Network Instruments GigaStor User Manual page 11

Capture Partial Packets
Collect and Show
GigaStor Information by
Capture and Analysis
Options
Enable Analysis Types:
GigaStor Packet
Sampling
by default, Observer will capture the entire packet. This option allows you to
define a specific amount of each packet to capture to the buffer. For example,
a setting of 64 bytes will result in Observer only capturing the first 64 bytes of
every packet. Most of the pertinent information about the packet (as opposed
to the information contained in the packet) is at the beginning of the packet, so
this option allows you to collect more packets for a specific buffer size by only
collecting the first part of the packet. In some forensic situations, a warrant may
only allow an officer/agent to collect, for example, e-mail headers.
Also, if the system is having trouble keeping up with bandwidth spikes, collecting
partial packets can resolve the issue. To change the number of bytes captured in
each packet, click the Change Size.
This setting affects all analyzers that connect to this probe. You cannot change
this setting unless you have administrative privileges to do so.
Choose whether to show or hide the following tabs in the GigaStor Control Panel:
MAC Stations, IP Pairs, IP Addresses, TCP Applications, UDP Applications, VLANs,
MPLS, and Physical Ports. These options are for controlling statistical display only.
All packets that the GigaStor sees are written to disk and is available for analyzing
using the "Analyze" button.
The value configured in these boxes determine the maximum number of stations
that are indexed by the GigaStor and shown in the GigaStor Control Panel. If you
are limiting MAC stations to 1000 (the default), it is the first 1000 MAC stations the
GigaStor sees—not the most recent 1000.
The maximum allowable IP Pairs is 100,000 (the default is 10,000).
Enable intelligent TCP protocol determination: Displays only known applications
while hiding dynamic ports by using the TCP threeway handshake (SYN SYN+ACK
ACK). Clearing this option shows all ports.
Limit to ports defined in "Protocol Definitions": Select this option to limit the ports
shown to only those listed in the Protocol Definitions. See the Discovery section
in the Observer User Guide.
Track statistics information per physical port: When selected, causes the GigaStor
to index the data it collects by Gen2 capture card physical ports. You can then
display GigaStor Control Panel statistics by physical port. If this option is selected,
then you also may want to enable the "Use physical port selections..." option also
on this tab.
Collect counts for all IP protocols in addition to TCP and UDP: Select this option to
collect counts for all IP protocols (such as ICMP, OSPF, Multicast, etc.) not just TCP
and UDP. If this option is not selected, TCP and UDP counts are still collected.
Choose whether to enable the GigaStor Control Panel to process and display
these types of data. By unchecking these options the corresponding tab is hidden
in the GigaStor Control Panel and you cannot analyze packets for these data
types:
Forensic Analysis (uses Snort rules)
FIX Analysis: used to process FIX financial transactions.
Microburst Analysis: used to process data to identify microbursts on your
network, typically a concern for network administrators in trading firms, but also
other companies.
Trading Multicast Analysis:
Packet sampling applies to the GigaStor Control Panel statistical displays, not
saved packets. On probes connected to highly-saturated networks (especially
multi-port probes), sometimes it is desirable to adjust the rate of statistical
Setting GigaStor's basic options | 11