LANGuardian Architecture

NetFort LANGuardian Architecture




LANGuardian captures and analyzes the data packets flowing through the core switch on your network, stores the details in a database, and presents the data through a browser-based user interface. You can deploy LANGuardian on any size of network from a small office to a global enterprise.

LANGuardian gives you access to historical as well as real-time network activity data. Real-time data enables you to troubleshoot and resolve problems as they occur. Historical data is indispensable for network forensics, and for identifying network issues and trends that cannot be identified using real-time data alone.

  • System architecture

  • Packet capture 

  • Database

  • Security

  • Sensors

  • Information architecture

The LANGuardian system architecture has four main components:

  • Traffic collection engine – captures traffic from a SPAN port or other traffic source.
  • Traffic analysis engine – applies deep packet inspection techniques to consolidate and correlate the data collected by the traffic collection engine.
  • Traffic database – stores the consolidated and correlated traffic data.
  • Reporting engine – queries the traffic data and presents it to the user by means of built-in and custom reports delivered as HTML, PDF, or email. A REST API enables integration of LANGuardian data with other applications such as SolarWinds NPM and Microsoft Excel.

LANGuardian system architecture block diagram

NetFort LANGuardian

Traffic analysis engine (DPI) close-up


The DPI engine inspects network traffic, extracts information from it, and stores the details in the LANGuardian database.

The DPI engine performs two sequential checks on traffic packets: application recognition and targeted protocol decoding. If the application recognition check fails, the DPI engine stores the packet in the LANGuardian database as unrecognized traffic. If the application recognition check succeeds, the DPI engine goes on to check for the existence of a targeted protocol decoder.

As a result, traffic stored in the LANGuardian database is divided into three categories:

  • Unrecognized – traffic for which no CBAR application fingerprint or targeted decoder is available. For this traffic, LANGuardian stores the 5-tuple that uniquely identifies the TCP/IP connection (source IP address, source port, destination IP address, destination port, and protocol) and additional information such as the username and DNS details.
  • Recognized – traffic for which a CBAR application fingerprint is available. For this traffic, LANGuardian stores the same information as it does for unrecognized traffic, along with additional information about the application associated with the traffic.
  • Decoded – traffic that uses a protocol for which a LANGuardian decoder exists. For this traffic, LANGuardian stores the same information as it does for recognized traffic, along with additional information specific to the protocol:
    • Email- Sender, recipient, and subject information
    • Web- URL of every page visited and file downloaded.
    • Windows file share- File name, file size, and details of every action performed.

The traffic analysis engine aggregates all of this information into its own proprietary internal flow representation, which it stores in the LANGuardian database.

Optional modules

A standard NetFort LANGuardian installation gives you the ability to capture, store, and monitor network activity data.

We also offer a range of optional modules that you can use to find out even more about what is happening on your network.

Packet capture – deep packet inspection

NetFort LANGuardian provides full packet capture and deep packet inspection (DPI) of network traffic. It implements packet capture at full wire speed and does not slow down the network. Because it works exclusively on traffic data captured from a monitoring (SPAN) port, there is no client software to install, no interaction with the devices on the network, and no impact on network performance. LANGuardian is also scalable and can be deployed anywhere from a single office to a global corporate network.

LANGuardian DPI operates on two levels. Content-based application recognition recognizes hundreds of applications and protocols regardless of the ports they use. Targeted protocol decoding performs deeper analysis of the most commonly occurring network traffic types – web, file share, and email traffic.

Content-based application recognition

Content-Based Application Recognition (CBAR) combines a unique DPI algorithm with detailed understanding of the underlying protocols to analyze and report on network traffic from an application perspective – regardless of the ports involved. CBAR recognizes hundreds of applications and protocols, and delivers greater accuracy with fewer false positives than other approaches to application recognition.

Targeted protocol decoding

Targeted protocol decoding provides total visibility into the most commonly used network traffic protocols – web traffic, file share traffic, and email. The NetFort DPI algorithm extracts detailed information from the traffic packets and combines it with information from other sources such as DNS and Active Directory to give you a single point of access to everything you need to know about activty on your network.

  • Web activity: top websites visited, most active users, bandwidth consumed.
  • File share activity: files added and deleted, largest files, prohibited file types.
  • Email: top senders, top recipients, number of messages sent by each user.

More on traffic protocol decoding: Web activity | File activity | Email

LANGuardian stores traffic data in a secure built-in database that is the basis for the advanced analytics available through the LANGuardian browser-based interface, as well as the other ways in which LANGuardian data can be accessed, such as alerts, scheduled reports, and integration with environments such as SolarWinds, Splunk, and McAfee.

Before storing traffic data in its database, LANGuardian consolidates it using an innovative flow representation that discards unnecessary information and makes the best possible use of the available storage.

The detailed network activity data and comprehensive reporting capabilities of LANGuardian strengthen the overall security posture of an organization, but LANGuardian also has features designed to specifically address IT security.

Network behavior analysis

LANGuardian uses several pre-processors to perform stateful protocol analysis and normalization of the requests and responses in a session or connection. This enables LANGuardian to identify threats that can escape detection when data packets are analysed individually – for example, port scans, IP stack fingerprinting, TCP protocol anomalies, RPC anomalies, and HTTP-based attacks.

Because LANGuardian records the source IP, destination IP, protocol and port details of the traffic it analyzes, it can detect port-scanning (connections to multiple ports on a single host) and port-sweeping (connections to the same port on multiple hosts) activity on the network. It is possible to customize the detection triggers based on the characteristics of the environment being monitored, so that legitimate scanning activity does not raise alerts.

LANGuardian network behaviour analysis also provides a strong line of defence against zero-day threats. Its ability to detect anomalous behavior, combined with proactive alerting and reporting, acts as an early-warning system for identifying and dealing with viruses and malware in the time before they become known to anti-virus and threat management systems.

Intrusion detection

NetFort offers an optional security module that adds an intrusion detection system (IDS) to LANGuardian. The LANGuardian IDS is based on Snort, the open source IDS. LANGuardian adds the ability to store security events in the LANGuardian database, effectively extending Snort to provide back-in-time as well as real-time intrusion detection.

During installation, you connect one of the NICs on the LANGuardian system to the monitoring port on your network’s core switch. LANGuardian automatically creates a sensor to associate that NIC with the software. LANGuardian instantly begins capturing network traffic and you can view the results in your web browser.

There are some situations where you might want to create more than one sensor in LANGuardian. In these situations, you need a monitoring port on your switch for each sensor, and a corresponding NIC on your LANGuardian system. For example, if you have three sensors, you would need three monitoring ports on your switch and four NICs on your LANGuardian system – one for each of the three sensors, and one to deliver the browser-based user interface.

LANGuardian transforms raw network traffic data into valuable information and presents it to you as actionable knowledge that enables you to run your network more effectively.

LANGuardian information architecture block diagram

NetFort LANGuardian- Data Architecture

Find out more

If you have any questions about how LANGuardian can meet your requirements, please contact us. If you would like to see LANGuardian in action, please try our online demo system or download a free 30-day trial to try it on your own network with your own data.

Contact Us


Telnet Networks Inc.
100 Strowger Blvd, Suite 118, Brockville, ON, K6V 5J9, Canada


(800) 561-4019



For More Information about Telnet Networks, our products, or our services, or to request a quote please feel free to contact us directly.