Packet Sniffing (Port Mirroring, Inline Appliances) Sensor for Wanguard and Wansight

OVERVIEW: The Packet Sensor component of Wanguard and Wansight is a packet sniffer that inspects IP packets and generates detailed traffic analytics. At its core, it contains a highly scalable traffic correlation engine capable of continuously monitoring hundreds of thousands of IP addresses. Sophisticated statistical algorithms integrate traffic data to build an accurate and detailed picture of real-time and historical traffic flows across the network.

KEY FEATURES
AND BENEFITS:
  • Contains a completely scalable IP traffic analysis engine able to monitor, in real-time, tens of thousands of IPv4 and IPv6 addresses and ranges
  • Management and reporting through an advanced web-based Console with a unified, holistic presentation
  • Detects all bandwidth-related traffic anomalies (when used with a Wanguard license), such as:
    • Distributed Denial of Service (DDoS) attacks, unknown volumetric DoS attacks
    • NTP amplification attacks, generic UDP floods, ICMP floods, SMURF attacks
    • SYN floods, TCP/UDP port 0, LOIC, peer-to-peer attacks
    • Scans and worms sending traffic to illegal or unallocated addresses, missing traffic to/from critical services
  • Per-endpoint flexible threat reaction options (when used with a Wanguard license), such as:
    • Activate on-premise DDoS attack mitigation with Wanguard Filter
    • Send remotely-triggered BGP blackhole announcements (RTBH) using FlowSpec (RFC 5575) or null-routing communities
    • Send BGP off-/on-ramp traffic diversion announcements to on-premise / on-cloud DDoS mitigation services
    • Email alerts with user-defined dynamic templates
    • Send custom Syslog messages to remote log servers or SIEM systems
    • Capture a sample of traffic for forensic investigation
    • Extend the built-in capabilities by executing custom scripts with access to an easy-to-use API exposing 80+ internal parameters
  • Provides traffic accounting reports and per-IP, subnet or IP group graphs for each of the following traffic decoders (classes): total, tcp, tcp+syn, tcp+rst, tcp+ack, tcp+syn+ack, tcp-null, udp, icmp, other, bad, flows, flows+syn, http, https, ssl, mail, dns, sip, ntp, rdp, snmp, ssh, ipsec, ssdp, quic, memcached, facebook, youtube, netflix, hulu. Supports custom decoders
  • Generates tops and graphs for talkers, external IPs, IP groups, autonomous systems (GeoIP based), transit autonomous systems (based on BGP MTR files), countries (GeoIP based), TCP ports, UDP ports, IP protocols, and more
  • Set the short-term accuracy of bandwidth graphs between 5 seconds and 10 minutes. Set the long-term accuracy to any number of years
  • Users can save packet dumps for forensic investigation, network-wide situational awareness and to aid network troubleshooting. Packet dumps can be downloaded or viewed online in a Wireshark-like interface. Displays packet captures in hexadecimal raw and ASCI data for inclusion in regular expressions
  • Supports running in a clustered mode where multiple Packet Sensor instances are load-balanced on different CPU cores or servers
  • Deploy any number of instances on servers across the network
  • Can use libpcap, DPDK, PF_RING (vanilla or ZC) and Netmap for packet sniffing on >40 Gbit interfaces with no packet losses
  • Can act as a passive sniffer, or as a transparent bridge or (pseudo) Layer 3 device by forwarding packets between ports
  • Supports MPLS processing in mirror mode, VLAN and double-VLAN tag stripping, PPPoE and GRE decapsulation
  • Easy and non-disruptive installation on commodity hardware
  • The most affordable distributed packet sniffing-based traffic analysis and DDoS detection tool on the market

DATASHEET:

Traffic Capturing
Technology:
  • Packet Sniffer running on: Linux servers deployed in the main data path, routers, firewalls or other appliances
  • Port Mirroring (SPAN - Switched Port Analyzer, RSPAN, Roving Analysis Port)
  • Sampled Port Mirroring
  • Network TAP
Capacity per Sensor Instance:   40 Gigabit Ethernet, >30 Mpackets/s, unlimited number of connections between IPs
DDoS Detection Time: ≤ 1 second
IP Graphing Accuracy: ≥ 5 seconds
Traffic Validation Options: IP classes, MAC addresses, VLANs, BPF

MINIMUM SYSTEM
REQUIREMENTS:
   

Capacity:     10 Gbit/s (~14 Mpkts/s) 40 Gbit/s (~30 Mpkts/s)
Architecture: Intel Xeon 64 bit, dedicated server Intel Xeon 64 bit, dedicated server
CPU: 2.4 GHz 10-core Xeon E5-2640v4 2.4 GHz 12-core Xeon E5-2680v4
RAM: 8 GB DDR4 quad-channel 16 GB DDR4 quad-channel
Network Cards: 1 x 10 GbE adapter (Myricom, Intel 82599+ or DPDK supported chipset)
1 x Fast Ethernet for management
1 x 40 GbE adapter (Intel XL710+ or other DPDK supported chipset)
1 x Fast Ethernet for management
Operating System*:  RHEL / Rocky / Alma 8 or 9; Debian 10 to 12;
Ubuntu Server 16 to 22
RHEL / Rocky / Alma 8 or 9; Debian 10 to 12;
Ubuntu Server 16 to 22
Disk Space: 10 GB (including OS) 10 GB (including OS)
* Other Linux distributions might work but have not yet been tested.

In switched networks, only the packets for a specific device reach the device's network card. If the server running the Packet Sensor is not deployed in-line (in the main data path), then a network TAP or a switch or router that offers a monitoring port or mirroring port must be used.

Packet Sensor can run load-balanced over multiple CPU cores only when used with:
  • Intel 82599 chipset network adapters, such as Intel X520, Intel X540, HP X560 or Silicom PE310G4DBi9-T
  • Myricom network adapters having a Sniffer 10G license
  • PF_RING (with or without ZC) high-speed packet I/O framework
  • Netmap high-speed packet I/O framework
  • Any network adapter supported by DPDK
You can increase the packet analysis capacity to 100 Gbit/s or more by defining a freely-provided Sensor Cluster component that will aggregate multiple Packet Sensors running on different servers equipped with 10 or 40 Gbit/s network adapters.

ADDITIONAL
INFORMATION:
You can download and try Packet Sensor for 30 days by requesting an evaluation license.
You can purchase Packet Sensor licenses through the Online Store.
Frequently asked questions are answered in the User Guide and Knowledge Base.
If you need any further information, do not hesitate to contact us.

  OUR CLIENTS  

  • Telecom Operators: HUAWEI | VODAFONE | ORANGE | JT GLOBAL | BITE LITHUANIA | MOLDTELECOM | JUPITER TELECOMMUNICATIONS

  • Internet Service Providers: GOOGLE FIBER | YELLOWFIBER | SKYLOGIC EUTELSAT | 1&1 VERSATEL | NETCOLOGNE | SOLCON NETHERLANDS

  • Cloud / VPS Hosting Providers: DIGITALOCEAN | LEASEWEB | FLEXENTIAL | WEEBLY | VPS.NET | EAPPS | SERVERPOINT

  • Software & Services: IBM CORPORATION | MOZILLA CORPORATION | NAMECHEAP | GANDI SAS | ALLEGRO | MBANK | TF1 FRANCE

  • Security / Anti-DDoS Services: GIGENET | DDOS-GUARD | BLACKLOTUS | KODDOS | ROKASECURITY | DOSARREST | SERVERIUS

  • Data Centers: EQUINIX | PHOENIXNAP | CORE-BACKBONE | BSO NETWORK | ASCENTY | PLUSSERVER | MYLOC MANAGED IT