Why should customers use an Endace Card? What are the benefits?
Endace Cards are recommended for those customers with traffic over 45Mb/s reaching the monitor machine. Note that the rate at which Symantec DLP can detect in real time is significantly lower than what it can aquire from the wire. However, not all customers demand detection in real time, and Network Monitor is able to queue traffic well ahead of how quickly detection can process it.
Additional reasons for an Endace:
Burst rates may be far higher than sustained rate in typical Mbps bandwidth terms. Bursts can exceed software capture capabilities even if the average utilization seems well within capabilities.
Many customers are simply unable to filter upstream and, therefore, deliver a significant amount of "noise" in their feeds. They may also simply prefer to control their filtering on the monitor itself rather than conditioning the feed upstream.
40-45Mbps is mentioned at times as recommended traffic, but this is essentially decomposed message data. This does not necessarily correlate directly to stream bandwidth.
Some customers simply want the assurance that they will never miss a packet.
You can obtain Endace-like performance with a NIC if the OS is Linux. The native capture layer for Linux monitors in will provide an alternative in many circumstances.
Overall, though, if a site is willing and able to split, filter, or otherwise condition the offered load such that one or more monitors receive clean, low-rate feeds, then that is a perfectly acceptable deployment scenario.
Imported Document ID: TECH218706
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe