3. Choosing a Method of Traffic Monitoring
A Wanguard Sensor refers to a Sensor component licensed with a Wanguard license, enabling full functionality including DDoS detection and mitigation. A Wansight Sensor is a Sensor component licensed with a Wansight license, which focuses on traffic monitoring only, without DDoS-related features.
The term Sensor encompasses four software components that share a similar feature set but differ in how they gather traffic information:
► Flow Sensor analyzes Netflow® (including jFlow, NetStream, cflowd), sFlow®, and IPFIX flow packets. Routers and switches can export aggregated traffic data as flows to Flow Sensor, significantly reducing the volume of data sent compared to raw traffic. This makes Flow Sensor ideal for monitoring remote or high-traffic networks. The trade-off is a certain delay in reporting real-time statistics due to flow-based aggregation.
► Packet Sensor analyzes IP packets directly. It can be deployed in-line within the main data path or connected to a mirrored port or network TAP. In switched networks, a Packet Sensor sees only traffic directed to its network interface. When not deployed in-line, a TAP or a device with a “monitoring” or “mirroring” port must be used to forward copies of the desired traffic. Packet Sensor provides detailed, packet-level visibility without the delays inherent in flow-based methods.
► SNMP Sensor monitors bandwidth usage on a per-port basis via SNMP. This approach polls network devices (such as routers, switches, and servers) to retrieve interface traffic counters. Although SNMP offers only basic bandwidth measurements without IP-level details, it is resource-efficient and places minimal load on the network and on the polled devices.
► Sensor Cluster aggregates existing Sensor data (from Packet Sensors, Flow Sensors, and SNMP Sensors) into a unified domain for anomaly detection and IP-level graphing. By summing up traffic data from multiple Sensors, a Sensor Cluster enables consolidated visibility, anomaly detection, and reporting across various traffic collection points.
3.1. Comparison between Packet Sniffing, Flow Monitoring, and SNMP Polling
| | Packet Sensor | Flow Sensor | SNMP Sensor |
|---|---|---|---|
| Traffic Monitoring Technology | Sniffing packets passing an in-line appliance; port mirroring (SPAN, Roving Analysis Port); network TAP | NetFlow version 5, 7 and 9 (jFlow, NetStream, cflowd); sFlow version 4 and 5; IPFIX | SNMP version 1; SNMP version 2c; SNMP version 3 |
| Maximum Traffic Capacity per Sensor | 100 GigE | multiples of 100 Gbps | multiples of 100 Gbps |
| DDoS Detection Time | ≤ 1 second | ≥ flow ageing time (usually ≥ 1-30 seconds) | ≥ 5 seconds |
| IP Graph Granularity | ≥ 5 seconds | ≥ 20 seconds | N/A (SNMP offers no details about IPs) |
| Traffic Validation Options | IP classes, MAC addresses, VLANs, BPF | IP classes, Interfaces, AS Numbers, Ingress/Egress | Interfaces |
| Packet Dumps | Yes | No | No |
| Flow Collector | No | Yes | No |
Packet Sensor is recommended when real-time DDoS detection is essential or when raw packet captures are required for forensic analysis and troubleshooting. Because it inspects every packet entering the network, a Packet Sensor must typically run on a high-performance server.
Flow Sensor processes pre-aggregated traffic data exported by routers and switches. This approach enables a single Flow Sensor to monitor multiple high-speed interfaces (10/40/100 GbE) using lower-end hardware. However, Flow Sensor has several drawbacks:
✘ Delayed Visibility: Flow data is aggregated over time, introducing a flow-ageing delay before traffic patterns become visible. This slower detection speed can affect real-time responsiveness.
✘ Reduced Accuracy: Because data is often sampled rather than capturing every packet, traffic readings may be slightly less accurate.
✘ Increased Device Load: Enabling flow export can raise CPU usage on the network device if flow processing isn’t hardware-accelerated.
✘ Risk of Dropped Flows: During large, spoofed DDoS attacks that saturate the device’s TCAM, flow records can be lost.
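To make the aggregation, sampling and delay trade-offs concrete, here is an added example (not part of this documentation or of the Sensor software) that decodes a NetFlow v5 export datagram, the oldest flow format listed in the table above. The datagram is constructed inline; the sampling rate, flow durations and sysUptime values are test data.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 is fixed-layout: a 24-byte header followed by 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"

def parse_netflow_v5(datagram):
    """Decode one NetFlow v5 export datagram into (header info, list of flows).
    Counters are scaled by the sampling interval in the header (its low 14 bits;
    the top 2 bits are the sampling mode), so sampled data is an estimate."""
    (version, count, sys_uptime_ms, unix_secs, _nsecs, _seq,
     _etype, _eid, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    rate = (sampling & 0x3FFF) or 1        # 0 means the exporter did not sample
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, 24 + 48 * i)
        pkts, octets, first, last = f[5], f[6], f[7], f[8]
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "in_if": f[3], "out_if": f[4], "proto": f[13],
            "sport": f[9], "dport": f[10],
            "packets": pkts * rate, "bytes": octets * rate,
            "bps": octets * rate * 8 * 1000 // max(last - first, 1),
            # a record leaves the router only after the flow has aged out, so
            # the traffic it describes began this long before the export
            "report_delay_ms": sys_uptime_ms - first,
        })
    return {"exported_at": unix_secs, "sampling_rate": rate}, flows

def bytes_per_destination(flows):
    """Sum sampling-scaled bytes per destination IP, as an IP graph would."""
    totals = {}
    for fl in flows:
        totals[fl["dst"]] = totals.get(fl["dst"], 0) + fl["bytes"]
    return totals

def _record(src, dst, pkts, octets, first, last, sport, dport, proto):
    """Build a constructed v5 record (test data, not from a real exporter)."""
    return struct.pack(RECORD_FMT, IPv4Address(src).packed, IPv4Address(dst).packed,
                       b"\0" * 4, 1, 2, pkts, octets, first, last, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed datagram: sampling mode 1 at 1:100, sysUptime 60 000 ms, two flows.
SAMPLE = (struct.pack(HEADER_FMT, 5, 2, 60_000, 1_700_000_000, 0, 1, 0, 0, 0x4000 | 100)
          + _record("198.51.100.7", "203.0.113.10", 4000, 160_000, 30_000, 59_000, 53, 53, 17)
          + _record("203.0.113.20", "198.51.100.8", 12, 9_600, 55_000, 58_000, 443, 51000, 6))
```

Each record arrives as a single 48-byte summary of traffic that started up to 30 seconds earlier, with counters multiplied back up by the 1:100 sampling rate, which is exactly the latency and accuracy cost the list above describes.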
SNMP Sensor is useful primarily for monitoring devices that cannot export flow data or mirror packets, or for verifying the accuracy of flow-based statistics. While it provides only basic interface-level bandwidth information, comparing SNMP metrics with flow data can help ensure data integrity.
Note: Flow Sensors and Packet Sensors can be deployed together to achieve redundancy and high availability. Using both technologies simultaneously provides a richer dataset—packet captures for forensic analysis and flow records for efficient long-distance monitoring.