Endace probe integration


Endace probes capture packets on the network. Searching through the thousands of packets (or more) in a packet capture (pcap) can be very time consuming and tedious. Using Plixer Scrutinizer's flow collection together with the Endace probe integration, finding the packet capture detail that correlates to the flow data in question is much simpler.

With this integration, Plixer Scrutinizer lets the user quickly filter down to the flow data related to the issue; the Endace probes can then be selected from the reporting menus to download only the packets related to the specific flow data observed in Plixer Scrutinizer.

Setting up Endace packet capture integration

Before Plixer Scrutinizer can download packet captures from Endace probes, each probe must first be added (enabled) via the interactive scrut_util utility on the Plixer Scrutinizer appliance.

To access these commands, open the interactive scrut_util prompt by running:


Then, at the SCRUTINIZER> prompt, use the following commands to configure the probes.

  • Add a probe:
    SCRUTINIZER> endace add
  • Remove a probe:
    SCRUTINIZER> endace remove
  • Change/update a probe:
    SCRUTINIZER> endace update <host_ip> <port> <endace_user> <endace_pass>

Accessing Endace probes in Plixer Scrutinizer

There are three ways to access the probes from within Plixer Scrutinizer:

  1. Vendor Specific Menu
  2. Violated Alarms
  3. Reports with IP Addresses

Vendor specific menu

From the Status tab > Vendor Specific menu, select the Endace Probes option. This option allows the user to access the Endace device without first being in a report. This is especially handy when the user already knows the IP addresses, protocol, and ports. Take the following steps to access Endace packet captures via the Endace Probes option.

  1. Select the Status tab.
  2. Select the Vendor Specific menu.
  3. Select the Endace Probes menu entry.
  4. Complete the following fields:
     • Initiator IP
     • Target IP
     • Protocol
     • Initiator Port and Target Port (optional)
  5. Click Search.
  6. Download the pcap and open it in the desired packet analyzer.

Violated alarms

You can get more details regarding the violations from the Alarms tab. Use the following instructions to access Endace reports from violated alarms.

  1. Select the Alarms tab.
  2. If looking for a specific alarm type:
     a. Select Views > Bulletin Board by Policy.
     b. Select the violated policy for which packet details are desired, or expand the Violators list for that policy and select the violator.
  3. If looking for a specific violator:
     a. Select Views > Bulletin Board by Violator.
     b. Select the violator address to get the packet details, or expand the Policies Violated list and select the policy for which packet details are desired.
  4. In the Bulletin Board Events page, click the dropdown arrow between the Board Name and Message columns.
  5. Select Endace Probes. Any relevant details from the alarm are pre-populated. This is useful because the actual packets from the conversations that triggered the alarms become available.
  6. Click Search.
  7. Download the pcap and open it in your favorite packet analyzer.

Reports with IP addresses

The Reports with IP Addresses option allows the user to select the source or destination IP address (or DNS name) from a report and retrieve the matching packets from the Endace probes.

To investigate the conversation further, launch the Flow report.

  1. Start within a report that includes source and destination IP addresses.
  2. Select an IP address from the report.
  3. Select Other Options from the drop-down menu.
  4. Select Endace Probes. Any relevant details from the conversation are pre-populated. This is useful because the user can get to the actual packets from the conversation.
  5. Click Search.
  6. Download the pcap and open it in the desired packet analyzer.