WireTrace v1.2.4 is designed for lightweight deployment across environments of all sizes - from a single OT network segment to enterprise-wide multi-site installations. Platform images build in under 60 seconds for rapid updates and patches. This guide provides infrastructure sizing recommendations for the WireTrace Server (including the AI agent with 21 query tools, ransomware detection, file activity monitoring, and active enrichment services) and DPI Sensor based on environment scale, monitored bandwidth, and retention requirements.
The WireTrace Server runs the analytics engine (411 classification rules, 68 device types), ransomware detection (12 kill chain rules), file activity monitoring (6 protocols), vulnerability tracking, change management, compliance evidence generation, AI agent (21 query tools, streaming reports), active enrichment services (SNMP polling, L2 topology), web interface, and all data stores. Adaptive storage retention keeps data as long as disk allows across five priority tiers - core data (assets, connections) never auto-deleted. Server sizing depends primarily on the number of monitored assets.
| Profile | Assets | CPU | RAM | Disk | Retention | Typical Environment |
|---|---|---|---|---|---|---|
| Small | Up to 500 | 4 vCPU | 16 GB | 200 GB SSD | 90 days | Single OT site, small hospital wing, branch office |
| Medium | 500 – 2,000 | 8 vCPU | 32 GB | 500 GB SSD | 180 days | Manufacturing plant, mid-size hospital, campus network |
| Large | 2,000 – 10,000 | 16 vCPU | 64 GB | 1 TB SSD | 365 days | Multi-building campus, large hospital, utility SCADA |
| Enterprise | 10,000 – 50,000 | 32 vCPU | 128 GB | 2 TB+ NVMe | 365+ days | Multi-site enterprise, large utility, national infrastructure |
Disk sizing is based on a typical protocol distribution. Environments with heavy DNS/HTTP traffic may require additional storage. SSD is required for all profiles; NVMe is recommended for Large and Enterprise.
Each DPI Sensor captures and parses traffic from a SPAN port or network TAP. Sensor sizing depends on the monitored link bandwidth and the number of active protocols. Sensors are lightweight by design - most environments are served by the Standard profile.
| Profile | Monitored Bandwidth | CPU | RAM | Disk | Typical Environment |
|---|---|---|---|---|---|
| Standard | Up to 200 Mbps | 4 vCPU | 8 GB | 40 GB | OT network segment, clinical VLAN, branch office |
| Enhanced | 200 Mbps – 1 Gbps | 8 vCPU | 16 GB | 80 GB | Campus core, data center segment, distribution switch |
| High-Throughput | 1 – 5 Gbps | 16 vCPU | 32 GB | 160 GB | Internet edge, aggregation layer, high-traffic segments |
| Ultra | 5 – 10 Gbps | 32 vCPU | 64 GB | 200 GB | Core backbone, 10G TAP, high-density data center |
Sensor disk is used for local buffering during brief connectivity interruptions with the server. Sensors do not store long-term data.
One OT network with a single SPAN port. Typical for a manufacturing plant, water treatment facility, or substation. 4 vCPU / 16 GB server + 4 vCPU / 8 GB sensor. Deployed in under 15 minutes.
Multiple clinical VLANs across departments. One sensor per network segment. 8 vCPU / 32 GB server + 2–4 sensors at 4 vCPU / 8 GB each. Covers biomedical, radiology, pharmacy, and general IT.
Campus network with OT, IT, and IoT segments. Mix of Standard and Enhanced sensors for different segments. 16 vCPU / 64 GB server. Centralized analytics with distributed capture.
Multiple geographic locations with remote sensors connecting to a centralized server. 32 vCPU / 128 GB server. Each site has 1–3 sensors. Supports tens of thousands of assets across sites with year-long retention.

| Requirement | Supported Options |
|---|---|
| Server OS | Ubuntu 22.04 LTS, Ubuntu 24.04 LTS |
| Sensor OS | Ubuntu 22.04 LTS, Ubuntu 24.04 LTS (same as server, or dedicated) |
| Virtualization | VMware ESXi 7.0+, KVM/QEMU, Microsoft Hyper-V, Proxmox VE, Oracle VirtualBox |
| Runtime Dependencies | Included with the WireTrace installer. Pre-installed automatically if not present. |
| Physical Deployment | Supported on any x86_64 hardware meeting the sizing requirements above |

| Requirement | Details |
|---|---|
| Sensor Capture Interface | Dedicated NIC connected to a SPAN port or network TAP. Promiscuous mode enabled. No IP address assigned on the capture interface. |
| Sensor Management Interface | Separate NIC with IP connectivity to the WireTrace Server. Used for data transport and sensor management. |
| Server ↔ Sensor | TCP connectivity on the configured port. Bandwidth: typically 1–10 Mbps per sensor depending on traffic volume. |
| Web UI Access | HTTPS (port 443) from management workstations to the WireTrace Server. |
| Internet | Not required. All features, including the AI agent, operate fully air-gapped. Optional internet access enables vulnerability feed updates and security advisory sync. |
| DNS | Optional. Used for vulnerability feed resolution and OIDC SSO if configured. Not required for core functionality. |
WireTrace v1.2.4 features adaptive storage retention: disk-usage-based retention replaces fixed day-based policies. Data is kept as long as disk allows. Five priority tiers ensure core data (assets, connections) is never auto-deleted while lower-priority data (raw protocol logs) is cleaned first when disk pressure rises. The following estimates assume typical mixed OT/IT protocol distributions.
| Assets | 90-Day Retention | 180-Day Retention | 365-Day Retention |
|---|---|---|---|
| 500 | 40 – 80 GB | 80 – 150 GB | 150 – 300 GB |
| 2,000 | 100 – 200 GB | 200 – 400 GB | 400 – 750 GB |
| 10,000 | 300 – 500 GB | 500 GB – 1 TB | 1 – 2 TB |
| 50,000 | 500 GB – 1 TB | 1 – 2 TB | 2 – 4 TB |
Estimates are for structured metadata, not raw packet captures. WireTrace stores parsed protocol fields, not full PCAPs. Actual storage depends on protocol mix and traffic volume.
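To make the adaptive retention behaviour concrete, here is an added simulation of a disk-usage-based, tiered retention pass (example code, not WireTrace's implementation). The guide names only the top tier (assets, connections) and the bottom tier (raw protocol logs); the three middle tier names, the high/low water marks and the sample record sizes are assumptions. It also shows the one case the policy cannot resolve on its own: a disk that is over its threshold with nothing but core data left.

```python
from dataclasses import dataclass

# Priority tiers, highest first. Only the top tier (assets, connections) and the
# bottom tier (raw protocol logs) are named in the guide; the middle names are assumed.
TIERS = ["core", "alerts", "file_activity", "enrichment", "raw_protocol_logs"]

@dataclass(frozen=True)
class Record:
    tier: str
    day: int        # ingest day; lower is older
    size_gb: float

def apply_retention(records, disk_gb, high_water=0.90, low_water=0.80):
    """One disk-usage-based retention pass.

    Nothing is deleted while usage stays at or below high_water * disk_gb. Above it,
    records are evicted from the lowest-priority tier upward, oldest first within a
    tier, until usage is back under low_water * disk_gb. Core records are never
    evicted; if the disk is still over the high-water mark once only core data is
    left, the pass returns alert=True so the operator knows to add disk.
    Returns (kept, evicted, alert).
    """
    used = sum(r.size_gb for r in records)
    kept, evicted = list(records), []
    if used <= high_water * disk_gb:
        return kept, evicted, False
    for tier in reversed(TIERS[1:]):                      # TIERS[0] (core) is skipped
        for rec in sorted((r for r in kept if r.tier == tier), key=lambda r: r.day):
            if used <= low_water * disk_gb:
                return kept, evicted, False
            kept.remove(rec)
            evicted.append(rec)
            used -= rec.size_gb
    return kept, evicted, used > high_water * disk_gb

def demo():
    """Constructed 100 GB disk holding 105 GB: the two oldest raw-log days go, core stays."""
    records = [Record("core", 1, 30.0), Record("alerts", 2, 5.0),
               Record("file_activity", 2, 10.0)] + \
              [Record("raw_protocol_logs", d, 20.0) for d in (1, 2, 3)]
    return apply_retention(records, disk_gb=100.0)

if __name__ == "__main__":
    kept, evicted, alert = demo()
    print("evicted:", [(r.tier, r.day) for r in evicted], "alert:", alert)
```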
Contact the WireTrace team for a customized sizing recommendation based on your environment. [email protected]