dagsnap -o /tmp/tracefile

dagsnap -o C:\tmp\tracefile

The output can then be opened in Wireshark to examine the type of traffic. You may need to convert the format of the file from ERF to PCAP using the utility dagconvert:

Dagconvert -T erf:pcap  -i <infile> -o <outfile>

Note: Be sure to stop the Monitor before running the Dagsnap utility.

Since Dagsnap is only a utility, it does not have the caching features of the Endace card.  Therefore, if the traffic is too high, Dagsnap may create a corrupt file which cannot be read.

If no traffic is seen from the dagsnap, check the configuration of the Endace card.  If it is set to auto-negotiate and so is the TAP\SPAN, then this can cause a conflict.  Setting the Endace card to no auto-neg may resolve this.

On windows, the dagsnap utility makes changes at the kernel level.  Therefore, the server will need to be restarted.