The reason it makes sense NOT to jump into deep packet inspection (or, as you ask, starting at L1), is that starting at an app layer you have a holistic view of *every* possible link in the chain. If ...