Table of Contents

Chapter 1: Appliance installation .... 11
G3-GS-2P40-1152T .... 11
G3-GS-2P40-1152T technical specifications .... 11
Parts list .... 13
G3-GS-2P40-1152T installation .... 14
G3-GS-2P40-576T .... 16
G3-GS-2P40-576T technical specifications .... 16
Parts list .... 18
G3-GS-2P40-576T installation .... 19
G3-GS-2P40-288T .... 22
G3-GS-2P40-288T technical specifications .... 22
Parts list .... 24
G3-GS-2P40-288T installation .... 25
G3-GS-8P-1152T ....

G3-APEX-ENT-32T .... 71
Apex technical specifications .... 71
Parts list .... 72
G3-APEX-ENT-32T installation .... 72
VIAVI Rail Kit (G3-GS Edition) .... 73
How to attach the rails .... 74
How to install the system into your rack .... 76
How to remove the server from the rack .... 77
GS-2P40-576T .... 77
GS-2P40-576T technical specifications ....

APEX-ENT-32T .... 165
Apex technical specifications .... 165
Parts list .... 166
APEX-ENT-32T installation .... 167
VIAVI Rail Kit (Gen3 Edition) .... 168
How to install the rails .... 168
How to remove your appliance from the rails .... 170
How to remove the rails from a cabinet .... 170
Rail kit hardware .... 171
Startup and shutdown (GS models) ....

How to handle hard drives properly .... 174
How to set the IP address (G3-GS models) .... 174
How to set the IP address (GS models) .... 175
Configuring the LOM or IPMI port .... 176
How to configure the JBOD IPMI port (G3-GS models) .... 179
How to install the SFPs ....

Chapter 7: Mining GigaStor Data .... 220
Mining data from your GigaStor .... 220
Selecting a time frame to analyze .... 223
How to reorder packets based on a trailer timestamp .... 223
Analyzing data without any filters .... 225
Analyzing data with filters from the Observer filter editor .... 225
Analyzing data with filters from the GigaStor Control Panel ....

How to reformat the RAID volume .... 261
How to delete RAID sets .... 261
How to build new RAID sets .... 263
How to stripe the volumes in Windows .... 264
How to disable the Recycle Bin for RAID .... 265
How to create folders for the RAID drives .... 265
GS-8P-576T .... 265
How to delete saved network data ....

Running Observer without reserved memory .... 310
Running Observer with reserved memory .... 312
How packet capture affects RAM .... 313
How to allocate the reserved RAM .... 315
Recommendations for the VIAVI capture cards .... 315
Chapter 15: Gen3 Capture Card .... 317
Hardware configuration .... 317
Understanding the capture card .... 317
Supported QSFP+/SFP/SFP+ media types .... 318
...

How to assign physical ports to probe instances .... 326
How to change the monitored network adapter .... 329
Understanding hardware acceleration .... 329
How to enable hardware acceleration .... 330
Hardware-accelerated mode restrictions .... 333
Features that require hardware acceleration .... 334
Capture card device properties .... 335
General .... 335
Current State .... 335
Advanced Settings ....

One or more ports not seeing traffic .... 361
Temperature or voltage out of acceptable range .... 362
Choppy data stream .... 362
CRC or TCP checksum errors, wrong packet types .... 362
Packet capture does not start on Gen3 capture card .... 363
Chapter 17: Backups and Restoring .... 369
Backups and Restoring ....
For the newer G3-GS models, see Observer Platform appliance installation (G3-GS models) G3-GS-2P40-1152T The G3-GS-2P40-1152T is best suited for 40 Gb data centers. G3-GS-2P40-1152T technical specifications (page 11) G3-GS-2P40-1152T technical specifications The technical specifications for the product are shown below.
Figure 1: G3-GS-2P40-1152T Front Figure 2: G3-GS-2P40-1152T Rear System Deployment 40 Gb data center Base storage 1.2 PB Max storage 1.2 PB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable...
license
● 1 Quick Start Guide
● 1 Label listing serial numbers of all JBODs for this system. This label appears on top of the head unit and was attached to the outside of
G3-GS-2P40-1152T Chapter 1: Appliance installation...
5. Using the SAS cables, connect the RAID ports from the JBOD unit(s) to the head unit and to other JBOD unit(s). Figure 3: G3-GS-2P40-1152T Rear 6. Using an Ethernet cable, connect the ETH0 port to the network. Connecting the ETH0 port allows you to use Windows Remote Desktop or other tools to control or configure Windows or Windows applications, such as Observer Analyzer.
Startup and shutdown (G3-GS models) (page 172). Caution: The RAID does not properly initialize if the JBOD unit(s) are not started first. If this happens, restart the head unit.
1. SFP, SFP+, and QSFP+ transceivers are sold separately.
13. Turn on the head unit (A1) and wait for the RAID to initialize using the same procedure as the JBOD. 14. In Windows, change the IP address (page 174) for the ETH0 port (shown as ETH0 in Network Connections in Windows) using information supplied to you by your network administrator.
Figure 5: G3-GS-2P40-576T Front Figure 6: G3-GS-2P40-576T Rear System Deployment 40 Gb data center Base storage 576 TB Max storage 1.2 PB
Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit Operating system Windows 2012 R2 Physical Height 30U (6 x 5U) Width 19 in Depth 26 in 616 lbs Weight (mounted) Weight (handling)
● 1 Head unit with RAID drives preinstalled
● 1 Rail kit
● 2 Power supply cables
● 2 Ethernet cables
● 1 Product Activation Information envelope containing the product license
● 1 Quick Start Guide
● 1 Label listing serial numbers of all JBODs for this system. This label...
Figure 7: G3-GS-2P40-576T Rear 6. Using an Ethernet cable, connect the ETH0 port to the network. Connecting the ETH0 port allows you to use Windows Remote Desktop or other tools to control or configure Windows or Windows applications, such as Observer.
Figure 8: Connecting the TAP to the network device, switch, and analyzer a. Connect the TX port from your server, firewall, router, or switch to the Link A port on the TAP. b. Connect the TX port from your other switch to the Link B port on the TAP. c.
17. (Optional) Change the JBOD IPMI port in the BIOS using a static IP address provided by your network administrator. 18. Double-click the Observer icon on the Desktop to start Observer. Your hardware appliance is installed and on your network. Next, give the ETH0 IP address and IPMI port address, if using, to the Observer administrator.
Figure 10: G3-GS-2P40-288T Rear System Deployment 40 Gb data center Base storage 288 TB Max storage 1.2 PB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version
● 1 Quick Start Guide
● 1 Label listing serial numbers of all JBODs for this system. This label appears on top of the head unit and was attached to the outside of the head unit’s box. Use this label to sort and connect the proper JBODs to the head unit.
Figure 11: G3-GS-2P40-288T Rear 6. Using an Ethernet cable, connect the ETH0 port to the network. Connecting the ETH0 port allows you to use Windows Remote Desktop or other tools to control or configure Windows or Windows applications, such as Observer.
8. Install SFP transceivers (page 179) into the open slots on the back of the capture card(s). 9. If you are connecting to SPAN/mirror ports of a network switch: connect a straight-through Ethernet cable from the SPAN/mirror ports on your switch to the SFP transceivers on the capture card.
14. In Windows, change the IP address (page 174) for the ETH0 port (shown as ETH0 in Network Connections in Windows) using information supplied to you by your network administrator. The default IP address (192.168.1.10) is printed on a sticker attached to the top of the appliance.
Figure 14: G3-GS-8P-1152T Rear System Deployment 40 Gb data center Base storage 1.2 PB Max storage 1.2 PB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit Operating system Windows 2012 R2...
Operational voltage: 120V
Power dissipation (watts): 4252W
Relative humidity (non-condensing): 5%-85%
Temperature (operating): 50°F - 95°F / 10°C - 35°C
Temperature (storage): -4°F - 149°F / -20°C - 65°C
1. If applicable, mounted weight includes any rail kits.
2. SFP may be any of Copper 10/100/1000, 1Gb SX/LX. SFP+ may be any of 10Gb SR/LR. QSFP+ may...
2. Attach the official rail kits (page 73) to your server rack or cabinet. 3. Install the head unit (A1) into your server rack or cabinet. Use a server lift if necessary. Do not remove the RAID drives from the chassis. 4.
Figure 16: Connecting the TAP to the network device, switch, and analyzer a. Connect the TX port from your server, firewall, router, or switch to the Link A port on the TAP. b. Connect the TX port from your other switch to the Link B port on the TAP. c.
17. (Optional) Change the JBOD IPMI port in the BIOS using a static IP address provided by your network administrator. 18. Double-click the Observer icon on the Desktop to start Observer. Your hardware appliance is installed and on your network. Next, give the ETH0 IP address and IPMI port address, if using, to the Observer administrator.
OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit Operating system Windows 2012 R2 Physical Height 32U (8 x 4U) Width 19 in Depth 26 in 816 lbs Weight (mounted) Weight (handling) 856.6 lbs Media Monitoring interfaces...
● 2 Power supply cables
● 2 Ethernet cables
● 1 Product Activation Information envelope containing the product license
● 1 Quick Start Guide
● 1 Label listing serial numbers of all JBODs for this system. This label appears on top of the head unit and was attached to the outside of the head unit’s box.
7. (Optional) Connect an Ethernet cable from your router or switch to the LOM or IPMI port. (Optional) A Lights Out Management or IPMI port provides you a dedicated management channel for device maintenance. It allows you to monitor, start, stop, and manage your appliance remotely regardless of whether the appliance is powered on.
Caution: The RAID does not properly initialize if the JBOD unit(s) are not started first. If this happens, restart the head unit. 13. Turn on the head unit (A1) and wait for the RAID to initialize using the same procedure as the JBOD. 14.
Figure 21: G3-GS-8P-576T Front Figure 22: G3-GS-8P-576T Rear System Deployment 40 Gb data center Base storage 576 TB Max storage 1.2 PB G3-GS-8P-576T GigaStor (23 Feb 2018) — Archive/Non-authoritative version...
Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit Operating system Windows 2012 R2 Physical Height 30U (6 x 5U) Width 19 in Depth 26 in 616 lbs Weight (mounted) Weight (handling)
● 1 Head unit with RAID drives preinstalled
● 1 Rail kit
● 2 Power supply cables
● 2 Ethernet cables
● 1 Product Activation Information envelope containing the product license
● 1 Quick Start Guide
● 1 Label listing serial numbers of all JBODs for this system. This label...
Figure 23: G3-GS-8P-576T Rear 6. Using an Ethernet cable, connect the ETH0 port to the network. Connecting the ETH0 port allows you to use Windows Remote Desktop or other tools to control or configure Windows or Windows applications, such as Observer.
Figure 24: Connecting the TAP to the network device, switch, and analyzer a. Connect the TX port from your server, firewall, router, or switch to the Link A port on the TAP. b. Connect the TX port from your other switch to the Link B port on the TAP. c.
17. (Optional) Change the JBOD IPMI port in the BIOS using a static IP address provided by your network administrator. 18. Double-click the Observer icon on the Desktop to start Observer. Your hardware appliance is installed and on your network. Next, give the ETH0 IP address and IPMI port address, if using, to the Observer administrator.
System Deployment Multi-10 Gb data center Base storage 384 TB Max storage 768 TB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit Operating system Windows 2012 R2 Physical Height...
Parts list
Each appliance comes packed in a number of boxes. The boxes contain the various components necessary for a successful installation. The boxes are not numbered as listed here. The numbers merely represent how many boxes you should expect and what is contained in each one.
♦ Box 1...
Figure 27: G3-GS-8P-384T Rear 6. Using an Ethernet cable, connect the ETH0 port to the network. Connecting the ETH0 port allows you to use Windows Remote Desktop or other tools to control or configure Windows or Windows applications, such as Observer.
a. Connect the TX port from your server, firewall, router, or switch to the Link A port on the TAP. b. Connect the TX port from your other switch to the Link B port on the TAP. c. Use two analyzer cables to connect the analyzer port on the TAP to the SFP transceivers in the capture card.
Figure 29: G3-GS-8P-288T Front
Figure 30: G3-GS-8P-288T Rear System Deployment 40 Gb data center Base storage 288 TB Max storage 1.2 PB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version
● 1 Quick Start Guide
● 1 Label listing serial numbers of all JBODs for this system. This label appears on top of the head unit and was attached to the outside of the head unit’s box. Use this label to sort and connect the proper JBODs to the head unit.
Figure 31: G3-GS-8P-288T Rear 6. Using an Ethernet cable, connect the ETH0 port to the network. Connecting the ETH0 port allows you to use Windows Remote Desktop or other tools to control or configure Windows or Windows applications, such as Observer.
8. Install SFP transceivers (page 179) into the open slots on the back of the capture card(s). 9. If you are connecting to SPAN/mirror ports of a network switch: connect a straight-through Ethernet cable from the SPAN/mirror ports on your switch to the SFP transceivers on the capture card.
14. In Windows, change the IP address (page 174) for the ETH0 port (shown as ETH0 in Network Connections in Windows) using information supplied to you by your network administrator. The default IP address (192.168.1.10) is printed on a sticker attached to the top of the appliance.
Figure 34: G3-GS-8P-192T Rear System Deployment Multi-10 Gb data center Base storage 192 TB Max storage 768 TB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit Operating system Windows 2012 R2...
● Mini-SAS cable(s)
Before installing, ensure you received all of the parts required for your system.
G3-GS-8P-192T installation
Getting your appliance installed is the first step to greater visibility of your network. This topic covers installing your appliance in the cabinet and connecting it to your network.
6. Using an Ethernet cable, connect the ETH0 port to the network. Connecting the ETH0 port allows you to use Windows Remote Desktop or other tools to control or configure Windows or Windows applications, such as Observer. 7. (Optional) Connect an Ethernet cable from your router or switch to the LOM or IPMI port.
b. Wait until the blue Information LED starts to blink. c. Use the tip of your finger to press the power button once. The JBOD control board initiates the power up sequence in three seconds. Startup and shutdown (G3-GS models) (page 172).
Figure 38: G3-GS-8P-96T Rear System Deployment 1 Gb & 10 Gb hybrid data center Base storage 96 TB Max storage 96 TB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit Operating system...
Input frequency 50/60Hz Input voltage 100V-240V Auto Select Operational current (amps) 6.20A 2402 BTU/hr Operational voltage 120V Power dissipation (watts) 765W Relative humidity (non-condensing) 5%-85% Temperature (operating) 50°F - 95°F / 10°C - 35°C Temperature (storage) -4°F - 149°F / -20°C - 65°C If applicable, mounted weight includes any rail kits.
4. Using an Ethernet cable, connect the ETH0 port to the network. Connecting the ETH0 port allows you to use Windows Remote Desktop or other tools to control or configure Windows or Windows applications, such as Observer. 5. (Optional) Connect an Ethernet cable from your router or switch to the LOM or IPMI port.
G3-GS-4P-32T The G3-GS-4P-32T is best suited for medium data centers. G3-GS-4P-32T technical specifications (page 63) G3-GS-4P-32T technical specifications The technical specifications for the product are shown below. Figure 39: G3-GS-4P-32T Front Figure 40: G3-GS-4P-32T Rear System Deployment Medium data center Base storage 32 TB Max storage...
G3-GS-4P-32T installation Getting your appliance installed is the first step to greater visibility of your network. This topic covers installing your appliance in the cabinet and connecting it to your network. Caution: Do not attempt in-cabinet repairs of your appliance. The appliance is very heavy! Always use a server lift or work with a partner to install or remove the appliance from the cabinet to perform any maintenance.
Figure 41: Connecting the TAP to the network device, switch, and analyzer a. Connect the TX port from your server, firewall, router, or switch to the Link A port on the TAP. b. Connect the TX port from your other switch to the Link B port on the TAP. c.
G3-GS-4P-16T The G3-GS-4P-16T is best suited for small data centers or at your network edge. G3-GS-4P-16T technical specifications (page 67) G3-GS-4P-16T technical specifications The technical specifications for the product are shown below. Figure 42: G3-GS-4P-16T Front Figure 43: G3-GS-4P-16T Rear System Deployment Small data center or network edge...
G3-GS-4P-16T installation Getting your appliance installed is the first step to greater visibility of your network. This topic covers installing your appliance in the cabinet and connecting it to your network. Caution: Do not attempt in-cabinet repairs of your appliance. The appliance is very heavy! Always use a server lift or work with a partner to install or remove the appliance from the cabinet to perform any maintenance.
Figure 44: Connecting the TAP to the network device, switch, and analyzer a. Connect the TX port from your server, firewall, router, or switch to the Link A port on the TAP. b. Connect the TX port from your other switch to the Link B port on the TAP. c.
G3-APEX-ENT-32T The G3-APEX-ENT-32T is best suited for any data center. Apex technical specifications (page 71) Apex technical specifications Figure 45: G3-APEX-ENT-32T Front Figure 46: G3-APEX-ENT-32T Rear System Deployment Base storage 32 TB Max storage 32 TB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size...
11. Double-click the Observer icon on the Desktop to start Observer. Your hardware appliance is installed and on your network. VIAVI Rail Kit (G3-GS Edition) This rail kit is for 2U and 4U models that begin with “G3.” Decide on a suitable location for the rack unit that will hold your chassis. It should be a clean, dust-free area that is well ventilated.
“L” (Left side) and “R” (Right side). The rail is on the correct side and mounted correctly if the lettering is face-up. Figure 47: Rail kit inner assemblies
If desired, use screws (and washers) to secure the outer rails to the rack. 10. Pull out the rear of the outer rail, adjusting the length until it just fits within the posts of the rack.
VIAVI Rail Kit (G3-GS Edition) (page 73) How to install the system into your rack VIAVI products are very heavy. Always use a server lift and two people to install the systems. This section provides information on installing a chassis into a rack unit with the rails provided.
2. Press the release latches on each of the inner rails downward simultaneously and move the chassis forward in the rack. Figure 50: Removing the server from the rack VIAVI Rail Kit (G3-GS Edition) (page 73) GS-2P40-576T The GS-2P40-576T is best suited for 40 Gb data centers.
Figure 51: GS-2P40-576T Front
Figure 52: GS-2P40-576T Rear System Deployment 40 Gb data center Base storage 576 TB Max storage 1.2 PB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit (Model 22113260) Operating system Windows 2012 R2...
QSFP+ Accepted transceivers Performance Aggregate performance 40 Gbps Power Redundant power supply Input frequency 50/60Hz Input voltage 100V-240V Auto Select Operational current (amps) 19.7A 7385 BTU/hr Operational voltage 120V Power dissipation (watts) 2350W Relative humidity (non-condensing) 20-80% Temperature (operating) 50°F - 95°F / 10°C - 35°C Temperature (storage) -4°F - 149°F / -20°C - 65°C If applicable, mounted weight includes any rail kits.
● 1 JBOD Unit
● 1 Rail Kit
● 2 Power supply cables
● Mini-SAS cable(s)
♦ A box that contains the RAID drives for each JBOD:
● 24 RAID drives labeled A2-1-A2-24.
● 24 RAID drives labeled B1-1-B1-24.
● 24 RAID drives labeled B2-1-B2-24.
Figure 53: GS-2P40-576T Rear 6. Install the RAID drives (page 172) into your appliance. The RAID is pre-built at the factory for you and each drive must be installed in a very specific location. 7. Connect all power cables for each JBOD unit. Do not turn on yet! 8.
Figure 54: Connecting the TAP to the network device, switch, and analyzer a. Connect the TX port from your server, firewall, router, or switch to the Link A port on the TAP. b. Connect the TX port from your other switch to the Link B port on the TAP. c.
GS-2P40-288T The GS-2P40-288T is best suited for 40 Gb data centers. GS-2P40-288T technical specifications (page 84) GS-2P40-288T technical specifications The technical specifications for the product are shown below.
Figure 56: GS-2P40-288T Rear System
Deployment 40 Gb data center Base storage 288 TB Max storage 1.2 PB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit (Model 22113260) Operating system Windows 2012 R2 Physical Height...
Parts list
Each appliance comes packed in a number of boxes. The boxes contain the various components necessary for a successful installation. The boxes are not numbered as listed here. The numbers merely represent how many boxes you should expect and what is contained in each one.
♦ Box 1...
to install or remove the appliance from the cabinet to perform any maintenance. 1. Take the appliance and all other components out of the packing materials. 2. Attach the official rail kits (page 168) to your server rack or cabinet. 3.
6. Install the RAID drives (page 172) into your appliance. The RAID is pre-built at the factory for you and each drive must be installed in a very specific location. 7. Connect all power cables for each JBOD unit. Do not turn on yet! 8.
13. Connect a monitor, keyboard, and mouse to the hardware appliance. You can use a switch if desired. (The KVM must be compatible with the operating system used on the appliance.) The user input devices or KVM switch are only temporarily needed to set the IP address, so you can disconnect them after the IP address is set.
Figure 60: GS-8P-576T Rear System Deployment 40 Gb data center Base storage 576 TB Max storage 1.2 PB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit (Model 22113260) Operating system Windows 2012 R2...
SFP/SFP+ Accepted transceivers Performance Aggregate performance 40 Gbps Power Redundant power supply Input frequency 50/60Hz Input voltage 100V-240V Auto Select Operational current (amps) 19.7A 7385 BTU/hr Operational voltage 120V Power dissipation (watts) 2350W Relative humidity (non-condensing) 20-80% Temperature (operating) 50°F - 95°F / 10°C - 35°C Temperature (storage) -4°F - 149°F / -20°C - 65°C If applicable, mounted weight includes any rail kits.
● 1 JBOD Unit
● 1 Rail Kit
● 2 Power supply cables
● Mini-SAS cable(s)
♦ A box that contains the RAID drives for each JBOD:
● 24 RAID drives labeled A2-1-A2-24.
● 24 RAID drives labeled B1-1-B1-24.
● 24 RAID drives labeled B2-1-B2-24.
Figure 61: GS-8P-576T Rear 6. Install the RAID drives (page 172) into your appliance. The RAID is pre-built at the factory for you and each drive must be installed in a very specific location. 7. Connect all power cables for each JBOD unit. Do not turn on yet! 8.
Figure 62: Connecting the TAP to the network device, switch, and analyzer a. Connect the TX port from your server, firewall, router, or switch to the Link A port on the TAP. b. Connect the TX port from your other switch to the Link B port on the TAP. c.
GS-8P-288T The GS-8P-288T is best suited for 40 Gb data centers. GS-8P-288T technical specifications (page 99) Parts list (page 122) GS-8P-288T installation (page 123) GS-8P-288T technical specifications The technical specifications for the product are shown below. Figure 63: GS-8P-288T Front
System Deployment 40 Gb data center Base storage 288 TB Max storage 1.2 PB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit (Model 22113260) Operating system Windows 2012 R2 Physical...
♦ Box 2
● 24 RAID drives labeled A1-1-A1-24.
● TAP media kit(s) (if ordered)
♦ For each JBOD (2) a box that contains:
● 1 JBOD Unit
● 1 Rail Kit
● 2 Power supply cables
● Mini-SAS cable(s)
♦ A box that contains the RAID drives for each JBOD (2):...
6. Install the RAID drives (page 172) into your appliance. The RAID is pre-built at the factory for you and each drive must be installed in a very specific location. 7. Connect all power cables for each JBOD unit. Do not turn on yet! 8.
11. If you are connecting to SPAN/mirror ports of a network switch: connect a straight-through Ethernet cable from the SPAN/mirror ports on your switch to the SFP transceivers on the capture card. 12. If you are connecting to a network TAP (sold separately): Figure 66: Connecting the TAP to the network device, switch, and analyzer a.
Your hardware appliance is installed and on your network. Next, give the 10/100/1000 IP address and LOM port address, if using, to the Observer administrator. They need the addresses to add this GigaStor probe to Observer to capture network traffic with a probe instance. GS-8P-192T The GS-8P-192T is best suited for multi-10 Gb data centers.
Figure 68: GS-8P-192T Rear System Deployment Multi-10 Gb data center Base storage 192 TB Max storage 768 TB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit (Model 22113260) Operating system Windows 2012 R2...
● 1 USB drive containing restore image
● 1 Product Activation Information envelope containing the product license
● 1 Quick Start Guide
● SFP transceivers (if ordered)
♦ Box 2
● 24 RAID drives labeled A1-1-A1-24.
● TAP media kit(s) (if ordered)...
Figure 69: GS-8P-192T Rear 6. Install the RAID drives (page 172) into your appliance. The RAID is pre-built at the factory for you and each drive must be installed in a very specific location. 7. Connect all power cables for each JBOD unit. Do not turn on yet! 8.
10. Install SFP transceivers (page 179) into the open slots on the back of the capture card(s). 11. If you are connecting to SPAN/mirror ports of a network switch: connect a straight-through Ethernet cable from the SPAN/mirror ports on your switch to the SFP transceivers on the capture card.
18. (Optional) Change the LOM port (page 176) in the BIOS using a static IP address provided by your network administrator. 19. Double-click the Observer icon on the Desktop to start Observer. Your hardware appliance is installed and on your network. Next, give the 10/100/1000 IP address and LOM port address, if using, to the Observer administrator.
Figure 72: GS-8P-96T Rear System Deployment 1 Gb & 10 Gb hybrid data center Base storage 96 TB Max storage 96 TB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit (Model 22113260) Operating system...
Power Redundant power supply Input frequency 50/60Hz Input voltage 100V-240V Auto Select Operational current (amps) 6.20A 2402 BTU/hr Operational voltage 120V Power dissipation (watts) 765W Relative humidity (non-condensing) 20-80% Temperature (operating) 50°F - 95°F / 10°C - 35°C Temperature (storage) -4°F - 149°F / -20°C - 65°C If applicable, mounted weight includes any rail kits.
Caution: Do not attempt in-cabinet repairs of your appliance. The appliance is very heavy! Always use a server lift or work with a partner to install or remove the appliance from the cabinet to perform any maintenance. 1. Take the appliance and all other components out of the packing materials. 2.
b. Connect the TX port from your other switch to the Link B port on the TAP. c. Use two analyzer cables to connect the analyzer port on the TAP to the SFP transceivers in the capture card. d. If you have more than one TAP to connect, repeat the process for each TAP. 10.
Figure 75: GS-4P-32T Rear System Deployment Medium data center Base storage 32 TB Max storage 32 TB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit (Model 22113260) Operating system Windows 2012 R2 Physical...
Operational voltage 120V Power dissipation (watts) 330W Relative humidity (non-condensing) 20-80% Temperature (operating) 50°F - 95°F / 10°C - 35°C Temperature (storage) -4°F - 149°F / -20°C - 65°C If applicable, mounted weight includes any rail kits. 1. SFP may be any of Copper 10/100/1000, 1Gb SX/LX. SFP+ may be any of 10Gb SR/LR. QSFP+ may 2. ...
2. Attach the official rail kits (page 168) to your server rack or cabinet. 3. Install the empty appliance into your server rack or cabinet. 4. Install the RAID drives (page 172) into your appliance. The RAID is pre-built at the factory for you and each drive must be installed in a very specific location.
10. Connect a monitor, keyboard, and mouse to the hardware appliance. You can use a switch if desired. (The KVM must be compatible with the operating system used on the appliance.) The user input devices or KVM switch are only temporarily needed to set the IP address, so you can disconnect them after the IP address is set.
Figure 78: GS-4P-16T Rear System Deployment Small data center or network edge Base storage 16 TB Max storage 16 TB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit (Model 22113260) Operating system...
Operational voltage 120V Power dissipation (watts) 307W Relative humidity (non-condensing) 20-80% Temperature (operating) 50°F - 95°F / 10°C - 35°C Temperature (storage) -4°F - 149°F / -20°C - 65°C If applicable, mounted weight includes any rail kits. 1. SFP may be any of Copper 10/100/1000, 1Gb SX/LX. SFP+ may be any of 10Gb SR/LR. QSFP+ may 2. ...
2. Attach the official rail kits (page 168) to your server rack or cabinet. 3. Install the empty appliance into your server rack or cabinet. 4. Install the RAID drives (page 172) into your appliance. The RAID is pre-built at the factory for you and each drive must be installed in a very specific location.
10. Connect a monitor, keyboard, and mouse to the hardware appliance. You can use a switch if desired. (The KVM must be compatible with the operating system used on the appliance.) The user input devices or KVM switch are only temporarily needed to set the IP address, so you can disconnect them after the IP address is set.
System Deployment Small data center Base storage 1 TB Max storage 1 TB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit (Model 22113260) Operating system Windows 2012 R2 Physical Height...
Parts list Each appliance comes packed in a number of boxes. The boxes contain the various components necessary for a successful installation. The boxes are not numbered as listed here. The numbers merely represent how many boxes you should expect and what is contained in each one. Box 1 ♦...
Figure 82: Connecting the TAP to the network device, switch, and analyzer a. Connect the TX port from your server, firewall, router, or switch to the Link A port on the TAP. b. Connect the TX port from your other switch to the Link B port on the TAP. c.
Figure 83: GSP-8P-9T Front System Deployment Anywhere Base storage 9 TB Max storage 9 TB Lights Out Management (LOM) Redundant OS drive OS drive hot swappable OS drive size 1 TB RAID drive hot swappable RAID version Rail kit (Model 22113260) Operating system Windows 2012 R2 Physical...
Input voltage 100V-240V Auto Select Operational current (amps) 2.80A 1048 BTU/hr Operational voltage 120V Power dissipation (watts) 307W Relative humidity (non-condensing) 20-80% Temperature (operating) 50°F - 95°F / 10°C - 35°C Temperature (storage) -4°F - 149°F / -20°C - 65°C If applicable, mounted weight includes any rail kits.
Figure 84: Portable Analysis System GSP-8P-9T installation Getting your appliance installed is the first step to greater visibility of your network. This topic covers installing your appliance in the cabinet and connecting it to your network. 1. Take the appliance and all other components out of the packing materials. 2.
through a sequence and then be dark. Each light only blinks when there is activity for that specific RAID drive. 7. Ensure the time zone settings match your environment. 8. Double-click the Observer icon on the Desktop to start Observer. Your hardware appliance is installed and on your network.
Figure 86: Portable Analysis System GSP-8P-6TSSD installation Getting your appliance installed is the first step to greater visibility of your network. This topic covers installing your appliance in the cabinet and connecting it to your network. 1. Take the appliance and all other components out of the packing materials. 2.
through a sequence and then be dark. Each light only blinks when there is activity for that specific RAID drive. 7. Ensure the time zone settings match your environment. 8. Double-click the Observer icon on the Desktop to start Observer. Your hardware appliance is installed and on your network.
Width 19 in Depth 26 in 71 lbs Weight (mounted) Weight (handling) 64 lbs Media Monitoring interfaces Speed Accepted transceivers Performance Aggregate performance Power Redundant power supply Input frequency 50/60Hz Input voltage 100V-240V Auto Select Operational current (amps) 3.30A 1262 BTU/hr Operational voltage 120V Power dissipation (watts)
  ● 1 Product Activation Information envelope containing the product license
  ● 1 Quick Start Guide
♦ Box 2
  ● 8 RAID drives labeled A1-A8.
Before installing, ensure you received all of the parts required for your system.
APEX-ENT-32T installation
Getting your appliance installed is the first step to greater visibility of your network.
Your hardware appliance is installed and on your network. VIAVI Rail Kit (Gen3 Edition) The VIAVI rail kit is used with its 2U and 5U 19 inch rack-mounted appliances in four post L-bracket or U-bracket cabinets. How to install the rails...
6. (Optional) Tighten the thumb screws. The rails are installed in your cabinet and ready to receive an Observer Platform appliance.
VIAVI Rail Kit (Gen3 Edition) (page 168)
3. (Optional) Repeat for the second locking tab. The appliance has been removed from the cabinet.
VIAVI Rail Kit (Gen3 Edition) (page 168)
How to remove the rails from a cabinet
Each rail has two rail locks that secure it into your cabinet. These locks must be raised to release the rail from the cabinet.
The rail has been successfully removed from the cabinet.
VIAVI Rail Kit (Gen3 Edition) (page 168)
Rail kit hardware
VIAVI manufactures its rails using high-grade, heavy duty materials. These components comprise the rail kit. The purple-faced GigaStor contains these items. The plastic slides were attached at the factory.
Startup and shutdown (G3-GS models) There are several procedures to turn on or off your system. First use or power cord plug-in (page 172) After normal shutdown by IPMI or power button After a power loss (page 172) Power down (page 172) First use or power cord plug-in 1.
Stickers on each drive identify which slot it should be installed in. The drive labeled 1 must be installed in the upper left slot of the appliance. 1. Make sure that the appliance is turned off. 2. Locate the drives that comprise the array. The drives are labeled to show you where they should be installed in the drive cage.
How to handle hard drives properly Be especially careful when handling and installing the hard drives. Proper handling is paramount to the longevity of the drive. The internal mechanism of the hard drive can be seriously damaged if the hard drive is subjected to forces outside its environmental specifications.
1. Log in to the Windows operating system using the Administrator account and its default password admin. You can change the Administrator account password after logging in. See the Windows documentation if necessary. 2. In Windows, choose Start > Control Panel > Network and Sharing Center > Change adapter settings.
1. Log in to the Windows operating system using the Administrator account and its default password admin. You can change the Administrator account password after logging in. See the Windows documentation if necessary. 2. In Windows, choose Start > Control Panel > Network and Sharing Center > Change adapter settings.
♦ Keyboard, monitor, and mouse or KVM attached to the GigaStor
♦ The static station IP, subnet, and gateway/router addresses are available and known to you.
If you want to use Lights Out Management features, you must first configure the IP address for the IPMI port from the BIOS. Then, you should change the administrator password to something different than the default.
Figure 98: BIOS IPMI: IP Address configured 7. Press F4 to save your changes and to exit the BIOS setup. The system automatically shuts down and restarts. The IPMI port is now accessible from the IP address you chose. Now you can log on to the IPMI web interface and change the default password.
How to configure the JBOD IPMI port (G3-GS models)
The JBOD chassis offers intelligent management with IPMI providing hardware health monitoring and remote power control. Prerequisite(s): Your host computer must be on the same network as the JBOD IPMI interface. If necessary, change your host IP to 192.168.1.10/24.
♦ Your transceivers (page 318) can be inserted into any open port and in any order.
♦ You can hot-swap the connected transceivers at any time, but it is recommended you then re-launch Observer so that the new speeds can be identified.
Figure 101: 2U capture card port assignments
Chapter 2: Getting started Getting started using your GigaStor A GigaStor probe is a hardware device with many terabytes of storage space to capture, store, and analyze your network traffic. Prerequisite(s): Follow these steps to get started with your GigaStor. The installation happens in two main parts.
♦ An understanding of the protocols that run on your network.
♦ An understanding of probe instances and why you want to use them. In particular, a GigaStor is heavily reliant on a unique probe instance called an active instance.
To get started with your GigaStor probe: 1.
Tip! All GigaStor probes come with a capture card. Details about this unique capture card, including physical port indexing or virtual adapters, are covered in Hardware configuration (page 317). 8. (Optional) If you want to define the different subnets of your network so that GigaStor can track and report on them, see Defining your subnets in GigaStor (page...
GigaStor The GigaStor Software Edition (GSE) is identical in most ways to a hardware GigaStor purchased from VIAVI. However, there are differences that exist due to GSE naturally lacking GigaStor hardware components like the capture card and high-performance RAID card(s).
Table 2. Observer or GigaStor Software Edition in a virtual server Minimum Recommended Processor / CPU Four core Six core Intel Minimum 16 GB (8 GB for 64 GB Observer and 8 GB for the operating system) Storage Packet capture - Hardware: Same Determined by your product Packet capture - GigaStor...
Maximum storage size is a measure of how much network data (in the form of packets) can be retained by the GigaStor Software Edition before the oldest GigaStor data is removed in a first-in first-out (FIFO) storage scheme. The maximum storage size is not an indication of how much disk space the GigaStor Software Edition will consume on your hard disk.
Figure 102: GigaStor Detail and Outline Charts The GigaStor Control Panel shows traffic on a time line graph, allowing you to select packets for decoding, analysis, and display by defining the time period you want to view, and the types of packets you want to include. Use the sliders at the top of the time line chart to select the time period you are interested in analyzing, then click Update Chart and Update Reports to update everything to the new time frame.
Press the Settings button. Under General Options, clear Enable Analysis types for whichever analysis types you do not need. This will remove them from the Reports/Statistics ribbon. Use the left/right arrow on the Reports/Statistics ribbon to move it to the right to see the Maximize button if needed.
Figure 104: GigaStor General Options
● Packet capture and GigaStor buffer size—This only applies to the active probe instance.
● Partial packet capture size—This only applies to the active probe instance.
● GigaStor indexing options—You may need to adjust the indexing...
PC. There are many reasons why this is not a good idea but, in general, you will see varying amounts of your own data with a protocol analyzer on your own PC. This is due to the architecture of the PC and the inability of Windows to multi- task the receiving and analysis of the data going and coming from the Observer PC.
Enable Analysis Types: Choose whether to enable the GigaStor Control Panel to process and display these types of data. By clearing these options, the corresponding tab is hidden in the GigaStor Control Panel and you cannot analyze packets for these data types: Forensic Analysis (uses Snort rules) FIX Analysis: used to process FIX financial transactions.
makes the charts display every interval in which the bits were present from your packet, not just the first interval. This setting works even if it was not enabled when the packet was captured. It can be enabled later and you will see every interval where a bit was present.
at the start of the conversation. If this combination is found, reports show this conversation by protocol name (or custom name), IANA name, or port number (based on statistics lists setting). Otherwise the conversation is not listed. If you try to analyze data prior to the time that this option was enabled, you will not see this data.
How to change the Windows administrator password
The default Windows administrator user has full permissions and cannot be deleted. For these reasons, change this password as soon as possible, and use a very strong password.
Caution: Do not forget or lose your new Windows administrator password! It cannot be recovered, and you must reformat the operating system drive.
2. Select Change adapter settings on the left. A list of network adapters, including capture cards, is shown. 3. Right-click the management network adapter and choose Properties. The management adapter is used to get the GigaStor onto your network by giving the appliance an IP address.
Your GigaStor will stop sending NetBIOS requests. Your firewall or network monitor should be able to confirm this. How to disable Windows features Many Windows features run in the background but are not generally needed for your GigaStor. You may disable the features you deem unnecessary. Most Windows features are not needed to read or write data to the RAID drives.
Figure 107: Windows Features
Only the Windows features you want to use remain.
Hardening your GigaStor GigaStor (23 Feb 2018) — Archive/Non-authoritative version...
Chapter 3: Hardware Settings Configuring your GigaStor Learn how to configure packet capture and buffer sizes, define subnets, and change the storage directory where packets and other data is stored. Defining your subnets in GigaStor You can specify subnet properties for the GigaStor to allow for statistical aggregation of devices within the Statistics tabs in GigaStor Control Panel.
means that information on the Statistics tab at the bottom of the GigaStor Control Panel is dependent on which physical ports are selected. 2. Click the Settings button. 3. Click the General Options tab. Setting the GigaStor general options (page 189) for a description of each field of the GigaStor General Options tab.
2. Click the Folders tab. 3. Change the directory used for packet captures.
Caution: If you are using a GigaStor hardware appliance, this should always remain set to D:\DATA.
A probe is a hardware device on your network running VIAVI probe instance software. Each hardware probe has at least one probe instance that captures packets from your network to analyze. The probe hardware device could be an appliance purchased from VIAVI or you could install the probe software on your own hardware.
Probes monitor the following topologies:
♦ 10/100 Mb, 1/10/40 Gb Ethernet (half- and full-duplex)
♦ Wireless (802.11 a/b/g/n)
Figure 108 (page 203) shows how probes provide visibility into your network. It may be obvious, but it also shows that you cannot see traffic on portions of your network where you do not have a probe.
GigaStor Active GigaStor Passive Observer Probe probe instance probe instance Schedule packet capture Change directories where data is stored Able to set permissions Able to redirect to different analyzer, etc. An Observer probe is the Single Probe, Multi Probe, or Expert Probe software running on a non- 1. ...
SPAN/mirror port on a switch. The Observer software can handle fast network speeds (including 40 Gigabit), but it is the network adapter that is the bottleneck on home-grown systems. VIAVI uses a custom-designed...
♦ they have local expert analysis and decode capabilities in the probe that allows for remote decoding and expert analysis in real time. The Expert probe software comes pre-installed on most hardware probes from VIAVI. Hardware > GigaStor, Dual port...
Expert Probe. Simultaneous users are supported when each user has his own probe instance. 2. Only available on hardware probes from VIAVI. 3. Decoding and expert analysis are performed by the probe and a summary is sent to Observer 4. ...
Chapter 5: Deploying Probes in Your Network Decide how you will best place your probe hardware for maximum visibility. Also learn about the network ports that must be opened on your firewall to allow the probes to operate correctly. Deploying probes in your network You need visibility into every corner of the network, from the edge to the core.
display. Distributed analysis is the only practical way to make different parts of a switched or wireless network visible and therefore manageable. From a single analyzer you can monitor and view traffic from anywhere on the network where a probe has been deployed, from any type of media or topology (Ethernet, wireless, and so on).
aggregators are designed to connect to a standard NIC, which allows them only one side of the full duplex link to transmit data. A TAP, however, is designed to connect to a dual-receive capture card. By sending data on both sides of the link to the capture card, a TAP has double the transmission capability of the other options, allowing it to mirror both sides of a fully saturated link with no dropped packets and no possibility of degrading switch performance.
Open inbound and outbound TCP 80, 443, and 25901 on your firewalls for Observer Platform products version 17 and later.
Port | Functionality
TCP 80 | Requests from product to VIAVI to see if a new version or update exists.
TCP 443 | Secure web server traffic, including trace extraction between Observer Apex and Observer GigaStor.
Ports used by Observer products v16 and earlier Observer products v16 and earlier use many ports to communicate. If your environment includes these products, open these ports on your firewalls. Table 5. Ports used by Observer products v16 and earlier Port Functionality TCP 25901...
Chapter 6: Packet Captures
Capturing packets with the GigaStor
The GigaStor allows packet captures to be scheduled, trimmed (partial packet captures), and all its data can be exported for archiving. Also learn about GigaStor indexing and the difference between statistics and packets. An Observer GigaStor can accumulate terabytes of stored network traffic.
Setting a schedule for when data captures should occur One way to ensure you always have timely packet captures is to schedule them. For example, you may want to automatically start a packet capture at the beginning of business hours each day; you can accomplish this by scheduling your packet captures accordingly.
  ● Forensics may be hindered without full payload data
  ● Data stream reconstruction may not work
♦ Most resource intensive capturing
  ● Increases CPU utilization
To configure the GigaStor probe to trim all packet data beyond the first 64 bytes, choose and then Settings > Capture Options. In that tab, enable Capture Partial Packets (Bytes).
By default the GigaStor uses a dynamic sampling ratio for statistics. This can be changed in the GigaStor Control Panel > Settings > General tab to a fixed sampling ratio of 1, 100, or whatever you wish. Using dynamic sampling allows the GigaStor to make decisions about how sampling for statistics should be accomplished.
♦ Previously indexed data has no effect on any other 15 second interval, except for the need to see the SYN-SYN/ACK-ACK to begin collecting “new” server data. This means that if in one 15 second period the maximum number of entries was reached and a new conversation is started that continues into the next 15 second interval, there is nothing that prevents the subsequent 15 second interval from beginning to index the new conversation that was not indexed in the previous 15 second...
The indexed, statistical information that comes from the indexed data is not 100% accurate when compared to packet capture. More importantly, it is not intended to be. It is, however, statistically accurate. When the GigaStor attempts to analyze a packet to index, it does not analyze the packet if the packet is being analyzed by a different portion within Observer, such as Network Trending.
8. (Optional) Choose if you want to have Observer write a progress status every 30 seconds to the Log window. 9. Click OK.
Chapter 7: Mining GigaStor Data
Mining data from your GigaStor
Retrieving data from GigaStor and analyzing it is a primary function of the GigaStor Control Panel. You can use the information in the packet capture to identify numerous network conditions. By using filters and a specific analysis type, you can home in on the exact information you want.
This option: Allow you to do this:
of the screen, but without using any filter. See Analyzing data without any filters (page 225).
Select an existing filter: Takes all packets in the selected time frame on the Detail Chart and analyzes it using the analysis type chosen at the bottom of the screen and applies the filter you select (after clicking OK).
This option: Allow you to do this: Forensic analysis Allows you to choose a profile where you have defined which Snort rules you want to use. The results are displayed on the Forensic Analysis tab in the GigaStor Control Panel. If you chose "Expert analysis and decode"...
This option: Allow you to do this: Third Party Decoder Observer allows you to use other software to view packet decodes if you wish. You might do this because of the other tool's interface or workflow. This option is only available if the Third Party Decoder option has already been enabled in and click the Third Party Decoder tab.
Figure 111: Trailer Timestamp Settings 4. In Timestamp type, choose your switch aggregator. Timestamp types (page 224) 5. Choose what filters to apply. Trailer filters (page 225) The Decode pane displays packets in the sorted (and filtered) order based on your chosen switch aggregator.
Trailer filters Trailer filters allow you to exclude or include packets from your switch aggregator based on where the trailer occurs and other location-specific information. Trailer level Use when multiple timestamps are found in a packet to identify which timestamp to use. The levels are identified starting at the end of the packet.
Analyzing data with filters from the GigaStor Control Panel You may want to filter the data that is shown on the Detail Graph. You can do so with the filters section of the GigaStor Control Panel. You can filter data from MAC Stations tab, IP Stations tab, IP Pairs tab, and more.
Analyzing data by combining GigaStor Control Panel and Observer filters
Tip! If you chose “Create analysis filter using checked GigaStor entries” and do not have any data or do not have the data you expected, it may be because you applied too many filters. Try the “Analyze all traffic in the analysis interval”...
17.2.0.0, it remains enabled at all times. No special or extra hardware is required for accelerated analysis to operate. This means both the GigaStor hardware appliances from VIAVI and GigaStor Software Edition on your own hardware can all use accelerated analysis. Likewise, the speed increase from accelerated analysis works on active instances and their passive instances.
Filter elements that support accelerated analysis GigaStor accelerated analysis supports single and multiple-element data extraction filters. If at least one of these listed element configurations is in your analysis filter, then accelerated analysis is possible. Accelerated analysis occurs when your GigaStor extraction filter has at least one of these filter elements.
Note: Stream reconstruction (including VoIP) is illegal in some jurisdictions and may be disabled by VIAVI to comply with those laws. The process described here is for reconstructing HTTP, but the process is the same for other applications, except in step 6 you would choose the appropriate menu option.
Note: Stream reconstruction (including VoIP) is illegal in some jurisdictions and may be disabled by VIAVI to comply with those laws. For security or privacy reasons or because of company policy, you may need to limit what the GigaStor probe can recreate through its stream reconstruction feature.
Option Description A --> B Extract call(s) with pattern A in the SIP “From” field and pattern B is in a SIP “To” field. Call-ID Extract call(s) with the specified pattern in the SIP “Call-ID” field. 5. (Optional) Enable one or more search pattern modifiers: Use regular expression(s)—Perl 5 regular expressions.
Chapter 9: Forensic Analysis Examining your network traffic with forensic analysis Forensic Analysis is a powerful tool for scanning high-volume packet captures for intrusion signatures and other traffic patterns that can be specified using the familiar Snort rule syntax. Network forensics is the idea of being able to resolve network problems through captured network traffic.
Importing Snort rules After getting the Snort rules from http://www.snort.org, follow these steps to import them into Observer. 2. Click the Forensic Analysis tab. 3. Right-click anywhere on the Forensic Analysis tab and choose Forensic Settings from the menu. The Select Forensic Analysis Profile window opens. 4.
be available from the right-click menu. You can also jump to the Decode display of the packet that triggered the alert. Creating a Forensic Settings profile Forensics profiles provide a mechanism to define and load different pairings of settings and rules profiles. Settings profiles define pre-processor settings that let you tune performance;...
Table 7. Forensic Settings options Field Description Settings Profile Settings Profiles provide a mechanism to save and load different preprocessor settings, and share them with other Observer. IP Flow Packets belong to the same IP flow if they share the same layer 3 protocol, and also share the same source and destination addresses and ports.
Field Description
TCP Stream Reassembly (Continued)
Log preprocessor events—Checking this box causes forensic analysis to display all activity generated by the TCP stream assembly preprocessor to the log.
Maximum active TCP streams tracked—If this value is set too high given the size of the buffer being analyzed, performance can suffer because of memory consumption.
Field Description
packet sizes for stream reassembly. Running the analysis with a different seed value can catch signature matches that would otherwise escape detection. Port List—Enabling the Port List option limits analysis to (or excludes from analysis) the given port numbers.
HTTP URI Normalization
Many HTTP-based attacks attempt to evade detection by...
Field Description Normalize directory traversal—Directory traversal attacks attempt to access unauthorized directories and commands on a web server or application by using the /./ and /../ syntax. This preprocessor removes directory traversals and self-referential directories. You may want to disable logging for occurrences of this, as many web pages and applications use directory traversals to reference content.
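The traversal normalization described above, as an added example (not Observer's or Snort's code): it resolves literal /./ and /../ segments before a content match is applied and counts what it removed, so logging can be tuned separately from matching. The signature name, its pattern and the request URIs are constructed for illustration; percent-decoding is a separate normalization step and is not covered here.

```python
from typing import NamedTuple


class Normalized(NamedTuple):
    uri: str          # URI with "." and ".." segments resolved (query untouched)
    traversals: int   # number of ".." segments seen
    self_refs: int    # number of "." segments removed
    above_root: int   # ".." segments that tried to climb past the top directory


def normalize_traversal(uri: str) -> Normalized:
    """Resolve literal "." and ".." path segments before signature matching."""
    path, sep, query = uri.partition("?")
    absolute = path.startswith("/")
    parts = path.split("/")[1:] if absolute else path.split("/")
    out = []
    traversals = self_refs = above_root = 0
    for i, seg in enumerate(parts):
        if seg == ".":
            self_refs += 1
        elif seg == "..":
            traversals += 1
            if out:
                out.pop()
            else:
                above_root += 1   # nothing left to pop: the request points above the root
        else:
            out.append(seg)
            continue
        if i == len(parts) - 1:
            out.append("")        # "/a/." and "/a/b/.." name a directory: keep the slash
    normalized = ("/" if absolute else "") + "/".join(out) + sep + query
    return Normalized(normalized, traversals, self_refs, above_root)


# Constructed content-match signature, standing in for a rule's URI pattern.
SIGNATURES = {"constructed-admin-config": "/admin/config"}


def inspect_uri(uri: str, signatures=SIGNATURES) -> dict:
    """Compare what a content match sees with and without normalization."""
    n = normalize_traversal(uri)
    return {
        "normalized": n.uri,
        "raw_hits": sorted(k for k, pat in signatures.items() if pat in uri),
        "normalized_hits": sorted(k for k, pat in signatures.items() if pat in n.uri),
        "log_traversal": n.traversals > 0,   # noisy: ordinary pages use ".." too
        "above_root": n.above_root > 0,      # rarely legitimate, worth its own alert
    }


# Constructed request URIs.
SAMPLES = [
    "/admin/config",
    "/public/../admin/./config?id=7",
    "/images/../css/site.css",
    "/../../admin/config",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, inspect_uri(sample))
```

The third sample is the benign case the text warns about: it contains a traversal but matches nothing, which is why traversal logging is often disabled while the above-root count remains a useful signal.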
Field Description monitored. For example, the VRT rules define HTTP servers as any, which results in much unnecessary processing at runtime. Address variables can reference another variable, or specify an IP address or class, or a series of either. Note that unlike native Snort, Observer can process IPv6 addresses.
Note: Stream reconstruction (including VoIP) is illegal in some jurisdictions and may be disabled by VIAVI to comply with those laws.
Your company likely has an “acceptable use” policy for its network. As a network administrator, you may be asked to track a specific person's internet use. The...
Chapter 10: Microbursts Searching for microbursts For a computer network, a microburst is an unusually large amount of data in a short time frame that saturates your network and adds to latency. These bursts are seen as a spike over normal traffic when viewed on a graph. They are usually less than one millisecond long (or even shorter), and they typically occur during high traffic volume, such as after a major news event or announcement when many people are using the network simultaneously.
when a microburst occurs, packets may be dropped, which causes them to be retransmitted and that takes several milliseconds—nearly doubling the time to complete the transaction. A 1-millisecond advantage in trading applications can be worth $100 million a year to a major brokerage firm. To prevent data loss because of microbursts, design your network so that its capacity can withstand the highest possible burst of activity in whatever time frame you deem important (perhaps a millisecond).
Using the Microburst Analysis tab in the GigaStor Control Panel To search for microbursts across a large time frame (greater than 15 minutes) you must use the Microburst Analysis tab. The Microburst Analysis tab shows you the number of microbursts Observer found in the time frame you selected.
changes, the graphs change. Change only one option at a time, then view your changes. Screen resolution (Interval/Total Time): The screen resolution is two numbers that define the length of time shown in the Detail Chart. The first number is the interval length, which when looking at a bar chart, is each bar. The second number is the total time of all of the intervals on the chart, although if an interval does not have any bursts the interval will not have a bar.
connections.) For this reason, you will likely see fewer microbursts than when any of the Full Duplex options are selected because the utilization threshold is higher. Note: The Data type option is unavailable when doing Microburst analysis because Microburst analysis shows the number of times or percentage of time when a microburst occurs within a duration and utilization threshold.
Interval Interval Interval Duration Duration Duration 1,2,3 Util Util Util 5 ms 1,2,3 1,3, 1,3,4 1,3,4 1,2,4, 1,2,4 1,2,4 µs µs # of packets in 20.319 20.319 20.319 20.319 2.032 0.203 4.064 20.319 36.573 Duration Frame size is 1514, Frame bits are 12,304, Capture adapter speed is 1 Gb, and Network utilization is 1. ...
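How a duration and a utilization threshold turn packet timestamps into microbursts, as an added example (not Observer's algorithm): a sliding window of one duration is moved over the capture, and a burst is reported wherever the bits in the window reach the threshold share of link capacity. The 1514-byte frame, 12,304 frame bits and 1 Gb adapter speed come from the table above; the 250 µs duration, 50% threshold and the packet trace are assumptions constructed for illustration.

```python
from collections import deque

# The table counts a 1514-byte frame as 12,304 bits, i.e. 1538 bytes on the
# wire: 24 bytes of FCS, preamble and inter-frame gap on top of the frame.
WIRE_OVERHEAD_BYTES = 24
NS_PER_S = 1_000_000_000


def wire_bits(frame_bytes: int) -> int:
    return (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


def frames_in_duration(duration_ns, link_bps, utilization, frame_bytes=1514):
    """Frames that fit into one duration at the given utilization (0.0-1.0)."""
    return duration_ns * link_bps * utilization / NS_PER_S / wire_bits(frame_bytes)


def find_microbursts(packets, link_bps, duration_ns, threshold):
    """packets: iterable of (timestamp_ns, frame_bytes).
    Returns merged bursts as (start_ns, end_ns, peak_utilization)."""
    capacity_bits = link_bps * duration_ns / NS_PER_S   # bits the link can carry per window
    window = deque()          # packets inside (ts - duration, ts]
    bits_in_window = 0
    bursts, current = [], None
    for ts, size in sorted(packets):
        bits = wire_bits(size)
        window.append((ts, bits))
        bits_in_window += bits
        while window[0][0] <= ts - duration_ns:          # expire packets older than the window
            bits_in_window -= window.popleft()[1]
        utilization = bits_in_window / capacity_bits     # can exceed 1.0 slightly at window edges
        if utilization < threshold:
            continue
        start = window[0][0]
        if current and start <= current[1]:              # overlaps the burst in progress
            current = (current[0], ts, max(current[2], utilization))
        else:
            if current:
                bursts.append(current)
            current = (start, ts, utilization)
    if current:
        bursts.append(current)
    return bursts


def constructed_capture():
    """Constructed trace: light background traffic plus one short burst."""
    packets = [(i * 1_000_000, 1514) for i in range(30)]             # one frame per ms
    packets += [(10_500_000 + i * 12_304, 1514) for i in range(18)]  # 18 back-to-back frames
    return packets


if __name__ == "__main__":
    for start, end, peak in find_microbursts(constructed_capture(), 10**9, 250_000, 0.5):
        print(f"burst {start} ns .. {end} ns, peak utilization {peak:.1%}")
    print(f"{frames_in_duration(250_000, 10**9, 1.0):.3f} full-size frames per 250 us")
```

Averaged over the whole 30 ms trace the link is under 2% utilized, which is why the burst is invisible at coarse intervals and only appears once the window shrinks to the microsecond range.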
Chapter 11: Charts, Graphs, and Reports Configuring options for the GigaStor charts, graphs, and reports When updating charts and reports, keep in mind that the GigaStor Control Panel uses statistics, not packets. The indexing maximums and sampling ratio for statistics are configured in Setting the GigaStor general options (page 189) and affect what appears on the charts and reports.
Chapter 12: GigaStor in Financial Firms
Using Observer in financial firms
In an environment where even nanoseconds matter, a GigaStor allows you to identify when an anomaly in your network occurs and alerts you to it so that you can resolve it quickly. If you are a network administrator in a financial or trading firm, small amounts of time can mean the difference between making or losing money or making money versus making a lot of money.
that no trade or the wrong trade is placed. To partially overcome this weakness with UDP, multicast streams almost always use sequence numbers within their payload to allow detection of these events. As a network administrator in a trading firm, you likely monitor these sequence numbers quite closely looking for gaps in the numbers.
Outside of the GigaStor Control Panel, these other areas may be valuable for you when you are analyzing FIX transactions:
♦ Decode and Analysis in Observer—Allows you to decode and analyze the raw FIX information and presents it in an easy to read format. In the Decode and Analysis tab you can use filters and do post-capture analysis on specific FIX transactions that have issues.
This option…: Allows you to do this…
Ignore duplicate requests: If selected, duplicate requests are ignored. This is the default setting. If unchecked, duplicate requests may be present in the analysis, which reduces the number of unique requests in the tracked requests.
Chapter 13: GigaStor RAID Wiping and Rebuilding
You can delete and rebuild the RAID using the GigaStor Control Panel, the RAID controller card software, and Windows. You can also set up RAID notifications.
GS-2P40-576T
Sensitive network traffic is stored on your GigaStor. You can permanently delete this data before sending for maintenance-plan repairs or before decommissioning an old GigaStor hardware unit.
6. Disable the Recycle Bin in Windows for each RAID volume.
7. Create new data folders for network storage on the RAID.
8. Configure the GigaStor Control Panel to use additional volumes.
Completing the above operations will ensure that the previously captured data, which was saved in the GigaStor RAID, is deleted in such a way that a future data recovery operation would be nearly impossible.
Delete the existing RAID set or sets and rebuild again for future use.
1. In Windows, open the program MRAID > ArcHttpSrvGui. The program starts, but it immediately minimizes to the Windows taskbar.
2. Find the icon in the taskbar, and double-click the icon to view the Areca RAID application in a web browser.
a. In the leftmost panel, select Raid Set Functions > Delete RAID Set.
b. Select the Confirm box, and click Submit.
c. Repeat the process of selecting a RAID set from the list and deleting its RAID set—until all RAID sets are deleted.
8.
6. Select Confirm the Operation, and click Submit. Initialization of the RAID should now begin.
7. Repeat step 2 through step 5 on the other two RAID controllers (each is named ARC-1883X Web Management). The RAID sets are now initializing, and this can last many hours. Return to the instructions when all initializations are finished.
c. Divide the number of megabytes shown in Maximum available size in MB by two.
“Maximum available size in MB”/2 = megabytes per partition
You are just calculating a value for use in Select the amount of space in
d. Type the calculated number of megabytes in the Select the amount of space in MB box.
12. Perform a quick format with these settings and values, and click Next.
● File system — NTFS
● Allocation unit size — Default
● Volume label — Data
● Perform a quick format — Enabled
13. Click Finish. After a few seconds, the E: drive should now be available to Windows.
You successfully prepared the disk volumes in Windows.
Prerequisite: Expert Probe
The maximum NTFS disk volume is 256 TB, but with a GigaStor you can have more storage than that by using the expanded disk arrays or striping through Windows.
1. On the GigaStor probe, click the GigaStor Instances tab.
2.
Note: If you use multiple active instances, which is not recommended, you must repeat these steps for each active instance. To delete the GigaStor saved data captured by an active instance: 2. Click Tools > Delete All Instance Capture Data, and select Yes in the resulting dialog box.
Figure 117: Viewing the application 3. In the leftmost panel, access the first RAID controller by expanding the SAS Raid Controllers list and clicking the first link named ARC-1883X Web Management. You might be asked for credentials during this step, unless you have an active session already.
b. Select the Confirm box, and click Submit. Each RAID set has been fully deleted from the GigaStor unit. How to build new RAID sets Create a new RAID array set in the Areca interface, and then prepare the new volume in Windows so it can be read and written to.
How to stripe the volumes in Windows After you create RAID sets and volumes, you must format the disk partitions as NTFS in Windows. This allows Windows to see the disk drives and you to assign drive letters. 1. Only after initialization is complete for all RAID controllers, proceed to Control Panel >...
How to disable the Recycle Bin for RAID The Windows Recycle Bin holds deleted files that can be restored, but this consumes valuable disk space. Disable the Recycle Bin for RAID drives to ensure RAID disk space is never used for this purpose. To delete 1.
3. Within the Areca RAID Controller user interface, delete the existing RAID sets and D: volume. 4. Within the Areca RAID Controller user interface, create new RAID sets for immediate or future use. 5. Stripe the volumes using the Windows Disk Management tool. 6.
How to delete RAID sets Use the Areca user interface to delete the existing RAID set from your GigaStor appliance. Delete the existing RAID set or sets and rebuild again for future use. 1. In Windows, open the program MRAID > ArcHttpSrvGui. The program starts, but it immediately minimizes to the Windows taskbar.
6. Repeat the process of selecting a RAID set from the list and deleting its RAID set—until all RAID sets are deleted. 7. Return to the original page, and click the second link named ARC-1883X Web Management to access the second RAID controller and delete its RAID sets. a.
● Tagged Command Queueing — Enabled
● SCSI Channel — 0:0:0
● Volumes To Be Created — 1
6. Select Confirm the Operation, and click Submit. Initialization of the RAID should now begin.
7. Repeat step 2 through step 5 on the other two RAID controllers (each is named ARC-1883X Web Management).
a. Move Disk 1, Disk 2, and Disk 3 from the Available section (on the left) to the Selected section (on the right). b. Take note of the number of megabytes shown in Maximum available size in MB. c. Divide the number of megabytes shown in Maximum available size in MB by two.
b. Type the calculated number of megabytes in the Select the amount of space in MB box. c. Click Next. 11. Assign drive letter E, and click Next. 12. Perform a quick format with these settings and values, and click Next. File system —...
How to use additional storage volumes on the GigaStor active instance When expanding your RAID array beyond 256 TB of usable disk space, you must add the additional volumes to your GigaStor active instance. Prerequisite: Expert Probe The maximum NTFS disk volume is 256 TB, but with a GigaStor you can have more storage than that by using the expanded disk arrays or striping through Windows.
How to delete saved network data Use the GigaStor Control Panel to delete the data collected on the active instance(s) on the GigaStor. Note: If you use multiple active instances, which is not recommended, you must repeat these steps for each active instance. To delete the GigaStor saved data captured by an active instance: 2.
Figure 124: Viewing the application 3. In the leftmost panel, access the first RAID controller by expanding the SAS Raid Controllers list and clicking the first link named ARC-1883X Web Management. You might be asked for credentials during this step, unless you have an active session already.
b. Select the Confirm box, and click Submit. Each RAID set has been fully deleted from the GigaStor unit. How to build new RAID sets Create a new RAID array set in the Areca interface, and then prepare the new volume in Windows so it can be read and written to.
How to stripe the volumes in Windows After you create RAID sets and volumes, you must format the disk partitions as NTFS in Windows. This allows Windows to see the disk drives and you to assign drive letters. 1. Only after initialization is complete for all RAID controllers, proceed to Control Panel >...
How to disable the Recycle Bin for RAID The Windows Recycle Bin holds deleted files that can be restored, but this consumes valuable disk space. Disable the Recycle Bin for RAID drives to ensure RAID disk space is never used for this purpose. To delete 1.
3. Within the Areca RAID Controller user interface, delete the existing RAID sets and D: volume. 4. Within the Areca RAID Controller user interface, create new RAID sets for immediate or future use. 5. Stripe the volumes using the Windows Disk Management tool. 6.
How to delete RAID sets Use the Areca user interface to delete the existing RAID set from your GigaStor appliance. Delete the existing RAID set or sets and rebuild again for future use. 1. In Windows, open the program MRAID > ArcHttpSrvGui. The program starts, but it immediately minimizes to the Windows taskbar.
5. Select the Confirm box, and click Submit. 6. Return to the original page, and click the SAS Raid Controllers link named ARC-1883IX-24 Web Management or similar link to access the last RAID controller and delete its RAID set. a. In the leftmost panel, select Raid Set Functions > Delete RAID Set. b.
How to stripe the volumes in Windows After you create RAID sets and volumes, you must format the disk partitions as NTFS in Windows. This allows Windows to see the disk drives and you to assign drive letters. 1. Only after initialization is complete for all RAID controllers, proceed to Control Panel >...
How to disable the Recycle Bin for RAID The Windows Recycle Bin holds deleted files that can be restored, but this consumes valuable disk space. Disable the Recycle Bin for RAID drives to ensure RAID disk space is never used for this purpose. To delete 1.
3. Within the Areca RAID Controller user interface, delete the existing RAID sets and D: volume. 4. Within the Areca RAID Controller user interface, create new RAID sets for immediate or future use. 5. Stripe the volumes using the Windows Disk Management tool. 6.
How to delete RAID sets Use the Areca user interface to delete the existing RAID set from your GigaStor appliance. Delete the existing RAID set or sets and rebuild again for future use. 1. In Windows, open the program MRAID > ArcHttpSrvGui. The program starts, but it immediately minimizes to the Windows taskbar.
Each RAID set has been fully deleted from the GigaStor unit. How to build new RAID sets Create a new RAID array set in the Areca interface, and then prepare the new volume in Windows so it can be read and written to. Prerequisite(s): ...
3. Right-click Disk 1 again, select New Simple Volume, and click Next.
4. Assign drive letter D, and click Next.
5. Perform a quick format with these settings and values, and click Next.
● File system — NTFS
● Allocation unit size — Default
...
Prerequisite(s): These tasks require a hardware appliance GigaStor. These steps cannot be followed for the GigaStor Software Edition. In performing a full deletion of the data available on the GigaStor RAID, the following steps should be completed in the following order across the GigaStor Control Panel, Windows, and Areca RAID Controller.
2. Right-click the D: drive and select Format.
3. Choose either a quick format or full format. Do one of the following only:
● For a quicker disk operation and less data security, ensure the Quick Format option is selected and click Start.
● For a slower disk operation and more data security, clear (disable) the...
Figure 133: RAID Controller (Example) 4. In the leftmost panel, select Raid Set Functions > Delete RAID Set. 5. Select the Confirm box, and click Submit. Each RAID set has been fully deleted from the GigaStor unit. How to build new RAID sets Create a new RAID array set in the Areca interface, and then prepare the new volume in Windows so it can be read and written to.
● Tagged Command Queueing — Enabled
● SCSI Channel — 0:0:0
● Volumes To Be Created — 1
5. Select Confirm the Operation, and click Submit. Initialization of the RAID should now begin.
The RAID sets are now initializing, and this can last many hours. Return to the instructions when all initializations are finished.
How to create folders for the RAID drives Create a folder for network data to be stored. By default, the GigaStor Control Panel saves to a specific directory name on the RAID volumes, so make sure the folder is available for each volume. To create folders on your new RAID for the GigaStor appliance to save network data to, do the following: 1.
How to delete saved network data Use the GigaStor Control Panel to delete the data collected on the active instance(s) on the GigaStor. Note: If you use multiple active instances, which is not recommended, you must repeat these steps for each active instance. To delete the GigaStor saved data captured by an active instance: 2.
Figure 134: Viewing the application 3. In the leftmost panel, access the RAID controller by expanding the SAS Raid Controllers list and clicking the link named ARC-1883IX-24 Web Management. You might be asked for credentials during this step, unless you have an active session already.
By following these steps, all RAID sets and volumes are made. Part of this process includes foreground initialization that prohibits you from interacting with RAID sets before initialization completes. It can take many hours for initialization to complete, and during that time the RAID is not available. To build new RAID sets: 1.
● Perform a quick format — Enabled
6. Click Finish. After a few seconds, the D: drive should now be available to Windows.
You successfully prepared the disk volumes in Windows. Windows can now read and write to these RAID disk drives.
How to disable the Recycle Bin for RAID
The Windows Recycle Bin holds deleted files that can be restored, but this consumes valuable disk space.
Tip! These instructions are for a specific GigaStor model. See a full listing at GigaStor RAID Wiping and Rebuilding (page 253).
1. Within the Observer application, delete the GigaStor saved data on the Active Instance.
2. Within Windows, perform a disk format of the D: volume.
3.
● For a slower disk operation and more data security, clear (disable) the Quick Format option and click Start.
The D: disk drive volume is now being reformatted. This either deletes and recreates the file system structure only (quick format), or it overwrites all data on the volume with empty bits (non-quick format).
Figure 137: RAID Controller (Example) 4. In the leftmost panel, select Raid Set Functions > Delete RAID Set. 5. Select the Confirm box, and click Submit. Each RAID set has been fully deleted from the GigaStor unit. How to build new RAID sets Create a new RAID array set in the Areca interface, and then prepare the new volume in Windows so it can be read and written to.
● Tagged Command Queueing — Enabled
● SCSI Channel — 0:0:0
● Volumes To Be Created — 1
5. Select Confirm the Operation, and click Submit. Initialization of the RAID should now begin.
The RAID sets are now initializing, and this can last many hours. Return to the instructions when all initializations are finished.
How to create folders for the RAID drives Create a folder for network data to be stored. By default, the GigaStor Control Panel saves to a specific directory name on the RAID volumes, so make sure the folder is available for each volume. To create folders on your new RAID for the GigaStor appliance to save network data to, do the following: 1.
How to delete saved network data Use the GigaStor Control Panel to delete the data collected on the active instance(s) on the GigaStor. Note: If you use multiple active instances, which is not recommended, you must repeat these steps for each active instance. To delete the GigaStor saved data captured by an active instance: 2.
Figure 138: Viewing the application 3. In the leftmost panel, access the RAID controller by expanding the SAS Raid Controllers list and clicking the link named ARC-1883IX-24 Web Management. You might be asked for credentials during this step, unless you have an active session already.
By following these steps, all RAID sets and volumes are made. Part of this process includes foreground initialization that prohibits you from interacting with RAID sets before initialization completes. It can take many hours for initialization to complete, and during that time the RAID is not available. To build new RAID sets: 1.
● Perform a quick format — Enabled
6. Click Finish. After a few seconds, the D: drive should now be available to Windows.
You successfully prepared the disk volumes in Windows. Windows can now read and write to these RAID disk drives.
How to disable the Recycle Bin for RAID
The Windows Recycle Bin holds deleted files that can be restored, but this consumes valuable disk space.
RAID. You could lose data stored on the array or reduce its performance if a mistake is made. VIAVI uses a third party monitoring tool to monitor the RAID array developed by Areca. With it, you can be notified by email if there is an issue with the RAID array.
Figure 141: RAID array email notifications 4. Complete the page with the details for your SMTP server, email addresses to send to, and the type of notifications to send. 5. Select Confirm The Operation, and click Submit. 6. Close the web browser and minimize the Areca application to the taskbar. Now that email notifications are set up, your configured recipients are sent an email message any time a new RAID issue occurs.
Chapter 14: Understanding How a Probe Uses RAM
How a probe uses RAM
A Windows computer uses Random Access Memory (RAM) as a form of temporary data storage. Windows separates all available memory into three sections: protected memory, user memory, and reserved memory. An Observer probe, depending on how it is configured, uses these types of memory differently.
so that the probe runs efficiently and leaves the protected memory for the operating system and other programs to use. Packet captures are always written sequentially from the first open byte of RAM in reserved memory or in Windows protected memory. They are written until all available space is used.
Figure 143: How to resize various memory options
Packet capture buffer and statistics buffer
There are two kinds of buffers that a probe uses to store data in real-time: capture buffers and statistical buffers. The capture buffer stores the raw data captured from the network while the statistical buffer stores data entries that are snapshots of a given statistical data point.
Observer to be configured for your system.
Note: This section does not apply to the GigaStor or other hardware products from VIAVI. They are properly configured at the factory.
Tip! If you need more RAM for the statistics queue buffer, you may need to lower the amount of RAM dedicated to packet capture so that it is freed and available to add to the statistics queue.
Single Probes, unlike Multi-Probes and Expert Probes, cannot use reserved memory because of their design. By default, 16 megabytes is available for the Packet Capture and Statistics Queue buffer. Single Probes have a maximum of 52 megabytes that can be assigned from the Windows memory pool. Because of the Windows memory pool constraint, Single Probes are limited to a Packet capture buffer maximum of 72 megabytes, assuming you set the Statistics queue buffer to its minimum (12 megabytes).
Observer to be configured for your system.
Caution: Never change the reserved memory settings of VIAVI hardware unless VIAVI instructs you to do so. Reserved memory settings should only be modified on non-VIAVI hardware, such as a desktop computer running Observer.
any memory for Observer. To capture packets on 64-bit Windows install either more than or less than 4 GB of RAM. 32-bit operating systems do not support more than 4 GB of RAM. Observer cannot use any RAM 2. above 4 GB. 1.
Figure 145: How packets move through Observer’s memory
♦ The capture card receives data off the network.
♦ The capture card passes data into RAM. In the RAM it goes into the packet capture buffer and the statistics queue buffer.
♦ The statistics queue buffer passes the information to the statistics...
100 MB allocated to the capture buffer of any probe instance that is bound to the capture card. Allocating less than 100 MB to a probe instance monitoring a VIAVI capture card may cause instability.
♦ If you are using any hardware accelerated probe instance, you must have...
minimum, but consider substantially raising this amount. The more RAM that you can allocate to packet capture and statistics, the better your GigaStor probe will perform.
♦ When using multiple probe instances on a GigaStor, ensure that only one probe instance is associated with the capture card. (If you are using virtual adapters to monitor disparate networks, then you may have more than one active instance bound to the capture card.) For performance reasons, all other probe instances should be associated with a different network...
Observer/GigaStor. Understanding the capture card The Gen3 capture card is designed and manufactured exclusively by VIAVI. This capture card is optimized for the Observer Platform and comes pre-installed in many GigaStor hardware and probe appliances.
For fiber optic connections that require a splitter: these steps assume you are using the VIAVI optical Y-splitter cable, as it is unable to inject light back into the upstream network link and the provided steps assume the cable is being used. If...
To configure the capture card to properly connect to a network device: 1. In your version of Windows, open Device Manager. 2. In the tree on the right, expand Viavi Solutions Inc. Capture Adapters. 3. Right-click the capture card entry and choose Properties.
Figure 146: Capture card Advanced Properties Each configured and cabled capture card port to your device(s) should establish a working connection. When to use a SPAN/mirror port The advantage of using a SPAN/mirror port is its cost, as a SPAN/mirror port is included for free with nearly every managed switch.
♦ Reconstructs an integrated data stream from the two channels
♦ Routes the integrated signal to the send channel of the SPAN/mirror port
Each of these activities burdens the switch’s internal processor. These demands on the switch’s CPU have implications for both your monitoring equipment and general network performance.
To view the Gen3 capture card properties: 1. In your version of Windows, open Device Manager. 2. In the tree on the right, expand Viavi Solutions Inc. Capture Adapters. 3. Right-click the capture card entry and choose Properties. The Gen3 capture card device properties window is now visible.
Figure 147: Gen3 capture card properties
See Capture card device properties (page 335) for more explanation of the capture card properties in Windows Device Manager.
How to create virtual adapters
By default, Observer recognizes a Gen3 capture card as a single network adapter. However, you can make multiple clones of the capture card, called virtual adapters, and use each independently.
To create a virtual adapter: 1. In Observer, right-click the Gen3 capture card-equipped probe instance from the probe list, and click Probe or Device Properties. A Gen3 capture card-equipped probe instance shows (Gigabit) or similar after the name. 2. Click the Virtual Adapters tab. Figure 148: Virtual Adapters tab 3.
5. Select physical ports from the Available Ports list, and click Add. You can select more than one physical port by holding CTRL as you click. 6. (Optional) If this virtual adapter should operate during certain days and times only, select Schedule virtual adapter ports and follow the prompts. (Optional) If you choose to set a schedule for your virtual adapter, the remaining steps in this procedure may not be followable as written.
Figure 149: Skip Duplicate Packets Using Hardware Accelerated Capture Adapter
6. (Optional) Select how duplicate packets are recognized by the Gen3 capture card and click OK.
Example: By selecting Examine IP time to live (TTL), the packet time to live is considered when determining a duplicate packet.
SFPs separately from others, then you can use virtual adapters to assign specific physical ports to probe instances.
Prerequisite(s): Your hardware appliance must have one of the following:
♦ Gen2 capture card
♦ Gen3 capture card
For example, suppose you are deploying an 8-port Gen3 capture card as follows:
♦ Ports 1-4 are monitoring a collection of trunked links...
Figure 150: Virtual Adapters tab 3. Select a virtual adapter, and click Edit Adapter. 4. Select physical ports from the Available Ports list, and click Add. You can select more than one physical port by holding CTRL as you click. 5.
This section applies to all probes and all versions of them, including Single Probe, Multi Probe, and Expert Probe on VIAVI or third party hardware. Note: If you have a network card in your system, but it is not being seen...
Note: When allocating memory for any probe instance with the VIAVI capture card as the chosen adapter, at least 80 MB of memory must be allocated to both the capture buffer and statistics queue buffers. Failure to do so will result in the inability to capture data.
Prerequisite(s): To complete these steps, your probe instance list must show the active instance of your GigaStor probe. This can be accomplished by using Windows Remote Desktop to log on to the GigaStor system—so you can see the active instance directly—or by temporarily redirecting the active instance (page 331) of the...
A probe may have multiple probe instances, which are useful if you need multiple users using the same probe simultaneously or if you have specific needs for each probe instance (for instance, packet capture, trending, and so on). When you connect to a probe, ensure you select the probe instance you need and not one being used by someone else.
6. Select the remote probe instance from the list, and click Redirect Selected Probe Instance(s). Allow time for the remote probe to redirect. How long this operation can take is limited by a timeout countdown. The probe instances of the remote probe are shown. 7.
♦ Use software-based pre-filters. They are mutually exclusive; only one may be used.
♦ Affect statistics-based information, such as Network Trending.
There are two types of filtering that occur in GigaStor: hardware filtering on the capture card and software filtering in Observer. Hardware filtering only affects which packets are captured on the capture card and saved to the RAID;...
The General tab lists basic information about the capture card.
Figure 154: General
Field: Description
Device type: Device type should state Viavi Solutions Inc. Capture Adapters.
Manufacturer: Manufacturer should state Viavi Solutions.
Location: Location indicates the PCI bus number that the capture card is using.
Figure 155: Current State
Field: Description
SFP state: SFP state shows capture card ports that have a supported SFP installed (page 318), if that SFP is operational, and if the SFP is fiber (F) or copper (C). If a capture card port does not have an SFP installed, its icon remains dimmed.
Field: Description
risk immediate damage to the capture card. Always maintain proper case airflow and ambient temperature.
Power: This icon shows a red color if there is a power problem. A power problem could occur if the 12v power supply (PSU) rail, typically for MOLEX and auxiliary connections, is operating out-of-range and could indicate a dying power supply.
Figure 157: Advanced Settings
Field: Description
Enable (Port): Each box represents a physical port on the capture card. These cannot be modified.
Auto-Neg: Each box represents the auto-negotiation setting for a port on the capture card. If selected, auto-negotiation for this port is turned on.
Figure 158: Driver
Field: Description
Driver provider: Driver provider should state Viavi Solutions.
Driver date: Shows the date that your currently installed capture card drivers were made.
Driver version: Shows the version of your currently installed capture card drivers. These do not always match your application versions for the Observer Platform.
Figure 159: Details
Field: Description
Property: Lists each device property that can be viewed.
Value: Displays the value of the selected property as reported by the device driver.
Events
The Events tab shows driver events like when a capture card driver is installed.
Capture card device properties GigaStor (23 Feb 2018) —...
Figure 160: Events
Field: Description
Events: Each Windows event regarding the capture card is logged. This can help you understand when the drivers were updated and can be useful when troubleshooting.
Information: The full event message shows here for the selected Windows event.
1. In your version of Windows, open Device Manager.
2. Find and expand one of these.
● Viavi Solutions Inc Capture Adapters
How to identify your GigaStor...
Can I upgrade a Network Instruments-manufactured, blue GigaStor to Observer 17.2 or later?
Yes, if you have an active maintenance contract. No new features are available on the Gen2 capture card as a result of this name change.
Can I put a Gen3 capture card in a Network Instruments-manufactured, blue GigaStor?
No, the Gen3 capture card is only available in the GigaStor Gen3 appliance.
4. In Timestamp type, choose your switch aggregator. Timestamp types (page 224)
5. Choose what filters to apply. Trailer filters (page 225)
The Decode pane displays packets in the sorted (and filtered) order based on your chosen switch aggregator.
Timestamp types
Timestamp types provides a list of the supported switch aggregators that can be used to reorder packets before they are shown in the Decode pane.
Probe ID(s): A comma separated list of hexadecimal characters from a PacketPortal IV SFProbe or JMEP. Use PacketPortal System Manager (IV SFProbe) or the SFP Programmer GUI (JMEP) to view a list of probe IDs. A sample probe ID: 5e65eb52f633.
Setting the probe’s time clock synchronization settings
At times your capture card driver’s time clock may drift.
Supported time stamps for reordering: Arista cPacket Gigamon GigaSMART Gigamon H-Series IXIA Anue NetScaler Network Instruments PacketPortal PDG VSS Monitoring VSS Monitoring w/ Port
Supported time synchronization methods: Description
Sync capture drivers with: Each time Observer starts, the capture card drivers are synchronized with the Windows system clock one time.
Understanding packet deduplication Deduplication is useful when multiple copies of the same packet are received, but only a single copy should be seen. Duplicate traffic is part of any network environment and is unavoidable. However, reducing duplicate packets as much as possible helps ensure your network is more efficient.
5. (Optional) Click Skip Duplicate Packets Configuration. The Skip Duplicate Packets Using Hardware Accelerated Capture Adapter dialog appears. Figure 163: Skip Duplicate Packets Using Hardware Accelerated Capture Adapter 6. (Optional) Select how duplicate packets are recognized by the Gen3 capture card and click OK.
Deduplication details for the capture card
The packet deduplication engine of the capture card is controlled by features in Observer. The features must be in use for packet deduplication to work. For capture card packet deduplication to work:
♦ Hardware acceleration must be enabled and in use...
when packet time difference is less than: a time difference less than N-milliseconds. Setting this can help avoid some false-positive results, but you may need to experiment with the value.
Data link layer: If selected, layer 2 of the OSI Model is ignored when determining duplicate packets.
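The effect of the two options above (a time-difference threshold and ignoring the data link layer) can be reproduced offline with a short script. This is an added example, not Observer's or the capture card's own algorithm; the function names, the SHA-256 keying, the Ethernet II/802.1Q framing and the sample frames are assumptions constructed for illustration.

```python
import hashlib

ETH_HEADER_LEN = 14        # Ethernet II: dst MAC + src MAC + EtherType
VLAN_TPID = b"\x81\x00"    # 802.1Q tag marker (adds 4 bytes to the header)


def l2_payload(frame: bytes) -> bytes:
    """Return the frame without its Ethernet header and one 802.1Q tag."""
    offset = ETH_HEADER_LEN + (4 if frame[12:14] == VLAN_TPID else 0)
    return frame[offset:]


def deduplicate(packets, window_ms=None, ignore_l2=False):
    """Drop duplicates from (timestamp_us, frame) pairs given in capture order.

    window_ms: a copy is a duplicate only if it arrives less than this many
               milliseconds after the previous copy (None = no time check).
    ignore_l2: compare frames with the layer 2 header stripped.
    """
    last_seen = {}   # digest -> timestamp of most recent copy (unbounded here)
    kept = []
    for ts_us, frame in packets:
        data = l2_payload(frame) if ignore_l2 else frame
        key = hashlib.sha256(data).digest()
        prev = last_seen.get(key)
        last_seen[key] = ts_us
        if prev is not None and (window_ms is None or ts_us - prev < window_ms * 1000):
            continue
        kept.append((ts_us, frame))
    return kept


def make_frame(dst, src, payload, vlan=None):
    """Build a constructed Ethernet II frame (hypothetical helper for the demo)."""
    tag = VLAN_TPID + vlan.to_bytes(2, "big") if vlan is not None else b""
    return bytes.fromhex(dst) + bytes.fromhex(src) + tag + b"\x08\x00" + payload


# Constructed sample data: one payload seen four times.
PAYLOAD = b"constructed-layer3-bytes"
SAMPLE = [
    (0, make_frame("aa" * 6, "bb" * 6, PAYLOAD)),                # first copy
    (2_000, make_frame("aa" * 6, "bb" * 6, PAYLOAD)),            # identical, 2 ms later
    (3_000, make_frame("cc" * 6, "dd" * 6, PAYLOAD, vlan=100)),  # new MACs + VLAN tag
    (500_000, make_frame("aa" * 6, "bb" * 6, PAYLOAD)),          # identical, 500 ms later
]

if __name__ == "__main__":
    for opts in ({}, {"window_ms": 5}, {"window_ms": 5, "ignore_l2": True}):
        print(opts, [ts for ts, _ in deduplicate(SAMPLE, **opts)])
```

With the 5 ms window the identical frame seen 500 ms later is kept rather than dropped, and with layer 2 ignored the re-tagged copy is recognized as a duplicate.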
Chapter 16: Troubleshooting
Learn how to determine if your GigaStor Control Panel is experiencing issues and what you can do to fix common issues.
Troubleshooting common issues
Use the information in this section to assist you if you have a problem with your probe not connecting to your analyzer, your probe does not have a network adapter available, or if you are using an nTAP and want to capture NetFlow traffic or several other common issues.
Third, do not, under any circumstances, share interrupts, I/O ports, or memory addresses between adapters. No matter what has worked before or what might work in the future, sharing interrupts or memory settings is not a valid configuration.
Troubleshooting checklist:
Does your network work without any Observer programs or drivers loaded? If not, check your network installation instructions.
7. From the Local Area Connection Properties (step 5), choose Install > Protocol > Add > VIAVI – VMONI Protocol Analyzer and click OK. If the VMONI driver is not listed, click Have Disk, then browse to the VMONI.SYS file located in the Observer directory on your hard drive, select it, and click OK. The VMONI Protocol Analyzer will now be available to install.
8. Restart the computer after you have completed installing the driver.
You should now be able to select an adapter when starting Observer.
Troubleshooting common issues GigaStor (23 Feb 2018) — Archive/Non-authoritative version...
The Gigabit NIC no longer strips VLAN tags, so the symptom in Observer is resolved.
VLAN Statistics tool is not working
Symptoms: “No VLAN” is the only VLAN ID that shows up in the VLANs column in VLAN Statistics. You are not seeing all VLANs you have on the network.
Causes: To display VLAN Statistics, Observer checks each packet for a VLAN tag;...
For a 6500/6000 Series Switch running Native IOS 12.1 or later, you must configure the destination port as a trunk port prior to configuring the SPAN. The commands have the following syntax:
C6500(config)#Interface Type slot/port
C6500(config-if)#Switchport
C6500(config-if)#Switchport trunk encapsulation { ISL | dot1q }
C6500(config-if)#Switchport mode trunk
C6500(config-if)#Switchport nonnegotiate
To monitor 802.1Q VLAN traffic passing through Fast Ethernet 02 via a SPAN port...
Size Distribution Statistics, Top Talkers –MAC (by hardware Address) will now show data by Port.
Suspected NAT or VPN issues
If you use network address translation (NAT) in your environment, you must make some configuration changes in Observer. Using the TCP/IP port information in Ports used by Observer products v16 and earlier (page 212), you should be able to set up the NAT properly.
To use Observer with the Cisco 6xxx switch, you must disable auto negotiation. With auto negotiation enabled, the switch and probe may create a link when first starting the probe, but if the cable is unplugged or if a configuration change to the SPAN/mirror port is applied, you will lose connectivity to the switch.
Troubleshooting the GigaStor Control Panel
Use the information in this section to assist you if you have a problem with the GigaStor Control Panel.
GigaStor Control Panel option is grayed out
If the Capture > GigaStor Control Panel option is grayed out and unavailable, one of two things has likely occurred.
filters to limit the packets you want to decode, shorten the time frame you are mining, or both.
Troubleshooting the capture card
Gen3 capture card issues are uncommon, but this information can help identify and solve a Gen3 capture card-related issue. Most solutions suggested require that the unit be returned to an authorized service center for repair.
Temperature or voltage out of acceptable range
♦ Air or fan obstruction
♦ Faulty system fan
♦ Faulty temperature probe
Customer
1. Remove airflow obstructions from case or fan shrouds.
Authorized service center
1.
Packet capture does not start on Gen3 capture card
If Packet Capture does not start and there is no date and time information below the packet capture graph, you may need to reinstall the drivers for the Gen3 capture card.
An issue is causing packet capture to not start
Several steps may be necessary to isolate the specific issue.
2. Click Device Manager.
3. In the list, expand Viavi Solutions Inc. Capture Adapters.
4. Right-click the VIAVI capture card and choose Update Driver Software.
5. Click Browse my computer for driver software.
6. Browse to or type C:\Program Files\Observer\DRIVERS\ and ensure the Include subfolders box is selected.
The correct drivers install as soon as they are found. 8. Repeat the same procedure for the other VIAVI capture card shown. Example: You might see a second capture card depending on your hardware appliance. If so, you must repeat...
Do not restart the system! Figure 166: Fully uninstall the driver 6. Repeat the same procedure for the other VIAVI capture card shown. Example: You might see a second capture card depending on your hardware appliance. If so, you must repeat step 5 for the other capture card.
10. Restart the GigaStor system. This should be the last time a restart is required. Windows can no longer find VIAVI capture card drivers to automatically install. This provides you the opportunity to install known, good drivers for the capture card manually without Windows deciding for you or reintroducing the driver conflicts you are trying to avoid.
8. In Windows, using your keyboard, press the Windows logo key + R.
9. Type control panel and press Enter. The Control Panel opens.
10. Proceed to Uninstall a program, select Viavi Solutions Observer Analyzer, and click Uninstall/Change.
After Uninstall/Change is clicked, the Observer installer appears. It asks if you want to repair or uninstall Observer.
Chapter 17: Backups and Restoring
Multiple portions of the GigaStor appliance can be backed up and restored. If necessary, you can also use the GigaStor System Restore kit to re-image your entire GigaStor to factory settings.
3. Click the Settings button to open GigaStor Settings.
4. Click the Export tab.
5. Choose how you want to export the data and in which format (BFR, PCAP, or CAP).
6. (Optional) Choose to schedule the export so that it can happen automatically.
7.
Restoring a GigaStor to factory settings is usually a last resort when all other methods to correct the issue have failed and should only be done under the direction of VIAVI Technical Support. Prerequisite(s): All captured packets and trending data on the GigaStor RAID are safe. Nothing on the RAID (D:\) is affected by this process.
♦ Physical access to the GigaStor
♦ Monitor and keyboard (connected to GigaStor)
Each restore kit is purpose-built for a specific GigaStor that you own. You must match the serial number displayed on the GigaStor Restore USB flash drive to the serial number of the GigaStor.