How Thales reduced costs and shortened their SW
development cycle using Xena Ethernet
traffic generators & test automation.


In modern warfare, the ability to gather, process, and act upon real-time data can mean the difference between victory and defeat. From surveillance to logistics management, operations rely heavily on the seamless flow of information between decision logic, connected sensors, and weapon systems.

To support these information driven operations, the number of (sub)systems that need to be connected is growing rapidly. Whereas these systems used to be directly connected via simple coax cables, these days information typically flows through high-bandwidth IP-networks. This poses a security risk, as an adversary might infiltrate the network and try to sabotage the system.

To prevent cyberattacks infiltrating the complete network, these networks are compartmentalized into security information domains, typically called red and black domains. Sensors producing high speed data and actuators requiring low latency and jitter control information are typically placed in the black domain. Decision control systems that process data from sensors and control the actuators accordingly are typically placed in the red domain. Real-Time Gateways (RTG) are installed to connect these systems while mitigating cyber-attacks. The role of the RTG is to prevent protocol attacks and data leakage by only allowing certain types of data to pass from one security sub-domain to another.

Given the critical role in cyber security and critical location within a system, testing the reliability and performance of RTGs is a vital part of the product development process.

Thales is a leading defense and cybersecurity supplier renowned for innovative solutions and expertise in safeguarding critical infrastructure. One of Thales’ key cyber security products is the CYBELS RTG which protects and controls data going from low security untrusted domains to higher security trusted domains. CYBELS RTG can handle up to 40Gb of traffic per second.

In secure maintenance mode, the CYBELS RTG offers the flexibility for a wide range of filtering rules and protocols using filter definition language. A dedicated out-of-band management interface is available to securely configure the filtering rules. As soon as the RTG enters its operational run-time mode, these filtering rules are fixed, and assurance is delivered for what has been set.

The Challenge

Conventional network analysis methods lack precision and could not generate sufficient traffic to fully test the RTG on heavy workloads. Verifying the true performance of the Thales CYBELS RTG was a critical milestone during development.

“Using reliable, high-precision network analysis tools is necessary to validate the deterministic behavior of our products since they are often applied in critical applications”, says Alex van der Linden, System Architect for secure products at Thales. Key criteria for the test equipment were:

  • Support for up to 40Gbps bandwidth
  • Precise timing to ensure accurate verification of latency and jitter performance
  • Ability to generate deterministic streams from pre- generated packet data
  • Support for multiple users so test equipment could be used for multiple test beds simultaneously

Thales already had test equipment suitable for lower bandwidth traffic generation. However, initial pricing estimates indicated that upgrading this equipment to 40Gbps would be prohibitively expensive. Thales therefore started looking for a new solution to test the performance of the CYBELS RTG.

Standard Linux tools like tcpdumb are a simple way of analyzing network traffic, but not adequate for the precise and thorough testing Thales required for the CYBELS RTG.

Making an application in the Linux kernel based on DPDK to create network traffic was a better approach. By adding time stamps to each packet, it was possible to measure round trip delays. However, the Linux-OS scheduling was inconsistent in the packet ordering and because it is crucial to verify that the RTG does not swap packets, this test tool failed as it swapped packets itself.

However, the Linux tools made it very easy to use Python to build packets that represented the data Thales wanted to send through the RTG filters. This meant it would be ideal if the test equipment also offered an easy way to insert packet data generated by the Linux tool into the test equipment.

The Solution

Thales found the Xena’s Z10 Odin and Z100 Loki traffic generators from Teledyne LeCroy were much more economical than upgrading their existing test equipment to 40Gbps.

Furthermore, the Xena OpenAutomation (XOA) Python API offered an easy interface to their existing test scripts.

The XenaManager software made it easy to set up and run packet streams at wire-speed on each traffic generator port with full control of the packet payload and headers. Here the latency measurement accuracy was as low as +/- 8 ns and jitter measurements compliant to MEF10 standard with 8 ns accuracy.

Furthermore, Xena OpenAutomation (XOA), the free open-source automation and scripting framework conveniently included a Python API meaning Thales could write their own scripts directly.

To verify the Xena traffic generators could perform the tasks required, it was agreed to loan Thales some demo equipment for initial evaluation. Teledyne LeCroy also had an application engineer help port Thales’ Python scripts to fit the Teledyne LeCroy XOA scripting environment.

The evaluation was successful, and Thales decided to purchase several Z10 and Z100 modules in a B2400 chassis.

“It was a straightforward business case to switch to Teledyne LeCroy,” says Alex van der Linden. “The equipment was much less expensive than the alternative and the Python API was exactly what we needed, and much faster and easier to use compared to the tool from our existing supplier.”

Thales used Scapy to generate the packets and then copied those into streams created by the Xena traffic generators using the XOA Python API. In this way Thales were able to obtain the same functionality as with the Linux tools in almost the same way.

Thales also found the reporting of test results through the XOA Python API very easy to work with.


Modern military communication systems connect sensors, weapon systems and data processing logic via high-bandwidth IP-networks. To mitigate the risk of cyberattacks, the network is typically separated into security sub-domains. This is done using Real-Time Gateways, like the Thales CYBELS RTG, to filter data flowing between the domains.

Since the Thales CYBELS RTG is part of mission-critical networks it is crucial to validate the performance of the RTG with data traffic that mimics real-world scenarios.

Thales found that the Xena Z10 Odin and Z100 Loki traffic generators together with the free, open- source XOA Python API was the perfect solution for their performance tests. The solution was less expensive than upgrading their existing test environment while the Python API made creating the test streams easy.

Migrating from Thales’ previous test environment to the Teledyne solution went smoothly with around 3-man months of work required for all tests.

The Xena solution from Teledyne LeCroy saved Thales a significant amount of time in the development of the CYBELS RTG, by enabling almost all issues in the code to be found and fixed before final validation testing.

White Papers