Network Monitor Architecture
This section provides a high-level overview of how data is processed through NetMon.
Once NetMon collects data packets from the network tap, it processes data as follows:
The Packet Processing component (also called the Engine) classifies the data during Deep Packet Inspection (DPI). In this process, the Engine analyzes network data using a variety of methods, including pattern matching, heuristic modelling, signatures for session identification, application identification, and metadata extraction. The Engine also applies packet rules before sending the processed data to the Flow Output component.
If NetMon begins capturing a long-running session partway through (that is, after the SYN and ACK have already been exchanged), it may not be possible to identify the traffic in that session.
The Flow Output component (also called the Logger) processes the metadata into flows. Each flow (also called a session) is a collection of activities for one user and one application. A flow can include information from Layers 2 through 7: application-level information and network-level information, such as bandwidth consumed and network statistics. The Logger applies another set of output rules, which control the structuring of the information (for example, the organization of the flow, the metadata included in the flow, and so on). The Logger then sends these flows via Syslog to the LogRhythm Agent (when integrated with the LogRhythm SIEM) or to a third-party system. It also sends the flows to the Persistence component for analysis in the Web Management Interface.
The Persistence component stores network metadata, statistics, and packet captures. This self-maintaining component ensures that stored data is managed within the disk limits of the platform. Storage days for metadata vary, with ranges based on the configuration of the system. At full capacity, the component maintains approximately 30 days of data.
To analyze this data, administrators can use the Web Management Interface or can query NetMon remotely using the Web API.
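The three stages above (packet classification, flow aggregation, syslog export) can be modelled end to end in a few dozen lines. The following is an added, hypothetical illustration written for this page; it is not NetMon's own code, data format or signature set. The application signatures, the field names, the syslog layout and all packets and addresses are constructed for the example. It also shows the mid-session caveat: a TCP flow whose SYN was never captured is exported with handshake_seen=False, and because the first payload the pipeline sees matches no signature, the application stays unknown.

```python
"""Toy packet-to-flow pipeline modelled on the three stages described above.
Hypothetical illustration only, not NetMon's own code, signatures or format."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SYN, ACK = 0x02, 0x10  # TCP flag bits used below


@dataclass
class Packet:
    ts: float
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    flags: int = 0      # TCP flags; 0 for UDP


@dataclass
class Flow:
    proto: str
    client: tuple       # (ip, port) of whichever side was seen first
    server: tuple
    first_ts: float
    last_ts: float
    app: Optional[str] = None
    packets: int = 0
    bytes_to_server: int = 0
    bytes_to_client: int = 0
    handshake_seen: Optional[bool] = None   # TCP only: was the SYN captured?


# Engine stage: toy signature matching on the packet payload (assumed signatures).
def identify_app(pkt: Packet) -> Optional[str]:
    p = pkt.payload
    if pkt.proto == "udp" and 53 in (pkt.sport, pkt.dport):
        return "dns"
    if pkt.proto == "tcp" and len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:
        return "tls"  # TLS record: content type 0x16 (handshake), version 3.x
    if p.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/")):
        return "http"
    return None


def flow_key(pkt: Packet) -> tuple:
    # Bidirectional key so both directions of a session land in one flow.
    return (pkt.proto,) + tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


# Logger stage: aggregate packets into per-session flows with byte counters.
def build_flows(packets) -> list:
    flows = {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        flow = flows.get(flow_key(pkt))
        if flow is None:
            flow = Flow(pkt.proto, (pkt.src, pkt.sport), (pkt.dst, pkt.dport),
                        pkt.ts, pkt.ts,
                        handshake_seen=False if pkt.proto == "tcp" else None)
            flows[flow_key(pkt)] = flow
        flow.last_ts = pkt.ts
        flow.packets += 1
        if (pkt.src, pkt.sport) == flow.client:
            flow.bytes_to_server += len(pkt.payload)
        else:
            flow.bytes_to_client += len(pkt.payload)
        if pkt.proto == "tcp" and pkt.flags & SYN and not pkt.flags & ACK:
            flow.handshake_seen = True   # capture started before the session did
        if flow.app is None:             # first matching payload wins
            flow.app = identify_app(pkt)
    return list(flows.values())


DEFAULT_FIELDS = ("proto", "client", "server", "app", "packets",
                  "bytes_to_server", "bytes_to_client", "duration", "handshake_seen")


# Output stage: an "output rule" is modelled as the tuple of fields to emit.
def to_syslog(flow: Flow, hostname="netmon-example", fields=DEFAULT_FIELDS) -> str:
    values = {
        "proto": flow.proto,
        "client": f"{flow.client[0]}:{flow.client[1]}",
        "server": f"{flow.server[0]}:{flow.server[1]}",
        "app": flow.app or "unknown",
        "packets": flow.packets,
        "bytes_to_server": flow.bytes_to_server,
        "bytes_to_client": flow.bytes_to_client,
        "duration": round(flow.last_ts - flow.first_ts, 3),
        "handshake_seen": flow.handshake_seen,
    }
    stamp = datetime.fromtimestamp(flow.first_ts, tz=timezone.utc).isoformat()
    body = " ".join(f"{k}={values[k]}" for k in fields)
    return f"<134>1 {stamp} {hostname} flow - - - {body}"   # PRI 134 = local0.info


T0 = 1_700_000_000.0                                  # constructed base timestamp
H, S, D = "10.0.0.5", "93.184.216.34", "10.0.0.1"     # constructed addresses
SAMPLE_PACKETS = [
    # Full TLS session: the handshake is captured from the start.
    Packet(T0 + 0.00, "tcp", H, 51000, S, 443, flags=SYN),
    Packet(T0 + 0.01, "tcp", S, 443, H, 51000, flags=SYN | ACK),
    Packet(T0 + 0.02, "tcp", H, 51000, S, 443, flags=ACK),
    Packet(T0 + 0.03, "tcp", H, 51000, S, 443, b"\x16\x03\x01" + bytes(197), ACK),
    Packet(T0 + 0.04, "tcp", S, 443, H, 51000, b"\x16\x03\x03" + bytes(1197), ACK),
    # DNS query and response.
    Packet(T0 + 1.00, "udp", H, 53000, D, 53, bytes(40)),
    Packet(T0 + 1.05, "udp", D, 53, H, 53000, bytes(80)),
    # Long-running session captured mid-stream: no SYN, opaque payload.
    Packet(T0 + 2.00, "tcp", "10.0.0.7", 40000, "172.16.0.9", 8080,
           b"\x1f\x8b\x08" + bytes(497), ACK),
]

if __name__ == "__main__":
    for f in build_flows(SAMPLE_PACKETS):
        print(to_syslog(f))
```

Running the block prints one syslog line per flow. The TLS and DNS flows carry an identified application, while the third flow is exported with app=unknown and handshake_seen=False, which is the signal a downstream consumer can use to treat such records differently (for example, by not alerting on an unidentified application when the session simply predates the capture). The fields tuple passed to to_syslog plays the role of an output rule: restricting it changes which metadata leave the box without touching the flow itself.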