NetMon Architecture Terminology
This section describes common terms used in NetMon's functional architecture.
NetMon Term | Definition |
---|---|
Agent | A software component that receives data remotely from the NetMon appliance and then sends it to LogRhythm Enterprise for further processing. |
Application | A network protocol or web application that NetMon identifies using pattern matching, heuristic modelling, and signatures. |
Deep Packet Inspection (DPI) | The process by which NetMon analyzes network data using a variety of methods (pattern matching, heuristic modelling, and signatures) for session identification, application identification, and metadata extraction. |
Engine | The Packet Processing component that classifies data during Deep Packet Inspection. |
Event | A Syslog message that NetMon sends to LogRhythm Enterprise. |
Flow | A collection of activity by a single user on a single application. A flow contains source and destination information, byte and packet counts in both directions, the application identification, and many other metadata fields. Long-running flows send updates every 10 minutes by default; that interval is configurable. Each flow has a unique identifier that links its intermediate flow records together. In NetMon, the terms flow and session are essentially the same concept; however, a single long-running session can be reported as multiple flows. |
Layout | Saved queries and charts, which provide a view into specific data. For example, the Packet Layout shows graphs and tables relating to packets processed in the network. |
Logger | The Flow Output component that processes the metadata into flows. |
Lucene Search | An open-source text retrieval library released under the Apache Software License. NetMon queries are performed using Lucene search. |
Metadata | Data generated during packet processing, specific to each application. For example, metadata might include the login, command, and file name from a file transfer, or the messages exchanged inside an Internet Relay Chat (IRC) session. |
PCAP File | An industry-standard format for storing packet capture data. A PCAP file holds the raw packets for a flow. NetMon stores the raw packets it receives from the network tap in PCAP files. |
Session / Half Session | A session is a bi-directional flow of packets between one client and one server. A half session defines one direction of that flow, on either the client or server side. |
SIEM | Security Information and Event Management. LogRhythm Enterprise is a security intelligence and log management platform that delivers advanced cyber threat defence, detection, and response to protect networks from a rapidly evolving threat landscape. |
Syslog | A standard protocol (RFC 3164 / RFC 5424) for sending log messages to a Syslog server. NetMon transfers data to LogRhythm Enterprise (or to a third-party system) using the Syslog protocol. |
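The Flow, Session / Half Session and PCAP File definitions above describe the same data from three angles: raw packets stored in a PCAP file, grouped into bi-directional sessions, with per-direction (half session) byte and packet counts and periodic intermediate updates linked by a flow identifier. The following Python script is an added example written for this page; it is not NetMon code and does not reproduce NetMon's DPI engine. It builds a small classic-pcap byte string from constructed frames (documentation-range addresses, hypothetical timestamps), parses it with the standard library, and groups packets into flows keyed by a direction-independent 5-tuple. Two modelling choices are assumptions, not NetMon behaviour: the endpoint that sends the first packet is treated as the client, and a flow that stays active longer than `update_interval` seconds emits an intermediate record that shares its `flow_id`, modelled on the 10-minute default described in the table.

```python
# Added example, not NetMon code: parse a classic pcap with the standard library,
# group packets into bi-directional flows (sessions) and count each half session.
import hashlib
import struct

ETH_IPV4 = 0x0800
TCP, UDP = 6, 17


def build_packet(src, sport, dst, dport, payload=b"", proto=TCP):
    """Assemble a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed sample data)."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0,
                     64, proto, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + l4 + payload


def build_pcap(records):
    """records: iterable of (timestamp_seconds, frame) -> little-endian pcap bytes."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # link type 1 = Ethernet
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(pcap):
    """Yield (timestamp, frame) from a classic pcap, honouring the magic number's byte order."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, pcap[off:off + incl]
        off += incl


def parse_5tuple(frame):
    """Return (proto, src_ip, sport, dst_ip, dport) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (TCP, UDP) or len(frame) < 14 + ihl + 4:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return proto, src, sport, dst, dport


def build_flows(pcap, update_interval=600):
    """Group packets into flows keyed by a direction-independent 5-tuple.
    Assumed (not NetMon): first sender is the client; a flow active longer than
    update_interval seconds emits an intermediate record sharing its flow_id."""
    flows, records = {}, []
    for ts, frame in iter_packets(pcap):
        t = parse_5tuple(frame)
        if t is None:
            continue  # non-IPv4 or non-TCP/UDP traffic is not tracked here
        proto, src, sport, dst, dport = t
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))
        f = flows.get(key)
        if f is None:
            f = flows[key] = {
                "flow_id": hashlib.sha1(repr((key, ts)).encode()).hexdigest()[:16],
                "proto": proto, "client": (src, sport), "server": (dst, dport),
                "first": ts, "last": ts, "reported": ts,
                "c2s_packets": 0, "c2s_bytes": 0, "s2c_packets": 0, "s2c_bytes": 0,
            }
        half = "c2s" if (src, sport) == f["client"] else "s2c"  # which half session
        f[half + "_packets"] += 1
        f[half + "_bytes"] += len(frame)
        f["last"] = ts
        if ts - f["reported"] >= update_interval:
            records.append(dict(f, status="intermediate"))  # snapshot, keeps flow_id
            f["reported"] = ts
    records.extend(dict(f, status="final") for f in flows.values())
    return records


# Constructed sample capture: one HTTP session that stays active past the
# update interval, plus a single DNS query. Addresses are documentation ranges.
SAMPLE_PCAP = build_pcap([
    (1000.0, build_packet("10.0.0.5", 51000, "203.0.113.7", 80, b"GET / HTTP/1.1\r\n")),
    (1000.1, build_packet("203.0.113.7", 80, "10.0.0.5", 51000, b"HTTP/1.1 200 OK\r\n")),
    (1000.2, build_packet("10.0.0.5", 51000, "203.0.113.7", 80)),
    (1001.0, build_packet("10.0.0.9", 53000, "10.0.0.1", 53, b"\x12\x34", proto=UDP)),
    (1700.0, build_packet("10.0.0.5", 51000, "203.0.113.7", 80, b"GET /a HTTP/1.1\r\n")),
    (1700.1, build_packet("203.0.113.7", 80, "10.0.0.5", 51000, b"HTTP/1.1 200 OK\r\n")),
])


def summarise(pcap):
    """(flow_id, status, client, server, c2s_packets, s2c_packets) per flow record."""
    return [(r["flow_id"], r["status"], r["client"], r["server"],
             r["c2s_packets"], r["s2c_packets"]) for r in build_flows(pcap)]


if __name__ == "__main__":
    for row in summarise(SAMPLE_PCAP):
        print(row)
```

Running the script prints three records: an intermediate record for the HTTP flow emitted when traffic resumes 700 seconds after the flow started, a final record for the same flow with the same `flow_id` and one more server-to-client packet, and a final record for the DNS flow. The direction-independent key is what turns two half sessions into one session; a real sensor would also need to handle IPv6, VLAN tags, fragmentation and the pcapng format, none of which this example attempts.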