Endace probe integration¶
Endace probes capture packets on the network. Searching through the thousands of packets (or more) in a packet capture (pcap) for the few that matter is time consuming and tedious. With Scrutinizer's flow collection and the Endace probe integration, finding the packet capture detail that correlates to the flow data in question is much simpler.
With this integration, the user first filters down in Scrutinizer to the flow data related to the issue, then selects Endace Probes from the reporting menus to download only the packets that belong to the specific flows observed in Scrutinizer.
Setting up Endace packet capture integration¶
To configure Scrutinizer to download packet captures from Endace probes, each probe must first be added (enabled) via the interactive scrut_util.exe utility on the Scrutinizer appliance.
To access these commands, open the interactive scrut_util prompt on the appliance.
Then, at the SCRUTINIZER> prompt, use the following commands to configure the probes.
Add a probe:
SCRUTINIZER> endace add
Remove a probe:
SCRUTINIZER> endace remove
Change/update a probe:
SCRUTINIZER> endace update <host_ip> <port> <endace_user> <endace_pass>
The probe credentials are passed as plain command arguments, so enter them at the interactive prompt rather than in scripts or shell command lines that are logged or kept in history.
Accessing Endace probes in Scrutinizer¶
There are three ways to access the probes from within Scrutinizer:
Alarms¶
More details regarding a violation can be retrieved from the Alarms. Use the following instructions to access Endace reports from violated alarms.
- Select the Alarms tab.
- If looking for a specific alarm type:
  - Select Views > Bulletin Board by Policy.
  - Select the violated policy for which packet details are desired, or expand the Violators list for that policy and select the violator.
- If looking for a specific violator:
  - Select Views > Bulletin Board by Violator.
  - Select the violator address to get the packet details, or expand the Policies Violated list and select the policy for which packet details are desired.
- In the Bulletin Board Events page, click the dropdown arrow between the Board Name and Message columns.
- Select Endace Probes. Any relevant details from the alarm are pre-populated, so the actual packets from the conversations that triggered the alarm become available.
- Click Search.
- Download the pcap and open it in your preferred packet analyzer.
Reports with IP addresses¶
The reports with IP addresses option allows the user to select the source or destination IP address (or DNS name) from a report and retrieve the matching packets from the Endace probes.
To investigate a conversation further, launch the Flow report.
- Start within a report that includes source and destination IP addresses.
- Select an IP address from the report.
- Select Other Options from the drop-down menu.
- Select Endace Probes. Any relevant details from the conversation are pre-populated. This is useful because the user can get to the actual packets from the conversation.
- Click Search.
- Download the pcap and open it in the packet analyzer.
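Both procedures above end with a downloaded pcap that should contain only the packets of the flow selected in Scrutinizer. The following added example (not Scrutinizer or Endace code) shows how to confirm that correlation before trusting the capture: it parses a libpcap file, extracts the IPv4 5-tuple of each TCP/UDP frame, and splits the packets into those that belong to the flow of interest (in either direction) and those that do not. The pcap is constructed in the script itself so it runs offline; the addresses, ports and the flow tuple are assumptions, not values from the page.

```python
import struct
import socket

# libpcap global header: magic, version 2.4, tz offset 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_packet(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/{TCP,UDP} frame. Checksums are left zero:
    this is constructed test input, not traffic captured from a probe."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # zero MACs, EtherType IPv4
    if proto == 6:    # TCP: 20-byte header, data offset 5, flags ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 8192, 0, 0) + payload
    elif proto == 17:  # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        raise ValueError("only TCP/UDP supported")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def build_pcap(frames):
    """Serialize frames into a pcap byte string; the frame index is used as the timestamp."""
    out = bytearray(PCAP_GLOBAL_HEADER)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)


def parse_pcap(data):
    """Yield (timestamp, (src, sport, dst, dport, proto)) for each IPv4 TCP/UDP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4 (or truncated)
        ihl = (frame[14] & 0x0F) * 4                   # IPv4 header length in bytes
        proto = frame[23]
        if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
            continue                                   # not TCP/UDP or no port fields
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield ts_sec + ts_usec / 1e6, (src, sport, dst, dport, proto)


def matches_flow(tuple5, flow):
    """True when the packet belongs to the flow in either direction."""
    src, sport, dst, dport, proto = tuple5
    fsrc, fsport, fdst, fdport, fproto = flow
    if proto != fproto:
        return False
    return ((src, sport, dst, dport) == (fsrc, fsport, fdst, fdport) or
            (src, sport, dst, dport) == (fdst, fdport, fsrc, fsport))


def split_by_flow(data, flow):
    """Return (matching, other): 5-tuples of the flow of interest vs everything else."""
    matching, other = [], []
    for _ts, t in parse_pcap(data):
        (matching if matches_flow(t, flow) else other).append(t)
    return matching, other


# Constructed sample (assumed addresses): one suspect conversation plus unrelated traffic.
FLOW = ("10.1.1.5", 51000, "203.0.113.10", 443, 6)
SAMPLE_PCAP = build_pcap([
    build_packet("10.1.1.5", "203.0.113.10", 6, 51000, 443, b"GET"),
    build_packet("203.0.113.10", "10.1.1.5", 6, 443, 51000, b"200"),   # reply direction
    build_packet("10.1.1.7", "192.0.2.20", 17, 5353, 53),              # unrelated UDP
    build_packet("10.1.1.5", "203.0.113.10", 6, 51001, 443),           # same hosts, other flow
])

if __name__ == "__main__":
    hits, rest = split_by_flow(SAMPLE_PCAP, FLOW)
    print(f"{len(hits)} packet(s) belong to the flow, {len(rest)} do not")
```

Run it against the downloaded pcap by replacing SAMPLE_PCAP with the file contents and FLOW with the 5-tuple shown in the Scrutinizer report; a non-empty "other" list means the probe returned more than the selected conversation, which is worth knowing before the capture is shared or attached to an incident record. The 5-tuple match is deliberately direction-agnostic because a flow record and its reply can appear as separate rows in a report.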