🤖 AI Summary
Global network censorship and interference are intensifying, primarily due to the widespread deployment of Deep Packet Inspection (DPI) devices. However, DPI middleboxes operate silently—evading detection by conventional scanning techniques—and vendors deliberately obfuscate their capabilities, severely hindering empirical research.
Method: This paper introduces dMAP, the first framework to leverage vendor-specific ambiguities in protocol parsing as fingerprinting features. By combining differential fuzz testing with lightweight probe generation, dMAP systematically constructs minimal probes (20–40 packets) that expose parsing discrepancies across DPI implementations.
Contribution/Results: Evaluated against national-scale censorship systems and mainstream commercial DPI products, dMAP achieves high discriminability, low overhead, and broad applicability in real-world Internet settings. It provides the first feasible, scalable methodology for active DPI mapping—enabling remote identification and clustering of otherwise invisible DPI devices.
📝 Abstract
Users around the world face escalating network interference such as censorship, throttling, and interception, largely driven by the commoditization and growing availability of Deep Packet Inspection (DPI) devices. Once reserved for a few well-resourced nation-state actors, the ability to interfere with traffic at scale is now within reach of nearly any network operator. Despite this proliferation, our understanding of DPIs and their deployments on the Internet remains limited -- being a network intermediary leaves DPI unresponsive to conventional host-based scanning tools, and DPI vendors actively obscuring their products further complicates measurement efforts.
In this work, we present a remote measurement framework, dMAP (DPI Mapper), that derives behavioral fingerprints for DPIs to differentiate and cluster these otherwise indistinguishable middleboxes at scale, as a first step toward active reconnaissance of DPIs on the Internet. Our key insight is that parsing and interpreting traffic as network intermediaries inherently involves ambiguities -- from under-specified protocol behaviors to differing RFC interpretations -- forcing DPI vendors into independent implementation choices that create measurable variance among DPIs. Based on differential fuzzing, dMAP systematically discovers, selects, and deploys specialized probes that translate DPI internal parsing behaviors into externally observable fingerprints. Applying dMAP to DPI deployments globally, we demonstrate its practical feasibility, showing that even a modest set of 20-40 discriminative probes reliably differentiates a wide range of DPI implementations, including major nation-state censorship infrastructures and commercial DPI products. We discuss how our fingerprinting methodology generalizes beyond censorship to other forms of targeted interference.
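The abstract's idea of a small discriminative probe set can be illustrated with an added example (not code from the paper or the dMAP project). It assumes probe outcomes have already been reduced to a binary matrix and uses a greedy set-cover heuristic, which is an assumption here, not the selection method the paper describes; the device names, probe names and observations are constructed.

```python
from itertools import combinations

# Constructed sample data: outcome of each probe against each middlebox.
# 1 = interference observed for that probe, 0 = traffic passed unmodified.
OBSERVATIONS = {
    "dpi_A": {"p1": 1, "p2": 0, "p3": 1, "p4": 0, "p5": 1},
    "dpi_B": {"p1": 1, "p2": 0, "p3": 0, "p4": 0, "p5": 1},
    "dpi_C": {"p1": 1, "p2": 1, "p3": 1, "p4": 0, "p5": 0},
    "dpi_D": {"p1": 1, "p2": 1, "p3": 0, "p4": 0, "p5": 0},
    "dpi_E": {"p1": 1, "p2": 1, "p3": 0, "p4": 0, "p5": 0},  # behaves like dpi_D
}

def select_probes(obs):
    """Greedily pick probes until every separable device pair is separated."""
    devices = sorted(obs)
    probes = sorted(next(iter(obs.values())))
    # Only pairs that at least one probe can tell apart are worth covering;
    # devices with identical behaviour on all probes stay in one cluster.
    remaining = {(a, b) for a, b in combinations(devices, 2)
                 if any(obs[a][p] != obs[b][p] for p in probes)}
    chosen = []
    while remaining:
        def gain(p):
            return sum(obs[a][p] != obs[b][p] for a, b in remaining)
        # Ties resolve to the alphabetically first probe (max keeps the first).
        best = max((p for p in probes if p not in chosen), key=gain)
        chosen.append(best)
        remaining = {(a, b) for a, b in remaining
                     if obs[a][best] == obs[b][best]}
    return chosen

def cluster(obs, probes):
    """Group devices whose fingerprint over the chosen probes is identical."""
    groups = {}
    for device in sorted(obs):
        fingerprint = tuple(obs[device][p] for p in probes)
        groups.setdefault(fingerprint, []).append(device)
    return groups

if __name__ == "__main__":
    probes = select_probes(OBSERVATIONS)
    print("selected probes:", probes)
    for fingerprint, members in cluster(OBSERVATIONS, probes).items():
        print(fingerprint, members)
```

Probes that every device answers identically (p1 and p4 in the sample) carry no discriminating information and are never selected, which is why a small subset can be enough.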