Configuring Endace Probe Integration
Endace captures packets on the network. Searching through what can be thousands of packets or more in the packet capture (pcap) can be very time consuming and tedious. Using Scrutinizer’s flow collection with the Endace probe integration, finding the specific packet capture detail that correlates to the flow data in question is simplified.
With this integration, Scrutinizer allows the user to quickly filter down to the flow data related to the issue, then the Endace Probes can be selected from the reporting menus to download just the packets related to the specific flow data observed in Scrutinizer.
Setting up Endace Packet Capture Integration
In order to configure Scrutinizer to download packet captures from Endace probes, the probe must first be added (enabled) via the Interactive scrut_util.exe utility on the Scrutinizer appliance.
To access these commands, open the Interactive scrut_util prompt by running:
Then, in the SCRUTINIZER> prompt, use the following commands to configure the probes.
Add a probe:
SCRUTINIZER> endace add
Remove a probe:
SCRUTINIZER> endace remove
Change/Update a probe:
SCRUTINIZER> endace update <host_ip> <port> <endace_user> <endace_pass>
Accessing Endace Probes in Scrutinizer
There are three ways to access the probes from within Scrutinizer:
The alarms that Scrutinizer generates can be investigated in more detail. This is done by using the following instructions to access Endace Reports from Violated Alarms.
Select the Alarms tab
If looking for a specific Alarm type
- Select Views>>Bulletin Board by Policy
- Select the violated Policy for which packet details are desired
- Or expand the Violators list for that Policy and select the Violator for which packet details are desired.
If looking for a specific Violator
- Select Views>>Bulletin Board by Violator
- Select the Violator Address to get the packet details
- Or expand the Policies Violated list and select the Policy for which packet details are desired
In the Bulletin Board Events page
Click the dropdown arrow between the Board Name and Message columns
Select Endace Probes
- Any relevant details from the alarm are pre-populated. This is useful because the actual packets from the conversations that triggered alarms become available.
Download the pcap and open in your favorite packet analyzer.
Reports with IP Addresses
The Reports with IP Addresses option allows the user to select the source or destination IP Address (or DNS Name) from a report and get information from the Endace probes.
This is a great option when a conversation seen in a flow report needs to be investigated further.
Start within a report that includes source and destination IP Addresses
Select an IP Address from the report
Select Other Options from the dropdown menu
Select Endace Probes from the Other Options menu
- Any relevant details from the conversation are pre-populated. This is useful because the user can get to the actual packets from the conversation.
Download the pcap and open it in the desired packet analyzer.