Packet Sniffing (Port Mirroring, Inline Appliances) Sensor for WANGUARD and WANSIGHT

OVERVIEW: The Sniffing Sensor provided by WANGUARD and WANSIGHT is an advanced packet sniffer that inspects every packet it receives and generates detailed traffic analytics. In switched networks only the packets for a specific device reach the device's network card. If the server running the Sniffing Sensor is not deployed in-line (in the main data-path) then a network TAP, or a switch or router that offers a monitoring port or mirroring port must be used. In this case, the network device sends a copy of data packets traveling through selected ports or VLANs to the monitoring port listened by the Sniffing Sensor.
At its core, the Sniffing Sensor has a highly scalable traffic correlation engine capable of continuously monitoring hundreds of thousands of IP addresses. Complex statistical algorithms integrate traffic data to build an accurate and detailed picture of real-time and historical traffic flows across the network.
  • The Sniffing Sensor contains a scalable IP traffic monitoring engine able to monitor tens of thousands of IPv4 and IPv6 addresses and IP blocks.
  • Provides traffic accounting reports and per-IP, per-subnet and per-IP group graphs (histograms) for each of the following traffic types: TCP, TCP+SYN, UDP, ICMP, BAD, FLOWS, HTTP, SSL, MAIL, DNS, NTP, RDP, SNMP, SSH, IPSEC, FACEBOOK, YOUTUBE, NETFLIX, HULU
  • Generates tops and graphs for Talkers, External IPs, Autonomous Systems (based on GeoIP data), Countries, TCP ports, UDP ports, IP protocols and IP Groups.
  • Any number of instances can be deployed across the network. Management and reporting is done from a single, centralized, fully-featured web interface
  • Supports running in a clustered mode with multiple instances generating aggregated data. Each instance can be distributed on a different CPU to load-balance the load, or can listen to different 10G interfaces or NIC queues etc.
  • Can generate traffic dumps from various parts of the network. Packet dumps can be saved locally or viewed online in a wireshark-like web-based interface
  • The accuracy of traffic graphs can be adjusted between 5 seconds and 10 minutes
  • Detects all bandwidth-related traffic anomalies:
    • Distributed Denial of Service ( DDoS ) attacks
    • DNS attacks, NTP attacks, RDP attacks, UDP floods, ICMP floods, SMURF attacks
    • SYN floods, TCP port 0, UDP port 0, LOIC, peer-to-peer attacks
    • Scans and worms sending traffic to illegal or unallocated addresses
    • Unknown volumetric DoS attacks
  • Per endpoint flexible threat reaction options:
    • activate the WANGUARD Filter for DDoS attack mitigation
    • send RTBH / BGP black-holing / null-routing announcements
    • alert the NOC staff by email using user-defined email templates
    • send custom syslog messages to remote log servers
    • capture attack traffic for forensic investigation
    • extend the built-in capabilities with custom scripts accessing the API
  • It can use PF_RING for 10 Gigabit Ethernet traffic monitoring without packet losses
  • Supports MPLS and VLAN tag stripping
  • Easy and non-disruptive installation on commodity hardware
  • The most cost-effective distributed packet sniffing-based traffic analytics and DDoS detection solution on the market


Capturing Technology
  • Port Mirroring ( SPAN - Switched Port Analyzer, RSPAN, Roving Analysis Port )
  • Network TAP
  • Packet Sniffer running on an in-line server / appliance
Maximum Traffic Capacity 10 GigE per Sniffing Sensor instance, >150,000 endpoints*
DDoS Detection Time <= 5 seconds
IP Graphs Accuracy >= 5 seconds
Traffic Validation Options IP classes, MAC addresses, VLANs, BPF
* An endpoint is an IP address that belongs to your network. The software is not limited by the number of connections between IPs.


Packet Sniffing Capacity     1 Gigabit Ethernet 10 Gbit Ethernet
Architecture x86 ( 32 or 64 bit ) x86 ( 64 bit )
CPU 1 x dual-core Xeon 2.0 GHz 1 x quad-core Xeon 2.8 GHz
Network Cards 1 x Gigabit Ethernet with NAPI Support 
1 x Fast Ethernet for management
1 x 10 GbE card. Intel 82599 chipset recommended
1 x Fast Ethernet for management
Operating System*  RHEL 5 / CentOS 5, RHEL / CentOS 6, Debian 6, Ubuntu Server 12, OpenSUSE 12 RHEL 5 / CentOS 5, RHEL / CentOS 6, Debian 6, Ubuntu Server 12, OpenSUSE 12
Disk Space 10 GB ( including OS ) 10 GB ( including OS )
* Other Linux distributions might work but haven't been tested yet.


You can download and try the Sniffing Sensor for 30 days by requesting an evaluation license.
Sensor licenses can be purchased directly from our on-line store.
The answers for several frequently asked questions are listed in the Knowledge Base.
If you have any questions or requests, please don't hesitate to contact us.