Configuring Endace Probe Integration

Overview

Endace probes capture packets on the network. Searching through a packet capture (pcap) that may contain thousands of packets or more is time consuming and tedious. Using Scrutinizer's flow collection together with the Endace probe integration simplifies finding the packet capture detail that correlates to the flow data in question.

With this integration, the user can quickly filter down to the flow data related to the issue in Scrutinizer, then select the Endace Probes option from the reporting menus to download just the packets related to that specific flow data.

Setting up Endace Packet Capture Integration

In order for Scrutinizer to download packet captures from Endace probes, each probe must first be added (enabled) via the Interactive scrut_util.exe utility on the Scrutinizer appliance.

To access these commands, open the Interactive scrut_util prompt by running:

/home/plixer/scrutinizer/bin/scrut_util.exe

Then, at the SCRUTINIZER> prompt, use the following commands to configure the probes. The probe password is entered in the clear at the prompt and kept by Scrutinizer for later downloads, so use a dedicated Endace account that has only the privileges needed to search and download captures.

  • Add a probe:

    SCRUTINIZER> endace add

  • Remove a probe:

    SCRUTINIZER> endace remove

  • Change/Update a probe:

    SCRUTINIZER> endace update <host_ip> <port> <endace_user> <endace_pass>

Accessing Endace Probes in Scrutinizer

There are three ways to access the probes from within Scrutinizer:

  1. Vendor Specific Menu
  2. Violated Alarms
  3. Reports with IP Addresses

Vendor Specific Menu

From the Status tab > Vendor Specific menu, there is an Endace Probes option. This option allows the user to query the Endace device without starting from a report, which is especially handy when the user already knows the IP addresses, protocol, and ports. Take the following steps to access Endace packet captures via the Endace Probes option.

  1. Select the Status tab

  2. Select the Vendor Specific menu

  3. Select the Endace Probes menu entry

  4. Complete the following fields:

    • Initiator IP
    • Target IP
    • Protocol
    • Initiator Port and Target Port (optional)
  5. Click Search

  6. Download the pcap and open it in the desired packet analyzer.

Violated Alarms

The Alarms that Scrutinizer generates can be investigated in more detail by using the following instructions to access Endace captures from Violated Alarms.

  1. Select the Alarms tab

  2. If looking for a specific Alarm type:

    1. Select Views>>Bulletin Board by Policy
    2. Select the violated Policy for which packet details are desired,
    3. or expand the Violators list for that Policy and select the Violator for which packet details are desired.
  3. If looking for a specific Violator:

    1. Select Views>>Bulletin Board by Violator
    2. Select the Violator Address to get the packet details,
    3. or expand the Policies Violated list and select the Policy for which packet details are desired.
  4. In the Bulletin Board Events page, click the dropdown arrow between the Board Name and Message columns

  5. Select Endace Probes

    • Any relevant details from the alarm are pre-populated, so the actual packets from the conversation that triggered the alarm become available.
  6. Click Search

  7. Download the pcap and open it in the desired packet analyzer.

Reports with IP Addresses

The Reports with IP Addresses option allows the user to select a source or destination IP address (or DNS name) from a report and retrieve the matching packets from the Endace probes.

This is a good option when a flow report has already been launched and a particular conversation in it needs to be investigated further.

  1. Start within a report that includes source and destination IP Addresses

  2. Select an IP Address from the report

  3. Select Other Options from the dropdown menu

  4. Select Endace Probes from the Other Options menu

    • Any relevant details from the conversation are pre-populated, so the user can get directly to the actual packets of that conversation.
  5. Click Search

  6. Download the pcap and open it in the desired packet analyzer.
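Whichever of the three access methods is used, the result is a pcap filtered to one conversation defined by Initiator IP, Target IP, Protocol and the optional Initiator/Target ports. The following Python script is an added example, not Scrutinizer, Plixer or Endace code, that checks a downloaded pcap against those same fields before it is handed to an analyst: it parses the classic libpcap format directly, matches packets in both directions of the conversation, and reports how many packets fall outside it. The sample capture it uses is constructed inline, the addresses and ports in it are invented for illustration, and it assumes an Ethernet link type and IPv4 packets (pcapng files and other link types are rejected rather than misparsed).

```python
"""Check that a pcap downloaded from an Endace probe contains only the
conversation requested in Scrutinizer (Initiator IP, Target IP, Protocol,
optional Initiator/Target ports).

Added example, not Plixer/Scrutinizer or Endace code. Assumes a classic
libpcap file (not pcapng) with Ethernet link type and IPv4 packets.
"""
import socket
import struct

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}


def parse_pcap(data):
    """Yield (src_ip, dst_ip, proto, sport, dport) for each IPv4 packet."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"            # little-endian pcap header
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"            # big-endian pcap header
    else:
        raise ValueError("not a classic pcap file (pcapng or corrupt?)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:           # DLT_EN10MB = Ethernet
        raise ValueError("example only handles Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue            # not IPv4, skip it
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        sport = dport = None
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
        yield (src, dst, proto, sport, dport)


def matches(pkt, initiator, target, proto, iport=None, tport=None):
    """True if the packet belongs to the conversation, in either direction."""
    src, dst, p, sport, dport = pkt
    if p != proto:
        return False
    forward = (src == initiator and dst == target
               and (iport is None or sport == iport)
               and (tport is None or dport == tport))
    reverse = (src == target and dst == initiator
               and (tport is None or sport == tport)
               and (iport is None or dport == iport))
    return forward or reverse


def check_capture(data, initiator, target, protocol, iport=None, tport=None):
    """Return (matching_packets, total_packets) for the downloaded pcap."""
    proto = protocol if isinstance(protocol, int) else PROTO_NUM[protocol.lower()]
    pkts = list(parse_pcap(data))
    n = sum(1 for pkt in pkts if matches(pkt, initiator, target, proto, iport, tport))
    return n, len(pkts)


# --- constructed sample capture (hypothetical addresses/ports) -------------
def _frame(src, dst, proto, sport, dport):
    eth = b"\x00" * 12 + b"\x08\x00"                       # Ethernet, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4     # first 8 L4 bytes
    return eth + ip + l4


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    _frame("10.1.1.5", "203.0.113.9", 6, 51234, 443),     # initiator -> target
    _frame("203.0.113.9", "10.1.1.5", 6, 443, 51234),     # reply direction
    _frame("10.1.1.5", "203.0.113.9", 17, 51234, 443),    # UDP: wrong protocol
    _frame("10.1.1.7", "203.0.113.9", 6, 40000, 443),     # unrelated host
])

if __name__ == "__main__":
    hit, total = check_capture(SAMPLE_PCAP, "10.1.1.5", "203.0.113.9", "tcp", 51234, 443)
    print(f"{hit} of {total} packets belong to the requested conversation")
```

If the stray count is large, the probe was queried with looser criteria than intended (for example the optional ports were left blank on a busy pair of hosts) and the search should be repeated with the ports filled in.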