IntroSpect is made up of three Nodes: one Analyser Node, three or more Compute Nodes and optionally one or more Packet Processor Nodes.
The Analyser Node is a combination of Analyst / Admin interface and Network Device Interface. For this conversation let's focus on the Network Device interface. The AN is able to use syslog to harvest logs from some devices and also receive logs from a SIEM like Splunk. It also receives logs and Meta-Data from the optional Packet Processor. The AN then populates all this into the databases on the Compute Nodes.
The Compute Nodes hold, index and manipulate the databases - these are the workers that run the various AI and Machine Learning engines.
Now let's look at the Packet Processor. The PP is optional in that if you are only monitoring a single site and the AN/CN is at that site, then all log collection can be done by the AN at the site. You will need to add a PP at remote sites to collect logs at those sites, and the PP will transfer the logs to the AN. However, there is one function the PP does that the AN/CN will not do. You must have a PP for network traffic evaluation.
The Packet Processor has a Deep Packet Inspection engine (read resource hog here) for analysing network traffic and generating Meta-Data which is sent to the AN. So if you are going to take advantage of one of the most powerful tools in IntroSpect and analyse live network traffic YOU NEED A Packet Processor even in a Single Site Configuration.
I hope this helps