EtherSensor - FAQ
Get notified of new versions

EtherSensor - FAQ

What is EtherSensor?

EtherSensor is a server software for Microsoft Windows. It is a whole platform for automating analyzing of the network traffic.

What does it do?


  • captures network traffic passively;
  • analyzes it to extract anything useful (content, objects, events, etc.) from it; and
  • delivers analysis results to consuming systems.

EtherSensor automates all this for you for great network payloads.

Though just for onetime tasks EtherSensor might be an overkill, it still has functionality to quickly get an insight into your network traffic for further automating its handling with EtherSensor.

How EtherSensor gets network traffic?

EtherSensor can get network traffic simultaneously from multiple sources of different types:

  • Mirror ports
  • Network taps
  • ICAP-clients (many proxies are able to mirror HTTP(S) traffic through ICAP)
  • PCAP and PcapNG files (those could be recorded with tools like tcpdump or Wireshark).

Also a few integration sources are available:

  • IBM Lotus (by means of its transaction log)
  • Microsoft Skype for Business.

What are the results of EtherSensor analysis?

EtherSensor looks at objects from level 2 OSI up to level 7 (and higher, “L8” - service specific objects).

EtherSensor can provide any metadata from that objects, any content (for example message text or a file transferred). It can also generate custom events based on captured messages and other objects analysis rules defined by you.

On the highest level EtherSensor works with standard email (SMTP, POP3, IMAP4), web-mail services, social networks, blogs, forums, instant messages services, any file transfer services, job search and hiring services.

Also EtherSensor provides any network statistical information.

What delivery services are available for outgoing results?

Just like with network traffic sources you can simultaneously use multiple delivery services of multiple types:

  • Natively EtherSensor can pack anything as email message to be delivered over SMTP or IMAP;
    • This covers integration for most DLP, eDiscovery, Enterprise Search, and Enterprise Archiving solutions;
  • It can also generate and send results as customizable syslog strings. CEF format could be used if needed;
    • And this one makes results available for almost any SIEM or U(E)BA solution;
  • It can upload results as files over FTP, SMB or just save them to local file system;

A few custom delivery protocols are available:

  • InfoWatch Traffic Monitor (using Apache Thrift);
  • DeviceLock Enterprise Server delivery protocol.

We are always interested in suggestions for implementing any delivery service that you might find useful. Just email us your request at

What types of consuming systems EtherSensor could aid?

Any DLP system can get communicational information and objects from EtherSensor.

Any possible network event could be delivered to any SIEM or U(E)BA system as long as it supports incoming syslog.

eDiscovery and Enterprise Archiving solutions benefit from getting any previously unaccounted communications and files transferred over the network.

Considering the above EtherSensor is often used as a core component for network traffic analysis while building Security Operation Centers (SOC).

Is EtherSensor compatible with my favorite solution?

Most likely it is. That is possible due to implemented in EtherSensor standard delivery services (SMTP, IMAP, syslog, file drop).

The following solutions we have successfully integrated with EtherSensor by ourselves (or we’ve gotten a confirmation from our partners).

Network traffic sources

DLP solutions

Enterprise Archiving and eDiscovery solutions

SIEM, U(E)BA, log analyzer solutions

Threat detection solutions

Those lists are not complete, as we have not tried pairing EtherSensor with every existing solution. But still - most likely EtherSensor will work with anything that makes sense.

Let us know if you would like to try EtherSensor alongside something you already own:

How can I try EtherSensor?

We recommend scheduling a remote demonstration of EtherSensor which will take about half an hour. A lot will be clear after it.

If you decide to try EtherSensor on your site, we can provide you a trial license along with all the help with installation, configuring, integration and working with results.

Send your requests at We will ask you some technical and profile questions due to the reason that we cannot provide this software to anonymous users with unspecified technical environment.

What do I need to run EtherSensor?

You’ll need just a Microsoft Windows box. Either server or desktop version will do (it is better to use the most recent OS version):

  • Server: Windows Server 2012, Windows Server 2016 x64 or Windows Server 2019 x64.
  • Desktop: x64 versions of Windows 8, Windows 8.1, and Windows 10.

No special hardware is required, so EtherSensor can be ran in virtual environment (about 15% of our end users are doing exactly that).

Hardware requirements are quite modest due to well implemented internal functionality (for example we have our own high-performing IPC). But still it depends on the network traffic intensity that will be handled. For some sizing examples refer to this topic of the EtherSensor online manual.

How hard is it to install and configure EtherSensor?

Installation will take about 5 minutes of your time.

The most simple and common configuration will take another 5 minutes.

Anything not so common could be set up later one task at a time. You will need to know what you are doing but configuration process itself is easy.

Will I need to adapt my network for EtherSensor?

EtherSensor gets traffic passively, so it does not effect network infrastructure in any way.

The only thing needed is to provide copy of the network traffic to EtherSensor (using a mirror port for example).

Will there be a Linux version?

Yes, we are working on it. It is hard say anything about possible release date as we have to re-implement a lot of internal functionality (IPC, network packet capturing, etc.) for Linux as available alternatives will not be sufficient to provide required performance.

As soon as it will be ready, we will make an announcement.

Who are your customers?

Our typical customer is an organization with its own information security unit, or an MSSP/MDR company.

Often system integrator companies use EtherSensor with a number of adjacent solutions from other vendors while building SOCs for their customers.

We have customers with the number of employees (generating network traffic) from 100 to 130,000.

What is the price of EtherSensor?

EtherSensor is covered under subscription-based licensing model.

EtherSensor is licensed either by the number of supported current sessions or by the network traffic intensity (in Mbps) supported. Customers choose licensing parameter which is most beneficial to them depending on their environment.

For an approximate understanding of the price level: the license with support for 15,000 current sessions (about 1,000 users generate this much) will cost approximately $0.97 per user per month (if purchasing annually).

Of course, this is not a public offer: email us for a quote at

Are there licenses for educational or non-profit organizations?

Any academic or non-profit licenses are not available at the moment. But we are open for discussion:

Are you looking for partners?

Sure, you’re welcome to email us at

Site map | Search | Privacy Policy | Terms of Use | Contact Us
Copyright © 2000—2024 Microolap Technologies LTD. All Rights Reserved.
All trademarks are the sole property of their respective owners.