This site uses cookies for anonymized analytics. For more information or to change your cookie settings, view our Cookie Policy.

LANGuardian System Architecture

LANGuardian from NetFort turns raw network traffic data into valuable information, giving you actionable knowledge that helps you run your network more effectively. LANGuardian’s system architecture has four main components:

  • Traffic collection engine – captures traffic from a SPAN port or other traffic source
  • Traffic analysis engine – applies deep packet inspection techniques to consolidate and correlate the data collected by the traffic collection engine
  • Traffic database – stores the consolidated and correlated traffic data
  • Reporting engine – queries the traffic data and presents it to the user by means of built-in and custom reports delivered as HTML, PDF, or email

Sensors to capture network traffic

During installation, you connect one of the network interface cards on the LANGuardian system to the monitoring port on your network’s core switch. LANGuardian automatically creates a sensor to associate that NIC with the software. LANGuardian instantly begins capturing network traffic and you can see the results in your web browser.

There are some situations where you might want to monitor traffic in multiple data centers but you require a single interface to see what is happening across your network. For this we have a remote sensor option which can be linked back to one central LANGuardian. Multiple remote sensors can be deployed as physical or virtual appliances. This architecture will deliver a single reference point for all user and network information.

Deep packet inspection engine

LANGuardian’s DPI engine performs two sequential checks on traffic packets. Content-based application recognition recognizes hundreds of applications and protocols regardless of the ports they use. Targeted protocol decoding performs deeper analysis of the most commonly occurring network traffic types – webfile share, and email traffic.

If the application recognition check fails, the DPI engine stores the packet in the database as unrecognized traffic. If the application recognition check succeeds, the DPI engine goes on to check for the existence of a targeted protocol decoder. As a result, traffic stored in the LANGuardian database is divided into three categories:

  • Unrecognized– traffic for which no CBAR application fingerprint or targeted decoder is available. For this traffic, LANGuardian stores the 5-tuple that uniquely identifies the TCP/IP connection (source IP address, source port, destination IP address, destination port, and protocol) and additional information such as the username and DNS details.
  • Recognized– traffic for which a CBAR application fingerprint is available. For this traffic, LANGuardian stores the same information as it does for unrecognized traffic, along with additional information about the application associated with the traffic.
  • Decoded– traffic that uses a protocol for which a LANGuardian decoder exists. For this traffic, LANGuardian stores the same information as it does for recognized traffic, along with additional information specific to the protocol:
Email: Sender, recipient, and subject information
Web: URL of every page visited and file downloaded
Windows file share: File name, file size, and details of every action performed

The traffic analysis engine aggregates all of this information into its own proprietary internal flow representation, and stores it in the LANGuardian database. Before storing traffic data in its database, LANGuardian consolidates it using an innovative flow representation that discards unnecessary information and makes the best possible use of the available storage.


Database delivers advanced analytics

LANGuardian stores traffic data in a secure built-in database that is the basis for the advanced analytics available through the LANGuardian browser-based interface. Other ways LANGuardian data can be accessed include alerts and scheduled reports. Through a REST API, you can integrate LANGuardian data with other applications such as SolarWinds NPM, Splunk, McAfee and Microsoft Excel.

3rd Party Integrations

LANGuardian provides rich syslog output and a full REST API interface for rapid integration with 3rd party products, such as SolarWinds Orion, Splunk or Aruba Clearpass NAC.

With integrations, NetFort Metadata is available for use cases including a single pane of glass view, to enhanced correlation for security event detection, to active control on your network.

NetFort LANGuardian runs on Centos 7 and can also be embedded onto SD-WAN, channel bonders and other devices or cloud application servers.

Zero network impact

As it works exclusively on traffic data captured from a monitoring (SPAN) port, there is no client software to install, no interaction with the devices on the network, and no impact on network performance.  LANGuardian is scalable, so it works on any size of network, from a small office with 50 users to a global enterprise with multiple locations.

Strengthen your security with LANGuardian

The detailed network activity data and comprehensive reporting capabilities of LANGuardian strengthen your organization’s overall security posture. What’s more, LANGuardian has features specifically designed to address IT security.

Network Security Monitoring

Intrusion detection


Find out more

Any questions? Contact us

Want to see LANGuardian in action? See our online demos

Better yet, why not try it on your own network, risk-free? Download a no-cost 30-day trial copy

Take the next step to securing your network. Talk to NetFort today. Contact us at or call us at

+1 646 452 9485 or +353 91 426 565 in EMEA.