Packet Sniffing (Port Mirroring, Inline Appliances) Sensor for WANGUARD and WANSIGHT

OVERVIEW:
The Packet Sensor included in WanGuard and WanSight is a packet sniffer that inspects IP packets and generates detailed traffic analytics. At its core, it contains a highly scalable traffic correlation engine capable of continuously monitoring hundreds of thousands of IP addresses. Complex statistical algorithms integrate traffic data to build an accurate and detailed picture of real-time and historical traffic flows across the network.
KEY FEATURES AND BENEFITS:
  • Contains a completely scalable IP traffic analysis engine able to monitor, in real time, tens of thousands of IPv4 and IPv6 addresses and ranges
  • Management and reporting through a single web-based Console with a unified, holistic presentation
  • Detects all bandwidth-related traffic anomalies (when used with a WanGuard license), such as:
    • Distributed Denial of Service (DDoS) attacks, unknown volumetric DoS attacks
    • NTP amplification attacks, generic UDP floods, ICMP floods, SMURF attacks
    • SYN floods, TCP/UDP port 0, LOIC, peer-to-peer attacks
    • Scans and worms sending traffic to illegal or unallocated addresses, missing traffic to/from critical services
  • Per-endpoint flexible threat reaction options (when used with a WanGuard license), such as:
    • Activate on-premise DDoS attack mitigation with WanGuard Filter
    • Send remotely-triggered BGP black hole announcements
    • Send BGP off-/on-ramp traffic diversion announcements to on-premise / on-cloud DDoS mitigation services
    • Email alerts with user-defined dynamic templates
    • Send custom Syslog messages to remote log servers or SIEM systems
    • Capture a sample of traffic for forensic investigation
    • Extend the built-in capabilities by executing your own scripts with access to over 70 operational parameters through an easy-to-use API
  • Provides traffic accounting reports and per-IP, subnet or IP group graphs for each of the following traffic types: total, tcp, tcp+syn, tcp+rst, tcp+ack, tcp+syn+ack, tcp-null, udp, icmp, other, bad, flows, flows+syn, http, https, ssl, mail, dns, sip, ntp, rdp, snmp, ssh, ipsec, ssdp, facebook, youtube, netflix, hulu, and more to come
  • Generates tops and graphs for talkers, external IPs, IP groups, autonomous systems (GeoIP based), countries (GeoIP based), TCP ports, UDP ports, IP protocols, and more
  • The short-term accuracy of bandwidth graphs can be set between 5 seconds and 10 minutes. Long-term accuracy can be set to any number of years
  • Users can save packet dumps for forensic investigation and to aid network troubleshooting. Packet dumps can be downloaded or viewed online in a Wireshark-like interface. Packet captures can be displayed as raw hexadecimal and ASCII data for inclusion in regular expressions
  • Supports running in a clustered mode where multiple Packet Sensor instances are load-balanced on different CPU cores or servers
  • Any number of instances can be deployed on servers across the network
  • Can use PF_RING version 6 (no DNA, ZC or Libzero licenses needed) for packet sniffing on 10 Gbit interfaces with no packet losses
  • Supports MPLS, VLAN and double-VLAN tag stripping
  • Easy and non-disruptive installation on commodity hardware
  • The most affordable distributed packet sniffing-based traffic analysis and DDoS detection tool on the market

DATASHEET:

Traffic Capturing Technology:
  • Packet Sniffer running on: Linux servers deployed in the main data path, routers, firewalls or other appliances
  • Port Mirroring (SPAN - Switched Port Analyzer, RSPAN, Roving Analysis Port)
  • Network TAP
Capacity / Sensor Instance: 10 Gigabit Ethernet, 14 Mpackets/s, not limited by the number of connections between IPs
DDoS Detection Time: ≤ 5 seconds
IP Graphs Accuracy: ≥ 5 seconds
Traffic Validation Options: IP classes, MAC addresses, VLANs, BPF

MINIMUM SYSTEM REQUIREMENTS:

Packet Sniffing Capacity: 1 Gbit/s - 1,400,000 packets/s
  Architecture: 64 bit (x86)
  CPU: 2.0 GHz dual-core Xeon
  RAM: 2 GB
  Network Cards: 1 x Gigabit Ethernet (with driver supported by PF_RING), 1 x Fast Ethernet for management
  Operating System*: Red Hat / CentOS 6 or 7, Debian 6 or 7, Ubuntu Server 12 or 14, OpenSUSE 13
  Disk Space: 10 GB (including OS)

Packet Sniffing Capacity: 10 Gbit/s - 14,000,000 packets/s
  Architecture: 64 bit (x86), dedicated server (no VM)
  CPU: 3.2 GHz quad-core Xeon (e.g. Intel X5672)
  RAM: 4 GB
  Network Cards: 1 x 10 GbE adapter (Myricom or Intel 82599 chipset), 1 x Fast Ethernet for management
  Operating System*: Red Hat / CentOS 6 or 7, Debian 6 or 7, Ubuntu Server 12 or 14, OpenSUSE 13
  Disk Space: 10 GB (including OS)
* Other Linux distributions might work but have not yet been tested.

In a switched network, a network card only receives the frames addressed to its own host. If the server running the Packet Sensor is not deployed in-line (in the main data path), traffic must be fed to it through a network TAP or through a switch or router that offers a monitoring (mirroring) port.
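Frames delivered by a mirror port or TAP usually still carry the 802.1Q or QinQ tags of the monitored links, which is why the VLAN and double-VLAN tag stripping listed above matters before any per-IP classification can happen. The following Python is an added illustration, not Andrisoft's code: it strips single and double VLAN tags to reach the IPv4 header and then sorts the packet into a subset of the traffic types named in the feature list (tcp+syn, tcp+rst, tcp+syn+ack, tcp-null, TCP port 0 as bad, udp, icmp); the frame builder, its MAC and IP addresses and the exact mapping of flags to type names are constructed assumptions for the example.

```python
import struct

ETH_IPV4, ETH_8021Q, ETH_8021AD = 0x0800, 0x8100, 0x88A8  # 0x88A8 is the QinQ outer TPID

def strip_vlan_tags(frame):
    # Return (ethertype, l3_payload, vlan_ids); each tag is 4 bytes: TCI + next EtherType.
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype, offset, vids = struct.unpack("!H", frame[12:14])[0], 14, []
    while ethertype in (ETH_8021Q, ETH_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        offset += 4
    return ethertype, frame[offset:], vids

def classify(frame):
    # Map a frame to a subset of the datasheet's traffic types (assumed mapping, see lead-in).
    ethertype, pkt, _ = strip_vlan_tags(frame)
    if ethertype != ETH_IPV4 or len(pkt) < 20:
        return "other"
    proto, l4 = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]  # IHL gives the IPv4 header length
    if proto == 6 and len(l4) >= 14:
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == 0 or dport == 0:
            return "bad"  # TCP port 0, one of the anomalies the datasheet lists
        f = l4[13] & 0x3F  # URG/ACK/PSH/RST/SYN/FIN bits of the TCP flags byte
        return ("tcp-null" if f == 0 else "tcp+syn+ack" if f & 0x12 == 0x12
                else "tcp+syn" if f & 0x02 else "tcp+rst" if f & 0x04 else "tcp")
    return {17: "udp", 1: "icmp"}.get(proto, "other")

def build_frame(vids, proto, flags=0, sport=1234, dport=80):
    # Constructed sample frame: Ethernet, zero to two VLAN tags, minimal IPv4, L4 header.
    tpids = [ETH_8021AD if len(vids) == 2 and i == 0 else ETH_8021Q for i in range(len(vids))]
    chain = tpids + [ETH_IPV4]  # EtherType fields in wire order, ending at the IPv4 payload
    frame = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", chain[0])
    for vid, nxt in zip(vids, chain[1:]):
        frame += struct.pack("!HH", vid, nxt)
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        l4 = b"\x08\x00\x00\x00"  # ICMP echo request header, checksum left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return frame + ip + l4
```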

ADDITIONAL INFORMATION:
You can download and try the Packet Sensor for 30 days by requesting an evaluation license.
Packet Sensor licenses can be purchased through the online store.
Frequently asked questions are answered in the User Guide and Knowledge Base.
If you need any further information, do not hesitate to contact us.