I have an Endace card, and I am not seeing traffic. How can I check if the issue is with the card or with the software?
Endace comes with a utility to capture traffic called dagsnap. Dagsnap will capture traffic and output it to a specified file. From the command line, type:
dagsnap -o /tmp/tracefile
dagsnap -o C:\tmp\tracefile
The output can then be opened in Wireshark to examine the type of traffic. You may need to convert the format of the file from ERF to PCAP using the utility dagconvert:
dagconvert -T erf:pcap -i <infile> -o <outfile>
Note: Be sure to stop the Monitor before running the Dagsnap utility.
Since Dagsnap is only a utility, it does not have the caching features of the Endace card. Therefore, if the traffic is too high, Dagsnap may create a corrupt file which cannot be read.
If dagsnap captures no traffic, check the configuration of the Endace card. If both the card and the TAP/SPAN port are set to auto-negotiate, this can cause a conflict. Setting the Endace card to no auto-negotiation may resolve this.
On Windows, the dagsnap utility makes changes at the kernel level. Therefore, the server will need to be restarted.
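To tell an empty capture (the card saw nothing) from a corrupt one (dagsnap could not keep up) before opening the file in Wireshark, the ERF records can be walked directly. The script below is an added example, not an Endace tool; it relies on the standard 16-byte ERF record header, assumes the lctr field carries the loss counter, and uses a constructed helper, make_record, only to build sample data.

```python
import struct
import sys
from collections import Counter

def scan_erf(data: bytes) -> dict:
    """Walk the ERF records in a dagsnap capture and summarise them."""
    stats = {"records": 0, "lost": 0, "rx_errors": 0,
             "per_interface": Counter(), "bad_offset": None}
    off = 0
    while off < len(data):
        if len(data) - off < 16:              # partial header at end of file
            stats["bad_offset"] = off
            break
        # ERF header: 8-byte timestamp, then type, flags (1 byte each) and
        # rlen, lctr, wlen (16-bit big-endian). Only the first four after
        # the timestamp are needed here.
        rtype, flags, rlen, lctr = struct.unpack_from(">BBHH", data, off + 8)
        if rlen < 16 or off + rlen > len(data):   # impossible or cut-off record
            stats["bad_offset"] = off
            break
        stats["records"] += 1
        stats["lost"] += lctr                      # assumption: loss counter
        stats["rx_errors"] += (flags >> 4) & 1     # flags bit 4: rx error
        stats["per_interface"][flags & 0x03] += 1  # flags bits 0-1: capture port
        off += rlen                                # rlen includes the header
    return stats

def verdict(stats: dict) -> str:
    if stats["bad_offset"] is not None:
        return "corrupt"       # file cut off or damaged, e.g. capture overrun
    if stats["records"] == 0:
        return "no-traffic"    # nothing delivered: check link and auto-negotiation
    return "ok"

def make_record(ts_sec: int, iface: int, frame: bytes, lctr: int = 0) -> bytes:
    """Constructed sample data: one ERF Ethernet record (type 2, 2-byte pad)."""
    rlen = 16 + 2 + len(frame)
    hdr = struct.pack("<Q", ts_sec << 32)          # little-endian timestamp
    hdr += struct.pack(">BBHHH", 2, iface, rlen, lctr, len(frame))
    return hdr + b"\x00\x00" + frame

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:            # e.g. /tmp/tracefile
        result = scan_erf(fh.read())
    print(verdict(result), result)
```

A non-zero "lost" total or a "corrupt" verdict points at the capture rate rather than the link, while "no-traffic" points at the card or TAP/SPAN configuration.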
Imported Document ID: TECH221214