Select Test  New Test.

5. Under the Test Quick Steps menu, click Select the DUT/Network.



6. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the
Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

7. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

8. Under the Test Quick Steps menu, click Add a Test Component.




10. The Information tab should already be selected. Enter Max TCP Connection Rate as the name and click Apply
Changes.

11. Select the Presets tab. Select Service Provider Apps as the component preset and click Apply Changes.



12. Select the Parameters tab. Several different parameters will be changed in this section. Change these parameters to
match your DUT’s ability. First, change the Minimum data rate to 100% of the DUT’s ability. Click Apply.

13. Next, change the Ramp Up Seconds in the Session Ramp Distribution section to 25 and click Apply.

14. In the Ramp Up Profile, several parameters will be changed. You may need to scroll in order to change each one of
them. First, use the Ramp Up Profile Type drop-down menu and select Stair Step. For the Minimum Connection

connection rate for the Maximum Connection Rate. Again, enter 10% of the DUT’s stated maximum connection rate
Rate, enter a value that is 10% of the DUT’s stated maximum connection rate. Enter the DUT’s stated maximum

for the Increment N connections per second parameter, and a value of 1 for Every N seconds. Once completed, click
Apply Changes.



15. In the Session Configuration section, enter 7500000 as the Maximum Simultaneous Sessions and the DUT’s stated
maximum connection rate in the Maximum Sessions Per Second. Click Apply Changes.

16. If desired, edit the test Description in the Test Information section.





19. When prompted for a name to Save Test As, enter DPI Max TCP Rate and click Save.






23. When the test is completed, click the View the report button.



24. Expand Test Results for Maximum TCP Connection Rate folder and select TCP Setup Time. Because shorter TCP
setup times allow the DUT to respond quickly and handle incoming connection requests, they are preferable to longer
TCP setup times.

25. Next, select TCP Response Time. Because shorter response times allow the DUT to respond quickly to requests and
continue normal operation, they are preferable to longer response times.



26. Select Frame Latency Summary. Smaller frame latency measurements mean the frames are arriving quickly without
much delay through the device.

27. Expand the Detail folder. Select TCP Connection Rate from the list of available results. Using the graph and the table,
determine the maximum TCP connection rate the DUT is able to handle.

Other tests can also be performed. The following are some examples that can be run:

• Vary the TCP Segment size.
• Change the Distribution type to random.
• Change the TCP Session Duration (segments).
• Increase the test time for a longer test.



Maximum Concurrent TCP Connections
RFC:

Overview:
This test is very similar to the previous test configuration though a calculated Ramp Up Profile will be used. Also, the results from the
Maximum TCP Connection Rate test will be used in the Maximum Sessions Per Second parameter.

Objective:
Test the maximum number of established TCP connections the DUT could hold using real stateful application traffic.

Setup:



Center.





4. Select Test  Open Recent  DPI Max TCP Rate.




6. When prompted for a name to save the test as, enter Max Concurrent TCP Connections and click Save.

7. Under the Information tab, change the name to Max TCP Connections and click Apply Changes.



8. Select the Parameters tab. Several parameters will be changed in this section. First, using the Ramp Up Profile Type
drop-down menu, change the value to Calculated in the Ramp Up Profile section. Click Apply Changes.

9. Next, in the Session Configuration section, change the Maximum Simultaneous Sessions to the maximum the DUT
is expected to be able to reach. Also, change the Maximum Sessions Per Second to the rate determined by the DPI
Max TCP Rate test. Click Apply Changes.

10. The next parameter to be changed is the Ramp Up Seconds in the Session Ramp Distribution section. This is a
calculated value. Take the Maximum Simultaneous Sessions/Maximum Sessions Per Second (always round to the
higher second). Click Apply Changes.



11. If desired, edit the test description in the Test Information section.

12. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the required changes.




14. The Summary tab initially will be displayed once the test starts. The Summary tab displays multiple application, TCP





17. When the test is completed, click the View the report button.

18. Expand Test Results for Max TCP Connections folder and select TCP Setup Time. Because short TCP setup times
allow the DUT to quickly react and handle the incoming connection requests better than longer TCP setup times, they
are preferred.



19. Next, select TCP Response Time. Shorter response times allow the DUT to respond quickly to requests and continue
normal operation.

20. Select Frame Latency Summary. Short frame latency measurements indicate that the frames are arriving quickly
without much delay through the device.



21. Expand the Detail folder. Select TCP Concurrent Connections from the list. Using the table and the graph, determine
the maximum number of concurrent TCP connections that the DUT is able to handle.

Other tests can also be performed. The following are some examples that can be run:

• Vary the TCP Segment size.
• Change the Distribution type to random.
• Change the TCP Session Duration (segments).
• Increase the test time for a longer test.



Strike Mitigation
RFC:

Overview:
It is important to evaluate how malicious traffic will affect the performance of the DUT. A Security test component will be used in this test.
Five default attack series are available to use, but during this test only Security Level 1 will be used. Security Level 1 includes high-risk
vulnerabilities in services often exposed to the Internet.

Objective:
Test the DUT’s ability to recognize and block malicious traffic.

Setup:



Center.






8. Next, under the Test Quick Steps menu, click Add a Test Component.



9. Select the Security component from the Select a component type window.

10. Under the Information tab, enter Strike Detection as the name and click Apply Changes.

11. Select the Presets tab and then select Security Level 1. Click Apply Changes.



12. If desired, edit the test description under the Test Information section.

13. Verify that the Test Status has a green checkmark next it. If it does not, click on Test Status and make the required
changes.


15. When prompted, enter DPI Strike Detection as a name and click Save.



16. Once the test starts to run, select the Attacks tab. This will display information about how many attacks could be
blocked and how many were actually able to pass through the DUT.

17. When the test is completed, a window will appear stating that the test failed because malicious traffic was able to pass
through the DUT. Click Close.



18. Click the View the report button to view detailed results in a browser window.

19. Expand Test Results for Strike Detection and select Strike Results. Determine the number of strikes that were
successfully blocked and the number that could be transmitted through the DUT.


• Increase the test length for a longer Malicious Traffic Attack.
• Change the Security Level.
• Use a different random seed.



Strikes Blocking with IP Fragmentation
RFC:

Overview:
This closely resembles the Strike Blocking test except the IP packets will be fragmented to determine how the DUT handles malicious traffic
that is arriving in fragmented packets.

Objective:
Test the DUT’s ability to recognize and block malicious traffic with fragmentation on IP packets.

Setup:



Center.





4. Select Test  Open Recent Tests  DPI Strike Detection.




6. Enter DPI Strike Detection Fragmentation as the name and click Save.

7. Select the Overrides tab. In the IP section, locate MaxFragSize and enter a value less than 46. Click Apply Changes.

8. If desired, edit the test Description under the Test Information section.





11. Once the test starts to run, select the Attacks tab. This will display the number of attacks that were successfully
blocked and the number of attacks that were able to successfully pass through the DUT.



12. Once the test is completed, a window will appear stating that the test failed because malicious traffic was able to pass
through the DUT. Click Close.

13. Click the View the report button. A window with detailed results will open.

14. Expand Test Results for Strike Detection and select Strike Results. Determine the number of strikes that were
locked and the number of strikes that were able to pass through the DUT. Using the results from the previous test,
determine if fragmentation made any difference.




• Increase the test length for a longer Malicious Traffic Attack.
• Change the Security Level.
• Use a different random seed.



SYN Flood
RFC:
• RFC 4987 – TCP SYN Flooding Attacks and Common Mitigations

Overview:
A SYN Flood is when a client starts a TCP connection but never sends an ACK and keeps trying to initiate a TCP connection. This can be
harmful to a DPI device, as it has to provide resources to the TCP connection requests. The DPI device likely has the ability to detect and
mitigate the SYN Flood. A Session Sender test component will be used to create a SYN Flood.

Objective:
Test the ability of the DUT to recognize and block SYN Flood attacks.

Setup:



Center.






5. Under the Test Quick Steps section, click Select the DUT/Network.





8. Under the Test Quick Steps section, click Add a Test Component.



9. Select Session Sender (L4) from the Select a component type window.

10. Under the Information tab, change the name to SYN Flood and click Apply Changes.

11. Select the Presets tab and locate the 1Gbps SYN Flood. Click Apply Changes.



12. Select the Parameters tab. Several changes will be made in this section. The first one, if needed, is to change the
Minimum data rate to what is supported by the DUT. Click Apply Changes once completed.

13. Next, two parameters in the Session Configuration section need to be changed. The first one is the Maximum

Maximum Concurrent TCP Connections test). The second parameter that needs to be changed is Maximum Sessions
Simultaneous Sessions. This needs to be set to the connection rate supported by the DUT (this is the result from the

Per Second (this is the result from the Maximum TCP Connection Rate test). Click Apply Changes.

14. If desired, edit the test description under the Test Information section.



15. Verify that the Test Status has a green checkmark next to it. If it does not, click Test Status and make the required
changes.


17. When prompted for a name to save the test as, enter DPI SYN Flood Detection and click Save.



18. The Summary tab will automatically be displayed when the test starts. This tab displays a great deal of information
about TCP. As can be seen in the TCP Connection Rate section, the SYN flood is trying to establish a connection but the
connection is not actually created.

19. Select the TCP tab. This will display information about the number of TCP Connections per Second. Again, clients are
attempting to connect but are not actually successful.



20. Once the test is completed, a window will appear stating that the test passed. Click Close.

21. Click the View the report button. This will open a new browser window with detailed results.

22. Expand Test Results for SYN Flood and select TCP Summary. Verify that there are no Client established or Server
established values.

Other test variations can be run. One variation is to increase the test length for a longer SYN Attack.



Inappropriate Content Filtering
RFC:

Overview:
It is important to determine and evaluate how the DUT is able to handle inappropriate content. Also, it is important to determine how
the DUT’s performance is affected while having to perform content filtering. A new Super Flow will be created that will contain some
type of inappropriate content. This Super Flow will then be added to an Application Profile. The BreakingPoint Application Simulator test
component will be used to transmit the newly created application profile.

Objective:
Test the ability of the DUT to recognize and block sessions containing inappropriate material.

Setup:



Center.





4. Select Managers  Application Manager.



5. Select the Super Flows tab and locate the BreakingPoint HTTP Text from the list. Click Save As.

6. When prompted for a name, enter HTTP Inappropriate and click Ok.



7. In the Define Actions section, locate the Server: Response 200 (OK) action. Click the Edit the selected action
parameter button.

8. Enable the String for response data section and enter the inappropriate terms or phrases in the String for response
data field.

9. Select Save Super Flow.



10. Select the App Profiles tab and click the Create a new application profile button.

11. When prompted for a name, enter DPI HTTP Inappropriate and click OK.



12. Locate the newly created Super Flow in the list of Available Super Flows. Click the Add the super flow to the profile
button.

13. Locate the BreakingPoint HTTP Text Super Flow and click the Add the Super Flow to the profile button.

14. Verify that both Super Flows have a weight of 100 and click Save App Profile.



21. The Information tab should already be selected. Enter Inappropriate Content for the name and click Apply Changes.

22. Select the Parameters tab. Several parameters in this section will need to be changed. First verify that the Minimum
data rate is set to 80% of the total available bandwidth. Make sure to click Apply Changes if any value is updated.

23. Next, change the Application Profile parameter. Using the drop-down menu, select the DPI HTTP Inappropriate
application profile and click Apply Changes.



24. If desired, in the Test Information section, edit the test description.

25. Verify that the Test Status has a green checkmark next to it. If it does not, click on Test Status and make the needed
changes.


27. Enter DPI Inappropriate Content when prompted for a name. Click Save.



28. Once the test starts, the Summary tab will be displayed. It contains a great deal of information about application flows
and application transactions.

29. Select the Application tab. This will display real-time information about the application flows that are being
transmitted.



30. When the test is completed, a window will appear stating that the test failed. Click Close.

31. Select the View the report button. This will open a more detailed result view in a browser window.



32. Expand Test Results for Inappropriate Content and select App Summary. This will provide a great deal of
information about all of the applications from bytes transmitted to bytes received to details about failures. Since half of
the content should be blocked because it is inappropriate, the Application attempted value should be about twice the
value of the Application successes.

33. Login to the DUT, and view the different counters to determine if the DUT was successfully blocking the inappropriate
content.


• Increase the test length for a longer run time.
• Try different inappropriate key words.
• Try a larger number of inappropriate key words.



Spam Email Blocking
RFC:

Overview:
It is important to determine and evaluate how the DUT is able to handle spam email. Also, it is important to determine how the DUT’s
performance is affected while having to block spam email. A new Super Flow will be created that will contain a spam email. This Super
Flow will then be added to an application profile. The Application Simulator test component will be used to transmit the newly created
application profile to test the DUT’s ability to block spam email.

Objective:
Test the ability of the DUT to recognize and block sessions containing spam email.

Setup:



Center.




5. Select the Super Flows tab and locate the BreakingPoint SMTP Email from the list. Click Save As.

6. When prompted, enter DPI SMTP Spam as the name and click Ok.



7. In the Step 3 – Define Actions section, locate Client: Send Email. Click the Edit the selected action parameter
button.

8. Enter an email address in the Protocol FROM Username field. Enter a different email address in the Protocol RCPT
Username field. Next, scroll down and locate the Subject field. Enter Receive 15% off Gold Watches as the Subject.
Finally, enable the Attachment Data field and click Import Attachment Data. You can upload the content into the
Web browser that launches.



9. Click the Choose File button to browse your file system to locate spam email text.

10. Once the spam email has been located in your file system, click Upload.

11. Wait until the file is uploaded successfully, then close the browser window.



12. Using the Attachment Data drop-down menu, select the newly uploaded file and click Apply Changes.

13. Click Save Super Flow.




15. When prompted, enter DPI Spam Email Content as a name and click Ok.



16. From the Available Super Flows list, locate the newly created Super Flow and click the Add the Super Flow to the
profile button.

17. Again, from the Available Super Flows list, locate the BreakingPoint SMTP Email Super Flow and click the Add the
Super Flow to the profile button.

18. Verify that each Super Flow has a weight of 100 and click Save App Profile.



25. The Information tab should already be selected. Enter Spam Email Content for the name and click Apply Changes.

26. Select the Parameters tab. Several parameters in this section will need to be changed. First verify that the Minimum
data rate is set to 80% of the total available bandwidth. Make sure to click Apply Changes if any value is updated.

27. Next, change the Application Profile parameter. Using the drop-down menu, select the DPI Spam Email Content
application profile and click Apply Changes.



28. If desired, in the Test Information section, edit the test description.

29. Verify that the Test Status has a green checkmark next to it. If it does not, click on Test Status and make the needed
changes.

30. Under the Test Quick Steps section, click Save and Run.



31. Enter DPI Spam Email when prompted for a name. Click Save.

32. Once the test starts, the Summary tab will be displayed. It contains a great deal of information about application flows
and application transactions.

33. Select the Application tab. This will display real-time information about the application flows that are being
transmitted.



34. When the test is completed, a window will appear stating that the test failed. Click Close.

35. Select the View the report button. This will open a more detailed result view in a browser window.



36. Expand Test Results for Spam Email Content and select App Summary. This will provide a great deal of information
about all of the applications including bytes transmitted, bytes received and details about failures. Since half of the
content should be blocked because it is inappropriate, the Application attempted value should be about twice the
value of the Application successes.

34. Login to the DUT and view the different counters to determine if the DUT was successfully blocking the SPAM email.


• Increase the test length for a longer run time.
• Try different spam emails.
• Try a larger number of spam emails to determine if all are blocked.



Suspicious Content Detection
RFC:

Overview:
It is important to determine and evaluate how the DUT is able to handle the detection of suspicious content. Also, it is important to
determine how the DUT’s performance is affected while having to handle suspicious content detection. A new Super Flow will be created
that will use a database protocol to simulate a credit card request by querying the database. This Super Flow will then be added to an
application profile. The Application Simulator test component will be used to transmit the newly created application profile to test the
DUT’s ability to detect suspicious content.

Objective:
Test the ability of the DUT to record and audit suspicious content.

Setup:



Center.




5. Select the Super Flows tab and locate BreakingPoint DB2 Database from the list. Click Save As.

6. When prompted for a name, enter DPI DB Credit and click OK.



7. Make sure the second item is selected under the Define Flows section and also select the Client: SQL Query in the

Define Actions section. Click the Edit the select actions parameters button.

8. In the SQL Query field, enter a specific query that will be tracked by the DUT. The query content should be defined
according to the DUT’s policy and detection model. A good example to use is: “SELECT* from credit_card_table”. Click

Apply Changes.



9. Click Save Super Flow.




11. When prompted, enter DPI Suspicious as the name and click OK.

12. Locate the newly created Super Flow in the Available Super Flows list and click the Add the Super Flow to the profile
button.

13. Next, locate the BreakingPoint DB2 Database Super Flow in the Available Super Flows list and click the Add the

Super Flow to the profile button.



14. Verify that both Super Flows have a weight of 100 and click Save App Profile.




Deep Packet Inspection (DPI) Test Methodology

Deep Packet Inspection (DPI) Test Methodology

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a Deep Packet Inspection (DPI) Test Methodology

Semelhante a Deep Packet Inspection (DPI) Test Methodology (20)

Mais de Ixia

Mais de Ixia (20)

Último

Último (20)

Deep Packet Inspection (DPI) Test Methodology