Solution Service

NX-C6000 / NX-C6500 Network Forensic & IDS

NX-C6000/NX-C6500 is a "network forensic and IDS" system targeted for VoIP/IMS core network. Operators can reduce time and effort to analyze security threats as well as detecting silent network failure. NX-C6000/NX-C6500 is the ultimate suite for VoIP service operations and maintenance.


Visualization & Detection
  • Reveal anomaly messages and conditions in real-time.
  • Search and view call sequence of SIP/(※) H.323/Diameter messages captured via mirror port or TAP device. Search items menu (SIP header values etc.) can be modified.
  • List out top-caller/callee per src/dst IP address, originator/terminator, etc. with specified filters.
  • Monitor traffic by graph (select message type, SIP methods, request/response, IP address, VLAN IDs etc.).
  • Trigger SNMP alarms by increase/decrease of traffic (400% increase traffic compared to average of the last 5 weeks etc.).
  • Trigger Immediate SNMP alarms on SIP anomaly message (inspected by RFC compliant BNF syntax + "user defined" signature matching).
  • (※)Optional license required for H.323 and Diameter support.
Efficiency of Monitoring IMS/VoIP Network
  • Early detection of network failure.
  • Record specific calls (support lawful interception).
High Performance
  • Forensic and IDS function
    ・Capture up to 15,000 SIP msg./sec (approx. 1,300M msg. /day).
    ・Peak performance : 33,600 msg./sec when real-time processing is delayed.
     Behavior Definition over peak performance can be customized on visual GUI.
    ・No limitation on the maximum number of storable messages.
    ・All dependent on disk storage (able to store to multiple partitions).
  • IDS function only
    ・90,000 msg./sec
Operation Productivity Improvement
  • Start operations from your configured alarms, not by customer informants.
  • Productivity improvement leads to cost reduction of resources, better response time, and customer satisfaction.
  • Multiple Language Support on GUI operation.
Verification Efficiency
  • Analysis of UNI compatibility on SIP terminals.
  • SIP anomaly detection on imported PCAP files.
  • Distinguish differences of SIP processing depending on product versions.

Network Connectivity

NX-C6000 is applicable to most VoIP networks. Using a mirror port or TAP device insures "no impact" to the VoIP service.



NX-C6000 consists below components to support flexibility for customer's necessities. Optional service is available to transfer information (from CERT etc.) on the current VoIP related security threats and additional signature rules, in order to recognize illegal SIP messages that pinpoint vulnerabilities of the SIP servers.

IDS Function for VoIP/IMS Network Security Threats
  • Real-time detection of anomaly messages and conditions.
  • Importing signature files to find security threats on VoIP/IMS network.
  • Creating custom signatures on NX-C6000 GUI.
Message Capture
  • Capture SIP/H.323/Diameter/SIP-T messages to database storage.
  • Combined NextGen SBC NX-B5000 and NX-C6000 analyze traffic on TCP/TLS network environment.
  • Equipped with congestion control, NX-C6000 withholds database storage processing based on CPU usage.
Message Search
  • Search messages via IP address, method, header parameters etc.
  • Full text search available for SIP messages.
  • Save search history for long-term investigation.
Statistics & Graph
  • On-demand Statistics and Graph viewer for message traffic.
Message Count & Compare
  • Message Type Counter (e.g. SIP Method/Request/Response header parameters, etc.).
  • Compare (increase/decrease) SIP traffic (Max/Min/Avg.) with the past records.
SIP Message Real-time Analysis
  • Real-time analysis for SIP anomaly detection. Analysis inspection is based on RFC compliant (Or non-compliant) BNF Syntax and "user defined" signature mapping.
Alarm Notification
  • Trigger SNMP trap message from the results of "Increase/Decrease of SIP messages" or by "Immediate SIP Message anomaly detection".
Top-List Viewer
  • Monitor most frequent messages at each interval (1H/2H/4H/24H). Selecting phone numbers can detect recurring calls leading to call fraud. And the most frequent are international calls.
Voice Quality Measurement
  • Show R-value/MOS-value per network/user groups by monitoring jitter and packet loss.
External Command Execution
  • Execute external commands (e.g. executing shell or controlling L2SW ACLs, commands to SIP server) to prevent servers from DoS or illegal SIP message attacks.

Distributed Architecture (NX-C6500)

NX-C6500 is an extended (expanded?) model of NX-C6000 that separates the capture and the control functions to an individual server. By deploying probes (NX-C6500p) to each site and by managing the probes with the central controller (NX-C6000c), it enables scalability support for the large VoIP and mobile carrier VoLTE networks.

  • Facilitate early detection of node errors on large scale networks.
  • C improve centralization and productivity of VoIP network surveillance.

Web Interface Image

Message Search Screen
Explore by various message header parameters combined with AND/OR conditions. Menu contents may be customized before deployment.
Call Flow Diagram Screen
View call flow diagram and message details. Messages are selected for the "call" using standard Call-ID header or combining with Calling/Called party number and Call Identifier for SIP/H.323 interconnection.
Statistics Graph Screen
Create and monitor traffic statistics on-the-fly. Each user can have personalized graphs for various purposes.