Software architecture

The Network Capture Application uses the following services to perform the capture process.

The core capture processes capture, reassemble, post-process, and deliver the reassembled HTTP/HTTPS hits to the Discover Transport Service, which is hosted on another server. The five core processes, in order of processing during capture, are named captured, listend, reassd, pipelined, and deliverd.

Table 1. DNCA process descriptions
Process Description
Captured

Captured is the top-level capture process. It is the parent of several child processes, which include listend, reassd, pipelined, and deliverd. Its two main roles are to create capture instances and to create and manage its child processes. A capture instance is a pair of listend and reassd processes that capture and reassemble network traffic. Upon starting, Captured creates all configured capture instances as child processes. It then creates the pipelined and deliverd processes as child processes. Captured restarts its child processes when they terminate unexpectedly or when its maintenance script determines an unhealthy condition.

Listend

Captures network traffic packets from the configured primary and secondary interfaces and sends them to the reassembly process, Reassd. Listend is essentially a packet sniffer. It uses the configured and ignored traffic settings to determine which packets to capture. Listend buffers the packets that it sends to Reassd in memory to accommodate small delays in the ability of Reassd to read the packets. Listend additionally provides packet archiving to record the captured packets to files on the local hard disk.

Reassd

Reassembles TCP packets, decrypts SSL traffic, and initially parses the resulting HTTP requests and responses. Reassd retrieves packets for reassembly from its communication pipe with the listend process. After it parses an HTTP request and response pair, reassd sends the reassembled hit to pipelined. Reassd is the core process of DNCA and is usually the most CPU-intensive process because of its HTTP and SSL processing.

Pipelined

Retrieves the reassembled HTTP request and response from reassd, formats them into a Discover hit, and performs any configured post-processing. The post-processing can include dropping hits based on configurable options, data compression/decompression, privacy blocking and filtering, and instructing deliverd to send the hit to a workstation. The workstation runs the Discover Transport Service and is typically the Unica Discover server.

Note: The DNCA supports the creation of multiple instances of the pipelined process.

Routerd

Transparently load balances (TLB) incoming network packets and connections to the multiple Reassd process instances. By distributing network traffic more evenly across all Reassd instances, it increases the efficiency of the system's CPU cores to improve overall performance. This process module is present only if TLB mode is enabled.

Tcld

Provides TCL-based script processing to handle the management of the Discover hits for specialized delivery with the deliverd process. This process can accept Discover hits from one or more pipelined source processes.

Deliverd

Delivers the Discover-formatted hits to one or more Discover Transport Services on remote workstations as instructed by tcld. Tcld is responsible for deciding whether a hit must be sent and to whom it must be sent. Deliverd establishes the network connection and sends the hits over the network to the Discover Transport Service. It can optionally communicate with the Discover Transport Service using an SSL connection to provide a secure channel.

Failoverd

This optional process is present if failover is enabled and running on an instance of the Unica Discover Network Capture Application.

  • This process sends heartbeat signals to the failoverd processes on other DNCA instances in the environment.
  • This process runs independently of the other DNCA processes.

Memcached

The Memcached process provides a global in-memory caching system to the DNCA. Memcached is primarily used to store SSL session information for later access by all Reassd instances when processing SSL decryption (resumed SSL sessions). This process module is present only if TLB mode is enabled.
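
The parent/child relationship described in the Captured row can be checked from a process listing. The following is an added example, not code from the product: it assumes the process names appear in `ps -eo pid,ppid,comm` output exactly as written on this page, and the sample listing is constructed.

```python
import subprocess

PARENT = "captured"  # top-level process name as given on the page
CHILDREN = ("listend", "reassd", "pipelined", "deliverd")  # children named on the page

# Constructed `ps -eo pid,ppid,comm` output (not from a real DNCA host).
SAMPLE = """\
  PID  PPID COMMAND
 1200     1 captured
 1210  1200 listend
 1211  1200 reassd
 1212  1200 pipelined
 4321     1 listend
"""

def parse_ps(text):
    """Turn ps output into (pid, ppid, comm) tuples, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            rows.append((int(parts[0]), int(parts[1]), parts[2].strip()))
    return rows

def check_tree(rows):
    """Return findings; an empty list means the tree matches the description."""
    parents = {pid for pid, _, comm in rows if comm == PARENT}
    if not parents:
        return [f"{PARENT}: not running"]
    findings = []
    for name in CHILDREN:
        procs = [(pid, ppid) for pid, ppid, comm in rows if comm == name]
        if not procs:
            findings.append(f"{name}: not running")
        for pid, ppid in procs:
            # A process with a capture name that is not Captured's child is
            # outside the supervision and restart handling the page describes.
            if ppid not in parents:
                findings.append(f"{name} pid {pid}: parent is pid {ppid}, not {PARENT}")
    return findings

def live_rows():
    """Read the local process table (assumes a procps-style ps)."""
    out = subprocess.run(["ps", "-eo", "pid,ppid,comm"],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps(out)

if __name__ == "__main__":
    for finding in check_tree(parse_ps(SAMPLE)):
        print(finding)
```

On a capture host, pass `live_rows()` to `check_tree` instead of the constructed sample.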