WireTracePlatform Architecture Overview
WireTrace v1.2.4 is a distributed sensor-server architecture designed for passive network intelligence with optional active enrichment. Sensors capture and parse traffic at the wire level using a high-performance DPI engine; the server performs classification (411 rules, 68 device types), analytics, ransomware kill chain detection (12 rules), file activity monitoring across 6 protocols, vulnerability tracking, change management, and compliance evidence generation. AI agent with 21 query tools answers natural language questions in under 200ms with streaming reports. Platform images build in under 60 seconds. Fully on-premises. Air-gap deployable. No cloud dependency.
Data Flow
SPAN / TAP
Passive mirror
of network traffic
DPI Sensor
Native DPI engine
272 protocol parsers
Stream Transport
Structured JSON
encrypted pipeline
Analytics Server
Classification
Threat detection
Compliance engine
Web UI / API
Dashboard
Reports & REST API
Core Components
DPI Sensor
High-performance native deep packet inspection engine optimized for real-time protocol analysis. Captures traffic from SPAN port or network TAP and parses 272 protocols, extracting structured fields: commands, parameters, certificates, device identity, and metadata. Zero packets transmitted on the monitored network.
- Passive capture from SPAN/TAP - zero network impact
- Protocol-aware field extraction (commands, values, identity)
- HMAC-signed payloads for transport integrity
- Deployed in under 60 seconds via activation token
- Runs as a lightweight service in host network mode
Analytics Server
Centralized intelligence engine that processes parsed protocol data into actionable outcomes. 411 classification rules with intelligent multi-signal classification across 68 device types. 12 ransomware kill chain detection rules with MITRE ATT&CK mapping. File activity monitoring across 6 protocols. Behavioral baselines, vulnerability correlation, change management, IoC matching, and compliance evidence generation. Multi-tenant architecture with role-based access control.
- 411 classification rules with multi-source passive fingerprinting and thousands of fingerprint signatures
- AI agent with 21 query tools - natural language answers in under 200ms, streaming reports, conversation memory
- 12 ransomware detection rules covering reconnaissance through exfiltration, kill chain correlation per asset
- File activity monitoring: read, write, delete, upload, download, rename across SMB, FTP, TFTP, NFS, HTTP, DICOM
- Active enrichment: SNMP (all versions), SSH service identification, AD correlation, network topology discovery
- Adaptive storage retention with 5 priority tiers - core data never auto-deleted
- Platform images build in under 60 seconds for rapid updates and patches
- Real-time WebSocket notifications
Data Stores
Relational Database
Primary structured store for asset inventory, connection state, classification history, security observations, threat detections, compliance evidence, and tenant configuration.
In-Memory Stream & Cache
High-throughput stream transport for the sensor-to-server data pipeline. In-memory caching for high-frequency dashboard queries and API response acceleration.
Object Store
S3-compatible local storage for raw parsed data, protocol captures, and generated reports. Runs entirely on-premises - no external cloud dependency.
Deployment Models
Single-Site Deployment
One server, one or more sensors on the same network. Single installer with upgrade auto-detection - fully deployed in under 10 minutes. No internet required.
Multi-Site / Distributed
Remote sensors connect to a centralized server over the network. Each sensor operates independently during connectivity interruptions and synchronizes when the link is restored. Supports segmented OT, campus, and branch office topologies.