GoodbyeDPI- Passive Deep Packet Inspection

Ever wondered why we cannot access certain websites? Well, here’s everything you need to know about what causes that to happen. How some of the websites redirect us to the censorship page displaying ‘blocked.’ DPI is one such technology that is used to examine the data part of the network packets and search for protocols like viruses, spams, intrusions. For further information, get to know about how DPI works and what is GoodbyeDPI.


  1. What is DPI?
  2. working of DPI
  3. Uses of Deep Packet Inspection
  4. About Goodbye DPI
  5. How does Goodbye DPI work?
  6. Challenges faced by Deep Packet Inspection

What is DPI?

Deep Packet Inspection, also known as DPI or complete packet inspection, is a type of network packet filtering. Deep packet inspection evaluates the data part and the header of a packet that is transmitted through an inspection point, weeding out any non-compliance to the protocol, spam, virus, intrusions, and any other defined criteria to block the packet from passing through the inspection point. Deep packet inspection is also used to decide if a particular packet is redirected to another destination. DPI can locate, detect, categorized, blocked, or directed by conventional packet filtering.

DPI flourished in the initial days of Unified Threat Management (UTM) and network IDS that combines the functionality of an Intrusion Detection System (IDS) with a traditional stateful firewall. DPI-enabled devices have the ability to look at layer 2, and beyond layer 3 of the OSI model, and with the combination of  IDS/IPS, it was possible to detect specific attacks.

The nature of DPI is inspecting beyond the shallow headers of a packet all the way to its payload is rendered impotent when encryption is used in command and control (C2). If the attack is carried inside a VPN tunnel, or if a web application attack is performed over SSL, the DPI could help in investigations.

pandasecurity what it firewall

Working of DPI:

Deep packet inspection is a form of packet filtering usually carried out as a function of our firewall. It is applied to an Open Systems Interconnection’s application layer. Although it evaluates the contents of a packet that is going through the checkpoint, it also uses rules assigned by our internet service provider. It determines the inspection in real-time and what should be done with network or systems administration. The DPI is able to check the contents of these packets and then figure out where it came from. It also works with filters in order to find and redirect network traffic from an online service, such as Twitter or Facebook, or from a particular IP address.

Uses of Deep Packet Inspection:

There are diverse uses for deep packet inspection, as it acts as both an intrusion detection system or a combination of intrusion prevention and intrusion detection. The network can identify specific attacks that our firewall cannot adequately detect, like intrusion prevention and intrusion detection systems.

If an office/organization has users who are using their laptops for work, then deep packet inspection is vital in preventing worms, spyware, and viruses from getting into corporate work. The DPI is also used by network managers to help ease the flow of network traffic. The packets can also be prioritized that are mission-critical, ahead of ordinary browsing packets.

About GoodbyeDPI:

GoodbyeDPI or Passive Deep Packet Inspection blocker is an autonomous censorship circumvention software, which is used to regain access to country-wide blocked websites. Unlike similar utilities for censorship circumvention, GoodbyeDPI doesn’t use third-party servers; hence cannot be easily blocked by ISP (Internet Service Provider). It also doesn’t affect internet connection speed, the drawback being it does not work in all cases with all ISPs. While it requires no configuration, it is designed for non-tech-savvy people, which doesn’t require interaction with the user.

The software designed to bypass Deep Packet Inspection systems found in many Internet Service Providers, which block access to specific websites. It handles DPI connected using an optical splitter or port mirroring (Passive DPI) which does not block any data but just replying faster than the requested destination.

Best ISP Internet Service Provider

How does it Work?

Passive DPI

Most Passive DPI sends HTTP 302 Redirect when we try to access blocked websites over HTTP and CTP Reset in case of HTTPS, faster than the destination website. Packets sent by the DPI have an IP Identification field equal to 0x0000 or 0x0001. These packets, if they redirect us to another website (censorship page), are blocked by GoodbyeDPI.

Active DPI

It is more tricky to fool Active DPI; currently, the software uses 6 methods to circumvent. The program loads Windivert driver, which uses Windows Filtering Platform to set filters and redirect packets to the userspace. Following are the 6 methods:

  1. TCP- level fragmentation for first data packet
  2. TCP- level fragmentation for persistent (keep-alive) HTTP sessions
  3. Replacing Host header with host
  4. Removing space between header name and value in the host header
  5. Adding additional space between the HTTP Method and URI
  6. Mixing case of the Host header value.

Challenges faced by Deep Packet Inspection:

There is no technology existing that is perfect, even the DPI has no exception. Apart from privacy concerns, some doubts have risen due to HTTPS certificates and even VPNs with privacy tunneling. Some of the weaknesses found to be are:

  1. It is very effective in preventing attacks such as a denial of service attacks, buffer overflow attacks, and even some forms of malware. DPI can also be used to create similar attacks.
  2. It can make our current firewall and other security software more complicated and harder to manage. There should be a constant update and revision of the policies to ensure continued effectiveness.
  3. DPI can sometimes slow down the network we are using by dedicating resources for the firewall to handle the processing load.

The main principle of the internet is that the routers only inspect the IP address in order to decide the route packets. Whereas, DPI – Deep Packet Inspection, means it looks deeper into the packet. To reduce the processing requirements, DPI often uses shortcuts, simple tricks instead of a full inspection. Hence, it is important which evasion techniques you’ll choose depending on the specific DPI system you are trying to evade as it requires computers with heavy CPU power. This was all bout Goodbye DPI and it further brings us back to a new attack PDFex. Portable Document Format (PDF), a file format used to present and exchange documents, independent of software, hardware, or operating system. Invented by Adobe, PDF is an open standard maintained by the Internation Organisation for Standardizations (ISO). To learn more about PDFex and how can your PDF files containing sensitive information can be protected, preside towards the home page or visit


- Advertisement -

An Architect by profession & practice, Pranita is a keen observer and specialises in content, visualisation, and presentation. Cyber attacks & Architecture Technology in the far more technologically-advanced world made her realise that there is a lack of necessary awareness among people. Hence, keeping you all updated and protected by all means with subjects from Architecture Technology to Security Awareness.Currently working as a Head of Content, content writer & creator at BLARROW.TECH

- Advertisement -

Latest articles

Related articles