Network Instruments GigaStor 114ff User Manual

Enterprise-strength network probe appliance

Summary of Contents for Network Instruments GigaStor 114ff

  • Page 1 GIGASTOR ™ rev. 1...
  • Page 3 GigaStor User Guide rev. 1...
  • Page 4 Network Instruments, LLC. (“Network Instruments”) warrants this hardware product against defects in materials and workmanship for a period of 90 days from the date of shipment of the product from Network Instruments, LLC. Warranty is for depot service at Network Instruments corporate headquarters in Minneapolis, MN, or Network Instruments’ London, UK office.
  • Page 5 Limited Warranty—Software Network Instruments, LLC (“DEVELOPER”) warrants that for a period of sixty (60) days from the date of shipment from DEVELOPER: (i) the media on which the SOFTWARE is furnished will be free of defects in materials and workmanship under normal use;...
  • Page 6 The SOFTWARE is neither shareware nor freeware. The SOFTWARE is a commercial software package that is subject to international copyright laws. Single User License Grant: Network Instruments, LLC (“DEVELOPER”) and its suppliers grant to END-USER a nonexclusive and nontransferable license to use the DEVELOPER software (“SOFTWARE”) in object code form solely on a single central processing unit owned or leased by END-USER or otherwise embedded in equipment provided by DEVELOPER.
  • Page 7 UK and Europe: support@networkinstruments.co.uk Network Instruments provides technical support for a period of 90 days after the purchase of the product at no charge. After the 90-day initial support period, support will only be provided to those customers who have purchased a maintenance agreement.
  • Page 9: Table Of Contents

    Chapter 1: About the GigaStor; GigaStor versions (page 14). Chapter 2: Installing Your GigaStor; Unpacking and inspecting the parts...
  • Page 10 Tapping a WAN connection (page 42); T1/E1...
  • Page 11 Chapter 7: Observer on the GigaStor; Using the Observer console locally on the GigaStor (page 108). Chapter 8: Probe Instances; What is a probe instance?...
  • Page 13: Chapter 1: About The Gigastor
  • Page 14: Gigastor Versions

    GigaStor versions. The GigaStor is an enterprise-strength network probe appliance. It combines a multi-terabyte, high-performance Redundant Array of Independent Disks (RAID) with a dedicated, high-speed network capture card in a modular, easy-to-deploy appliance. There are two versions of the GigaStor: the GigaStor and the GigaStor Expandable. Unless specifically noted, all information in this manual...
  • Page 15 possible to use the same probe to monitor different types of links as needed. For example, you can easily convert the capture card from optical to copper, allowing you to connect the GigaStor to different test access points (TAPs) or switch port analyzer (SPAN) or mirror interfaces.
  • Page 17: Chapter 2: Installing Your Gigastor
  • Page 18: Unpacking And Inspecting The Parts

    The general steps to install your GigaStor are: Additional steps to complete the installation are: Unpacking and inspecting the parts: Your GigaStor includes a number of components. Take a moment after unpacking the kit to locate all of the parts...
  • Page 19: Installing The Gigastor And Connecting The Cables

    Installing the GigaStor and connecting the cables Install the GigaStor and any expansion units into your rack using the supplied rails. Instructions for installing the rail kits are provided in the rail kit box. Install the drives into the GigaStor and any expansion units. See “Installing the drives in your GigaStor”...
  • Page 20 Ensure that each drive’s power/activity light is lit. If a drive’s light is not lit, it is likely that the drive is not seated properly. Turn off the GigaStor and reseat the drives. For more information, see “Installing the drives in your GigaStor” on page 50. Log in using the Administrator account.
  • Page 21 Figure 3 Probe Service Configuration Applet. 10. The Probe Administration window opens. Click the Probe Options tab (Figure 4). 11. Change the name of the probe to something meaningful to you. The name might be the physical location of the probe. Click Apply to save your changes and close the window.
  • Page 22: Connecting Observer To The Gigastor

    This section assumes you have already installed Observer on your desktop or laptop. If not, install the software; you can download it from the Network Instruments website. There are three main tasks to connect Observer to your GigaStor. Redirecting the GigaStor probe: Choose Start →...
  • Page 23 Type the IP address that you assigned to the GigaStor in step 7 in “Setting the GigaStor’s IP address” on page 19 and click OK. You may leave the other fields blank. If you type a name, the name will change after Observer connects to the remote probe. The GigaStor appears in the list of probes available for redirection (Figure 7).
  • Page 24: Probe Administration

    Select the probe instance and click Redirect Selected Instance. Figure 9 (Redirecting Probe or Probe Instance) appears. Choose the “Redirect to this Observer” option, then click the Redirect button. Within 30 seconds the GigaStor will connect to the local Observer. If you use NAT, see “NAT” on page 124. Close the Probe Instance Redirection window.
  • Page 25 Click Probe Administration (see Figure 7). The Probe Administration Login window opens (Figure 10 Remote Probe Administration). Ensure “Login using a user account configured for this Probe” is selected and click OK. The Probe Administration window opens to the Memory Management tab (Figure 11).
  • Page 26 By default all of the installed memory on the GigaStor is dedicated for one probe instance. You must first release the memory so that you can assign the freed memory to other probe instances. With the newly renamed probe instance still selected, click Configure Memory (Figure 12) at the top of the window.
  • Page 27 Click New Instance. Figure 14 appears. You are configuring a GigaStor probe to capture data and write it to the hard drive. Therefore ensure “Probe instance” is selected in the Instance type. Type a name and description and click Next.
  • Page 28 Figure 15 Edit Probe Instance: Configure Memory. From the RAM that you released earlier, assign some of it to this probe instance and click Next. 10. Ensure the correct network adapter is selected and click Finish to redirect the GigaStor to your local Observer console (Figure 16 Edit Probe Instance: Connect to Console).
  • Page 29: Gigastor Capture Analysis

    11. Repeat steps 7 through 10 until you have created all of your probe instances. Any unused memory should be reallocated to the packet capture buffer of the active probe instance or to the operating system. 12. Click OK to close the Probe Administration windows. After a moment the GigaStor probe and any probe instances appear in the Observer Probe list found along the left side of the main Observer window.
  • Page 30 Figure 18 GigaStor Settings Schedule tab In the Schedule GigaStor Capture section, select Always. For more information about a packet capture vs. GigaStor capture, see “Packet Capture or GigaStor Capture” on page 53. In the Reserve scheduling for section, select GigaStor and click OK.
  • Page 31: Configuring Observer For Your Gigabit Device

    Configuring Observer for your Gigabit device Depending on your probe and your network, you may need to make some changes from the factory defaults. Jumbo Frame Support (Gigabit Ethernet) When a Gigabit Ethernet GigaStor is the selected probe, Observer displays an additional Gigabit tab on the Probe or Device Setup dialog.
  • Page 32: Configuring Terms Of Service And Quality Of Service Settings

    Configuring Terms of Service and Quality of Service settings The ToS/QoS settings are configured for each probe. Select the gigabit probe and right-click. A menu appears. Choose Probe or Device Settings. Click the ToS/QoS tab (Figure 20). Specify the IP precedence bits for the terms of service/quality of service for your network.
  • Page 33: Configuring Observer For Your Wan Device

    Configuring Observer for your WAN device There are a number of setup options and statistical displays unique to WAN Observer, which are described in the following subsections. Before you can analyze the WAN link, you must set some device options. You must also have the appropriate administrative privileges to change WAN device settings.
  • Page 34: Digital Ds3/E3/Hssi Probe Settings

    Digital DS3/E3/HSSI Probe Settings. To access the probe settings, select the probe, right-click and choose Probe or Device Settings. Then click the DS3/E3/HSSI tab (Figure 21 DS3/E3/HSSI Probe Settings). Table 1 (DS3/E3/HSSI probe settings) describes the fields in Figure 21, giving each Setting and its Explanation, beginning with WAN Type...
  • Page 35: Digital T1/E1 Probe Settings

    Digital T1/E1 Probe Settings. To access the probe settings, select the probe, right-click and choose Probe or Device Settings. Then click the T1/E1 tab (Figure 22). Table 2 (T1/E1 WAN Probe Settings) describes the fields in Figure 22. WAN/Frame Relay Type: Choose T1 or E1 to match the type of link you are analyzing.
  • Page 36: Serial T1/E1 Probe Settings

    Serial T1/E1 Probe Settings. Table 3 (Serial T1/E1 probe settings) describes the fields for a serial T1/E1 connection. WAN/Frame Relay Type: Choose T1 or E1 to match the type of link you are analyzing. Encapsulation: You must set this to match the settings on the frame relay router. Fractionalized: Check if your link is configured for fractionalized operation.
  • Page 37: Tapping An Ethernet Or Fibre Channel Connection

    Tapping an Ethernet or Fibre Channel connection. This section describes how to connect the cables for these environments: 10/100/1000, 10GbE Optical, and Fibre Channel. The optical Ethernet kit includes: To connect the TAP to the GigaStor: Insert the supplied SFP connectors (XFP connectors for 10GbE) into the open slots on the back of the Gen2 card(s).
  • Page 38 Figure 23 Gen2 card port assignments (2-port). Use the supplied Ethernet cable to connect the network interface card in the GigaStor to the network. Straight-through cable: If you are using a switch’s SPAN/mirror port, no nTAP is required. Simply plug any straight-through or fibre cable between the SPAN/mirror port and one of the ports on the Gen2 capture card.
  • Page 39 Figure 24 GigaStor with an optical nTAP: the optical TAP sits between the server (DTE) and the gigabit switch (DCE) and feeds the Gen2 card in the GigaStor or GigaStor Expandable; the 10/100/1000 NIC carries TCP/IP to the Observer console.
  • Page 40: Gigabit Copper

    Gigabit copper The Gigabit copper kit includes: To connect the TAP to the GigaStor: Insert the supplied SFP connectors into the open slots on the back of the Gen2 card(s). If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units”...
  • Page 41 Use the supplied Ethernet cable to connect the network interface card in the GigaStor to the network. Straight-through cable: If you are using a switch’s SPAN/mirror port, no nTAP is required. Simply plug any straight-through Ethernet cable into the SPAN/mirror port on the switch and one of the ports on the Gen2 capture card.
  • Page 42: Tapping A Wan Connection

    Tapping a WAN connection. This section describes how to connect the cables for these environments. T1/E1: See “Digital” on page 42 or “Serial” on page 44 depending on your needs. Digital: The digital T1/E1 kit includes: If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units”...
  • Page 43 Now that you have physically connected the cables for the GigaStor, you must configure its software. See “Setting the GigaStor’s IP address” on page 19. Figure 27 shows the GigaStor as it would be cabled to analyze a T1/E1 link: a T1 TAP between the Channel Service Unit/Data Service Unit (CSU/DSU) and the router or T1 line (DCE).
  • Page 44 Serial: The serial T1/E1 kit includes: If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting them. After connecting them, continue with step 2. Connect the TAP to the GigaStor using the serial T1/E1 WAN cable.
  • Page 45 Figure 28 WAN Serial T1/E1 TAP: the serial T1/E1 TAP (with DTE, DCE, mode, output, active and power indicators) sits between the CSU/DSU (DTE) and the router (DCE) and connects to the GigaStor or GigaStor Expandable; the 10/100/1000 NIC carries TCP/IP to the Observer console.
  • Page 46: Ds3/E3

    DS3/E3: See “Digital” on page 46 or “Serial/HSSI” on page 48 depending on your needs. Digital: The digital DS3/E3 kit includes: If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting them.
  • Page 47 Figure 29 DS3/E3 TAP: the DS3 TAP (IN (RX) and OUT (TX) ports on each side, with DCE/DTE LOS, LOF, OUT and power indicators) sits between the CSU/DSU (DTE) and the DS3 line (DCE) and connects to the GigaStor or GigaStor Expandable; the 10/100/1000 NIC carries TCP/IP...
  • Page 48 Serial/HSSI: The serial DS3 kit includes: If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting them. After connecting them, continue with step 2. Connect the TAP to the GigaStor using the supplied HSSI Y-cable.
  • Page 49 Figure 30 WAN HSSI: the HSSI TAP (HSSI OUT and HSSI IN) sits between the CSU/DSU (DTE) and the router (DCE) and connects to the GigaStor or GigaStor Expandable; the 10/100/1000 NIC carries TCP/IP to the Observer console.
  • Page 50: Installing The Drives In Your Gigastor

    Installing the drives in your GigaStor. Caution (handling drives): Be especially careful when handling and installing the hard drives. Proper handling is paramount to the longevity of the unit. The internal mechanism of the hard drive can be seriously damaged if the hard drive is subjected to forces outside its environmental specifications.
  • Page 51 Figure 31 shows how the drive numbers correspond to slot locations. Caution (Expandable drive location): It is important that you install the drives in the correct drive slot, and in the correct expansion unit if you have a GigaStor Expandable. Failure to install the drives in the proper order will result in poor read/write performance or possibly RAID array failure.
  • Page 52: Connecting The Gigastor Expandable To The Expansion Units

    Connecting the GigaStor Expandable to the expansion units. After you have installed the drives, use the supplied cables to connect the expansion units to the GigaStor Expandable. Figure 32 (Cable diagram for the GigaStor Expandable) shows how to cable the GigaStor Expandable to the expansion units. Otherwise, continue with “Installing the GigaStor and connecting the cables”...
  • Page 53: Chapter 3: Packet Capture Or Gigastor Capture
  • Page 54: Capturing Packets With The Gigastor

    Capturing Packets with the GigaStor A GigaStor can accumulate terabytes of stored network traffic. To manage the sheer volume of data, the GigaStor includes an alternative, specialized capture and analysis control panel. The GigaStor Control Panel manages the capture, indexing, and storage of large numbers of packets over long periods of time.
  • Page 55 However, if you are pushing the limits of the system on which the probe is installed by creating many probe instances, you may be able to avoid some performance problems by fine-tuning the memory allocation for each probe instance. For example, suppose you want to give a number of remote administrators access to Top Talkers data from a given probe.
  • Page 56 Packet capture buffer and statistics buffer...
  • Page 57: Chapter 4: Gigastor Control Panel
  • Page 58 GigaStor in Console mode via Windows Terminal Server (or a monitor and keyboard that are physically attached). Observer works with the GigaStor just as it does any other Network Instruments probe, with some GigaStor-specific enhancements (described below). The GigaStor Control Panel is available from the probe itself (when running in Console Mode), and also from any Observer Expert or Observer Suite console when it is connected to a GigaStor.
  • Page 59: Display Controls

    etc., by clicking on the appropriate tab and selecting the items you want to see on the time line chart. Display Controls Charts and statistical tables are refreshed only when you click the Update Chart or Update Statistics button. The buttons will flash with a red border when a refresh is necessary.
  • Page 60: Right-Click Menus

    Right-click menus. As with other Observer displays, the charts and tables of the GigaStor control panel offer many right-click shortcuts. Right-clicking on the chart portion of the Control Panel displays the following options for navigating and displaying traffic data (Figure 34 Chart right-click menu): Settings brings up GigaStor Control panel settings;...
  • Page 61: Analyze Button

    Analyze button Figure 36 GigaStor Control Panel Analyze button When you click the Analyze button to view the results, you are prompted to select how to filter the packet capture for display (Figure 37). After you click OK, any filters you have chosen are applied, and a standard decode window is displayed, unless you have checked the “Display selected filter before starting analysis”...
  • Page 62 Figure 37 GigaStor Analysis Options window. Table 4 (GigaStor Analysis Options) describes what the fields in the various sections control; its sections are GigaStor Analysis Filter, Analysis Time Range, Analysis Type, and Forensic Analysis. GigaStor Analysis Filter: Choose whether to Analyze all traffic in the analysis period, Select an Observer filter to apply before decoding, or Create an analysis...
  • Page 63: Configuring The Gigastor Through The Control Panel

    Configuring the GigaStor through the Control Panel Just as with the standard Observer packet capture interface, you can set the colors of the capture graph and schedule captures to be automatically launched (or to run all the time). In addition, there are a number of GigaStor-specific settings that allow you to fine-tune performance based on your particular needs.
  • Page 64: Gigastor Options Tab

    GigaStor Options tab. This tab lets you configure many options for the GigaStor. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the GigaStor Options tab (Figure 39 GigaStor Options tab). See Table 5 for a description of each field of the GigaStor Options tab...
  • Page 65 Table 5 GigaStor Options tab. Fields: Capture Buffer size; Do not include traffic from Observer/Probe local MAC address; Capture partial packets; Network Load. Capture Buffer size: Allows you to set the amount of Windows memory that Observer will dedicate to the capture buffer cache for this instance. Values are in megabytes.
  • Page 66 Table 5 GigaStor Options tab (continued). Fields: Start/Stop Packet Capture marker frames; Wireless Channel Change; Packet Sampling; Capture Indexing Information Maximums; Display Indexing Information Maximums; Collect and Show GigaStor indexing information by; Track statistics information per physical port; Use physical port selections to filter statistics (requires per port tracking information); Stop capture when disk is full...
  • Page 67: Gigastor Chart Tab

    GigaStor Chart tab This tab lets you choose the appearance, colors, and scale of the GigaStor Control Panel’s time line chart. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the GigaStor Chart tab (Figure 40). GigaStor Outline Click Settings and the GigaStor Outline tab to modify the display of the GigaStor outline graph.
  • Page 68 Figure 41 GigaStor Outline...
  • Page 69: Capture Graph Tab

    Capture Graph tab. Click Settings and the tab for the type of graph or chart for which you want to set the display properties. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the Capture Graph tab (Figure 42). Table 6 (Capture Graph fields) lists each Field and Item...
  • Page 70: Gigastor Schedule Tab

    GigaStor Schedule tab. This tab lets you schedule GigaStor packet captures to occur at preset times and days of the week. Although the dialog looks identical to the standard Packet Capture schedule tab, the two types of schedules cannot be in effect at the same time. If you attempt to schedule GigaStor packet captures when standard packet captures are already scheduled (or the reverse), an error message is displayed.
  • Page 71: Statistics Lists Tab

    Adding, Modifying, and Deleting Time Intervals To add or modify a time interval to a schedule option, choose that option (in other words, Daily or the day-of-week for which you want to schedule a capture) and click the appropriate button. A time interval specification dialog is displayed that allows you to set the time period for the capture to be performed.
  • Page 72: Subnet

    Subnet You can specify subnet properties for the GigaStor. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the Subnet tab (Figure 45). Use the Add, Delete, Modify, and Delete All buttons to configure the subnet settings for the GigaStor.
  • Page 73 Figure 45 GigaStor Subnet tab. Figure 46 shows how the subnet settings appear in the GigaStor Control Panel, on the IP Stations tab.
  • Page 74 Figure 46 Subnet and IP Stations...
  • Page 75: Gigastor Reports

    GigaStor reports There are several default reports available for you. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the GigaStor Reports tab (Figure 47). Select a report name and click Edit to change the report’s characteristics (Figure 48).
  • Page 76 Use the arrow buttons to position graphs and tables on your report. Double-click a section of the report to modify its caption, detail, and number format (Figure 48 Report Setup; Figure 49 Table Setup).
  • Page 77: Export

    Export You can export your GigaStor-collected data on a scheduled basis. Use the Export tab to configure when and to where your data is saved or to manually export your data. Follow the instructions in “Configuring the GigaStor through the Control Panel”...
  • Page 79: Chapter 5: Using Observer With A Wan Probe
  • Page 80: Discover Network Names

    In general, the WAN analysis works much like Ethernet analysis. One difference is that, when appropriate, Observer identifies WAN links by their Data Link Connection Identifier (DLCI) rather than by MAC address as is done with standard protocol analysis. In addition, many WAN statistical modes break out the data by DCE, DTE, and summary to reflect the full-duplex nature of WAN links.
  • Page 81 To set the CIR for a DLCI or group of DLCIs: Choose Tools → Discover Network Names. The Discover Network Names pane opens. In the pane, click the edit DLCI CIR button on the Discover Network Names mode window (Figure 51). Click Add to add a new DLCI.
  • Page 82: Wan Bandwidth Utilization

    Click OK when you are done. For encapsulations that do not use DLCI (such as X.25), the correct address value is shown even though it is still labeled DLCI. WAN Bandwidth Utilization To see the percentages of bandwidth saturation on DCE, DTE and DCE+DTE (Summary) for each configured link, choose Statistics →...
  • Page 83: Wan Vital Signs By Dlci

    WAN Vital Signs by DLCI In Observer, the Network Vital Signs display is replaced by the WAN Vital Signs by DLCI mode. This mode provides a summary of the errors occurring on a WAN link (E1/T1/DS3/E3). Choose Statistics → WAN Vital Signs by DLCI. You can choose what portion of traffic you wish to view from the list box in the upper left corner of the window: DCE, DTE, DCE plus DTE, and so forth.
  • Page 84: Wan Load By Dlci

    Table 7 WAN statistics. DLCI: Data Link Connection Identifier of the statistics that follow. For encapsulations that do not use DLCI (such as X.25), the correct address value is shown even though it is still labeled DLCI. DCE KBits/s Max: The maximum bit rate sensed so far from the DCE side of this DLCI, in Kbits per second.
  • Page 85 Figure 55 WAN Load by DLCI The WAN Load by DLCI mode can be viewed as a dial, graph, or list display. Except for list view, there are no setup options for WAN Load by DLCI mode. Every view includes a dropdown box that lets you select which DLCI you want to monitor.
  • Page 86: Wan Top Talkers

    Figure 57 WAN Load by DLCI Graph View. The WAN Load display in graph view shows these same statistics (transfer rate, CRC error rate, and FECN/BECN frame rates) as superimposed spike meters. The Committed Information Rate (CIR) is also shown, allowing you to view the network activity against the baseline performance you have contracted to receive from your WAN service provider. You can select a line, point, or bar-style meter, and the colors for each...
  • Page 87: Wan Filtering

    second, etc.) that apply to WAN is a subset of those available for standard network analysis. For encapsulations that do not use DLCI (such as X.25), the correct address value is shown even though it is still labeled DLCI. Choose Statistics → Top Talkers Statistics. Press Start to begin capturing load data.
  • Page 88: Triggers And Alarms

    Triggers and Alarms WAN Observer adds WAN-related criteria to the standard Triggers and Alarms mode. Click the Alarm Settings button located in the lower left corner of Observer’s main window. A dialog appears that allows you to select the probe or probes for which you want to set alarms.
  • Page 89 Select the alarms you want set (Figure 61 Probe Alarm Settings). Click the Triggers tab (Figure 62) to set the criteria by which the alarms will be triggered.
  • Page 90 Most WAN alarms can be set on the DTE or DCE side or both. The Committed Information Rate displayed is that which you set in Discover Network Names mode. See “Setting the Committed Information Rate (CIR) for a DLCI” on page 80. Click the Actions tab to define actions to launch if an alarm is triggered.
  • Page 91: Chapter 6: Forensic Analysis Using Snort
  • Page 92: Starting Forensic Analysis Using Snort Rules

    Forensic Analysis, exclusive to the GigaStor version of Observer, is a powerful tool for scanning high-volume packet captures for intrusion signatures and other traffic patterns that can be specified using the familiar Snort rule syntax. You can obtain the rules from www.snort.org, or, if you know the Snort rule syntax, you can write your own rules.
  • Page 93 that of native Snort. When you import a set of Snort rules that includes configuration settings, Observer imports rules classifications, but uses its own defaults for the preprocessor settings. There is a difference between enabling the preprocessor and enabling logs for the preprocessor. For example, you can enable IP defragmentation with or without logging.
  • Page 94: Creating A Forensic Analysis Profile From The Gigastor Control Panel

    Figure 64 GigaStor Analysis Options - Forensic Analysis section. If you already have a forensic analysis profile, choose the profile from the Profile list (Figure 64) and click OK. For more information about the analysis output, see: Creating a forensic analysis profile from the GigaStor control panel: Click the Forensics Analysis tab on the far right of the screen.
  • Page 95 Select the profile that you want or click Edit (Figure 66 GigaStor Analysis Options). Click the Settings Profile Edit button to view and define the fields as you need (Figure 67 Forensic Settings). The fields are described in full in “Forensic Analysis Profile Settings tab” on page 100.
  • Page 96 If this is the first time forensic analysis has been run, you must import some rules. Click the Import Snort Files button to display a file selection dialog. Browse to the directory where the rules you wish to import are located and select them. You can select multiple files using either CTRL-clicks or by simply dragging the cursor across the files you wish to select.
  • Page 97 Figure 69 Rules tab. Select the boxes next to the rules you want to enable. The right-click menu has options to enable/disable all rules, and to show the actual Snort rule that was imported. It also lets you jump to web-based threat references such as bugtraq for further information about the alert.
  • Page 98: About Forensic Analysis Tab

    10 Click OK to close the Forensic Analysis Profile dialog. Click OK again to close the Forensic Settings dialog. Click OK to close the GigaStor Analysis Options dialog. Observer applies the rules and filters to the capture data and displays the results in the Forensics Summary tab. A new tab is also opened that contains the decode.
  • Page 99: About The Forensic Analysis Log Tab

    results, you may want to adjust preprocessor settings to eliminate these conditions. Intruders often attempt to exceed the limitations of forensic analysis to hide malicious content. The right-click menu lets you examine the rule that triggered the alert (if applicable). It also lets you jump to web-based threat references such as bugtraq for further information about the alert.
  • Page 100: Forensic Analysis Profile Field Descriptions

    right-click menu. You can also jump to the Decode display of the packet that triggered the alert. Forensic Analysis Profile field descriptions: This section describes in detail the fields on the Settings and Rules tabs. See: Forensic Analysis Profile Settings tab (Figure 72 Forensic Analysis Profile Settings tab). Table 8 describes the fields in the Forensic Analysis Profile Settings tab.
  • Page 101 Table 8 Forensic Analysis Profile Settings tab Field Description Settings Profile Settings Profiles provide a mechanism to save and load different preprocessor settings, and share them with other Observer consoles. IP Flow Packets belong to the same IP flow if they share the same layer 3 protocol, and also share the same source and destination addresses and ports.
  • Page 102 Table 8 Forensic Analysis Profile Settings tab (Continued) Field Description TCP Stream Reassembly (Continued) Log preprocessor events—Checking this box causes forensic analysis to display all activity generated by the TCP stream assembly preprocessor in the log. Maximum active TCP streams tracked—If this value is set too high given the size of the buffer being analyzed, performance can suffer because of memory consumption.
  • Page 103 Table 8 Forensic Analysis Profile Settings tab (Continued) Field Description TCP Stream Reassembly (Continued) Reassembly error action—Discard and flush writes the reassembled stream for analysis, excluding the packet that caused the error. Insert and flush writes the reassembled stream, but includes the packet that caused the error. Insert no flush includes the error-causing packet and continues stream reassembly.
  • Page 104 Table 8 Forensic Analysis Profile Settings tab (Continued) Field Description HTTP URI Normalization (Continued) Normalize percent-U encodings—Convert Microsoft-style %u-encoded characters to standard format. The second check box allows you to enable logging when such encoding is encountered during preprocessing. Because such encoding is considered non-standard (and a common hacker trick), logging occurrences of this is recommended.
  • Page 105 Table 8 Forensic Analysis Profile Settings tab (Continued) Field Description ARP Inspection Ethernet uses Address Resolution Protocol (ARP) to map IP addresses to a particular machine's hardware (MAC) address. Rather than continuously broadcasting the map to all devices on the segment, each device maintains its own copy, called the ARP cache, which is updated whenever the device receives an ARP Reply.
  • Page 106: Rules Tab

    Rules tab The web site www.snort.org provides Snort rule documentation, and downloadable rule sets. There are three sets of rules available at www.snort.org: Community Rules (which are available to anyone with a web browser), and three versions of the Vulnerability Response Team (VRT) Certified Rule Set.
  • Page 107: Chapter 7: Observer On The Gigastor

    Chapter 7 Observer on the GigaStor
  • Page 108: Using The Observer Console Locally On The Gigastor

    Using the Observer console locally on the GigaStor Depending on how you want or need to use Observer it can be either a graphic console to help you analyze your network data or it can be a probe to capture data and to which other Observer consoles can connect.
  • Page 109 In the Service Settings section, clear the “Run Probe as a Windows Service” option and click OK. This uninstalls the Network Instruments Expert Probe service from Windows. Click Start → Programs → Observer → Observer. The Network Instruments Expert Probe window opens.
  • Page 110 After the Expert Probe interface is open, choose Options → Probe Options to select the Run Probe as Windows Service option. You must manually start Network Instruments Expert Probe from the Windows Service Control Manager. It may take a moment before the service starts. You may need to restart the GigaStor for the setting changes to take effect.
  • Page 111: Chapter 8: Probe Instances

    Chapter 8 Probe Instances
  • Page 112: What Is A Probe Instance

    What is a probe instance? For instructions on setting up a probe instance, see “Probe administration” on page 24. Observer uses probes to capture network data. In some cases you may want or need more than one probe in a specific location. You can achieve that through probe instances.
  • Page 113 instances to the Gen2 adapter if at all possible. A copy of all packets is sent from the adapter to every passive probe instance attached to it. If you have several passive probe instances attached to the Gen2 adapter, the Gen2’s performance is significantly affected.
  • Page 114 By default there is one active probe instance for GigaStor. It binds to the network adapter and its ports. If you have a specific need to separate the adapter’s ports and monitor them separately, you can do so through passive probe instances or you can create separate virtual adapters.
  • Page 115: Chapter 9: Gen2 Capture Card

    Chapter 9 Gen2 Capture Card
  • Page 116: Swapping The Gen2 Card's Sfp Or Xfp Interfaces

    The Gen2 card is designed and manufactured by Network Instruments and is optimized for the GigaStor. The Gen2 card comes in two, four, or eight port models. This section describes: Swapping the Gen2 card’s SFP or XFP interfaces. To connect the probe to a monitoring interface (TAP or SPAN/mirror) different from that shipped with the unit, simply obtain the necessary SFP for your application, remove the installed SFPs, and insert the desired interface.
  • Page 117 In this scenario, it makes sense for Observer to view Ports 1-4 as a single data stream and to separate each of the four remaining ports into separate data streams. Virtual adapters are a convenient way to accomplish this separation in real time, rather than depending on filters to sort through the traffic post-capture.
  • Page 118 Figure 78 Assign Port to Virtual Adapter: Default view Select the ports to remove and click Remove. This places them in the Available Ports list. Change the name of the adapter to something meaningful to you and click OK (Figure 79). Figure 79 Assign Ports to Virtual Adapter: Trunk Click New Adapter.
  • Page 119 Repeat step 5 through step 8 until you have created all of your virtual adapters and given descriptions to your ports. The adapters appear in the list of adapters presented when you create a probe instance. This allows you to bind the probe instance to a virtual adapter.
  • Page 120: Viewing The Gen2 Card's Properties And Finding The Board's Id

    10 Right-click the GigaStor probe and choose Administer Selected Probe from the menu. Log in to the probe. 11 Click the GigaStor Instances tab along the bottom. 12 For each virtual adapter listed as a passive probe instance that you want to promote to an active probe instance, select it, right click and choose Make Instance Active.
  • Page 121 In the tree on the left, select Device Manager. In the tree on the right, expand Network Instruments Capture Adapters (Figure 83). Figure 83 Computer Management window Choose Network Instruments Gen2 Gigabit Capture Adapter, right-click and choose Properties. Click the Current State tab (Figure 84).
  • Page 122 This tab shows all active physical ports on the Gen2 card and the board’s ID. The “Interrupt enabled” and “DMA enabled” lights are light green when Observer is running and dark green when Observer is not running. Caution, Advanced Settings: Do not make any changes to the settings on the Advanced Settings tab unless directed by the Support department! The DMA buffer size and DMA copy size are optimized at the...
  • Page 123: Appendix A: Tcp/Ip Ports, Nat, And Vpn

    Appendix A TCP/IP ports, NAT, and VPN
  • Page 124: Tcp/Ip Ports

    This section discusses the TCP/IP ports, NAT, and VPN. TCP/IP ports Observer and all Network Instruments probes use ports 25901 and 25903 to communicate. These ports are registered to Network Instruments. All Network Instruments probes initiate the connection with Observer using port 25901.
  • Page 125: Vpn

    If the Observer is outside the network where the probe is running, you must forward port 25903 from the Observer’s address. You must use the NAT outside IP address as the probe’s IP address when trying to redirect and/or administer the probe from Observer. Using VPN is an easy way to get access to a probe on a remote LAN.
  • Page 127: Appendix B: Gigastor, Gigastor Expandable, And Expansion Unit Cases

    Appendix B GigaStor, GigaStor Expandable, and Expansion Unit Cases
  • Page 128: Gigastor

    GigaStor Figure 87 shows the front of the GigaStor. Table 10 GigaStor LEDs and Buttons LED/Button Description Individual Drive Activity These LEDs blink whenever there is activity on the drive in the RAID array. The lights are red when there is a problem with the drive, otherwise they are green. System Reset Button When pushed, the system resets.
  • Page 129: Gigastor Expandable

    GigaStor Expandable Controller unit Figure 88 GigaStor Expandable controller Table 11 GigaStor Expandable LEDs and Buttons LED/Button Description Power Button The power button works only when the power switch on the rear of the unit is on. Press to turn on the GigaStor. If you press and hold this button for a few seconds, the unit will do a hard shutdown.
  • Page 130: Expansion Unit

    Figure 89 shows the back of the GigaStor Expandable. Figure 89 GigaStor Expandable rear view (callouts: Serial ATA disk interfaces (3, only available on GigaStor Expandable); power supply on/off; keyboard and monitor; expansion unit; Gen2 capture card; 10/100/1000 Ethernet). Figure 90 Expansion unit...
  • Page 131 Table 12 Expansion Unit LEDs and Buttons LED/Button Description Individual Drive Activity These LEDs blink whenever there is activity on the drive in the RAID array. The lights are red when there is a problem with the drive, otherwise they are green. Temperature probe When lit green the unit’s temperature is within normal operating conditions.
  • Page 133: Appendix C: Gigastor Portable

    Appendix C GigaStor Portable
  • Page 134 The portable GigaStor offers full-duplex packet capture and analysis at wire speed. Depending on which version you ordered, the system includes everything you need to perform continuous, in-depth analysis of one of the following topologies: The Portable Analysis Platform includes an internal probe that provides access to the network to which it is connected.
  • Page 135 Figure 92 Portable Analysis Platform System Tour (callouts: turn thumbscrews to open port access door; port layout varies by topology). Your GigaStor includes a number of components. Take a moment after unpacking the system to ensure that you received all the parts.
  • Page 136: Running Observer Passively

    Gigabit and Fibre Channel systems have an appropriate copper or optical nTAP installed in the drive bay on the right side of the system. WAN system TAPs are shipped separately. Running Observer passively When analyzing a link using a TAP, Observer runs “passively.” Passive operation guarantees that analysis will not affect the link;...
  • Page 137: Using The Portable Gigastor As A Probe

    Dynamic Host Control Protocol (DHCP). For most applications of Observer, you should assign an address to the analyzer rather than depending on the DHCP assignment. Using the portable GigaStor as a probe Although most administrators usually run the Observer console directly from the portable GigaStor, in some cases you may want to use the system as a distributed probe system.
  • Page 139: Index

    Numerics 10 Gigabit Ethernet 14, 37, 116 Gen2 card 37 GigaStor Portable 134 tapping 19 10/100/1000 37 25901 124 25903 124 alarms WAN 90 Analysis Type 62 ARP Inspection, network forensics preprocessor 105 Assign Port to Virtual Adapter 118ff Assign Ports to Virtual Adapter 118ff ATM 34–35 Board ID 120 buffer overrun 26...
  • Page 140 T1/E1 42 WAN alarms 90 WAN statistics 80, 82–83 DCE BECN under CIR 84 DCE FECN under CIR 84 DCE Kbits/s Avg 84 DCE KBits/s Max 84 denial of service 105 DHCP 137 DLCI 80–87 DLCI CIR Setup 81 DMA buffer size 122 DMA copy size 122 DMA enabled 122 see also HSSI...
  • Page 141 daughter board 38 DMA enabled 122 Fibre Channel 37 filter ports 66 Gigabit 37 Gigabit copper 40 Interrupt enabled 122 mirror port 38 passive probe instance 113 performance 113 port assignments 38ff, 40ff ports 66 probe instance warning 112 properties 120 SFP 14, 116 SPAN port 38 statistics 66...
  • Page 142 LAPB 34–35 load preprocess settings 101 preprocessor 113 MAC address 105 DLCI instead of 80 excluding 65 statistics 71 Top Talkers 86 MAC address tab 86 MAC stations 58 Make Instance Active 120ff Max Buffer Size 55, 65 megabytes 113 memory management 55 Memory Management tab 25ff mirror port 38, 41, 116–117...
  • Page 143 Probe Properties T1/E1 Tab 35 Probe Service Configuration Applet 21ff, 108ff QLogic 19 Quality of Service 32 RAID 14, 113–114, 128, 131 see also buffer active probe instance 26 buffer size 113 capture buffer size 65 formula 55 limitations 55 packet capture 55, 112 packet loss 26 probe instance 26, 59, 113...
  • Page 144 virtual adapter 114ff probe instances 119–120 Virtual Adapters tab 119ff VPN 125 alarms 80, 88 analysis 80 analyzing 33 bandwidth 80 CIR 80 congestion 84 DCE 82 DS3/E3 46 DTE 82 E1 42 filtering 87 full duplex 80 GigaStor 15 GigaStor Portable 134, 136 HSSI 49ff monitoring 15...
  • Page 146 © 2008 Network Instruments, LLC. All rights reserved. Network Instruments, Observer, and all associated logos are registered trademarks of Network Instruments, LLC. rev. 1...

This manual is also suitable for: GigaStor Portable, GigaStor Expandable