DockOS is a ready-to-deploy “open source toolkit” that will get you up and running with open source tools in minutes. It is a Linux virtual machine image that is fully open source (source code is available), free-of-charge and can be extended by adding additional open source tools or custom code.

Eliminate time-consuming installation and build tasks with a pre-built VM image configured with recent versions of popular open-source network monitoring tools, and optimized for high performance on any EndaceProbe in your network. Deploying open-source network monitoring software has never been easier.

DockOS comes as a standard VM image that can be deployed on all EndaceProbe™ Network Analytics Platforms,

Download datasheet

Pre-Installed Applications

DockOS comes with a number of commonly-used applications pre-installed as well as some standard Endace applications. It also includes a DAG-enabled libpcap library that allows any libpcap-enabled application to be hosted in DockOS and take advantage of DAG's accelerated throughput.



SNORT® is an open source network intrusion prevention system and network intrusion detection system.

It performs a variety of protocol analysis including:

  • Content searching and marching
  • Detection of attacks and probes such as:
    • Buffer overflow
    • Stealth port scans
    • CGI attacks
    • SMB probes
    • OS Fingerprinting attempts

SNORT offers users community support, rule subscriptions and a knowledge base including deployment and set up guides, and whitepapers.



Suricata™ is a robust network threat detection engine. It’s capable of real time intrusion detection, inline intrusion prevention, network security monitoring and offline pcap processing.

Suricata works by inspecting network traffic using extensive rules and a signature language, which is reinforced by Lua scripting for detecting complex threats. It uses standard input and output formats, including YAML and JSON, and integrates with other tools such as:

  • SIEMs e.g. Splunk
  • Logstash
  • Elasticsearch
  • Kibana


Wireshark is a widely-used network protocol analyzer and shows you what’s happening on your network at a packet level. It’s the de facto standard across commercial, non-profit enterprises, government agencies and, educational institutions.



The (formerly Bro IDS) offers a different take on intrusion detection systems by also providing a comprehensive platform for general network traffic analysis.

Built on 15 years of research, Zeek is relied upon by many scientific environments (its community includes: major universities, research labs, supercomputing centers and many large commercial enterprises) to secure network infrastructure.

Endace Trafstat


Trafstat is an Endace application that collects and analyses traffic statistics from an ERF file or directly from the vDAG card stream. Trafstat then creates a traffic profile that returns information about traffic flows in the data. This information includes:

  • Average bandwidth used
  • Peak bandwidth
  • TCP / UDP port numbers
  • Number of concurrent flows
  • Average flowrate
  • Packet rate

Trafstat uses the 9-tuple of an IP packet extension header to generate a corresponding flow hash.

Trafstat can output into two different formats, depending on your requirements:

  • stdout printed to your console.
  • .csv files

Input/Output Options

There are a variety of I/O options that can be used by applications hosted in Application Dock, from VirtIO for maximum application compatibility to vDAG for accelerated performance. Which I/O option you choose will depend upon your need for high-speed performance and your ability to customize the application you are hosting.


The libpcap library is a portable packet capture library supporting many platforms, and is widely used by network monitoring and security applications in order to access the raw network packets.

A DAG-enabled libpcap library is pre-installed, allowing libpcap based applications zero-copy access to network packets with full stack bypass. Both nanosecond and microsecond libpcap timestamps are supported.

Both the vDAG and vNIC modes support libpcap based applications.

For applications which dynamically link to libpcap or can be recompiled, the vDAG mode native libpcap provides the best performance. For applications which statically link to libpcap, or where recompilation is not possible, the vNIC mode provides excellent compatibility.


To optimize performance, virtual DAG drivers are pre-installed in DockOS, providing the same APIs as physical DAG cards. DockOS VMs can leverage zero-copy packet capture for high bandwidth applications.

The vDAG mode retains the original ERF time stamps from the EndaceProbe. These ERF time stamps can be converted to microsecond or nanosecond format by libpcap when needed

Applications can make use of the native DAG capture API and tools. A DAG native Snort DAQ module is provided for zero-copy IDS.


VirtIO is a family of paravirtualized device drivers optimized for data transfer to and from virtual machines. Rather than emulating a specific legacy hardware device, VirtIO provides simplified and abstracted device models to improve compatibility and performance.

EndaceProbe Application Dock supports VirtIO drivers. This simplifies application deployment by maximizing Application Dock’s compatibility with pre-existing applications and VMs that you might wish to host in the Application Dock environment.

The VirtIO-net device can be used by Application Dock VM guests to provide network interfaces for management traffic, as well as for standard packet capture, without requiring the installation of proprietary drivers.

This makes it possible to host almost any application in Application Dock, ensuring compatibility with most packet-processing applications that can run on a Linux platform. EndaceProbe Datapipes can forward live captured traffic, or replay pre-recorded network traffic to hosted Application Dock VMs using VirtIO-net devices.

If accelerated IO performance is needed, the Endace vDAG device, also included in Dock OS, offers a high-speed IO option.


EndaceProbe vNIC virtual network devices can be presented to Dock VMs as emulated NICs, such as e1000, or paravirtualized VirtIO-Net devices. These virtual NICs can be used with any applications that require either raw NICs or Linux network interfaces.

The vNIC mode does not retain the original EndaceProbe ERF timestamps, instead the VM applies local software time stamps for each packet.

Examples include libpcap, AF_PACKET sockets, netlink/netfilter, and Linux kernel networking. This can be useful when running ‘shrink-wrapped’ appliance VMs where it is not possible to add device drivers or reconfigure software.