NetFort LANGuardian - How It Works

LANGuardian passively captures the traffic flowing through your network switch, analyzes it using deep packet inspection techniques, and stores the results in a database. A web-based user interface provides access to the traffic data in the database. As it works on traffic data, there is no client software to install, no interaction with the devices on the network, and no impact on network performance.

  • Traffic capture

  • Deep packet inspection

  • Traffic database

  • Web-based interface

LANGuardian captures network traffic from a SPAN or mirror port on your network switch. You connect the mirror port to a dedicated network adapter on the server – physical or virtual – where LANGuardian is installed. Depending on how you configure the SPAN port, LANGuardian can capture LAN, WAN, and Internet traffic.

Deployment diagram - LANGuardian on a network with a single core switch.

Deployment diagram - LANGuardian deployment on a network with multiple core switches.

Deployment diagram - LANGuardian deployment in a VMware environment

Configuring a SPAN port

Configuring a SPAN port on your switch involves the following steps:

  1. Identify an unused switch port to designate as a monitoring port for LANGuardian.
  2. Identify the switch ports you want to monitor (these are often called source ports).
  3. Configure the switch to associate the source ports with the monitoring port.

The switch sends a copy of all data flowing through the source ports to the monitoring port. LANGuardian captures the data from the monitoring port for analysis. The actual data itself is not affected and there is no performance impact.

Most network switches have a SPAN port (some manufacturers call it a monitoring port or mirroring port) and configuration instructions can usually be found in the switch documentation. If you have a Cisco switch, you can download our free SPAN Port Configurator to help you configure it. Our support team has experience of configuring all kinds of switches – if you need help, please contact us.

Sensors

During installation, you connect a network interface card (NIC) on the LANGuardian system to a SPAN port on your network’s core switch. The LANGuardian software uses the term sensor to represent this physical connection between the core switch and the LANGuardian system.

There are some situations where you might want to create more than one sensor in LANGuardian. In these situations, you can create more than one SPAN port on your switch, and connect each SPAN port to the LANGuardian system. For example, you might want to monitor Internet traffic separately from internal network traffic. In this case you would need two SPAN ports on your switch, and these would be represented as two sensors in the LANGuardian software. You would need three NICs on your LANGuardian system – one to connect to the SPAN port monitoring Internet traffic, one to connect to the SPAN port monitoring internal network traffic, and one to deliver the browser-based user interface.
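The three SPAN configuration steps and the two-sensor layout described above, written out for a Cisco Catalyst switch running IOS. This is an added example, not taken from NetFort's documentation or its SPAN Port Configurator; the session numbers and interface numbers are assumptions to be replaced with your own.

```cisco
! Constructed example. Assumed port layout (not from the original page):
!   Gi1/0/1 - 24  internal access ports        (source ports, sensor 1)
!   Gi1/0/25      uplink to the Internet edge  (source port, sensor 2)
!   Gi1/0/47      unused port -> LANGuardian capture NIC 1
!   Gi1/0/48      unused port -> LANGuardian capture NIC 2
! The third LANGuardian NIC (web interface) connects to an ordinary
! access port and takes no part in the SPAN configuration.
!
configure terminal
!
! Clear any earlier definitions so stale source ports are not mirrored.
no monitor session 1
no monitor session 2
!
! Sensor 1: internal network traffic.
! "both" mirrors received and transmitted frames on the source ports.
monitor session 1 source interface GigabitEthernet1/0/1 - 24 both
monitor session 1 destination interface GigabitEthernet1/0/47
!
! Sensor 2: Internet traffic, taken from the uplink only.
monitor session 2 source interface GigabitEthernet1/0/25 both
monitor session 2 destination interface GigabitEthernet1/0/48
!
end
!
! Confirm the source/destination association for each session.
show monitor session all
!
! A SPAN destination port stops forwarding normal traffic, which is why
! step 1 calls for an unused port. Check that the monitoring ports are up
! and that their output counters rise while traffic flows.
show interfaces GigabitEthernet1/0/47 counters
show interfaces GigabitEthernet1/0/48 counters
```

The number of SPAN sessions a switch supports varies by model, so check the platform limit before defining a second session.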

By inspecting the content of traffic packets as well as inspecting the header, LANGuardian can capture and display very detailed information about the traffic on your network. LANGuardian DPI operates on two levels. Content-based application recognition identifies traffic by application, even when unusual or dynamic port numbers are used. Targeted protocol decoding provides total visibility into the most commonly used network traffic protocols – web traffic, file share traffic, and email.

LANGuardian content-based application recognition

Content-Based Application Recognition (CBAR) is a new LANGuardian feature that takes traffic-based application recognition to a new level. With support for hundreds of the most common applications and protocols, and a unique deep packet inspection algorithm, CBAR delivers greater accuracy and fewer false positives than other approaches to application recognition.

LANGuardian targeted protocol decoding

Targeted protocol decoding provides total visibility into the most commonly used network traffic protocols – web traffic, file share traffic, and email. The NetFort DPI algorithm extracts detailed information from the traffic packets and combines it with information from other sources such as DNS and Active Directory to give you a single point of access to everything you need to know about activity on your network.

LANGuardian stores traffic data in a secure, hardened, and highly-optimized database designed for very fast storage and retrieval of traffic data. The LANGuardian database makes it possible to view historical as well as real-time network activity.

More about the traffic database

Real-time network activity data is indispensable for troubleshooting and resolving immediate problems. With its alerting capability, LANGuardian can even notify you about potential problems before they happen. Historical data is indispensable for network forensics, and for identifying network issues and trends that cannot be identified using real-time data alone.

The LANGuardian user interface provides hundreds of built-in reports with graphs, charts, and drilldown capabilities. You can also create your own custom reports, and enable alerting so that you are notified when specified events occur. The LANGuardian user interface has three components:

  • Use the search panels to search for information on network activity specific to a user, IP address or subnet, file name, or website.
  • The dashboards contain general reports on overall network activity, from which you can drill down to more detailed information.
  • As you become more familiar with LANGuardian, you can access detailed reports directly from the Reports menu or Report Finder.

More about how it works

See the Architecture page for a more detailed description of how LANGuardian works.

Find out more

If you have any questions about how LANGuardian can meet your requirements, please contact us. If you would like to see LANGuardian in action, please try our online demo system or download a free 30-day trial to try it on your own network with your own data.