If you are using an Endace card to capture traffic on a Symantec DLP Monitor, you may need to change the card's configuration before it will capture anything. I recently acquired an Endace DAG 3.7 GP and installed it in my Monitor server. Please note that the DAG 3.7GP drivers will only work on Windows 2000 or 2003. If you attempt to run the card on Windows 2008, even in TEST MODE, you will see the following errors in the PacketCapture.log file:
-----------------------------------------------------------
08/22/12 06:15:40 [0x00000a30] INFO StreamManager - StreamManager() StreamManager created [.\StreamManager.cpp(142)]
08/22/12 06:15:40 [0x00000a30] WARN PacketDriverFactory - Endace is enabled, but the Endace DAG driver is not supported on the current platform and will not function. [.\PacketDriverFactory.cpp(255)]
08/22/12 06:15:40 [0x00000a30] ERROR PacketCaptureMain - Packet Capture was unable to activate Endace device support. Please see PacketCapture.log for more information. [.\PacketCaptureMain.cpp(1819)]
08/22/12 06:15:40 [0x00000a30] INFO PacketCaptureMain - getSpoolDirectory() Got spool directory: C:/packet_spool [.\PacketCaptureMain.cpp(1240)]
----------------------------------------------------------
Once you have the card installed you will see the PacketCapture service start, but the Endace card is not capturing traffic. Upon further inspection, you will notice the link lights on the Endace DAG are off. The quickest way to see what is wrong is to compare the card's state before and after the Monitor service starts. Before the Monitor service starts, dagconfig shows both ports auto-negotiating with the link up, and dagsnap can read from the card:
C:\Endace\dag-3.3.1\bin>dagconfig default
Card Information:
Firmware: dag37gepci_erf_v2_2 3s1500fg456 2005/05/31 15:44:53 (factory)
Serial : 5642
MAC Address A : 00:00:00:00:00:00
MAC Address B : 00:00:00:00:00:00
Port A: auto_neg 1000
Port B: auto_neg 1000
GPP0:
varlen slen=1544 align64
Port A: drop_count = 0
GPP1:
varlen slen=1544 align64
Port B: drop_count = 0
PCI Burst Manager:
33MHz
buffer_size=64 rx_streams=2 tx_streams=1 nodrop nooverlap
Memory Streams:
mem=24:16:24
TERF:
terf_strip32
Mux:
steer=stream0 noifaceswap
CHECK DAG CARD STATUS
C:\Endace\dag-3.3.1\bin>dagconfig -d dag0 -s
Port link auto_neg_complete
A 1 1
B 1 1
C:\Endace\dag-3.3.1\bin>dagsnap -d0 -v -o tracefile
dagsnap: verbose: 0.001 MiBytes 0.000 MiBytes 0.000 MiBytes/sec (0 Megabps)
dagsnap: verbose: 0.001 MiBytes 0.000 MiBytes 0.000 MiBytes/sec (0 Megabps)
dagsnap: verbose: 0.002 MiBytes 0.001 MiBytes 0.001 MiBytes/sec (0 Megabps)
After starting the Monitor service and connecting to the Protect Management Server, the port settings have changed:
C:\Endace\dag-3.3.1\bin>dagconfig
Card Information:
Firmware: dag37gepci_erf_v2_2 3s1500fg456 2005/05/31 15:44:53 (factory)
Serial : 5642
MAC Address A : 00:00:00:00:00:00
MAC Address B : 00:00:00:00:00:00
Port A: noauto_neg 10
Port B: noauto_neg 10
GPP0:
varlen slen=1544 align64
Port A: drop_count = 0
GPP1:
varlen slen=1544 align64
Port B: drop_count = 0
PCI Burst Manager:
33MHz
buffer_size=64 rx_streams=2 tx_streams=1 nodrop nooverlap
Memory Streams:
mem=64:0:0
TERF:
terf_strip32
Mux:
steer=stream0 noifaceswap
CHECK DAG CARD STATUS
C:\Endace\dag-3.3.1\bin>dagconfig -d dag0 -s
Port link auto_neg_complete
A 0 0
B 0 0
Link and auto_neg_complete are now 0 on both ports: the Endace card has lost its link to the SPAN or TAP.
The PacketCapture.log, however, still reports the card as active, so the log alone will not reveal the problem:
08/22/12 11:05:42 [0x00000160] INFO PacketDriver - generalInitialize() Dag adapter dag0 succesfully started. [.\PacketDriverDag.cpp(592)]
08/22/12 11:05:42 [0x00000930] INFO PacketCapture - Beginning capture on device dag0 [.\PacketCapture.cpp(215)]
08/22/12 11:05:42 [0x00000160] INFO MonitorReactor - Starting Monitor Reactor. [.\MonitorReactor.cpp(107)]
08/22/12 11:05:42 [0x00000160] INFO PacketCaptureMain - start() Packet Capture has started. System Event logged. [.\PacketCaptureMain.cpp(1750)]
SOLUTION: The Monitor configuration routine sets a parameter on the Endace card that causes it to lose its link to your SPAN or TAP. In my case, setting the card to noauto_neg (no auto-negotiate) caused the card to go offline. To fix the issue, isolate the Endace configuration change made by the Symantec Monitor (compare the dagconfig output before and after the Monitor service starts, as above) and correct it using the daxextraconfig.bat file. In this case, I needed to set the card back to auto-negotiate, so I added call dagconfig auto_neg at the end of the batch file. Once I implemented the change, the card started to capture traffic. After restarting the Monitor service, re-run dagconfig -d dag0 -s and confirm that link and auto_neg_complete are back to 1 on each port before trusting the capture.
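The comparison described above can be automated. The following is an added example (not code from the original post, Symantec or Endace): it parses the two dagconfig outputs and the dagconfig -s status output shown on this page, reports which settings the Monitor changed, lists the ports whose link is down, and emits the dagconfig command that restores the original auto-negotiation mode. The sample outputs are copied from the page; the function names and the run_dagconfig helper are this example's own.

```python
"""Diff Endace dagconfig output before/after the Symantec DLP Monitor starts.

Added example, not part of the original post or of Symantec/Endace tooling.
Sample text below is the dagconfig output shown on the page (DAG 3.7GP,
dag-3.3.1 tools); function and helper names are this example's own.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# dagconfig output before the Monitor service started (link up, auto_neg).
BEFORE_CFG = """\
Card Information:
Firmware: dag37gepci_erf_v2_2 3s1500fg456 2005/05/31 15:44:53 (factory)
Serial : 5642
MAC Address A : 00:00:00:00:00:00
MAC Address B : 00:00:00:00:00:00
Port A: auto_neg 1000
Port B: auto_neg 1000
GPP0:
varlen slen=1544 align64
Port A: drop_count = 0
GPP1:
varlen slen=1544 align64
Port B: drop_count = 0
PCI Burst Manager:
33MHz
buffer_size=64 rx_streams=2 tx_streams=1 nodrop nooverlap
Memory Streams:
mem=24:16:24
TERF:
terf_strip32
Mux:
steer=stream0 noifaceswap
"""
# Same card after the Monitor's configuration routine ran (link down).
AFTER_CFG = BEFORE_CFG.replace("auto_neg 1000", "noauto_neg 10").replace(
    "mem=24:16:24", "mem=64:0:0")
# "dagconfig -d dag0 -s" after the Monitor started.
AFTER_STATUS = "Port link auto_neg_complete\nA 0 0\nB 0 0\n"

SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*):\s*$")
KEYVAL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.+)$")


def parse_dagconfig(text: str) -> Dict[str, str]:
    """Flatten dagconfig output into {"<section>/<key>": value}.

    "Port A" appears under several sections, so keys carry their section.
    Lines without a "key: value" shape ("33MHz", "mem=64:0:0", ...) are
    joined per section under "<section>/flags".
    """
    settings: Dict[str, str] = {}
    flags: Dict[str, List[str]] = {}
    section = "top"
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = KEYVAL_RE.match(line)
        if m:
            settings[f"{section}/{m.group(1).strip()}"] = m.group(2).strip()
        else:
            flags.setdefault(section, []).append(line)
    for sec, items in flags.items():
        settings[f"{sec}/flags"] = " ".join(items)
    return settings


def parse_link_status(text: str) -> Dict[str, Dict[str, bool]]:
    """Parse "dagconfig -d dag0 -s" rows into {port: {link, auto_neg_complete}}."""
    status: Dict[str, Dict[str, bool]] = {}
    for parts in (l.split() for l in text.splitlines()):
        if len(parts) == 3 and len(parts[0]) == 1 and parts[1].isdigit():
            status[parts[0]] = {"link": parts[1] == "1",
                                "auto_neg_complete": parts[2] == "1"}
    return status


def diff_config(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {key: (old, new)} for every setting whose value changed."""
    return {k: (before.get(k, ""), after.get(k, ""))
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}


def restore_commands(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """dagconfig command(s) that put a changed auto-negotiation mode back.

    Only the mode token (auto_neg / noauto_neg) is compared; the speed that
    follows it is whatever the card reports. De-duplicated, mirroring the
    single "call dagconfig auto_neg" line the post adds to the batch file.
    """
    cmds: List[str] = []
    for key, (old, new) in diff_config(before, after).items():
        if not key.startswith("Card Information/Port ") or not old or not new:
            continue
        old_mode, new_mode = old.split()[0], new.split()[0]
        if old_mode != new_mode and old_mode in ("auto_neg", "noauto_neg"):
            if f"dagconfig {old_mode}" not in cmds:
                cmds.append(f"dagconfig {old_mode}")
    return cmds


def link_down_ports(status: Dict[str, Dict[str, bool]]) -> List[str]:
    return sorted(p for p, s in status.items() if not s["link"])


def diagnose(before_cfg: str, after_cfg: str, after_status: str) -> Dict[str, object]:
    before, after = parse_dagconfig(before_cfg), parse_dagconfig(after_cfg)
    return {"changed": diff_config(before, after),
            "link_down": link_down_ports(parse_link_status(after_status)),
            "restore": restore_commands(before, after)}


def run_dagconfig(*args: str, dagconfig: str = "dagconfig") -> str:
    """Run the real tool (e.g. C:\\Endace\\dag-3.3.1\\bin\\dagconfig) and return stdout."""
    return subprocess.run([dagconfig, *args], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    report = diagnose(BEFORE_CFG, AFTER_CFG, AFTER_STATUS)
    for key, (old, new) in report["changed"].items():
        print(f"{key}: {old!r} -> {new!r}")
    print("link down on ports:", report["link_down"])
    print("add to the extra-config batch file:", *report["restore"])
```

Run it with the sample data to see the three settings the Monitor changed (Port A, Port B and the memory stream split) and the single restore command; on a live Monitor, capture run_dagconfig() output before and after starting the service and feed those strings to diagnose() instead of the constants.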