FMADIO Security Container is based on the Linux Container and FMADIO Ring buffer components. For more details
Dataflow
The data pipeline for processing packets is shown below
Brief explanation of each component
Network Switch Packet Broker
Typically FMADIO devices are listening from a network switch’s SPAN / Mirror port, or receiving copies of the data from a Network Packet Broker.
FMADIO Interface
This is the physical capture interface, plugged directly into a network switch or network packet broker. It is typically fiber on an SFP+/SFP28/QSFP+/QSFP28 high speed network interface.
FMADIO Capture
Core capture function of the FMADIO system. It consists of custom FPGA network cards and high performance software to achieve 10-200Gbps of lossless packet capture.
FMADIO Storage
This provides the large storage for the capture system, see FMADIO Storage for more details. It supplies 1TB - 1PB of high speed raw hardware storage.
FMADIO Push LXC
Provides an (optionally) filtered version of the raw data on the storage system and sends that data downstream for processing. In this case it goes to the Security container.
Suricata
We use the open-source Suricata IDS for both protocol decode and as a high speed signature engine. It takes the packets sent from the Push LXC and ingests them directly into Suricata for processing. The output is a raw JSON log file.
JSON Log
This is the Suricata EVE JSON log format. It is a rich protocol output in nested JSON format.
FMADIO Log Processor
Taking the raw EVE JSON log format, our custom log filter will extract appropriate fields and structures and insert them into the Clickhouse Database. This allows us to take unstructured EVE JSON data, and convert it into a structured SQL Schema.
Clickhouse Database
The FMADIO Security container runs a native Clickhouse SQL database within the LXC. This allows fast retrieval and analysis of the processed data.
Grafana Visualization
Finally, we provide rich default dashboards for visualizing and monitoring the processed network traffic in NOC or SOC operations centers.
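The Log Processor stage described above, as an added example that is not FMADIO's own code: it flattens constructed Suricata EVE JSON records into fixed-column rows for a hypothetical Clickhouse table, returning None (SQL NULL) for fields a given event type does not carry and skipping a truncated line instead of aborting the batch. The sample records, the column names and the `COLUMNS` mapping are assumptions.

```python
import json

# Constructed sample EVE JSON lines (not real capture output), one record per
# line as Suricata writes them. The flow record has no ports (ICMP); the last
# line imitates a partially written record at the tail of a live log file.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"src_port":51234,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP",'
    '"alert":{"signature_id":1,"signature":"EXAMPLE test rule","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5",'
    '"dest_ip":"10.0.0.9","proto":"ICMP","flow":{"pkts_toserver":3}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5",'
    '"src_port":5353,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP",'
    '"dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_i',
]

# Hypothetical target schema: column name -> dotted path into the EVE record.
# Fields absent from a record (e.g. ports on ICMP) become None / SQL NULL.
COLUMNS = {
    "ts": "timestamp",
    "event_type": "event_type",
    "src_ip": "src_ip",
    "src_port": "src_port",
    "dest_ip": "dest_ip",
    "dest_port": "dest_port",
    "proto": "proto",
    "alert_signature": "alert.signature",
    "alert_severity": "alert.severity",
    "dns_rrname": "dns.rrname",
}

def get_path(record, path):
    """Walk a dotted path through nested dicts; None if any level is missing."""
    cur = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def eve_to_rows(lines):
    """Flatten EVE JSON lines into fixed-column rows ready for a SQL INSERT."""
    rows = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a partially written line instead of aborting the batch
        rows.append({col: get_path(rec, path) for col, path in COLUMNS.items()})
    return rows
```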