It has already been discussed a little here:
Router work?
Once again I will repeat, a little creatively reworking the answer.
The detection of traffic distribution can be conditionally divided into several frontiers.
1. The first
milestone Each device in the cellular network at the time of registration informs the network of its IMEI - the device code, by which you can uniquely identify the model of your device.
Yes, you need an IMEI base with device capabilities - a description of what kind of device it is and what it can do. But the mobile operator already has it: When you first inserted a SIM card into a new phone, did you receive an SMS Internet settings? The settings for different manufacturers are slightly different, so you need to know the model of the subscriber unit.
It turns out that as soon as you insert a SIM card into a Wi-Fi router, the operator immediately understands that this is a router, which means that it will distribute the Internet via Wi-Fi.
The implementation of this technology is completely free for the operator.
2. Second frontier: TTL analysis.
It should be understood that only the routers themselves will be caught at the first line, and the Wi-Fi access point enabled in the phone settings is not visible to the operator.
But there is a trick: a device that distributes the Internet via Wi-Fi will, by default, reduce the TTL field on all ip packets passing through it.
Knowing the typical initial TTL values ​​​​for mobile platforms, you can react to all other values ​​\u200b\u200bas a signal that Wi-Fi is hiding somewhere.
To implement this, the operator will already require additional costs.
It is clear that no one will install a separate device to catch Wi-Fi lovers, so usually the operator's DPI is involved in this - a complex that classifies and "colors" subscriber traffic, thanks to which, for example, separate tariffication conditions for social networks become possible.
By the way, it's surprising, but, firstly, not all DPIs can do this (Erickson, you're ashamed, right?). Secondly, those that can, can do it for some money in the form of a license to be purchased.
3. The third milestone: heuristics
The topic is interesting and fascinating.
Yes, the subscriber can change the IMEI directly in the phone settings.
Yes, the subscriber can reflash the phone so that it does not touch TTL.
But, as soon as there are a lot of cunning subscribers, it becomes profitable for the operator to invest in advanced traffic analysis at the same DPI.
So what can be done?
Well, immediately:
3.1. Do you access the Internet directly from your phone through the built-in browser? Congratulations, you just told the operator in the User-Agent field of the HTTP protocol what mobile platform you have and what version!
How is it that from one device the operator sees different User-Agents, pointing either to Android or to Apple? Guys, do you have Wi-Fi there!
3.2. TCP/IP fingerprinting. Different mobile platforms (like Android/Apple) use different initial field values ​​in ip packets. Yes, take at least the same TCP Window size! Analyzing them, one can guess at least the platform manufacturer. And combining this with the same analysis by IMEI...
Guys, how is it: the device itself is from Apple, and the values ​​of the fields in the ip-packets are typical for Windows Phone?
Or why does your traffic look like Android or Blackberry?
It is clear that heuristic analysis is implemented, especially not on every DPI, and even more so, separate money for a license. Yes, and such an analysis squanders productivity very well ...
However, the technical means already exist, and as soon as they begin to pay off financially, it becomes profitable for the operator to implement them.