EndaceProbe Capabilities

EndaceProbes support a broad range of features, functions
and capabilities to improve network visibility.

EndaceProbe Capabilities

EndaceProbe™ Network recorders are based on high-performance server hardware tightly integrated with Endace DAG™ technology, our own proprietary operating system (OSm) and an application layer comprising EndaceVision™ and custom or third-party applications running in the Application Dock VM based hosting environment on EndaceProbes.

100% accurate line rate packet capture

Leveraging the power of DAG technology, EndaceProbes capture every packet from the wire, regardless of packet size or line rate at speeds up to and including 40Gbps natively. When used with EndaceAccess™ Network Visibility Head-Ends, EndaceProbes can also provide full visibility into 100Gbps links.

Unlike NIC-based solutions, DAG technology uses powerful direct memory access (DMA) techniques to acquire and move packets from the wire directly into host memory using minimal CPU resources. By reducing the processing cycles required to acquire packets, applications hosted on the system can be given more resources to work with.

Find out about DAG.

Highly accurate time stamping at the interface

For traders concerned with minimizing latency, and anyone interested in forensic packet reconstruction, highly accurate time stamping of captured packets is essential. The DAG technology that underpins every EndaceProbe attaches a nanosecond accurate time stamp to every packet. Time stamps have a resolution of +/- 7.5 nanoseconds and an accuracy of +/- 50 nanoseconds. Using timing input technologies the time stamps on many EndaceProbes can be synchronized to within a few nanoseconds.

At 10Gbps, without nano-second-levels of accuracy, it's possible for anything up to 1500 packets to be given the exact same time stamp, which makes accurate reconstruction and forensic examination of traffic very challenging.


EndaceProbes allow captured packets to be recorded to local disk for retrospective analysis by a range of different tools. Writing packets to disk at high line rates is a significant technical challenge and requires careful selection and optimization of system components.

EndaceProbes support up to 192TB of local storage (offering several days of storage in most cases) and line rate write-to-disk at up to 40Gbps. A choice of SAS or SSD based EndaceProbe models are available to suit a wide range of throughput performance, storage, and space requirements.

Real-time protocol identification

Knowing exactly which application a packet relates to is essential for effective diagnostics and troubleshooting. The integrated Deep Packet Inspection (DPI) engine makes EndaceProbes "application aware". Every flow captured by EndaceProbes is given an application classification which is added into the metadata database that underpins EndaceVision.

The application identification algorithm can accurately identify nearly 600 different applications. Endace provides a continual update service to ensure that the currency of the library is maintained.

About DPI on EndaceProbes

Packet filtering, replication and de-duplication

Different tools require different packet inputs to provide visibility into different things. To ensure that applications operate at maximum efficiency, Endace Systems are able to filter (and drop) packets based on a wide range of different parameters at all levels of the OSI stack.

Because Endace Systems are multi-application capable there's often a requirement to send the same packet to two different places. To fulfill this requirement, EndaceProbes support packet replication and, where necessary, de-duplication.

Eventing engine

The Eventing Engine is an important part of the system design that enables Endace Network Monitoring visibility modules and third-party applications to share information amongst tools and to communicate up through EndaceVision.

The Engine enables workflows to be smoothed and Mean Time to Resolution to be reduced. The Event Recording Trigger can extend the capacity of the local on-system storage by only writing packets to local disk that relate to a specific event. By using the Event Trigger, only the needles are stored and the haystack is removed.

Traffic indexing

As packets are recorded from the network they are indexed in real-time. The index is stored locally on every EndaceProbe (in addition to the captured packets) and includes a wide range of essential metadata including application type, IP addressing, MAC address, time stamp, etc. that enables engineers to quickly isolate packets of interest from anywhere across the network.

The packet index is the power behind EndaceVision, the powerful network visualization, packet search and retrieval application bundled with every EndaceProbe.

Find out more about EndaceVision

Central management and access security

Every element of an Endace Monitoring and Recording Fabric shares a common management interface that enables the health, status and performance of every system to be monitored from a central point. Central management enables all Endace Systems (EndaceProbes, EndaceFlow™ NetFlow Generators and EndaceAccess™ Network Visibility Head-Ends) to reside comfortably in a lights-out, data center environment.

At the heart of a monitoring and recording fabric is an EndaceCMS™ Central Management Server which provides the central management capability.

In addition to central management, every Endace System supports RBAC and TACACS access as well as full audit reporting of end-user activity and Syslog.

Packet forwarding

In certain use cases, there's a requirement to get packets off EndaceProbes and saved elsewhere. EndaceProbes support a programmable XML interface that enables recorded packets to be filtered and exported in near real time. Packets can be exported at speeds up of up to 10Gbps in either ERF or PCAP formats.

NetFlow generation

For a complete packet-and-flow monitoring fabric, EndaceFlow™ NetFlow Generators can be combined with EndaceProbes to deliver highly accurate NetFlow® V5, V9 or IPFIX. NetFlows can be either pure (unsampled) or sampled NetFlows and can be exported as a TCP stream via the management LAN. EndaceFlows are capable of generating 100% accurate NetFlow at a sustained rate of up to 30Gbps

Find out about EndaceFlow

Support for custom and third-party applications

Endace Application Dock™ is an integral part of a visibility fabric and enables virtual images of any custom or compatible third-party applications to be installed on an EndaceProbe.

Running in Application Dock ensures the software application can access a 100% accurate filtered stream of packets and, as a result, provide more reliable and predictable outputs. EndaceProbes allow up to six applications to be hosted simultaneously depending on the specification of the EndaceProbe model and the resource requirements of the hosted application.

Find out about Application Dock.