Architecture

Building a Distributed City-Wide Sensor Mesh

One of the most frequent requests we get from enterprise security teams is the ability to monitor multiple frequency bands across large geographic areas. Sticking a single engineer on a roof with a laptop and a spectrum analyzer doesn't scale.

Mycelium includes a native peer-to-peer encrypted mesh that every node joins automatically. Nodes on the same LAN discover each other within seconds. Nodes across subnets connect with a single command. Once connected, any node can route decoded data directly to a tool on any other node — no TCP socket configuration, no hardcoded IP addresses in scripts.

The Scenario: Campus-Wide Multi-Band Monitoring

Imagine a corporate campus where we need to simultaneously monitor three distinct environments: incoming ADS-B flight traffic (1090 MHz), local facility IoT sensors (433 MHz), and maritime AIS tracking from a nearby port (162 MHz).

Instead of deploying three expensive workstations, we deploy three $30 RTL-SDR dongles attached to Raspberry Pis. These are our "Agent Nodes." A single server in the security operations center runs the "Collector" — the tool that receives, tags, and logs all incoming data.

Step 1: The Agent Node Script

Each edge agent decodes its signal locally and uses Send_To_Tool with a NODE:TOOL address to push decoded data directly to the collector tool on the SOC node. The Insert_Variable action tags the payload with the agent's identity before forwarding, so the collector knows which sensor each frame came from.

The only site-specific value in the agent script is the collector's node name — soc_node — which resolves automatically through the mesh. No IP addresses, no port numbers.

Step 2: The Collector Script

Back in the security operations center, the Mycelium collector uses Receive_From_Tool to dequeue data arriving from any edge agent. The Extract_Variable action peels the agent tag back out, and Report_JSON formats everything into a structured log for Elasticsearch or Splunk.

The Architecture

Because Mycelium separates the ingestion layer (the SDRs) from the processing layer (the directives), and because the mesh handles all routing transparently, this architecture scales to as many agents as needed. Adding a fourth agent on a new frequency band requires only a new script on a new Pi — the collector automatically receives its data without any reconfiguration.

digraph { graph [bgcolor="transparent" fontname="Inter" rankdir=TB pad=0.5] node [fontname="Inter" fontsize=11 fontcolor="#e2e8f0" style=filled fillcolor="#1a1033" color="#8b5cf6" penwidth=1.5 margin="0.2,0.12" shape=box] edge [color="#8b5cf6" fontcolor="#a78bfa" fontname="Inter" fontsize=9 arrowsize=0.8] subgraph cluster_a1 { label="Agent 1: Aviation (1090 MHz)" fontcolor="#e2e8f0" color="#8b5cf6" style=dashed bgcolor="#0f0a1e" sdr1 [label="RTL-SDR" shape=cylinder] ch1 [label="Mycelium"] sdr1 -> ch1 [label="Decode"] } subgraph cluster_a2 { label="Agent 2: IoT (433 MHz)" fontcolor="#e2e8f0" color="#8b5cf6" style=dashed bgcolor="#0f0a1e" sdr2 [label="RTL-SDR" shape=cylinder] ch2 [label="Mycelium"] sdr2 -> ch2 [label="Decode"] } subgraph cluster_a3 { label="Agent 3: Maritime (162 MHz)" fontcolor="#e2e8f0" color="#8b5cf6" style=dashed bgcolor="#0f0a1e" sdr3 [label="RTL-SDR" shape=cylinder] ch3 [label="Mycelium"] sdr3 -> ch3 [label="Decode"] } subgraph cluster_brain { label="SOC — soc_node" fontcolor="#e2e8f0" color="#22c55e" style=dashed bgcolor="#0f0a1e" collector [label="collector tool\nReceive_From_Tool"] extract [label="Extract_Variable"] siem [label="Elasticsearch / SIEM" shape=cylinder] collector -> extract -> siem } ch1 -> collector [label="NODE:TOOL mesh routing\n(Insert_Variable + Send_To_Tool)" style=dashed color="#22c55e"] ch2 -> collector [label="NODE:TOOL mesh routing" style=dashed color="#22c55e"] ch3 -> collector [label="NODE:TOOL mesh routing" style=dashed color="#22c55e"] }

Forwarding to Non-Mycelium Systems

When the destination is a system that doesn't run Mycelium — a raw Elasticsearch ingest endpoint, a legacy SIEM, or a third-party data pipeline — the TCP_Send and UDP_Send directive actions are still available and work exactly as before. The two approaches are complementary: use NODE:TOOL routing to move data between Mycelium nodes, and use network actions to push data out to external consumers.

Licensing for Scaled Deployments

Deploying a mesh of dozens or hundreds of sensor nodes is a powerful strategy, and Mycelium's licensing model is designed to support this scale. While individual nodes can be licensed on a per-device basis, this distributed architecture is the primary driver for our Tiered Enterprise Licensing.

  • Lab License: Ideal for a single research laboratory or operational unit. Provides unlimited Mycelium instances within a specific, physically co-located environment, enabling you to saturate that specific space with as many sensors as required.
  • Program License: Designed for multi-site operations or specific aerospace programs. This allows for unlimited node deployments across the entire footprint of a named program, regardless of geographic location.

Conclusion

The native mesh turns each Mycelium deployment into a cooperative network rather than a collection of independent sensors. Edge nodes route their data to wherever it needs to go — without TCP socket bookkeeping, without hardcoded IPs, and without any central broker. Security teams get total situational awareness across their entire physical footprint from a single pane of glass.

For a deeper look at the mesh networking layer — including encrypted key exchange, MeshSDR for RF-over-mesh simulation, and the Colony topology map — see the native mesh networking walkthrough.



← Back to Blog