Packets don’t lie - unless ...

  • You don’t know where they came from
  • You don't know how they were captured
  • You don't know whether filters were applied or there was any packet loss

In short, if you don’t have context to go along with the packet data, the packets themselves don't give you the entire picture.

What is Provenance?

Provenance™ is a mechanism for adding context to network packet capture data automatically as the packets are captured – like the metadata in digital images. It stores this context information in sequential records written into the packet stream as the packets are recorded – so the context always lives with the packet data.

Provenance is a feature supported by both Endace DAG cards and the EndaceProbe™ Network Analytics Platform. Like pcapng, the next-generation pcap format, Provenance provides a mechanism for adding context to network packet capture data, but its basic design differs from pcapng in a significant way.

Whereas pcapng allows metadata to be added in header blocks, Provenance writes contextual data into sequential records in the packet stream as the packets are recorded. This makes it ideal for recording data that can vary over the course of the packet capture - such as optical power levels or the amount of clock drift from a time signal source.

Provenance is written into recorded packet streams that use the ERF (Extensible Record Format) format, and Provenance records can be read directly in tools that support ERF packet capture files, such as Wireshark.

Using Provenance to meet MiFID II Timing Requirements

Under MiFID II's RTS-25 regulations, clocks used for time stamping must be accurately synchronized to Coordinated Universal Time (UTC) and accurate to within one microsecond or better, and they must not diverge from UTC by more than 100 microseconds. Provenance can record timing accuracy continuously, once every second, making it ideal for ensuring compliance with RTS-25.
