How do I check for traffic on an Endace Card?


Article ID: 160442



Products

Data Loss Prevention Network Monitor Data Loss Prevention Enforce

Issue/Introduction

I have an Endace card, and I am not seeing traffic.  How can I check if the issue is with the card or with the software?

Resolution

Endace ships a capture utility called dagsnap. It captures traffic from the card and writes it to the file you specify. From the command line, run the command for your platform:

On Linux:

dagsnap -o /tmp/tracefile

On Windows:

dagsnap -o C:\tmp\tracefile

The output file can then be opened in Wireshark to examine the type of traffic. You may need to convert the file from ERF to PCAP format first, using the dagconvert utility:

dagconvert -T erf:pcap -i <infile> -o <outfile>

Note: Be sure to stop the Monitor before running the dagsnap utility.

Because dagsnap is only a utility, it does not have the caching features of the Endace card. If the traffic rate is too high, dagsnap may therefore write a corrupt file that cannot be read.
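A quick way to tell "the card captured nothing" apart from "the file was cut off under load" is to walk the ERF records in the dagsnap output before converting it. The following is an added example, not code from Endace or from the DLP product; it parses the 16-byte ERF record header as described in the public ERF specification (little-endian 64-bit timestamp, then type, flags, rlen, lctr and wlen in network byte order, with a 2-byte pad before the frame for the Ethernet type), counts records per capture interface, and reports a trailing partial record as truncated rather than failing. The function and variable names are my own.

```python
import struct
import sys
from collections import Counter

ERF_HEADER_LEN = 16
ERF_TYPE_ETH = 2
ERF_TYPE_NAMES = {1: "HDLC_POS", 2: "ETH", 3: "ATM", 4: "AAL5"}  # subset of the public ERF type list


def erf_record(ts_sec: int, iface: int, payload: bytes, erf_type: int = ERF_TYPE_ETH) -> bytes:
    """Build one ERF record (constructed sample data, not a real capture).
    Timestamp is 64-bit little-endian fixed point (upper 32 bits = seconds);
    the rest of the header is big-endian. ERF_TYPE_ETH carries a 2-byte pad."""
    body = (b"\x00\x00" + payload) if erf_type == ERF_TYPE_ETH else payload
    rlen = ERF_HEADER_LEN + len(body)
    header = struct.pack("<Q", ts_sec << 32) + struct.pack(">BBHHH", erf_type, iface & 0x3, rlen, 0, len(payload))
    return header + body


def summarize_erf(data: bytes) -> dict:
    """Walk ERF records and report what the capture actually holds.
    A trailing partial record (the shape of a dagsnap file cut off under
    load) sets 'truncated' instead of raising, so the count so far survives."""
    offset, records, rx_errors, truncated = 0, 0, 0, False
    per_iface, per_type = Counter(), Counter()
    while offset < len(data):
        if len(data) - offset < ERF_HEADER_LEN:
            truncated = True
            break
        erf_type, flags, rlen, _lctr, _wlen = struct.unpack_from(">BBHHH", data, offset + 8)
        if rlen < ERF_HEADER_LEN or offset + rlen > len(data):
            truncated = True  # rlen points past end of file: record was never completed
            break
        records += 1
        per_iface[flags & 0x3] += 1            # flags bits 0-1: capture interface
        per_type[ERF_TYPE_NAMES.get(erf_type & 0x7F, f"type{erf_type & 0x7F}")] += 1
        if flags & 0x10:                        # flags bit 4: receive error flagged by the card
            rx_errors += 1
        offset += rlen
    return {"records": records, "per_interface": dict(per_iface), "per_type": dict(per_type),
            "rx_errors": rx_errors, "truncated": truncated}


def check_tracefile(path: str) -> dict:
    """Summarize a dagsnap output file such as /tmp/tracefile."""
    with open(path, "rb") as f:
        return summarize_erf(f.read())


if __name__ == "__main__":
    print(check_tracefile(sys.argv[1] if len(sys.argv) > 1 else "/tmp/tracefile"))
```

Zero records with no truncation points at the card or its link settings; a non-zero count with truncated=True means the capture was cut short, which is the overload case described above.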

If dagsnap shows no traffic, check the configuration of the Endace card. If both the card and the TAP/SPAN port are set to auto-negotiate, this can cause a conflict; disabling auto-negotiation on the Endace card may resolve it.

On Windows, the dagsnap utility makes changes at the kernel level, so the server will need to be restarted afterwards.