WireTrace is designed for lightweight deployment across environments of all sizes — from a single OT network segment to enterprise-wide multi-site installations. This guide provides infrastructure sizing recommendations for the WireTrace Server and DPI Sensor based on environment scale, monitored bandwidth, and data retention requirements.
The WireTrace Server runs the analytics engine, classification pipeline, threat detection, compliance evidence generation, web interface, and all data stores. Server sizing depends primarily on the number of monitored assets and desired data retention period.
| Profile | Assets | CPU | RAM | Disk | Retention | Typical Environment |
|---|---|---|---|---|---|---|
| Small | Up to 500 | 4 vCPU | 16 GB | 200 GB SSD | 90 days | Single OT site, small hospital wing, branch office |
| Medium | 500 – 2,000 | 8 vCPU | 32 GB | 500 GB SSD | 180 days | Manufacturing plant, mid-size hospital, campus network |
| Large | 2,000 – 10,000 | 16 vCPU | 64 GB | 1 TB SSD | 365 days | Multi-building campus, large hospital, utility SCADA |
| Enterprise | 10,000 – 50,000 | 32 vCPU | 128 GB | 2 TB+ NVMe | 365+ days | Multi-site enterprise, large utility, national infrastructure |
Disk sizing is based on a typical protocol distribution. Environments with heavy DNS/HTTP traffic may require additional storage. SSD storage is required for all profiles; NVMe is recommended for Large and Enterprise.
Each DPI Sensor captures and parses traffic from a SPAN port or network TAP. Sensor sizing depends on the monitored link bandwidth and the number of active protocols. Sensors are lightweight by design — most environments are served by the Standard profile.
| Profile | Monitored Bandwidth | CPU | RAM | Disk | Typical Environment |
|---|---|---|---|---|---|
| Standard | Up to 200 Mbps | 4 vCPU | 8 GB | 40 GB | OT network segment, clinical VLAN, branch office |
| Enhanced | 200 Mbps – 1 Gbps | 8 vCPU | 16 GB | 80 GB | Campus core, data center segment, distribution switch |
| High-Throughput | 1 – 5 Gbps | 16 vCPU | 32 GB | 160 GB | Internet edge, aggregation layer, high-traffic segments |
| Ultra | 5 – 10 Gbps | 32 vCPU | 64 GB | 200 GB | Core backbone, 10G TAP, high-density data center |
Sensor disk is used for local buffering during brief connectivity interruptions with the server. Sensors do not store long-term data.
One OT network with a single SPAN port. Typical for a manufacturing plant, water treatment facility, or substation. 4 vCPU / 16 GB server + 4 vCPU / 8 GB sensor. Deployed in under 15 minutes.
Multiple clinical VLANs across departments. One sensor per network segment. 8 vCPU / 32 GB server + 2–4 sensors at 4 vCPU / 8 GB each. Covers biomedical, radiology, pharmacy, and general IT.
Campus network with OT, IT, and IoT segments. Mix of Standard and Enhanced sensors for different segments. 16 vCPU / 64 GB server. Centralized analytics with distributed capture.
Multiple geographic locations with remote sensors connecting to a centralized server. 32 vCPU / 128 GB server. Each site has 1–3 sensors. Supports tens of thousands of assets across sites with year-long retention.
| Requirement | Supported Options |
|---|---|
| Server OS | Ubuntu 22.04 LTS, Ubuntu 24.04 LTS |
| Sensor OS | Ubuntu 22.04 LTS, Ubuntu 24.04 LTS (same as server, or dedicated) |
| Virtualization | VMware ESXi 7.0+, KVM/QEMU, Microsoft Hyper-V, Proxmox VE, Oracle VirtualBox |
| Container Runtime | Docker Engine 24+ with Compose V2. Pre-installed by the WireTrace installer if not present. |
| Physical Deployment | Supported on any x86_64 hardware meeting the sizing requirements above |
| Requirement | Details |
|---|---|
| Sensor Capture Interface | Dedicated NIC connected to a SPAN port or network TAP. Promiscuous mode enabled. No IP address assigned on the capture interface. |
| Sensor Management Interface | Separate NIC with IP connectivity to the WireTrace Server. Used for data transport and sensor management. |
| Server ↔ Sensor | TCP connectivity on configured port (default 6379). Bandwidth: typically 1–10 Mbps per sensor depending on traffic volume. |
| Web UI Access | HTTPS (port 443) from management workstations to the WireTrace Server. |
| Internet | Not required. All features operate fully air-gapped. Optional internet access enables NVD/CVE feed updates. |
| DNS | Optional. Used for NVD feed resolution and OIDC SSO if configured. Not required for core functionality. |
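
The capture-interface requirement above (promiscuous mode enabled, no IP address assigned) can be verified before a sensor goes live. The following preflight check is an added example, not part of the WireTrace installer or documentation; the interface name `ens19` and the sample `ip` output are constructed, and the functions assume iproute2's one-line (`-o`) output format.

```shell
#!/usr/bin/env bash
# Added example, not WireTrace tooling: preflight for the sensor capture NIC.
# Requirement from the table: promiscuous mode enabled, no IP address assigned.

# Constructed sample input in `ip -d -o link show` / `ip -o addr show` format.
# ens19 is a hypothetical interface name.
SAMPLE_LINK='3: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535'
SAMPLE_ADDR='3: ens19    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'

# True if the PROMISC flag is set or the kernel promiscuity counter is non-zero.
# A capture process that enables promiscuous mode through a packet socket
# raises only the counter, so checking the flag alone gives false negatives.
is_promisc() {
    printf '%s\n' "$1" | grep -Eq '<[^>]*PROMISC[^>]*>|promiscuity [1-9]'
}

# Print every IPv4/IPv6 address on the interface, one per line.
assigned_addrs() {
    printf '%s\n' "$1" | awk '$3 == "inet" || $3 == "inet6" { print $4 }'
}

# check_capture LINK_TEXT ADDR_TEXT: print findings; return 0 only if compliant.
check_capture() {
    local rc=0 addrs
    if ! is_promisc "$1"; then
        echo "FAIL: promiscuous mode is not enabled"
        rc=1
    fi
    addrs=$(assigned_addrs "$2" | tr '\n' ' ')
    if [ -n "$addrs" ]; then
        # Includes auto-configured IPv6 link-local (fe80::/10) addresses.
        echo "FAIL: address assigned: $addrs"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: capture interface is compliant"; fi
    return "$rc"
}

# check_live IFACE: run the same check against a real interface with iproute2.
check_live() {
    check_capture "$(ip -d -o link show dev "$1")" "$(ip -o addr show dev "$1")"
}
```

On a sensor host, source the file and run `check_live` with the capture NIC's name. The constructed sample fails only because of its auto-configured IPv6 link-local address, which is easy to overlook when only IPv4 is checked.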
Data retention is configurable per deployment. The following estimates assume typical mixed OT/IT protocol distributions. Environments with predominantly high-volume protocols (DNS, HTTP) will trend toward the higher end.
| Assets | 90-Day Retention | 180-Day Retention | 365-Day Retention |
|---|---|---|---|
| 500 | 40 – 80 GB | 80 – 150 GB | 150 – 300 GB |
| 2,000 | 100 – 200 GB | 200 – 400 GB | 400 – 750 GB |
| 10,000 | 300 – 500 GB | 500 GB – 1 TB | 1 – 2 TB |
| 50,000 | 500 GB – 1 TB | 1 – 2 TB | 2 – 4 TB |
Estimates are for structured metadata, not raw packet captures. WireTrace stores parsed protocol fields, not full PCAPs. Actual storage depends on protocol mix and traffic volume.
Contact the WireTrace team for a customized sizing recommendation based on your environment. sales@wiretrace.io