Network Intelligence
The Network Intelligence tab presents a high-level cluster graph that groups all IP addresses in a capture into named clusters, making it easier to understand traffic between organisations, countries, subnets, or device classes at a glance.
Cluster Graph
Each cluster node represents a group of IPs. Edges between clusters represent observed conversations between IPs in those groups. Clicking a cluster opens a side panel listing the individual IPs it contains, with per-IP metrics and a conversation list.
Grouping Strategies
Select a strategy from the Group by dropdown:
| Strategy | How IPs are grouped |
|---|---|
| ASN / Organization | Autonomous System Number from ipinfo.io geo enrichment. Only available for IPs enriched online; the offline DB-IP fallback does not provide ASN. |
| Country | Country code from ipinfo.io (online) or DB-IP Lite (offline). Switches the canvas to the SVG world map view (see Country Map View below). |
| City | |
| Subnet /24 | First three octets of the IP (e.g. …) |
| Subnet /16 | First two octets of the IP (e.g. …) |
| Device Type | Predicted device class from the multi-signal classifier (Router, Mobile, Server, etc.) — see Geolocation & Device Classification for the scoring algorithm. |
| Network Labels | Custom CIDR-to-label mappings defined in the Network Labels tab of the Custom Detection Rules modal — see Custom Signature Rules. Only conversations where at least one endpoint is a labelled IP are shown; unlabelled-only traffic is suppressed. |
Color Modes
Two color modes are available via the Color by toggle:
Traffic — cluster nodes are shaded on a blue heatmap proportional to their `totalBytes` relative to the busiest cluster. Darker = more traffic.
Risk — clusters with at least one nDPI risk flag show a red warning badge. Nodes without risk flags are neutral grey.
Cluster Side Panel
Clicking a cluster opens a panel on the right showing:
The cluster label and IP count.
A per-IP breakdown sortable by Traffic (bytes), Conversations, Risk flags, or Unique peers.
A conversation list for the selected cluster, filtered by the active Network Intelligence filters (same filter set as the Conversations tab).
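The grouping strategies, the two colour modes and the side-panel per-IP breakdown described above, as an added example in JavaScript (the canvas is React Flow) that is not the analyser's own code. It assumes a conversation record of the shape `{src, dst, bytes, risks}`, an enrichment map keyed by IP, and a list of `{cidr, label}` entries; the `Unknown` and `Unlabelled` bucket names, and the rule that a conversation's risk flags mark both endpoint clusters, are assumptions rather than documented behaviour. The "Internal Network" test is deliberately strict RFC 1918: CGNAT (100.64.0.0/10), link-local and loopback addresses are not private and fall through to enrichment, which is where a practitioner usually first notices a carrier-grade NAT range showing up as "Unknown".

```javascript
// Added example, not the analyser's own code: builds the Network Intelligence cluster
// graph (nodes, edges, traffic shade, risk badge) and the side-panel per-IP breakdown.
// Record shape {src, dst, bytes, risks}, enrichment map and label list are constructed.

const RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];

// IPv4 dotted quad -> unsigned 32-bit number. Multiplying instead of shifting
// avoids JavaScript's signed 32-bit overflow on addresses above 127.255.255.255.
function ipToInt(ip) {
  const o = ip.split(".").map(Number);
  if (o.length !== 4 || o.some((x) => !Number.isInteger(x) || x < 0 || x > 255)) throw new Error(`bad IPv4: ${ip}`);
  return o.reduce((acc, x) => acc * 256 + x, 0);
}

// True if `ip` lies inside `cidr`, e.g. inCidr("172.31.9.1", "172.16.0.0/12").
function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Strictly RFC 1918: CGNAT (100.64.0.0/10), link-local and loopback are NOT internal here.
const isPrivate = (ip) => RFC1918.some((cidr) => inCidr(ip, cidr));

// Cluster key for one IP under a strategy; null when it cannot be placed (no enrichment, no label).
function clusterKey(ip, strategy, enrichment, labels) {
  const o = ip.split(".");
  switch (strategy) {
    case "subnet24": return `${o[0]}.${o[1]}.${o[2]}.0/24`;
    case "subnet16": return `${o[0]}.${o[1]}.0.0/16`;
    case "country": // RFC 1918 space has no geo position: fixed "Internal Network" cluster
      return isPrivate(ip) ? "Internal Network" : enrichment[ip]?.country ?? null;
    case "labels": return labels.find((l) => inCidr(ip, l.cidr))?.label ?? null;
    default: throw new Error(`unknown grouping strategy: ${strategy}`);
  }
}

// Nodes: ips, totalBytes, riskFlags, heatmap shade (fraction of the busiest cluster), risk badge.
function buildClusterGraph(conversations, strategy, { enrichment = {}, labels = [] } = {}) {
  const nodes = new Map(), edges = new Map();
  const node = (k) => nodes.get(k) ?? nodes.set(k, { ips: new Set(), totalBytes: 0, riskFlags: new Set() }).get(k);
  for (const c of conversations) {
    let a = clusterKey(c.src, strategy, enrichment, labels);
    let b = clusterKey(c.dst, strategy, enrichment, labels);
    if (strategy === "labels") {
      if (a === null && b === null) continue; // unlabelled-only traffic is suppressed
      [a, b] = [a ?? "Unlabelled", b ?? "Unlabelled"]; // assumed name for the non-matching peer
    } else {
      [a, b] = [a ?? "Unknown", b ?? "Unknown"]; // assumed bucket for IPs with no enrichment
    }
    node(a).ips.add(c.src);
    node(b).ips.add(c.dst);
    for (const k of new Set([a, b])) { // once per distinct cluster: no double counting
      node(k).totalBytes += c.bytes;
      for (const r of c.risks ?? []) node(k).riskFlags.add(r);
    }
    if (a === b) continue; // intra-cluster traffic draws no edge
    const [from, to] = [a, b].sort();
    const e = edges.get(`${from}|${to}`) ?? { from, to, bytes: 0, conversations: 0 };
    e.bytes += c.bytes; e.conversations += 1;
    edges.set(`${from}|${to}`, e);
  }
  const busiest = Math.max(1, ...[...nodes.values()].map((n) => n.totalBytes));
  const plain = ([k, n]) => [k, { ips: [...n.ips].sort(), totalBytes: n.totalBytes, riskFlags: [...n.riskFlags].sort(),
    shade: n.totalBytes / busiest, riskBadge: n.riskFlags.size > 0 }];
  return { nodes: Object.fromEntries([...nodes].map(plain)), edges: [...edges.values()] };
}

// Side panel: per-IP bytes, conversations, risk flags, unique peers; sortBy = traffic|conversations|risk|peers.
function clusterPanel(conversations, clusterIps, sortBy = "traffic") {
  const rows = new Map(clusterIps.map((ip) => [ip, { ip, traffic: 0, conversations: 0, risk: new Set(), peers: new Set() }]));
  for (const c of conversations) {
    for (const [ip, peer] of [[c.src, c.dst], [c.dst, c.src]]) {
      const r = rows.get(ip);
      if (!r) continue;
      r.traffic += c.bytes; r.conversations += 1; r.peers.add(peer);
      for (const f of c.risks ?? []) r.risk.add(f);
    }
  }
  const col = { traffic: (r) => r.traffic, conversations: (r) => r.conversations, risk: (r) => r.risk.size, peers: (r) => r.peers.size }[sortBy];
  return [...rows.values()].sort((x, y) => col(y) - col(x)).map((r) =>
    ({ ip: r.ip, traffic: r.traffic, conversations: r.conversations, riskFlags: r.risk.size, uniquePeers: r.peers.size }));
}

// Constructed sample capture: two LAN hosts, a peer in another private range, two external
// servers, one external-only conversation and one nDPI-style risk flag on one conversation.
const SAMPLE_CONVERSATIONS = [
  { src: "192.168.1.10", dst: "203.0.113.5", bytes: 120000, risks: [] },
  { src: "192.168.1.11", dst: "203.0.113.5", bytes: 30000, risks: ["TLS self-signed certificate"] },
  { src: "192.168.1.10", dst: "198.51.100.7", bytes: 5000, risks: [] },
  { src: "10.0.5.2", dst: "192.168.1.10", bytes: 800, risks: [] },
  { src: "203.0.113.5", dst: "198.51.100.7", bytes: 2000, risks: [] },
];
const SAMPLE_ENRICHMENT = { "203.0.113.5": { country: "DE" }, "198.51.100.7": { country: "US" } };
const SAMPLE_LABELS = [{ cidr: "192.168.1.0/24", label: "Office LAN" }];

const byCountry = buildClusterGraph(SAMPLE_CONVERSATIONS, "country", { enrichment: SAMPLE_ENRICHMENT });
console.log(JSON.stringify(byCountry, null, 2), clusterPanel(SAMPLE_CONVERSATIONS, byCountry.nodes["Internal Network"].ips));
```

Run it with `node`. With the sample, `country` grouping yields three clusters (Internal Network, DE, US) and three edges; the `10.0.5.2` to `192.168.1.10` conversation stays inside Internal Network and draws no edge, which is also why its bytes are counted only once. `labels` grouping drops the external-only `203.0.113.5` to `198.51.100.7` conversation entirely. The ASN strategy is omitted because an offline capture has nothing to group on (the DB-IP fallback carries no ASN) and the page does not say where such IPs land.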
Filters
The Network Intelligence tab exposes the full conversation filter panel (IP, port, protocol, application, country, device type, risk, custom signatures, etc.), identical to the Conversations tab. Filters apply to both the cluster graph and the side-panel conversation list.
Country Map View
When Group by = Country is selected, the React Flow canvas is replaced with a static SVG world map rendered from a bundled Natural Earth 110m TopoJSON file (no tile server or internet connection required).
Each country with observed traffic displays a cluster marker positioned at the country’s geographic centroid.
Marker size and shade reflect traffic volume (heatmap) or risk presence, consistent with the cluster graph color mode.
Click a country marker to drill down: the map fetches city-level clusters for that country and displays them as smaller markers at their city coordinates.
Click a city marker to open the cluster side panel for that city.
The Internal Network cluster (RFC-1918 addresses) floats as a fixed card outside the map since it has no geographic position.
A back button exits the drilled-down city view and returns to the country level.