Technical Architecture

Platform Architecture Overview

WireTrace is a distributed sensor-server architecture for passive network intelligence. Sensors capture and parse traffic at the wire level with a high-performance DPI engine; the server performs classification, analytics, threat detection, and compliance evidence generation. Fully on-premises, air-gap deployable, no cloud dependency.

Data Flow

SPAN / TAP (passive mirror of network traffic)
  -> DPI Sensor (native DPI engine, 250+ protocol parsers)
  -> Stream Transport (structured JSON over an encrypted pipeline)
  -> Analytics Server (classification, threat detection, compliance engine)
  -> Web UI / API (dashboard, reports & REST API)

Core Components

DPI Sensor

High-performance native deep packet inspection engine optimized for real-time protocol analysis. Captures traffic from a SPAN port or network TAP and parses 250+ protocols, extracting structured fields: commands, parameters, certificates, device identity, and metadata. The capture interface is receive-only: the sensor transmits zero packets onto the monitored network.

  • Passive capture from SPAN/TAP — zero network impact
  • Protocol-aware field extraction (commands, values, identity)
  • HMAC-signed payloads (per-sensor secret) for transport integrity and sensor authenticity
  • Deployed in under 60 seconds via activation token
  • Runs as a lightweight container in host network mode

Analytics Server

Centralized intelligence engine that processes parsed protocol data into actionable outcomes. Multi-signal weighted classification, behavioral baselines, vulnerability correlation, IoC matching, and compliance evidence generation. Multi-tenant architecture with role-based access control.

  • Asset classification via weighted voting (protocol + MAC + DHCP + behavior)
  • Behavioral baselines per device, per protocol
  • CVE matching against NVD, enriched with CISA KEV membership and EPSS exploit-probability scores
  • IoC matching from STIX/TAXII threat intelligence feeds
  • Continuous compliance evidence generation
  • Real-time WebSocket notifications
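
The weighted-voting classification listed above (protocol + MAC + DHCP + behavior) can be illustrated with the following added example. It is not WireTrace code: the signal weights, the abstain thresholds, the OUI, DHCP-fingerprint and protocol lookup tables, and the observations are all constructed for illustration. It shows why a single signal is not trusted on its own: an OUI that looks like a workstation vendor is outvoted by Modbus service and cyclic-polling behavior, and a host seen only by its MAC address is left as "unknown" rather than guessed.

```python
"""Weighted-voting asset classification across protocol, MAC OUI, DHCP fingerprint
and behavior signals. Added worked example, not WireTrace code; the weights,
thresholds and every lookup table below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    source: str        # signal that produced the vote
    label: str         # proposed device class
    confidence: float  # 0..1, from that signal's own matcher


# Assumed weights: behavior and protocol evidence is hard to fake on the wire,
# a DHCP fingerprint less so, and an OUI is coarse and trivially spoofable.
SIGNAL_WEIGHTS = {"behavior": 1.2, "protocol": 1.0, "dhcp": 0.8, "mac": 0.5}
MIN_SCORE = 1.0    # abstain below this total
MIN_MARGIN = 0.25  # runner-up must trail the winner by this fraction

# Lookup tables are constructed for the example, not real OUI/fingerprint data.
OUI_CLASS = {"00:11:22": ("workstation", 0.6), "AA:BB:CC": ("plc", 0.7)}
DHCP_CLASS = {"1,3,6,15,31,33,43,44,46,47,119,121,249,252": ("workstation", 0.8)}
PROTOCOL_CLASS = {"modbus": ("plc", 0.9), "s7comm": ("plc", 0.95),
                  "dicom": ("medical_imaging", 0.9), "rdp": ("workstation", 0.5)}
BEHAVIOR_CLASS = {"polled_cyclically": ("plc", 0.8), "initiates_rdp": ("workstation", 0.6)}


def votes_from_observation(obs: dict) -> list:
    """Turn one asset's observed evidence into per-signal votes."""
    votes = []
    oui = obs["mac"].upper()[:8]
    if oui in OUI_CLASS:
        votes.append(Vote("mac", *OUI_CLASS[oui]))
    if obs.get("dhcp_params") in DHCP_CLASS:
        votes.append(Vote("dhcp", *DHCP_CLASS[obs["dhcp_params"]]))
    for proto in obs.get("server_protocols", ()):      # protocols the asset serves
        if proto in PROTOCOL_CLASS:
            votes.append(Vote("protocol", *PROTOCOL_CLASS[proto]))
    for behavior in obs.get("behaviors", ()):
        if behavior in BEHAVIOR_CLASS:
            votes.append(Vote("behavior", *BEHAVIOR_CLASS[behavior]))
    return votes


def classify(votes: list):
    """Weighted sum per label; abstain when evidence is weak or contested."""
    scores = defaultdict(float)
    for v in votes:
        if v.source not in SIGNAL_WEIGHTS:
            raise ValueError(f"unknown signal source {v.source!r}")
        scores[v.label] += SIGNAL_WEIGHTS[v.source] * min(1.0, max(0.0, v.confidence))
    if not scores:
        return "unknown", 0.0, {}
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    label, best = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    if best < MIN_SCORE or best - runner_up < MIN_MARGIN * best:
        return "unknown", best, dict(scores)
    return label, best, dict(scores)


# Constructed observations: a PLC whose OUI looks like a workstation vendor,
# a genuine workstation, and a host seen only by its MAC address.
OBSERVATIONS = {
    "10.20.0.15": {"mac": "00:11:22:33:44:55", "server_protocols": ["modbus"],
                   "behaviors": ["polled_cyclically"]},
    "10.20.0.80": {"mac": "00:11:22:aa:bb:cc", "server_protocols": ["rdp"],
                   "dhcp_params": "1,3,6,15,31,33,43,44,46,47,119,121,249,252",
                   "behaviors": ["initiates_rdp"]},
    "10.20.0.99": {"mac": "AA:BB:CC:01:02:03"},
}


def classify_all(observations: dict = OBSERVATIONS) -> dict:
    return {ip: classify(votes_from_observation(obs))[0] for ip, obs in observations.items()}


if __name__ == "__main__":
    for ip, obs in OBSERVATIONS.items():
        print(ip, classify(votes_from_observation(obs)))
```

The abstain rule matters in practice: a low total or a close runner-up yields "unknown" and a reason to collect more evidence, instead of a confident wrong label that downstream policy (firewall rules, compliance scope) would act on.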

Data Stores

Relational Database

Primary structured store for asset inventory, connection state, classification history, security observations, threat detections, compliance evidence, and tenant configuration.

In-Memory Stream & Cache

High-throughput stream transport for the sensor-to-server data pipeline. In-memory caching for high-frequency dashboard queries and API response acceleration.

Object Store

S3-compatible local storage for raw parsed data, protocol captures, and generated reports. Runs entirely on-premises — no external cloud dependency.

Deployment Models

Single-Site Deployment

One server, one or more sensors on the same network. All components run as containers orchestrated via a standard compose file. Self-extracting installer — fully deployed in under 10 minutes. No internet required.

Multi-Site / Distributed

Remote sensors connect to a centralized server over the network. Each sensor operates independently during connectivity interruptions and synchronizes when the link is restored. Supports segmented OT, campus, and branch office topologies.

wiretrace.io | sales@wiretrace.io | Page 1 of 2

Security Architecture

Transport Security

  • Sensor-to-server communication cryptographically signed (HMAC)
  • Per-sensor unique cryptographic secret
  • Activation token enrollment for new sensors
  • TLS encryption for all API and UI communications
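
The sensor transport described here and under DPI Sensor (HMAC-signed payloads, a unique per-sensor secret, activation-token enrollment) fits together as in the following added example. It is not WireTrace's implementation: the header names, the canonical-JSON signing input, the 5-minute timestamp window and the nonce cache are assumptions made to show the full check a server must perform. The demo enrolls one sensor with a one-time token, then shows which messages the server accepts and rejects: a valid message, the same message replayed, a tampered body, a stale timestamp, a rogue sender who knows the sensor id but not its secret, and a reused activation token.

```python
"""Sensor-to-server message signing: HMAC with a per-sensor secret, one-time
activation-token enrollment, timestamp window and nonce replay check.
Added worked example, not WireTrace code; header names, the canonicalisation
rule and the 5-minute skew window are assumptions."""
import base64, hashlib, hmac, json, secrets

MAX_SKEW_SECONDS = 300  # assumed acceptance window for X-Timestamp


def canonical_body(payload: dict) -> bytes:
    # Deterministic JSON so sensor and server hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def signing_input(sensor_id: str, ts: int, nonce: str, body: bytes) -> bytes:
    # Bind identity, time, nonce and body digest so none can be swapped alone.
    digest = hashlib.sha256(body).hexdigest()
    return f"{sensor_id}|{ts}|{nonce}|{digest}".encode()


class Server:
    def __init__(self):
        self.activation_tokens = set()  # unused one-time tokens
        self.sensor_secrets = {}        # sensor_id -> 32-byte secret
        self.seen_nonces = {}           # (sensor_id, nonce) -> ts

    def issue_activation_token(self) -> str:
        token = secrets.token_urlsafe(32)
        self.activation_tokens.add(token)
        return token

    def enroll(self, token: str):
        # Single use: consumed here, so a leaked token cannot enroll a second sensor.
        if token not in self.activation_tokens:
            raise PermissionError("invalid or already used activation token")
        self.activation_tokens.discard(token)
        sensor_id, secret = "sensor-" + secrets.token_hex(4), secrets.token_bytes(32)
        self.sensor_secrets[sensor_id] = secret
        return sensor_id, secret

    def verify(self, headers: dict, body: bytes, now: int):
        sensor_id = headers.get("X-Sensor-Id")
        secret = self.sensor_secrets.get(sensor_id)
        if secret is None:
            return False, "unknown sensor"
        try:
            ts, nonce = int(headers["X-Timestamp"]), headers["X-Nonce"]
            sig = base64.b64decode(headers["X-Signature"], validate=True)
        except (KeyError, ValueError) as exc:
            return False, f"malformed headers: {exc}"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "timestamp outside window"
        expected = hmac.new(secret, signing_input(sensor_id, ts, nonce, body), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return False, "bad signature"
        if (sensor_id, nonce) in self.seen_nonces:
            return False, "replay"
        self.seen_nonces[(sensor_id, nonce)] = ts
        # Nonces older than the window can be forgotten: their timestamp is rejected anyway.
        for key in [k for k, t in self.seen_nonces.items() if now - t > MAX_SKEW_SECONDS]:
            del self.seen_nonces[key]
        return True, "ok"


class Sensor:
    def __init__(self, sensor_id: str, secret: bytes):
        self.sensor_id, self.secret = sensor_id, secret

    def sign(self, payload: dict, ts: int):
        nonce = secrets.token_hex(16)
        body = canonical_body(payload)
        mac = hmac.new(self.secret, signing_input(self.sensor_id, ts, nonce, body), hashlib.sha256).digest()
        return {"X-Sensor-Id": self.sensor_id, "X-Timestamp": str(ts), "X-Nonce": nonce,
                "X-Signature": base64.b64encode(mac).decode()}, body


def demo(now: int = 1_700_000_000) -> dict:
    """Enroll one sensor, then show what the server accepts and rejects."""
    server = Server()
    sensor = Sensor(*server.enroll(server.issue_activation_token()))
    event = {"src": "10.20.0.15", "proto": "modbus", "fc": 16, "addr": 100}  # constructed parsed event
    headers, body = sensor.sign(event, now)
    results = {"valid": server.verify(headers, body, now)[1]}
    results["replay"] = server.verify(headers, body, now)[1]          # same nonce again
    results["tampered"] = server.verify(headers, body.replace(b'"fc":16', b'"fc":6'), now)[1]
    results["stale"] = server.verify(*sensor.sign(event, now - 2 * MAX_SKEW_SECONDS), now)[1]
    rogue = Sensor(sensor.sensor_id, secrets.token_bytes(32))          # knows the id, not the secret
    results["rogue"] = server.verify(*rogue.sign(event, now), now)[1]
    try:
        server.enroll("not-a-valid-token")
        results["bad_token"] = "accepted"
    except PermissionError:
        results["bad_token"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Two points worth checking in any real deployment of this pattern: HMAC gives integrity and sender authenticity but not confidentiality, so the transport itself still has to be encrypted (the page's "encrypted pipeline"); and the replay check only holds if the nonce cache is shared across every server instance that can accept a given sensor's traffic.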

Platform Security

  • License validation using asymmetric (public-key) signatures
  • JWT authentication, tokens signed with RSA key pairs
  • Role-based access control (RBAC)
  • Multi-tenant data isolation
  • LDAP / Active Directory / OIDC SSO
  • CSRF protection for browser sessions, with an exemption for sensor machine-to-machine (M2M) endpoints (authenticated by signature, not session cookie)

Protocol Intelligence Engine

The DPI sensor parses protocols at the application layer, extracting structured fields specific to each protocol. This is not signature matching or port-based identification — it is full payload dissection with protocol-aware field extraction.

Industrial / OT

Modbus function codes and register values, S7Comm PLC parameters, DNP3 control commands, EtherNet/IP CIP messages, IEC 104 telecontrol, OPC-UA, PROFINET, BACnet, GOOSE, and more
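
To make "Modbus function codes and register values" and the "behavioral baselines per device, per protocol" from the Analytics Server section concrete, the following added example dissects Modbus/TCP request frames into structured fields and then baselines one HMI-to-PLC conversation on the extracted fields. It is not WireTrace's parser or detection logic: it covers the request direction only (responses have different layouts), the baseline key (client, PLC, unit id) and the alert names are assumptions, and all frames are constructed inline.

```python
"""Modbus/TCP field extraction and a per-device behavioral baseline over the
extracted fields. Added worked example, not WireTrace's parser; it dissects the
request direction (client -> server) only, and the baseline key and alert
names are assumptions."""
import struct
from collections import defaultdict

FUNCTION_NAMES = {1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
                  4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
                  8: "diagnostics", 15: "write_multiple_coils", 16: "write_multiple_registers"}
WRITE_CODES = {5, 6, 15, 16}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Dissect one Modbus/TCP ADU: 7-byte MBAP header, then the PDU (function code + data)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"MBAP protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc, pdu = frame[7], frame[8:]
    msg = {"tid": tid, "unit": unit, "fc": fc & 0x7F, "name": FUNCTION_NAMES.get(fc & 0x7F, f"fc_{fc & 0x7F}")}
    if fc & 0x80:  # exception response: a single exception code follows
        msg["exception"] = pdu[0] if pdu else None
    elif msg["fc"] in (1, 2, 3, 4):
        msg["addr"], msg["qty"] = struct.unpack(">HH", pdu[:4])
    elif msg["fc"] in (5, 6):
        msg["addr"], msg["value"] = struct.unpack(">HH", pdu[:4])
    elif msg["fc"] == 16:
        msg["addr"], msg["qty"], nbytes = struct.unpack(">HHB", pdu[:5])
        msg["values"] = list(struct.unpack(f">{nbytes // 2}H", pdu[5:5 + nbytes]))
    return msg  # truncated PDUs raise struct.error; other function codes keep only fc/name


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a request ADU; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class ModbusBaseline:
    """Learns, per (client, PLC, unit id), the function codes used and the register
    addresses written, then flags anything outside that envelope."""
    def __init__(self):
        self.codes = defaultdict(set)
        self.written = defaultdict(set)
        self.learning = True

    def observe(self, src: str, dst: str, msg: dict) -> list:
        key = (src, dst, msg["unit"])
        addrs = set()
        if msg["fc"] in WRITE_CODES and "addr" in msg:
            addrs = set(range(msg["addr"], msg["addr"] + msg.get("qty", 1)))
        if self.learning:
            self.codes[key].add(msg["fc"])
            self.written[key] |= addrs
            return []
        alerts = []
        if key not in self.codes:
            alerts.append("new_modbus_conversation")
        elif msg["fc"] not in self.codes[key]:
            alerts.append(f"new_function_code:{msg['name']}")
        novel = addrs - self.written.get(key, set())
        if novel:
            alerts.append(f"write_outside_baseline:{min(novel)}-{max(novel)}")
        return alerts


def run_demo() -> list:
    """Constructed traffic: one HMI polling one PLC while learning, then five probes."""
    hmi, plc = "10.20.0.50", "10.20.0.15"
    baseline = ModbusBaseline()
    for frame in (build_request(1, 1, 3, struct.pack(">HH", 0, 10)),                 # cyclic read of regs 0-9
                  build_request(2, 1, 16, struct.pack(">HHB", 100, 2, 4) + struct.pack(">HH", 1200, 0))):  # setpoint write
        baseline.observe(hmi, plc, parse_modbus_tcp(frame))
    baseline.learning = False
    probes = [
        (hmi, build_request(3, 1, 3, struct.pack(">HH", 0, 10))),                                   # normal poll
        (hmi, build_request(4, 1, 6, struct.pack(">HH", 100, 1300))),                               # new FC, known register
        (hmi, build_request(5, 1, 16, struct.pack(">HHB", 500, 2, 4) + struct.pack(">HH", 1, 1))),   # unseen registers
        (hmi, build_request(6, 1, 8, struct.pack(">HH", 0, 0))),                                    # diagnostics
        ("10.20.0.77", build_request(7, 1, 3, struct.pack(">HH", 0, 10))),                          # unknown client
    ]
    return [baseline.observe(src, plc, parse_modbus_tcp(frame)) for src, frame in probes]


if __name__ == "__main__":
    for alerts in run_demo():
        print(alerts or "ok")
```

The detection value comes from the field extraction, not from port 502 alone: a write to a register the HMI has never touched, or a function code (diagnostics, single-register write) that never appeared during learning, is invisible to flow-level monitoring but is exactly what the baseline flags here.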

Healthcare / IoMT

DICOM imaging commands, HL7 clinical messaging, and vendor-specific medical device protocols including Philips Respironics, Draeger, GE CARESCAPE, Hamilton, Masimo, Abbott i-STAT, and more

Enterprise / IT / IoT

TLS certificate extraction (subject, issuer, validity, chain), DNS queries, DHCP fingerprints, LLDP/CDP switch port mapping, SSDP/mDNS device announcements, SMB, SSH, RDP, and more

Integration Points

  • REST API (all endpoints)
  • Syslog forwarding
  • CEF / SIEM
  • STIX / TAXII
  • Webhooks
  • Email alerts
  • CSV export
  • Firewall rules (PAN-OS, FortiGate)
  • LDAP / AD / OIDC SSO

Supported Environments

Operating System

Ubuntu 22.04 LTS and 24.04 LTS. Server and sensor run as containers on any Docker-compatible host.

Virtualization

VMware ESXi, KVM/QEMU, Hyper-V, Proxmox. Physical or virtual deployments supported. The server may also run on a cloud VM (optional; not a dependency); sensors run on bare metal or a VM with access to the SPAN/TAP feed.

Network

Passive capture from SPAN port or network TAP. No inline deployment. Air-gap supported — no internet dependency for any feature.

For detailed infrastructure sizing by environment size (assets, bandwidth, retention), refer to the WireTrace Deployment & Sizing Guide.

Ready to Evaluate?

Request a technical demonstration or proof-of-value deployment. wiretrace.io | sales@wiretrace.io
