OORIGIN Audit is a passive network monitoring software powered by powerful DPI technology. It inspects your IPv4 traffic and classifies it into flows, describing the protocols, application events, and associated metadata.


Passive network visibility, traffic analysis up to OSI layer 7


2800 applications and protocols, A.I and heuristics analysis


Detect unauthorized devices, applications and traffic


PCI Compliance, ISO 27001, GDPR and others

OORIGIN Audit offers the clarity of event logs with the details of full packet capture to empower your IT security Audits.


  • Full passive probe
  • Integrates with your SIEM
  • Detect encrypted protocols
  • Run on low end X86 hardware
  • Reduce size of forensic data
  • Output Json, Syslog UDP


Device inventory: Analyze devices communicating on your network and discover shadow
Device profiling: Server, NAS, computer, printer, router, IoT, industrial, network activity profiling
IT Policy enforcement: To verify end-user’s adherence to IT policies (ex: gaming, mine bitcoins)
Cyber investigation: Investigate cyber incident with the level of details of a full capture log
Data Retention: Store the network activity logs for future investigations
Regulatory Compliance:   GDPR, ISO27001 and PCI security audits

Configurable alerts

IT RISK:  Protocol or application used is an IT Risk
IT BREACH:  Protocol or application used is an IT Policy breach
NEW DEVICE:  A new device was is communicating on your network

Threat intelligence

IP ANONYMS:  IPs from anonymizing services (TOR, proxies)
IP THREATS:  IPs reported from cyber-attacks, spyware, and viruses
IP CRIME:  IPs reported from malware, botnets and C2C servers

Network activity is categorized

 Why monitoring a network is important?

The network is the life line of the IT infrastructure. When networks fail, the business operations stop; Networks are dynamic environments. Network IT Administrators are continually asked to add new users, technologies and applications to their networks and now let even users connect their own devices. These changes can impact their ability to deliver consistent, predictable network performance and security.

  What is DPI?

Deep packet inspection (DPI) is a technique for inspecting data in order to identify and filter out malware and other unwanted traffic. Each data packet includes both its own content and a set of headers that control how it is handled by routers and other devices as it is transmitted across the internet. DPI is a method that inspects not only the packet’s multiple headers, but also the actual data content of the packet. Network activity logs with DPI technology is a precious time machine, you can search for protocol compliance, viruses, spam, intrusions, etc.

  Why DPI is important?

Deep Packet Inspection enables advanced network management and enforce the IT infrastructure security. DPI is used in a wide range of enterprise-level applications, by telecommunications service providers, and by governments. In the age of evolving advanced threats and 0-day attacks, Network activity logs with DPI engine is a critical and fundamental aspect of an effective network security strategy. This makes OORIGIN a critical tool for advanced IT security.

Data acquisition methods

OORIGIN Audit software capture IP Network traffic 10/100/1G, multiple options are possible, select the one that fit your need. Network test access points (TAP) and port mirroring (SPAN) are the two most common access methods of LIVE packet capture for the use of analysis in data monitoring. There are significant differences which affect the integrity of the traffic that is being analyzed, as well as the performance of the network traffic. Consider SPAN limitation, packets are randomly dropped when the SPAN ports become oversubscribed.

Passive network TAP

A TAP (Test Access Points ) is a hardware device that allows network traffic to flow from ports A to B, and B to A without interruption, and creates an exact copy of both sides of the traffic flow, continuously, 24/7 without compromising network integrity. The duplicate copy can be used for monitoring, security or analysis. Set the TAP in Aggregation Mode. Network TAPs have no IP address, no MAC address and cannot be hacked.

Switch port mirroring

Port Mirroring also known as SPAN (Switched Port Analyzer), sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed. SPAN sessions do not interfere with the normal operation of the switch; Remotely configurable from any system connected to the switch; Disallows bidirectional traffic on that port to protect against backflow of traffic into the network.

Pcap file

For an efficient IT audit Pen testing approach and analysis of firewalls | antivirus |network equipment logs are not enough. The workplace evolved, a traditional office building where employees converge from 9 to 5 pm was simple to Audit, but this era is ended; now your IT is connected to multiple office branches with suppliers located worldwide, use of cloud services and remote workers become a common corporate practice to attract talents, and all this comes with new cyber risks. OORIGIN Audit is an advanced network monitoring solution powered by a DPI technology until now reserved for government or very large corporation. It offers you a complete network visibility up to OSI layer 7 of your IT infrastructure. OORIGIN Audit is a must have tool for your IT Team