Endace probe integration
Endace captures packets on the network. Searching through a packet capture (pcap) that can contain thousands of packets or more is time consuming and tedious. Combining Plixer Scrutinizer's flow collection with the Endace probe integration simplifies finding the packet capture detail that correlates to the flow data in question.
With this integration, Plixer Scrutinizer allows the user to quickly filter down to the flow data related to the issue; the Endace probes can then be selected from the reporting menus to download just the packets related to the specific flow data observed in Plixer Scrutinizer.
Setting up Endace packet capture integration
To configure Plixer Scrutinizer to download packet captures from Endace probes, the probe must first be added (enabled) via the interactive scrut_util utility on the Plixer Scrutinizer appliance.
To access these commands, open the interactive scrut_util prompt by running:
Then, in the SCRUTINIZER> prompt, use the following commands to configure the probes.
- Add a probe:
SCRUTINIZER> endace add
- Remove a probe:
SCRUTINIZER> endace remove
- Change/update a probe:
SCRUTINIZER> endace update <host_ip> <port> <endace_user> <endace_pass>
Accessing Endace probes in Plixer Scrutinizer
There are three ways to access the probes from within Plixer Scrutinizer:
You can get more details regarding the violations from the Alarms. Use the following instructions to access Endace reports from violated alarms.
- Select the Alarms tab.
- If looking for a specific Alarm type:
  - Select Views > Bulletin Board by Policy.
  - Select the Policy Violated entry for which you want to retrieve the packet details,
  - Or expand the Violators list for that policy and select the violator.
- If looking for a specific violator:
  - Select Views > Bulletin Board by Violator.
  - Select the violator address to get the packet details,
  - Or expand the Policies Violated list and select the Policy for which packet details are desired.
- In the Bulletin Board Events page, click the dropdown arrow between the Board Name and Message columns.
- Select Endace Probes. Any relevant details from the alarm are pre-populated. This is useful because the actual packets from the conversations that triggered the alarms become available.
- Click Search.
- Download the pcap and open it in your favorite packet analyzer.
Reports with IP addresses
The Reports with IP addresses option allows the user to select the source or destination IP address (or DNS name) from a report and get information from the Endace probes.
To investigate the conversation further, launch the Flow report.
- Start within a report that includes source and destination IP addresses.
- Select an IP address from the report.
- Select Other Options from the drop-down menu.
- Select Endace Probes. Any relevant details from the conversation are pre-populated. This is useful because the user can get to the actual packets from the conversation.
- Click Search.
- Download the pcap and open it in the packet analyzer.