> surely as far as the carrier is concerned, all traffic from the mobile device is the same

Going on a bit of a tangent, but deep packet inspection can identify packets routed using NAT, so if the phone is operating as a typical hotspot it would be identifiable by your carrier. Carriers in the USA used to block / denylist / charge extra for tethering using this exact approach.

▲

HDBaseT an hour ago | parent [-]

Deep Packet Inspection presumably requires a certificate to be installed on my device to allow my connection to be MiTM'd.

	▲	codebje 42 minutes ago \| parent \| next [-]
		DPI can refer to inspecting beyond just the headers, but since it's more of a marketing term than a technical one, you could also say you're "deeply inspecting" the IP headers of a packet and no-one would show up to arrest you for bad terminology. Anyway, one way to detect NAT is to observe different TTLs originating from one device. Is that deep inspection? Probably depends on who you ask. The fact that you have to track information across multiple packets counts for something, though. Off the top of my head I wouldn't really expect there to be much value in a MITM inspection of the contents of HTTP traffic for the purposes of NAT detection. You could probably come up with some scenarios in which it might be possible, but I'd content those scenarios aren't very practical. Easier to compare TTLs between packets, say, or track connections to known OS "phone home" destinations. While these just use information from the IP layer, they're stateful observations requiring comparisons across multiple packets, and that might count for something. One way to detect a shitty carrier service, though, is that they're inspecting your traffic for "good" or "bad" uses of their service, because that is a good indicator that they're not just a carrier. I call it Dickish Practices Identification, or DPI.
	▲	akerl_ 42 minutes ago \| parent \| prev \| next [-]
		DPI is distinct from TLS MITM (though many enterprise devices offer both). The delineation here is between "shallow" packet inspection (which basically nobody refers to because it's just a normal part of networking), where network devices look at just the bits of the packets they need to route / NAT / etc them appropriately. DPI can tell a ton of things without needing to MITM encrypted layer 7 traffic. A boring example is that you can tell TLS from OpenSSH traffic just by seeing the initial handshake. sslh ( https://github.com/yrutschle/sslh ) takes advantage of this on the server side to let you run both on the same port. A less boring example is identifying OpenVPN, Wireguard, etc traffic regardless of what port they're run on, to enable blocking VPN traffic on a network.
	▲	ninjaoxygen 32 minutes ago \| parent \| prev [-]
		At one point it was definitely not so deep... carriers were literally looking at the IP TTL and seeing whether it was a recognised value from the phone or a few hops less than one of the common defaults, in which case it was considered tethering traffic. You could spoof it by finding out your mobile's TTL, overriding the TTL in the connecting device to be one higher than the mobile.