We didn’t think Splunk could do DPI. Our testing proved it can!

By: Alistair Meakin, MarQuest

As a certified Splunk partner, and provider of network operations and security consultancy, MarQuest has extensive knowledge of the benefits Splunk brings to network operations (NetOps) and security operations (SecOps) teams. Curious about the Endace Fusion Connector for Splunk, we completed an independent evaluation of it to assess its usability and benefits. By installing, deploying and using the application, we looked for answers to the following questions:

  • Is the application likely to add value to IT operations?
  • How usable is the application?

A little background

As you’ve guessed from the title, we were impressed by what we found, but let’s start with the real issue at hand – forensics packet capture. Determining what caused a network incident, particularly one that damages end-user experience or compromises security, is critical, and forensics packet capture is the heartbeat of post-incident analysis. A significant challenge in retrieving relevant data from a forensics capture is finding a small amount of data inside a very large data set – the “needle in the haystack.” Moreover, with 10Gb Ethernet (10GbE) link rates and more and more mobile devices used for business, each generating many small flows, simply collecting all of the network traffic without loss can itself be an issue.

Splunk

We deal with networks all day and all night and know that Splunk is a very useful tool for NetOps and SecOps teams. A Splunk dashboard, either customized or from a specific app, shows high-level information about a network incident, such as a service level agreement (SLA) non-compliance or a suspected distributed denial-of-service (DDoS) attack.

Typically, following notification of an incident, NetOps or SecOps staff will gather data packets from the infrastructure, particularly in cases where bit-level information may be useful. Since packet analysis systems generally run independently of any log collation system, the engineer first takes the time of the event from the logs, then determines which hosts and protocol ports are relevant, and then manually mines any available packet captures for that window, repeating the process until a root cause or the critical item of information is identified. We’ve experienced lengthy delays in resolving an incident while sorting through piles of data in this way.

Wouldn’t it be nice…

We’ve often yearned for a way to make the process of identifying the packets related to a log event faster. The payoff in time savings to our clients would be huge. Also, if the system for obtaining packets could be simplified, a skilled analyst could be presented with packets gathered by a non-specialist and so work more efficiently.

Enter the Endace Fusion Connector for Splunk

We now present our findings on the Endace Fusion Connector for Splunk. It not only achieves this objective by launching a packet forensics search directly from an event reported by Splunk, but in our testing it also cut the time taken to get to the information and insight you need to make an informed and effective decision by roughly half.

For example, if a server reports high interface usage, packets for this server, starting before the event and finishing afterwards, are needed for analysis. Without the Endace Fusion Connector for Splunk, I had to search Splunk for the event time, location and IP address details and then manually search for and recover the associated packets from the Endace probe. This took me around 2¾ minutes, even when I instinctively knew the process. When I then enabled the Endace Fusion Connector for Splunk, the time taken reduced to about 75 seconds, an impressive time saving of around 55 percent.
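To make the manual step concrete, the following is an added example written for this article; it is not code from MarQuest, Endace or Splunk, and it says nothing about how the connector itself is implemented. It automates the correlation an engineer otherwise does by hand: take the event time and host details from a Splunk-style event, open a window that starts before and finishes after the event, and select only the packets involving that host (and port, where the event names one). The event line, field names (`ip`, `port`) and packet records are constructed samples, and the 60-second window either side of the event is an assumed default. The IP and port are validated before being placed in a capture filter, because a value lifted straight from a log line and handed to a shell-invoked capture tool is an injection point a forensics pipeline should not have.

```python
"""Added example: log event -> capture window + host/port filter -> matching packets.
All event and packet data below are constructed samples, not real traffic."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# Assumed defaults: how far before and after the event to collect packets.
DEFAULT_BEFORE = timedelta(seconds=60)
DEFAULT_AFTER = timedelta(seconds=60)


@dataclass(frozen=True)
class Packet:
    """Minimal packet record (constructed for this example, not a real pcap)."""
    ts: datetime
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def parse_event(line: str) -> dict:
    """Parse a constructed Splunk-style event: ISO-8601 timestamp, then key=value pairs."""
    ts_str, _, rest = line.partition(" ")
    event = {"_time": datetime.fromisoformat(ts_str)}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def forensic_window(event: dict, before: timedelta = DEFAULT_BEFORE,
                    after: timedelta = DEFAULT_AFTER):
    """Capture window that starts before and finishes after the reported event."""
    return event["_time"] - before, event["_time"] + after


def bpf_filter(event: dict) -> str:
    """Build a tcpdump/tshark capture filter from the event's IP and optional port.

    Both fields are validated first: the filter string usually ends up in a
    shell-invoked tool, so an unvalidated value lifted from a log line could
    inject filter syntax (or worse) into the forensics pipeline."""
    host = str(ipaddress.ip_address(event["ip"]))  # ValueError if not a literal IP
    clauses = [f"host {host}"]
    if "port" in event:
        port = int(event["port"])
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        clauses.append(f"port {port}")
    return " and ".join(clauses)


def select_packets(packets, event, before: timedelta = DEFAULT_BEFORE,
                   after: timedelta = DEFAULT_AFTER):
    """Apply the same host/port criteria as bpf_filter(), plus the time window,
    to an in-memory packet list (what the engineer otherwise does by eye)."""
    start, end = forensic_window(event, before, after)
    host = str(ipaddress.ip_address(event["ip"]))
    port = int(event["port"]) if "port" in event else None
    hits = []
    for p in packets:
        if not start <= p.ts <= end:
            continue
        if host not in (p.src, p.dst):
            continue
        if port is not None and port not in (p.sport, p.dport):
            continue
        hits.append(p)
    return hits


# Constructed sample event: a server reporting high interface usage at 10:15:30 UTC.
SAMPLE_EVENT = ("2024-03-05T10:15:30+00:00 host=web01 ip=10.1.2.3 port=443 "
                "msg=high_interface_usage")


def _t(hh, mm, ss):
    return datetime(2024, 3, 5, hh, mm, ss, tzinfo=timezone.utc)


# Constructed packets around the event; comments say why each is kept or dropped.
SAMPLE_PACKETS = [
    Packet(_t(10, 14, 0), "10.1.2.3", "203.0.113.9", "tcp", 443, 52000),    # too early
    Packet(_t(10, 15, 10), "198.51.100.7", "10.1.2.3", "tcp", 51000, 443),  # match
    Packet(_t(10, 15, 35), "10.1.2.3", "198.51.100.7", "tcp", 443, 51000),  # match
    Packet(_t(10, 15, 40), "10.1.2.3", "10.1.2.53", "udp", 40000, 53),      # host ok, port no
    Packet(_t(10, 16, 0), "10.9.9.9", "10.1.2.50", "tcp", 51001, 443),      # wrong host
    Packet(_t(10, 17, 0), "198.51.100.7", "10.1.2.3", "tcp", 51000, 443),   # too late
]

if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    start, end = forensic_window(ev)
    print(f"window: {start.isoformat()} .. {end.isoformat()}")
    print(f"filter: {bpf_filter(ev)}")
    for p in select_packets(SAMPLE_PACKETS, ev):
        print(p)
```

Run against a real capture, the window from `forensic_window()` is what you would hand to `editcap -A/-B` to slice the pcap, and the string from `bpf_filter()` is what you would pass to `tcpdump -r` or `tshark -r` to keep only the host's traffic; dropping the `port` field widens the selection to every flow touching the host, which is usually the right first cut when the event does not name a service.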

We took our measurements from real-world operations and can see how a time saving of this size could easily be the critical factor in preventing a seemingly benign security event from escalating into a serious incident. We were also impressed with the ease with which packet captures can be obtained with the Endace Fusion Connector for Splunk. Knowledge of the forensics analyser is not required, and obtaining packets is just a few clicks in the Splunk GUI, freeing up senior personnel for more productive activities.
