Deployment & Sizing Guide

WireTrace v1.2.4 is designed for lightweight deployment across environments of all sizes - from a single OT network segment to enterprise-wide multi-site installations. Platform images build in under 60 seconds for rapid updates and patches. This guide provides infrastructure sizing recommendations for the WireTrace Server (including the AI agent with 21 query tools, ransomware detection, file activity monitoring, and active enrichment services) and DPI Sensor based on environment scale, monitored bandwidth, and retention requirements.

Server Sizing

The WireTrace Server runs the analytics engine (411 classification rules, 68 device types), ransomware detection (12 kill chain rules), file activity monitoring (6 protocols), vulnerability tracking, change management, compliance evidence generation, AI agent (21 query tools, streaming reports), active enrichment services (SNMP polling, L2 topology), web interface, and all data stores. Adaptive storage retention keeps data as long as disk allows across five priority tiers - core data (assets, connections) is never auto-deleted. Server sizing depends primarily on the number of monitored assets.

| Profile | Assets | CPU | RAM | Disk | Retention | Typical Environment |
|---|---|---|---|---|---|---|
| Small | Up to 500 | 4 vCPU | 16 GB | 200 GB SSD | 90 days | Single OT site, small hospital wing, branch office |
| Medium | 500 – 2,000 | 8 vCPU | 32 GB | 500 GB SSD | 180 days | Manufacturing plant, mid-size hospital, campus network |
| Large | 2,000 – 10,000 | 16 vCPU | 64 GB | 1 TB SSD | 365 days | Multi-building campus, large hospital, utility SCADA |
| Enterprise | 10,000 – 50,000 | 32 vCPU | 128 GB | 2 TB+ NVMe | 365+ days | Multi-site enterprise, large utility, national infrastructure |

Disk sizing is based on typical protocol distribution. Environments with heavy DNS/HTTP traffic may require additional storage. SSD is required for all profiles; NVMe is recommended for Large and Enterprise.

Sensor Sizing

Each DPI Sensor captures and parses traffic from a SPAN port or network TAP. Sensor sizing depends on the monitored link bandwidth and the number of active protocols. Sensors are lightweight by design - most environments are served by the Standard profile.

| Profile | Monitored Bandwidth | CPU | RAM | Disk | Typical Environment |
|---|---|---|---|---|---|
| Standard | Up to 200 Mbps | 4 vCPU | 8 GB | 40 GB | OT network segment, clinical VLAN, branch office |
| Enhanced | 200 Mbps – 1 Gbps | 8 vCPU | 16 GB | 80 GB | Campus core, data center segment, distribution switch |
| High-Throughput | 1 – 5 Gbps | 16 vCPU | 32 GB | 160 GB | Internet edge, aggregation layer, high-traffic segments |
| Ultra | 5 – 10 Gbps | 32 vCPU | 64 GB | 200 GB | Core backbone, 10G TAP, high-density data center |

Sensor disk is used for local buffering during brief connectivity interruptions with the server. Sensors do not store long-term data.

Deployment Profiles

Single-Site OT

Small Server + 1 Standard Sensor

One OT network with a single SPAN port. Typical for a manufacturing plant, water treatment facility, or substation. 4 vCPU / 16 GB server + 4 vCPU / 8 GB sensor. Deployed in under 15 minutes.

Hospital / Clinical

Medium Server + 2–4 Standard Sensors

Multiple clinical VLANs across departments. One sensor per network segment. 8 vCPU / 32 GB server + 2–4 sensors at 4 vCPU / 8 GB each. Covers biomedical, radiology, pharmacy, and general IT.

Campus / Multi-Building

Large Server + 4–8 Sensors (mixed)

Campus network with OT, IT, and IoT segments. Mix of Standard and Enhanced sensors for different segments. 16 vCPU / 64 GB server. Centralized analytics with distributed capture.

Enterprise / Multi-Site

Enterprise Server + 10+ Sensors

Multiple geographic locations with remote sensors connecting to a centralized server. 32 vCPU / 128 GB server. Each site has 1–3 sensors. Supports tens of thousands of assets across sites with year-long retention.

Operating System & Virtualization

| Requirement | Supported Options |
|---|---|
| Server OS | Ubuntu 22.04 LTS, Ubuntu 24.04 LTS |
| Sensor OS | Ubuntu 22.04 LTS, Ubuntu 24.04 LTS (same as server, or dedicated) |
| Virtualization | VMware ESXi 7.0+, KVM/QEMU, Microsoft Hyper-V, Proxmox VE, Oracle VirtualBox |
| Runtime Dependencies | Included with the WireTrace installer. Pre-installed automatically if not present. |
| Physical Deployment | Supported on any x86_64 hardware meeting the sizing requirements above |

Network Requirements

| Requirement | Details |
|---|---|
| Sensor Capture Interface | Dedicated NIC connected to a SPAN port or network TAP. Promiscuous mode enabled. No IP address assigned on the capture interface. |
| Sensor Management Interface | Separate NIC with IP connectivity to the WireTrace Server. Used for data transport and sensor management. |
| Server ↔ Sensor | TCP connectivity on configured port. Bandwidth: typically 1–10 Mbps per sensor depending on traffic volume. |
| Web UI Access | HTTPS (port 443) from management workstations to the WireTrace Server. |
| Internet | Not required. All features including the AI agent operate fully air-gapped. Optional internet access enables vulnerability feed updates and security advisory sync. |
| DNS | Optional. Used for vulnerability feed resolution and OIDC SSO if configured. Not required for core functionality. |
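
One way to verify the capture-interface requirements above on a sensor host, using the standard iproute2 `ip` tool. This is an added example, not part of the WireTrace installer or its documentation; the interface name ens19 and the sample outputs are constructed, and treating an IPv6 link-local address as a violation is an assumption drawn from the "no IP address" requirement.

```sh
#!/bin/sh
# Added example: audit a sensor capture NIC (promiscuous mode, no IP address).
# The checks parse command output passed as text, so they also work offline.

# True if `ip -d -o link show dev IF` output shows promiscuous mode: either
# the PROMISC flag or a non-zero promiscuity counter (e.g. set by a capture
# socket, which does not always surface as the PROMISC flag).
is_promisc() {
    printf '%s\n' "$1" | grep -Eq '[<,]PROMISC[,>]|promiscuity [1-9]'
}

# Prints every IPv4/IPv6 address found in `ip -o addr show dev IF` output.
assigned_addrs() {
    printf '%s\n' "$1" | awk '$3 == "inet" || $3 == "inet6" { print $4 }'
}

# audit_capture_nic IFNAME LINK_OUTPUT ADDR_OUTPUT -> 0 if compliant, else 1.
audit_capture_nic() {
    ifname=$1; rc=0
    if ! is_promisc "$2"; then
        echo "FAIL $ifname: promiscuous mode is not enabled"; rc=1
    fi
    addrs=$(assigned_addrs "$3")
    if [ -n "$addrs" ]; then
        echo "FAIL $ifname: address assigned:" $addrs; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK   $ifname: promiscuous, no IP address"; fi
    return "$rc"
}

# Constructed sample outputs (hypothetical interface ens19, not from a real host).
SAMPLE_LINK_FLAG='3: ens19: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP promiscuity 1'
SAMPLE_LINK_COUNTER='3: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP promiscuity 1'
SAMPLE_LINK_OFF='3: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP promiscuity 0'
SAMPLE_ADDR_V6LL='3: ens19    inet6 fe80::5054:ff:fe00:19/64 scope link'

# Live use on a sensor host: sh check_capture_nic.sh ens19
if [ -n "${1:-}" ] && command -v ip >/dev/null 2>&1; then
    audit_capture_nic "$1" "$(ip -d -o link show dev "$1")" \
        "$(ip -o addr show dev "$1")"
else
    # No interface given (or no ip tool): run on the constructed samples.
    audit_capture_nic ens19 "$SAMPLE_LINK_OFF" "$SAMPLE_ADDR_V6LL" || true
fi
```

An auto-configured IPv6 link-local address is the most common finding on an otherwise unconfigured capture NIC, which is why the check looks at both address families.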

Storage & Retention Guidance

WireTrace v1.2.4 features adaptive storage retention: disk-usage-based retention replaces fixed day-based policies. Data is kept as long as disk allows. Five priority tiers ensure core data (assets, connections) is never auto-deleted while lower-priority data (raw protocol logs) is cleaned first when disk pressure rises. The following estimates assume typical mixed OT/IT protocol distributions.

| Assets | 90-Day Retention | 180-Day Retention | 365-Day Retention |
|---|---|---|---|
| 500 | 40 – 80 GB | 80 – 150 GB | 150 – 300 GB |
| 2,000 | 100 – 200 GB | 200 – 400 GB | 400 – 750 GB |
| 10,000 | 300 – 500 GB | 500 GB – 1 TB | 1 – 2 TB |
| 50,000 | 500 GB – 1 TB | 1 – 2 TB | 2 – 4 TB |

Estimates are for structured metadata, not raw packet captures. WireTrace stores parsed protocol fields, not full PCAPs. Actual storage depends on protocol mix and traffic volume.

Deployment Checklist

Server

  • VM or physical host provisioned per sizing profile
  • Ubuntu 22.04 or 24.04 LTS installed
  • SSH access for installer execution
  • SSD storage mounted (NVMe for Large/Enterprise)
  • Network connectivity to all sensor hosts
  • HTTPS port (443) accessible from management network

Sensor (per unit)

  • VM or physical host provisioned per sensor profile
  • Ubuntu 22.04 or 24.04 LTS installed
  • Capture NIC connected to SPAN/TAP (promiscuous mode)
  • Management NIC with connectivity to server
  • Activation token from the WireTrace Server
  • No internet required - sensor operates fully offline

Need Help Sizing Your Deployment?

Contact the WireTrace team for a customized sizing recommendation based on your environment: [email protected]

wiretrace.io | [email protected]