Netify's Modular Architecture
Netify is built as three modular stages: capture, processing, and export. This separation enables flexible deployments, high throughput, and rapid feature development. Capture drivers feed processor plugins, which produce telemetry and actionable datasets consumed by output plugins. The agent converts raw packets into actionable data in three stages:
- Inputs
- Capture drivers that ingest packets
- Processors
- Plugins that convert packets into telemetry, datasets, and actions
- Outputs
- Plugins that export telemetry to logs, sockets, queues, and other sinks
Inputs
Inputs ingest packets and deliver them to processors. Netify supports libpcap for portability, TPACKETv3 for high-throughput zero-copy capture, and NFQUEUE for selective inspection and hardware-friendly handoff.
Supported capture drivers:
- PCAP — portable libpcap capture
- TPACKETv3 — high-speed zero-copy ring buffer
- NFQUEUE — selective userspace queue (hardware offload friendly)
Processors
Processor plugins turn packets into metadata streams and datasets used for analytics, detection, and enforcement. Plugins can run in-process or as modular extensions to suit deployment needs.
Example processor plugins:
- Core Telemetry — flow and stats telemetry
- Aggregator — summary bandwidth data
- Network Intelligence — detection and enrichment
- Device discovery — identify hosts
- Flow Actions — policy enforcement