Packet Sniffing (Port Mirroring, Inline Appliances) Sensor for WANGUARD and WANSIGHT

The Sniffing Sensor provided by WanGuard and WanSight is a packet sniffer that inspects IP packets and generates detailed traffic analytics. In switched networks, only the packets for a specific device reach the device's network card. If the server running the Sniffing Sensor is not deployed in-line (in the main data-path), then a network TAP or a switch or router that offers a monitoring port or mirroring port must be used.
At its core, the Sniffing Sensor contains a highly scalable traffic correlation engine capable of continuously monitoring hundreds of thousands of IP addresses. Complex statistical algorithms integrate traffic data to build an accurate and detailed picture of real-time and historical traffic flows across the network.
  • The Sensor contains a completely scalable IP traffic analysis engine able to monitor tens of thousands of IPv4 and IPv6 addresses and IP blocks in real time
  • Management and reporting are done from a single web-based Console with a unified, holistic presentation
  • Detects all bandwidth-related traffic anomalies (when used by WanGuard):
    • Distributed Denial of Service (DDoS) attacks, unknown volumetric DoS attacks
    • NTP amplification attacks, generic UDP floods, ICMP floods, SMURF attacks
    • SYN floods, TCP/UDP port 0, LOIC, peer-to-peer attacks, etc.
    • Scans and worms sending traffic to illegal or unallocated addresses, missing traffic to critical services
  • Per-endpoint flexible threat reaction options (when used by WanGuard):
    • Activate WanGuard Filter for DDoS attack mitigation
    • Send remotely-triggered black hole announcements, BGP off-/on-ramp traffic diversion announcements
    • Alert the NOC staff by email using user-defined email templates
    • Send custom Syslog messages to remote log servers or SIEM systems
    • Capture a sample of traffic for forensic investigation
    • Extend the built-in capabilities with customized scripts that can access an easy-to-use API
  • Provides traffic accounting reports and per-IP / subnet / IP Group graphs for each of the following traffic types: total, tcp, tcp+syn, udp, icmp, other, bad, flows, flows+syn, http, https, ssl, mail, dns, sip, ntp, rdp, snmp, ssh, ipsec, facebook, youtube, netflix, hulu, and more to come
  • Generates tops and graphs for talkers, external IPs, IP groups, autonomous systems (based on GeoIP), countries (based on GeoIP), TCP or UDP ports, IP protocols, and more
  • The short-term accuracy of bandwidth graphs can be set between 5 seconds and 10 minutes
  • Users can save packet dumps for forensic investigation or to aid network troubleshooting. Packet dumps can be downloaded or viewed online in a Wireshark-like interface. Packet contents can be displayed as raw hexadecimal data and as ASCII data for inclusion in regular expressions
  • Supports running in a clustered mode with collected data aggregated from multiple Sniffing Sensors. Instances can be load-balanced on different CPU cores or servers
  • Any number of instances can be deployed on servers across the network
  • Can use PF_RING (v.5, without DNA) for packet sniffing on 10 Gbit interfaces with no packet loss
  • Supports MPLS and VLAN tag stripping
  • Easy and non-disruptive installation on commodity hardware
  • The most affordable distributed packet sniffing-based traffic analysis and DDoS detection tool on the market


Traffic Capturing Technology:
  • Packet Sniffer running on in-line Linux servers, routers, firewalls or other appliances
  • Port Mirroring (SPAN - Switched Port Analyzer, RSPAN, Roving Analysis Port)
  • Network TAP
Capacity / Sensor Instance: 10 Gigabit Ethernet, >1,500,000 endpoints*
DDoS Detection Time: ≤ 5 seconds
IP Graphs Accuracy: ≥ 5 seconds
Traffic Validation Options: IP classes, MAC addresses, VLANs, BPF
* An endpoint is an IP address that belongs to your network. The software is not limited by the number of connections between IPs.


Packet Sniffing Capacity: 1 Gbit Ethernet
  • Architecture: x86 (32 or 64 bit)
  • CPU: 2.4 GHz dual-core Xeon
  • RAM: 1 GB
  • Network Cards: 1 x Gigabit Ethernet, 1 x Gigabit Ethernet for management
  • Operating System*: RHEL / CentOS 5 or 6, Debian 6 or 7, Ubuntu Server 12, OpenSUSE 12 or 13
  • Disk Space: 10 GB (including OS)

Packet Sniffing Capacity: 10 Gbit Ethernet
  • Architecture: x86 (64 bit), No VMs
  • CPU: 2.8 GHz quad-core Xeon
  • RAM: 2 GB
  • Network Cards: 1 x 10 GbE card with chipset Intel 82599 or better, 1 x Gigabit Ethernet for management
  • Operating System*: RHEL / CentOS 5 or 6, Debian 6 or 7, Ubuntu Server 12, OpenSUSE 12 or 13
  • Disk Space: 10 GB (including OS)
* Other Linux distributions might work but have not yet been tested.


You can download and use the Sniffing Sensor for 30 days by requesting an evaluation license.
Sensor licenses can be purchased directly from our online store.
The answers for several frequently asked questions are listed in the Knowledge Base.
If you need any further information, do not hesitate to contact us.