This section describes common terms used in NetMon's functional architecture.

| NetMon Term | Definition |
| --- | --- |
| Agent | A software component that receives data remotely from the NetMon appliance and then sends it to LogRhythm Enterprise for further processing. |
| Application | Network protocols or web applications that NetMon identified using pattern matching and heuristic modeling, as well as signatures. |
| Deep Packet Inspection (DPI) | A process whereby NetMon analyzes network data using a variety of methods, including pattern matching, heuristic modeling, signatures for session identification, application identification, and metadata extraction. |
| Engine | The Packet Processing component that classifies data during Deep Packet Inspection. |
| Event | A Syslog message sent to LogRhythm Enterprise. |
| Flow | A collection of activity by a single user on a single application. The flow contains source and destination information, byte and packet counts transferred in both directions, application identification, and many other metadata fields. Long-running flows send updates every 10 minutes by default, but that value can be changed. Each flow has a unique identifier that links multiple intermediate flows together. In NetMon, the terms flow and session are essentially the same concept; however, a single session can be contained within multiple flows. |
| Layout | Saved queries and charts, which provide a view into specific data. For example, the Packet Layout shows graphs and tables relating to packets processed in the network. |
| Logger | The Flow Output component that processes the metadata into flows. |
| Lucene Search | An open-source text retrieval library released under the Apache Software License. NetMon queries are performed using Lucene search. |
| Metadata | Data generated during packet processing, appropriate to each application. For example, metadata might include the login, command, and file name from file transfers, or messages inside an Internet Relay Chat (IRC). |
| PCAP File | An industry-standard format for containing packet capture data. PCAP data includes the raw packets for a flow. NetMon stores raw packets from the network tap in PCAP files. |
| Session / Half Session | A session is a bi-directional flow of packets between one client and one server. A half session defines one direction of that flow, on either the client or server side. |
| SIEM | Security Information and Event Management. LogRhythm Enterprise is a security intelligence and log management platform that delivers advanced cyber threat defense, detection, and response to protect networks from a rapidly evolving threat landscape. |
| Syslog | An open-source protocol for passing data to a Syslog server. NetMon transfers data to LogRhythm Enterprise (or to a third-party system) using the Syslog protocol. |