What is Encrypted Traffic Classification (ETC)?
ETC is a technology that identifies traffic types (YouTube, VPN, Steam, Teams, etc.) without decryption. It is used for:
-
Detection of filtering bypass attempts
-
Prioritization of video or VoIP traffic
-
Enhancing DPI efficiency
How does ETC work?
Operating principle
ETC analyzes:
-
Session behavior: packet size, intervals, direction
-
Metadata: TLS fingerprints, SNI, JA3, QUIC identifiers
-
ML model: classifies based on behavioral patterns, not content
Example: Netflix traffic can be identified by segmented delivery patterns and long keep-alive sessions, even with QUIC + TLS 1.3
Classification stages
-
The DPI engine intercepts and aggregates metadata
-
ML inference analyzes the stream
-
The system assigns a tag (e.g.,
EncryptedVideoorVPN-Tunnel) -
QoS or blocking policies are applied based on the tag
Guide: How to check for ETC in DPI
-
Open the DPI interface
-
Locate the “Encrypted Apps” section
- Check for categories: TLS Video, QUIC, VPN
-
Compare traffic with real-time metrics (e.g., NetFlow, sFlow)
How is it different from SNI filtering?
| Method | Effectiveness | Bypass vulnerability | TLS 1.3 / QUIC support |
|---|---|---|---|
| SNI filtering | Moderate | High | Limited |
| ETC | High | Low | Full |
FAQ
Is TLS decryption required?
No. That’s the point of ETC: traffic remains encrypted, but behavior is still identified.
Which ports does it work on?
ETC is port-independent — it analyzes streams regardless of their destination (TCP/UDP 443, 80, 853, and even non-standard ports).
Conclusion
ETC is a key tool in the era of full traffic encryption. It enables deep visibility without decryption, making it indispensable for DPI, CGNAT, BNG, and provider edge solutions. It is especially relevant in regions where VPN usage is common and everyday.
