
DeviceLock EtherSensor - Server-Based Network Traffic Monitoring and Analysis

DeviceLock EtherSensor, an optional network resident server module of DeviceLock DLP, is a high-performance network event and message extraction system that enables organizations to implement comprehensive monitoring, capturing, and analysis of corporate network traffic in real-time with the aim of reconstructing, filtering, and collecting transmitted application-level data objects (messages, files, posts, etc.), their metadata, as well as logging relevant events. EtherSensor-collected messages, metadata, and logs can be delivered to the central log database of DeviceLock DLP, as well as to any Security Operations Center subsystems including SIEM, eDiscovery, UEBA, and more. DeviceLock EtherSensor supports streamed traffic processing in 20 Gbps+ channels while running on dedicated or virtualized Windows servers. EtherSensor only takes up a small server footprint while ensuring minimal resource consumption with the desired level of network communications monitoring.

A hybrid DeviceLock DLP solution with the DeviceLock EtherSensor server

By tapping corporate network traffic in the server mode, DeviceLock EtherSensor can capture and log network events, as well as reconstruct and collect messages and files of several thousand Internet services without involving DeviceLock Agents in order to monitor internal and external data exchanges via email, webmails, social networks, instant messengers, job seeking services, blogs, and forums. Files transferred by corporate users through HTTP and FTP protocols, as well as those uploaded to cloud storage, can also be captured and logged. Collected events and data are stored in the DeviceLock DLP central log database for further analysis, which would include indexing and full-text searching with the DeviceLock Search Server component of the DLP Suite.

Advantages of Hybrid DeviceLock DLP Solution

The coordinated use of DeviceLock Agents, which enforce full-function preventive DLP controls on their host computers, in combination with a network-resident DeviceLock EtherSensor that monitors, captures, and analyzes all traffic in the corporate office enables organizations to implement an effective hybrid DLP solution with the following additional benefits:

  • The combination of two complementary DLP architectures - endpoint agents and network-resident servers - allows IT security departments to design and implement more flexible DLP policies with extra detection and protection options for a variety of data leak prevention use case scenarios. In turn, this dual-layer protection optimizes network DLP controls over corporate data-in-motion and increases the performance and reliability of DeviceLock DLP based solutions.
  • The hybrid DeviceLock DLP solution solves the intrinsic limitation of pure endpoint-based DLP systems - the inability to monitor, analyze and log network traffic of those unmanaged computers and mobile devices used inside the corporate network which cannot be otherwise protected by resident endpoint DLP agents.
  • Concurrently, the hybrid DLP architecture reduces the computational load on personal computers by dynamically splitting CPU-intensive traffic monitoring and data extraction of different network protocols and services between endpoint and network-resident DLP components. For instance, the DeviceLock Agent's ability to automatically switch from its offline to online DLP policy when the host computer is connected inside the corporate network also dynamically switches the load of monitoring and logging network communications of this computer from its resident DeviceLock Agent over to the DeviceLock EtherSensor installed in the network.
  • The unified central audit and shadow log database filled in with events and data from network communications captured by both endpoint DLP agents and network DLP servers allows for censoring more data leak channels and for detecting, tracing, and mitigating a wider range of corporate data security policy violations.

How DeviceLock EtherSensor Works

DeviceLock EtherSensor performs the following three primary tasks:

  • Passively intercepts (captures) raw data link layer (L2) network traffic, with zero loss of packets, from several network interfaces or PCAP files. This process does not involve DeviceLock Agents.
  • Analyzes captured traffic at L2-L7 OSI model levels, extracts application-level objects (messages, files, metadata, events, etc.), and filters them according to policies configurable from the central management console. Filtering policies can include both contextual controls (for network-level parameters, object size and types, data flow directions, etc.) and content-aware rules (for data and metadata - e.g. messages, files, forms, posts, subjects, file names, etc.).
  • Stores processed data and event logs in the DeviceLock Enterprise Server database.

DeviceLock EtherSensor data sources:

  1. Network traffic from either a network tap or the Ethernet port of an active network appliance where network traffic duplication from specific ports is configured (mirroring, rx and tx packets). In the very same way, DeviceLock EtherSensor can receive network traffic from various external sources, such as SSLSplitter and next-generation firewalls (e.g. Palo Alto Networks, FortiGate) - when a copy of decrypted SSL/TLS traffic is delivered to a network interface of DeviceLock EtherSensor.
  2. Plain HTTP and FTP traffic received over the ICAP protocol from external proxy servers capable of decrypting HTTPS or FTPS sessions (e.g. SQUID, Blue Coat Proxy SG, Cisco WSA, Webwasher, FortiGate, Entensys UserGate, etc.).
  3. PCAP files can be used for processing the traffic stored to the local directory in pcapng and tcpdump/libpcap formats.
  4. Data from local and remote Lotus Notes Transaction Log directories can be copied by DeviceLock EtherSensor in order to monitor, reconstruct, and analyze messages from the Lotus Notes system. At the same time, unencrypted Lotus Notes traffic can be captured and processed in real-time for extracting Lotus Notes events, messages, calendar events, etc.
  5. A custom plug-in for Microsoft Lync (Microsoft Skype for Business) server with Edge role can use the ICAP protocol to copy LYNC messages to DeviceLock EtherSensor for monitoring, capturing, and processing.
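
For data source 3 above, an ingest pre-check can confirm that a file dropped into the capture directory really is in one of the two named formats before it is queued for processing. This is an added example, not DeviceLock code: `identify_capture` and the sample headers are constructed for illustration, and the magic numbers are those defined by the libpcap and pcapng file formats.

```python
import struct

# Magic numbers defined by the libpcap and pcapng file formats.
PCAP_MAGICS = {
    0xA1B2C3D4: "microsecond",
    0xA1B23C4D: "nanosecond",
}
PCAPNG_SHB_TYPE = 0x0A0D0D0A        # Section Header Block type (reads the same in both byte orders)
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D


def identify_capture(header: bytes) -> dict:
    """Classify the first bytes of a capture file; raise ValueError if unknown."""
    if len(header) < 12:
        raise ValueError("too short to be a capture file")

    # pcapng: block type, block total length, then the byte-order magic.
    if struct.unpack("<I", header[:4])[0] == PCAPNG_SHB_TYPE:
        for endian, name in (("<", "little"), (">", "big")):
            if struct.unpack(endian + "I", header[8:12])[0] == PCAPNG_BYTE_ORDER_MAGIC:
                return {"format": "pcapng", "endian": name}
        raise ValueError("pcapng block type without a valid byte-order magic")

    # libpcap: 24-byte global header; the magic also reveals the byte order.
    for endian, name in (("<", "little"), (">", "big")):
        magic = struct.unpack(endian + "I", header[:4])[0]
        if magic in PCAP_MAGICS:
            if len(header) < 24:
                raise ValueError("truncated libpcap global header")
            major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
                endian + "HHiIII", header[4:24])
            return {"format": "libpcap", "endian": name,
                    "timestamps": PCAP_MAGICS[magic],
                    "version": (major, minor),
                    "snaplen": snaplen, "linktype": linktype}
    raise ValueError("not a libpcap or pcapng file")


# Constructed sample headers (not taken from a real capture).
# libpcap: little-endian, version 2.4, snaplen 65535, link type 1 (Ethernet).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# pcapng: big-endian Section Header Block, fixed fields only.
SAMPLE_PCAPNG = struct.pack(">IIIHHq", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1)

if __name__ == "__main__":
    print(identify_capture(SAMPLE_PCAP))
    print(identify_capture(SAMPLE_PCAPNG))
```

Rejecting files that fail this check keeps renamed archives or truncated captures out of the processing queue, and the reported link type shows whether the capture actually contains L2 frames.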

Facebook message interception by DeviceLock EtherSensor

The fundamental feature of DeviceLock EtherSensor is that it does not intrude on traffic delivery in the monitored network. EtherSensor captures traffic passively, so it does not affect network infrastructure in any way. The only requirement for its normal operation is access to the network traffic through a mirror port or network sniffer. DeviceLock EtherSensor works independently from DeviceLock Agents and ensures full monitoring of network traffic of up to 20 Gbps bandwidth while detecting and extracting data from several thousand Internet services. To further reduce processing expenses, raw traffic data captured from network interfaces and PCAP files can be pre-filtered by the built-in Berkeley Packet Filter module to exclude garbage traffic and unwanted data from further analysis.

Network Communications Controlled by DeviceLock EtherSensor

DeviceLock EtherSensor monitors and captures raw traffic and extracts application-level data from the following network communications:

Social Media: various data (authentication credentials, text messages, comments, etc.) from social media communications: social networks including Facebook, Instagram, Twitter, LinkedIn, MySpace, Blogger.com, LiveJournal.com, VK.com, etc.; phpbb-, ipb-, vbulletin-, and mybb-based forums; SMS/MMS web-based messaging services (including over 500 domains).

Email: email messages and attachments transmitted over SMTP, POP3, and IMAP4 protocols.

Webmail: outgoing and incoming messages and attachments from the following webmail services: Gmail, Yahoo Mail, Hotmail (Outlook.com), Mail.ru, etc. (over 40 domains), as well as all services based on the SquirrelMail core.

IBM (Lotus) Notes: Lotus Notes events and data, including messages and attachments, calendar events, etc. For encrypted traffic, messages are extracted from the Lotus Notes Transaction Log. These methods do not affect the operation of Lotus Notes.

Instant Messages: messages and files sent and received via instant messaging services over Skype (including MS Lync/Skype for Business), XMPP/Jabber, IRC, MSN, Yahoo, and OSCAR protocols.

File Transfer: files transferred over HTTP, FTP, SMB/CIFS, and WebDAV protocols.