Network Instruments GigaStor Portable User manual

GigaStor™
User Guide

ii | Table of Contents (pub. 25.Apr.2014)
Table of Contents
Chapter 1: Getting Started
Getting started using your GigaStor
What is the GigaStor?
Using the GigaStor Control Panel
Non-GigaStor-specific settings
Setting GigaStor's basic options
GigaStor reports
Understanding GigaStor protocol and port settings
Chapter 2: Hardware Settings
Configuring your GigaStor
Defining your subnets in GigaStor
Tracking individual analysis ports
Configuring the packet capture and GigaStor buffer size
Generating NetFlow records from the GigaStor’s NetFlow Agent
Chapter 3: About Probe Instances
Introducing Probes
What is a probe instance?
Which software probe is right for you?
How probes work with switches
Chapter 4: Deploying Probes in your Network
Deploying probes in your network
Monitoring half-duplex and full-duplex Ethernet links
Monitoring wireless traffic
Deciding where to place probes in your network
Ports used by Network Instruments products
Chapter 5: Packet Captures
Capturing packets with the GigaStor
Setting a schedule for when data captures should occur
Trimming data from your captures for space or privacy
Password protecting the ability to change partial packet capture size
Differences between statistics and packets
Understanding GigaStor indexing
Exporting GigaStor data for archiving
Chapter 6: Mining Data
Mining data from your GigaStor
Selecting a time frame to analyze
Analyzing data without any filters
Analyzing data with filters from the Observer filter editor
Analyzing data with filters from the GigaStor Control Panel
Analyzing data by combining GigaStor Control Panel and Observer filters
Analyzing multiple GigaStor probe instances from one GigaStor Control Panel
Chapter 7: Stream Reconstruction
Reconstructing streams of HTTP, VoIP, and more
Defining what can be recreated in Stream Reconstruction
How to extract VoIP and video calls from your GigaStor
How to analyze 4G LTE traffic from your GigaStor
Analyzing 4G LTE traffic
Chapter 8: Forensic Analysis
Examining your network traffic with forensic analysis
Importing Snort rules
Analyzing packets using Snort rules
Creating a Forensic Settings profile
Using network forensics to track a security breach
Using network forensics to track acceptable use or compliance
Chapter 9: Microbursts
Searching for microbursts
Using the Microburst Analysis tab in the GigaStor Control Panel
Using the Detail Chart only
Chapter 10: Charts, Graphs, and Reports
Configuring options for the GigaStor charts, graphs, and reports
Detailed Chart tab
GigaStor Outline
Capture Graph tab
Statistics Lists tab
Chapter 11: GigaStor in a Financial Firm
Using Observer in financial firms
Analyzing FIX transactions
Configuring a FIX profile
Chapter 12: GigaStor RAID Maintenance
Monitoring and maintaining the GigaStor RAID array
Monitoring the RAID drives through e-mail notifications
Cleaning the disk to maintain write performance
Chapter 13: Understanding how a Probe Uses RAM
How a probe uses RAM
Packet capture buffer and statistics buffer
Running Observer without reserved memory
Running Observer with reserved memory
How packet capture affects RAM
How to allocate the reserved RAM
Recommendations for the Gen2 capture cards
Tweaking the statistics memory configuration
Chapter 14: Gen2 Capture Card
Gen2 capture card
Installing the Gen2 card’s SFP, QSFP or XFP interfaces
Supported QSFP/SFP/SFP+ media types
Configuring virtual adapters on the Gen2 card
Viewing the Gen2 card’s properties and finding the board’s ID
Setting the cable length for the GPS System
Connecting your GigaStor to a GPS System
Configuring the 10 Gb Gen2 card with a SPAN port
Chapter 15: GPS
Chapter 16: Troubleshooting
Troubleshooting common issues
Troubleshooting a slow probe system
A probe is not connecting to the analyzer or vice versa
No network adapter available
Integrated adapters report all sent packets with bad TCP checksum
“No VLAN” shown while using a Gigabit NIC
VLAN Statistics tool is not working
Using Discover Network Names on a Layer 3 switch that uses VLANS
Suspected NAT or VPN issues
Running Observer passively affects NetFlow
Daylight Savings Time
Configuring Cisco 6xxx switches using a SPAN port to a full-duplex Gigabit Probe
Cisco CatOS switches
Cisco IOS switches
Ports used by Network Instruments products
Troubleshooting your GigaStor configuration
GigaStor Control Panel option is grayed out
GigaStor is full or does not have the history you expect
TCP applications are not appearing in the GigaStor Control Panel
Loading decodes in the Observer analyzer is slow
A RAID array drive is failing or has failed
Chapter 17: Backups and Restoring
Configuring a FIX profile
Exporting GigaStor data for archiving
Backing up your Observer
How to restore a GigaStor probe to factory settings
Chapter 18: Installation
Unpacking and inspecting the parts
Installing the GigaStor Upgradeable 5U
How to install the Network Instruments rail kits
Installing the drives in your GigaStor
How to handle hard drives properly
Setting the probe’s IP address
Configuring the Lights out Management port for your GigaStor
Chapter 19: Technical Specifications
GigaStor Upgradeable 5U technical specifications
Supported QSFP/SFP/SFP+ media types
Index

GigaStor Upgradeable

Chapter 1: Getting Started
Getting started using your GigaStor
A GigaStor probe is a hardware device with many terabytes of storage space to capture, store, and analyze your
network traffic. All GigaStor probes use the Expert Probe software. Learn more about the Expert Probe in .
To get the most out of your GigaStor, you need:
- A good working knowledge of your network. You can use the Observer analyzer to gather information
  from your routing protocols and verify your network configurations, which is helpful when updating
  your network map.
- An understanding of the protocols that run on your network.
Follow these steps to get started with your GigaStor. The installation happens in two main parts. The first part
is at the GigaStor probe in the server room. The second part continues at a desk using the Observer analyzer to
connect to the GigaStor probe.
Before installing your GigaStor probe:
1. Where you should install your GigaStor probe is discussed in Deciding where to place probes in your
network.
2. The GigaStor uses probe instances, and in particular a unique probe instance called an “active instance.”
Learn more about probe instances and why you want to use them in What is a probe instance?.
3. After you have determined where to place your GigaStor probe, install the unit into your rack. It is important
to install the RAID drives into the correct slots. Ensure that monitoring interfaces are connected to the
appropriate data feeds (SPAN or mirror ports, TAPs, aggregation devices). Ensure the configuration of these
third-party devices is done properly so data flows to the GigaStor.
4. By default the GigaStor probe’s name is a random mix of letters and numbers. Change the name of the
GigaStor probe to something identifiable (such as the physical location or purpose).
In a typical installation, the GigaStor probe runs the Expert Probe software as a Windows service and a
remote Observer analyzer connects to the GigaStor probe to complete the configuration.
From the Observer analyzer system, complete the following steps. These steps require that you have an
Observer analyzer installed and licensed separately from the GigaStor probe.
5. Connect to the GigaStor probe from your Observer analyzer.

6. By default the active instance is called “Instance 1” and there are no passive instances. Rename the active
instance to something more meaningful (for instance, “Active Instance”) and create at least two passive
instances. (You can create more passive instances later if you wish.) Although you renamed the GigaStor
probe in step 4, renaming the probe instance is different. For details, see Creating a probe instance. Pay
attention to the special instructions if your GigaStor array is larger than 256 TB.
7. Set the adapter speed for the active instance. See .
8. The purpose of a GigaStor probe is to capture and store large amounts of data. By default the GigaStor is not
set to capture any data. It must be enabled. To do that, you must have the GigaStor capture running. See
Configuring probes to collect data even when not connected to an analyzer.
9. Using a passive probe instance, begin analyzing the traffic you are capturing. See Using the GigaStor Control
Panel.
After you have collected data, you will want to see what is happening on your network. See:
- Mining data from your GigaStor (page 32).
- Reconstructing streams of HTTP, VoIP, and more (page 39).
- Examining your network traffic with forensic analysis (page 44).
- Analyzing FIX transactions (page 60).
Although not a complete list, these are common optional settings you may want to change. Use
these options along with the rest of the information in this user guide, including Using the
GigaStor Control Panel (page 8), to fine-tune your GigaStor.
10. (Optional) If you want to track physical ports individually, ensure you enable “Track statistics information per
physical port.” See Setting GigaStor's basic options.
11. (Optional) If you want to define the different subnets of your network so that GigaStor can track and report
on them, see Defining your subnets in GigaStor.
12. (Optional) All GigaStor probes come with a Gen2 capture card. Details about this unique capture card,
including physical port indexing or virtual adapters, are covered in Gen2 capture card.
13. (Optional) Since a GigaStor is designed to have several concurrent users attached to it, you should add user
accounts to your probe. See and .
14. (Optional) Your reports and displays may be more complete and readable if you add devices to the GigaStor
probe’s address book and define any custom applications to the list maintained by the probe.
15. (Optional) The default setting for the Observer analyzer is to not be aware of TCP connections that were
opened after the GigaStor or packet capture started. You can change this default setting.
a. Mine some data from the GigaStor. See Analyzing data without any filters (page 35). This opens the
Decode and Analysis tab.
b. Ensure the Expert Analysis tab is selected, then click the Settings button at the top. The Expert Global
Settings window opens.
c. Click the TCP/IP tab and clear the “Follow only newly opened TCP connections” option. A newly opened
TCP connection is any connection established after Expert Analysis was started. If the conversation
started before Expert Analysis was started, Observer cannot see it.
What is the GigaStor?
The GigaStor is a specialized probe appliance for capturing, storing, and analyzing high levels of network traffic
over long periods of time.

It includes a high-performance Redundant Array of Independent Disks (RAID) coupled with the Gen2 capture
card in a rack unit. The Gen2 capture card allows you to capture a number of different full-duplex media by
swapping standard SFP or XFP modules in and out. When the Observer analyzer is connected to a GigaStor
probe, the GigaStor Control Panel is enabled. The GigaStor Control Panel eases many tasks involved in capturing,
storing, and retrieving massive amounts of network traffic.
Tip! Place GigaStors in the data center core. Locate near servers to capture their server-to-server traffic. The
distribution layer is another optimal position for GigaStor.
By utilizing the included network TAPs, you can insert and remove the GigaStor around the network without
disruption of flow. The GigaStor reports back to Observer Expert and Observer Suite analyzers for in-depth
analysis.
If desired, GigaStor can be configured as a local console for on-site analysis.
Using the GigaStor Control Panel
This section covers the GigaStor Control Panel, its settings, and its use when you choose Capture > GigaStor
Control Panel. It does not cover packet decoding or analysis like TCP, UDP, or VoIP Events, nor does it cover
Connection Dynamics.
After the GigaStor probe is up and running on the network, you can use an Observer analyzer to view captures
from the probe. In Observer, you use a special section of the analyzer called the GigaStor Control Panel. The
major sections of the GigaStor Control Panel are listed in Figure 1 (page 8).
Figure 1: GigaStor Detail and Outline Charts
The GigaStor Control Panel shows traffic on a time line graph, allowing you to select packets for decoding,
analysis, and display by defining the time period you want to view, and the types of packets you want to include.
Use the sliders at the top of the time line chart to select the time period you are interested in analyzing, then
click Update Chart and Update Reports to update everything to the new time frame. Right-click in the top
chart to open additional controls.

Figure 2: GigaStor Control Panel Summary tab
If desired, you can further constrain the display of packets by MAC Stations, IP Stations, IP Pairs, etc., by clicking
on the appropriate Statistics tab and selecting the items you want to see on the Detail Chart.
Press the Settings button. Under General Options, uncheck Enable Analysis types if you are not using 4G LTE,
FIX, etc. This will remove them from the Reports/Statistics ribbon.
Use the left/right arrow on the Reports/Statistics ribbon to move it to the right to see the button if needed.
Pressing this button maximizes or minimizes the Reports/Statistics section. Now you can more easily work with
and view reports and statistics for your selected time frame. You can filter or select a specific area of interest,
such as HTTP. Press the Analyze button and choose Filter Using Selected GigaStor Entries to open Expert
Analysis and decode tools focused on just your area of interest.
Non-GigaStor-specific settings
The GigaStor Control Panel is a portion of the Observer analyzer. Some settings in the Observer analyzer affect
the GigaStor. Some things you may want to configure in Observer include:
Discovering host names so that GigaStor resolves and uses host names. See the Discovery section in the
Observer User Guide.
Protocol definitions. This is particularly important if you have custom protocols you want to monitor. See
the Discovery section in the Observer User Guide.

TCP/UDP/Server applications. By defining specific applications Observer can provide more detailed
reports to you. Observer has many applications already defined, but you can add more if you wish. See
the Discovery section in the Observer User Guide.
The default setting for the Observer analyzer is to not be aware of TCP connections that were opened
after the GigaStor or packet capture started. You can change this default setting.
Mine some data from the GigaStor. See Analyzing data without any filters (page 35). This opens the
Decode and Analysis tab.
Ensure the Expert Analysis tab is selected, then click the Settings button at the top. The Expert Global
Settings window opens.
Click the TCP/IP tab and clear the “Follow only newly opened TCP connections” option. A newly opened
TCP connection is any connection established after Expert Analysis was started. If the conversation
started before Expert Analysis was started, Observer cannot see it.
Setting GigaStor's basic options
This tab lets you configure many options for the GigaStor.
1. Choose Capture > GigaStor Control Panel.
2. Click the Settings button.
3. Click the General Options tab. See Table 1 for a description of each field of the GigaStor General Options tab.
Packet capture and GigaStor buffer size—This only applies to the active probe instance.
Partial packet capture size—This only applies to the active probe instance.
GigaStor indexing options—You may need to adjust the indexing information based on your
network.
Capture and analysis options—What protocols are on your network? Are they all standard protocols,
or do you have some custom or home grown protocols?
Other general GigaStor Control Panel options.
The Packet Capture Setup dialog is where buffer and packet specific options are set. You can access the
Packet Capture Setup dialog by selecting Capture > Packet Capture and then clicking on the Settings
button. The Capture Setup dialog is displayed.
Table 1: GigaStor configuration options
Capture Buffer size: Only available if you are configuring an active GigaStor instance.
Allows you to set the amount of Windows memory that Observer will set aside
to store captured packets. Observer will show the buffer percentage full and give
you an idea of what the best buffer size is for a particular situation.
You will want to capture an event in as little time with as little buffer space as
possible. Observer has no limitations on the amount of RAM that can be used for
a buffer. You can allocate up to 4 gigabytes on the 32-bit version of Observer, limited
only by the physical memory installed on your system. On 64-bit systems, you are
limited only by the amount of physical memory installed on the Observer PC.
It is not recommended that you use Observer to view packets going to or coming
from the Observer PC. If you need to look at the traffic to/from the Observer
PC, install Observer on another PC. There are many reasons why this is not a
good idea but, in general, you will see varying amounts of your own data with a
protocol analyzer on your own PC. This is due to the architecture of the PC and
the inability of Windows to multi-task the receiving and analysis of the data going
and coming from the Observer PC.

Capture Partial Packets: By default, Observer will capture the entire packet. This option allows you to
define a specific amount of each packet to capture to the buffer. For example,
a setting of 64 bytes will result in Observer only capturing the first 64 bytes of
every packet. Most of the pertinent information about the packet (as opposed
to the information contained in the packet) is at the beginning of the packet, so
this option allows you to collect more packets for a specific buffer size by only
collecting the first part of the packet. In some forensic situations, a warrant may
only allow an officer/agent to collect, for example, e-mail headers.
Also, if the system is having trouble keeping up with bandwidth spikes, collecting
partial packets can resolve the issue. To change the number of bytes captured in
each packet, click Change Size.
This setting affects all analyzers that connect to this probe. You cannot change
this setting unless you have administrative privileges to do so.
Collect and Show GigaStor Information by: Choose whether to show or hide the following tabs in the GigaStor Control Panel:
MAC Stations, IP Pairs, IP Addresses, TCP Applications, UDP Applications, VLANs,
MPLS, and Physical Ports. These options are for controlling statistical display only.
All packets that the GigaStor sees are written to disk and are available for analyzing
using the “Analyze” button.
The values configured in these boxes determine the maximum number of stations
that are indexed by the GigaStor and shown in the GigaStor Control Panel. If you
are limiting MAC stations to 1000 (the default), it is the first 1000 MAC stations the
GigaStor sees—not the most recent 1000.
The maximum allowable IP Pairs is 100,000 (the default is 10,000).
Capture and Analysis Options:
Enable intelligent TCP protocol determination: Displays only known applications
while hiding dynamic ports by using the TCP three-way handshake (SYN, SYN+ACK,
ACK). Clearing this option shows all ports.
Limit to ports defined in “Protocol Definitions”: Select this option to limit the ports
shown to only those listed in the Protocol Definitions. See the Discovery section
in the Observer User Guide.
Track statistics information per physical port: When selected, causes the GigaStor
to index the data it collects by Gen2 capture card physical ports. You can then
display GigaStor Control Panel statistics by physical port. If this option is selected,
then you may also want to enable the “Use physical port selections…” option on this tab.
Collect counts for all IP protocols in addition to TCP and UDP: Select this option to
collect counts for all IP protocols (such as ICMP, OSPF, Multicast, etc.) not just TCP
and UDP. If this option is not selected, TCP and UDP counts are still collected.
Enable Analysis Types: Choose whether to enable the GigaStor Control Panel to process and display
these types of data. By unchecking these options the corresponding tab is hidden
in the GigaStor Control Panel and you cannot analyze packets for these data
types:
Forensic Analysis (uses Snort rules)
FIX Analysis: used to process FIX financial transactions.
Microburst Analysis: used to process data to identify microbursts on your
network, typically a concern for network administrators in trading firms, but also
other companies.
Trading Multicast Analysis:
GigaStor Packet Sampling: Packet sampling applies to the GigaStor Control Panel statistical displays, not
saved packets. On probes connected to highly-saturated networks (especially
multi-port probes), sometimes it is desirable to adjust the rate of statistical

indexing to conserve probe processing and storage resources. The default (and
recommended) setting is for Observer to automatically scale back the packets
it uses to update the analyzer display based on system load. Alternatively, you
can specify a Fixed Sampling Ratio to consider when updating the GigaStor
Control Panel Charts and statistical displays. A sampling ratio of 1 means every
packet is analyzed, and a ratio of 10 means every 10th packet is analyzed. From
a statistics perspective, analyzing every 10th or even 100th packet will provide the
trends you need without burdening the system by analyzing every packet.
For even more details, see Differences between statistics and packets (page
29).
Stop capture when disk is full: When selected, the GigaStor stops capturing packets when the disk array is full.
The default behavior is to use circular (i.e., FIFO) disk writes, causing the oldest
buffer files to be overwritten as newer traffic is captured.
Use physical port selections…: If “Stop capture when disk is full” is selected, you can choose this option to
display statistics sorted by Gen2 capture card physical port. This is useful
when you want to troubleshoot the individual links without having to load the
capture buffer by clicking Analyze.
If selected, you must also select the “Track statistics information per physical port”
option in the Capture and Analysis Options section on this tab.
Auto-update GigaStor chart…: When selected, causes the listed actions to have the same effect as clicking the
Update Chart/Statistics buttons.
Keep focus on GigaStor…: Keeps the focus in the GigaStor Control Panel instead of switching to the decode
pane.
Update display…in 30 second intervals: When selected, all tables will update in 30 second intervals. This does not affect
web-based reports, only the real-time displays in the analyzer.
Display only defined subnets: When selected, only defined subnets are displayed. The subnets must be defined
on the Subnet tab. See Defining your subnets in GigaStor (page 14) for details
about defining a subnet.
Enable IP DNS resolution: Select this option to enable IP DNS resolution within the GigaStor. If you have
several thousand hosts, you may wish to disable this option as it may take a long
time to resolve names for reports.
Enable packet time charting…: When selected, packet time charts are created in small intervals if microburst
analysis is disabled.
GigaStor reports
Tip! The reports in the GigaStor Control Panel share many of the same options and configurations as reports
available in Observer Suite.
There are several default reports available for you.
1. Choose Capture > GigaStor Control Panel.
2. Click the Settings button.
3. Click the Reports Setup tab.
4. Select a report name and click Edit to change the report’s characteristics.
5. Use the arrow buttons to position graphs and tables on your report.
6. Double-click a section of the report to modify its caption, detail, and number format.

Understanding GigaStor protocol and port settings
Allow the GigaStor to get smarter by collecting more information. Over time as the GigaStor sees more of your
network’s traffic, it gets smarter about the traffic on your network.
Unless you have a specific reason to do so, we recommend that you leave these options selected:
Enable intelligent TCP protocol determination—when checked, all new data collected is indexed by protocol,
only if SYN-SYNACK-ACK packets are observed at the start of the conversation. If this combination is found,
reports show this conversation by protocol name (or custom name), IANA name, or port number (based on
statistics lists setting). Otherwise the conversation is not listed. If you try to analyze data prior to the time that
this option was enabled, you will not see this data. Data must be collected with this option enabled for GigaStor
reports to present the data correctly using the update reports button. By clearing this option, you ensure you get
all protocol information regardless of SYN-SYNACK-ACK packets.
Limit to ports defined in “Protocol Definitions”—limits the displayed data to the ports specifically defined in
the Options > Protocol Definitions dialog. Again, this is written to the internal GigaStor index. This option only shows
custom protocols defined on new data collected after a protocol port has been defined. You must also choose
“Apply Protocol to all Instances” to ensure this data is shown on all instances used for analysis. By having this
option unchecked, all ports are used.
If you want to track statistical information for each port on your capture card, then you should ensure the Track
statistics information per physical port option is selected.
For even more information about what these settings affect, see Differences between statistics and packets
(page 29) and Understanding GigaStor indexing (page 29).
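The effect of “Enable intelligent TCP protocol determination” on what an analyst can later find in the index, as an added example that is not Network Instruments code: a simplified model of the behaviour described above, run over constructed packets. The names `index_tcp`, `conversation` and `SAMPLE` are hypothetical, and crediting handshake packets to the server port is an assumption of the model.

```python
from collections import Counter

SYN, ACK, PSH = 0x02, 0x10, 0x08     # TCP flag bits


def index_tcp(packets, intelligent=True):
    """Index (src, sport, dst, dport, flags) tuples by application port.

    Returns (counts, unlisted): packets per port, and packets per
    conversation that the index leaves out.
    """
    counts, unlisted = Counter(), Counter()
    state = {}           # (client, cport, server, sport) -> handshake stage
    pending = Counter()  # handshake packets, credited once the ACK arrives
    for src, sport, dst, dport, flags in packets:
        if not intelligent:              # option cleared: every port is shown
            counts[sport] += 1
            counts[dport] += 1
            continue
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            state[fwd], pending[fwd] = "SYN", 1
        elif flags & SYN and state.get(rev) == "SYN":
            state[rev] = "SYNACK"
            pending[rev] += 1
        elif flags & ACK and state.get(fwd) == "SYNACK":
            state[fwd] = "EST"
            counts[dport] += pending.pop(fwd) + 1
        elif state.get(fwd) == "EST":    # client to server
            counts[dport] += 1
        elif state.get(rev) == "EST":    # server to client
            counts[sport] += 1
        else:                            # no handshake seen for this one
            unlisted[conversation(src, sport, dst, dport)] += 1
    for (src, sport, dst, dport), n in pending.items():
        unlisted[conversation(src, sport, dst, dport)] += n  # never completed
    return dict(counts), dict(unlisted)


def conversation(src, sport, dst, dport):
    """Direction-independent key for one conversation."""
    return tuple(sorted([(src, sport), (dst, dport)]))


# Constructed sample traffic.
SAMPLE = [
    ("10.0.0.5", 51000, "10.0.0.80", 443, SYN),
    ("10.0.0.80", 443, "10.0.0.5", 51000, SYN | ACK),
    ("10.0.0.5", 51000, "10.0.0.80", 443, ACK),
    ("10.0.0.5", 51000, "10.0.0.80", 443, PSH | ACK),
    ("10.0.0.80", 443, "10.0.0.5", 51000, PSH | ACK),
    # This conversation began before the capture: no handshake on record.
    ("10.0.0.6", 52000, "10.0.0.90", 1433, PSH | ACK),
    ("10.0.0.90", 1433, "10.0.0.6", 52000, PSH | ACK),
    ("10.0.0.6", 52000, "10.0.0.90", 1433, ACK),
]
```

With the option enabled the long-lived conversation on port 1433 is absent from the per-application counts even though its packets were captured, so a statistics view alone is not evidence that a host was silent.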

Chapter 2: Hardware Settings
Configuring your GigaStor
Your GigaStor probe can be configured in many different ways and tuned for your environment.
Defining your subnets in GigaStor
You can specify subnet properties for the GigaStor to allow for statistical aggregation of devices within the
Statistics tabs in GigaStor Control Panel.
1. Choose Capture > GigaStor Control Panel.
2. Click the Settings button.
3. Click the Subnet tab.
4. Use the Add, Delete, Modify, and Delete All buttons to configure the subnet settings for the GigaStor. When
you define subnets in the GigaStor Control Panel, the Observer analyzer adds that subnet information to its
index files. All future data analyzed will have subnet filtering readily available as well as statistical data. On
the IP Stations tab you see your subnets and you can perform statistical analysis based on subnets.
When you analyze data from captures with index files without any subnets defined, there will be no subnet
available in the IP stations tab even if the analyzed data includes some index files with the new subnet
information.
Tracking individual analysis ports
When using the Gen2 capture card in your GigaStor, you can track statistical information per physical port. Data
captured by the Gen2 capture card is indexed to show on which port the data arrived. You can further choose
to use physical ports to filter statistics. This means that information on the Statistics tab at the bottom of the
GigaStor Control Panel is dependent on which physical ports are selected.
Note: If you are using virtual adapters on your Gen2 capture card in your GigaStor probe, you should not attempt
to analyze the packets on a per-port basis.
1. Choose Capture > GigaStor Control Panel.
2. Click the Settings button.

3. Click the General Options tab. See Table 1 for a description of each field of the GigaStor General Options tab.
4. Enable these two options:
Track statistics information per physical port
Use physical port selections to filter statistics
Configuring the packet capture and GigaStor buffer size
Allows you to set the amount of RAM that Observer will dedicate to the capture buffer cache for this instance.
This configuration value has been pre-set for optimum performance given a single active GigaStor monitoring
instance. The default setting allows enough memory to set up a number of passive GigaStor instances.
If you wish to run multiple active monitoring instances to watch multiple links or networks, you can decrease
the capture buffer size dedicated to GigaStor collection, which frees some memory for creating other probe
collection instances. Inadequate memory allocation to GigaStor collection can affect performance and result in
dropped packets during high load periods.
A GigaStor Instance can be as large as the physical memory installed on your system after subtracting the
memory dedicated to Windows and other probe instances.
To change the allocation for this probe instance, click the Configure button, which will display the probe
instance, Memory and Security Administration dialog.
In all cases, the actual buffer size (Max Buffer Size) is also reduced by 7% for memory management purposes.
Should you try to exceed the Max Buffer Size, an error dialog will be displayed indicating the minimum and
maximum buffer size for your Observer (or probe) buffer.
Generating NetFlow records from the GigaStor’s NetFlow Agent
The GigaStor probe has the ability to publish any NetFlow flows generated by its network adapter using the
NetFlow Agent, including flows from any virtual adapter on the Gen2 card. The data outputs for NetFlow are
sent to a NetFlow collector for further analysis.
All NetFlow flows generated by the GigaStor probe are template-based using the Cisco NetFlow v9 templates.
See the Cisco documentation for details about the NetFlow flow-based record formats and what is contained in
the flow records. The GigaStor generates the flows adhering to the NetFlow v9 standards.
Only NetFlow version 9 and the higher version 10 (also known as IPFIX) are supported by the NetFlow Agent.
1. Choose Capture > GigaStor Control Panel.
2. Click the Settings button to open the GigaStor Settings dialog.
3. Click the NetFlow Agent tab.
4. Select the Enable NetFlow Agent option.
5. In the Destinations section, click Add and type the IP address of the system with your NetFlow collector. By
default port 9996 is used for NetFlow. Change it if needed.
6. Enable the various data outputs and how frequently you want the template published. The GigaStor collects
the datagram information continuously and publishes it every 15 seconds (the GigaStor’s fixed collection
interval).
The GigaStor is now configured to publish NetFlow records to the NetFlow collector of your choice. This could also be a
GigaStor probe.
7. To view the NetFlow records in the GigaStor Control Panel, choose File > Load and Analyze Observer
Capture Buffer. Find the buffer file you want and open it.

8. The buffer opens to the Decode and Analysis tab. Click the Decode tab.
9. Search the buffer for the records that interest you. Figure 3 shows how the Observer analyzer displays
captured NetFlow records and what the NetFlow templates format is for that record. See the Cisco
documentation for details about the NetFlow records, templates, and formats.
Figure 3: NetFlow template and records
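What a collector on the receiving end has to do with the template-based records described above, as an added example that is not part of the GigaStor or Observer software: a minimal NetFlow v9 decoder following the RFC 3954 layout, run against datagrams constructed in the code. The function names, the sample addresses and the source ID 7 are assumptions made for illustration.

```python
import ipaddress
import struct

# Subset of the NetFlow v9 field types defined in RFC 3954.
FIELD_NAMES = {1: "IN_BYTES", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
ADDRESS_FIELDS = {8, 12}


def parse_netflow_v9(datagram, templates):
    """Decode one datagram; `templates` is the cache kept between calls.

    Returns (flows, skipped): decoded records, and the count of data
    FlowSets dropped because their template has not been seen yet.
    """
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from(
        "!HHIIII", datagram, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    flows, skipped, offset = [], 0, 20
    while offset + 4 <= len(datagram):
        flowset_id, length = struct.unpack_from("!HH", datagram, offset)
        if length < 4 or offset + length > len(datagram):
            raise ValueError("FlowSet length runs outside the datagram")
        body = datagram[offset + 4:offset + length]
        if flowset_id == 0:                      # template FlowSet
            read_templates(body, source_id, templates)
        elif flowset_id >= 256:                  # data FlowSet, id = template id
            template = templates.get((source_id, flowset_id))
            if template is None:
                skipped += 1
            else:
                flows.extend(read_records(body, template))
        offset += length
    return flows, skipped


def read_templates(body, source_id, templates):
    pos = 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack_from("!HH", body, pos)
        pos += 4
        if template_id < 256:                    # trailing padding
            break
        if pos + 4 * field_count > len(body):
            raise ValueError("template runs outside its FlowSet")
        templates[(source_id, template_id)] = [
            struct.unpack_from("!HH", body, pos + 4 * i)
            for i in range(field_count)]
        pos += 4 * field_count


def read_records(body, template):
    record_len = sum(length for _, length in template)
    records = []
    if record_len == 0:
        return records
    # Bytes left over after the last whole record are alignment padding.
    for start in range(0, len(body) - record_len + 1, record_len):
        pos, record = start, {}
        for field_type, length in template:
            raw = body[pos:pos + length]
            name = FIELD_NAMES.get(field_type, f"field_{field_type}")
            if field_type in ADDRESS_FIELDS and length == 4:
                record[name] = str(ipaddress.IPv4Address(raw))
            else:
                record[name] = int.from_bytes(raw, "big")
            pos += length
        records.append(record)
    return records


def build_sample():
    """Constructed datagrams: (template + data, data only)."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(
        struct.pack("!HH", t, n) for t, n in fields)
    template_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    record = (ipaddress.IPv4Address("192.0.2.10").packed
              + ipaddress.IPv4Address("198.51.100.7").packed
              + struct.pack("!HHBI", 49152, 443, 6, 1500))
    record += b"\x00" * (-len(record) % 4)       # pad to a 32-bit boundary
    data_set = struct.pack("!HH", 256, 4 + len(record)) + record
    both = struct.pack("!HHIIII", 9, 2, 1000, 1398384000, 1, 7) + template_set + data_set
    data_only = struct.pack("!HHIIII", 9, 1, 1000, 1398384000, 2, 7) + data_set
    return both, data_only
```

A data FlowSet that arrives before its template cannot be decoded, which is why the template publishing frequency in step 6 matters to a collector that has just started or restarted.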

Chapter 3: About Probe Instances
Introducing Probes
As a network administrator, when something goes wrong on your network, seeing what is happening on the
wire can quickly lead you to a solution. Use this guide to assist you with choosing, deploying, configuring, and
using your probes. The probes, along with the Observer analyzer software, let you see all traffic on the network
to which it is connected. To monitor multiple networks from a single analyzer, probes must be installed at every
point where network visibility is required.
Probes collect and report network traffic and statistics (usually from a switch) to an Observer analyzer. This
enables you to detect and anticipate problems on both local and remote portions of the network. Probes gain
insight and visibility into every part of the network, access remote networks as easily as local networks, eliminate
the time and expense of traveling to remote sites, and speed troubleshooting.
A probe is a hardware device on your network running Network Instruments probe instance software. Each
hardware probe has at least one probe instance that captures packets from your network to analyze. The probe
hardware device could be an appliance purchased from Network Instruments or you could install the probe
software on your own hardware.
The probe can be located on the same system as the analyzer (every Observer analyzer includes a “local probe”),
or the probe can communicate with remote analyzers over TCP/IP.
Probes monitor the following topologies:
10/100 Mb, 1/10/40 Gb Ethernet (half- and full-duplex)
Wireless (802.11 a/b/g/n)
Figure 4 (page 18) shows how probes provide visibility into your network. It may be obvious, but it also
shows that you cannot see traffic on portions of your network where you do not have a probe. Finally, you can
put the Observer analyzer anywhere on your network so long as it has TCP connectivity to the probe.

Figure 4: Typical network
What is a probe instance?
Observer has only one kind of probe instance: the probe instance. If you have a GigaStor then you have two
special probe instance types available to you: the active probe instance and the passive probe instance.
The Observer analyzer uses probes to capture network data. In some cases you may want or need more than one
probe in a specific location. You can achieve that through probe instances. A probe instance provides you the
ability to look at multiple network interfaces, have multiple views of the same interface, or to publish to multiple
Observer analyzers.
Table 2 (page 18) compares the features of active and passive probe instances with an Observer probe
instance found on all non-GigaStor probes.
Table 2: Active vs. passive GigaStor instances and Observer probe
GigaStor Active probe instance | GigaStor Passive probe instance | Observer Probe (1)
Better suited for troubleshooting X X
Better suited for data capture X
Start packet capture X X X
Stop packet capture X X X
Start GigaStor packet capture X
Schedule packet capture X X X
Change directories where data is stored X X X
Able to set permissions X X
Able to redirect to different analyzer, etc. X X X
(1) An Observer probe is the Single Probe, Multi Probe, or Expert Probe software running on a non-GigaStor probe.
A passive probe instance may capture packets to RAM and allows you to do reactive analysis or look at real-time
statistics for troubleshooting. The passive probe instance binds to a virtual adapter or a network adapter that
has data coming to it that you want to capture. You can change whichever adapter a passive probe instance is

bound to without affecting any active probe instance. By default a passive probe instance uses 12 MB of RAM.
You can reserve more memory for passive probe instances if you wish.
With a GigaStor you can choose which NIC to bind the passive probe instance to. Do not bind any passive
probe instances to the Gen2 adapter if at all possible. A copy of all packets is sent from the adapter to every
passive probe instance attached to it. If you have several passive probe instances attached to the Gen2
adapter, the Gen2’s performance is significantly affected. Instead attach the passive probe instances to either a
10/100/1000 adapter or to a non-existent one.
If you have a passive probe instance connected to a GigaStor, you can mine data that has already been
written to the RAID disk by using an active probe instance. There should be one passive probe instance for
each simultaneous Observer user on a GigaStor. By using a passive probe instance, instead of an active probe
instance, only one copy of data is being captured and written to disk, which reduces the processor load and the
required storage space. For troubleshooting and most uses in Observer, passive probe instances are appropriate.
An active probe instance on a GigaStor captures network traffic and writes it to the RAID array. An active probe
instance should have as large of a RAM buffer as possible to cushion between the network throughput rate and
the array write rate. Like a passive probe instance, it can also be used to mine data from the hard disk, however
a passive instance is better suited for the task. An active probe instance cannot start a packet capture while the
GigaStor Control Panel is open.
By default there is one active probe instance for GigaStor. It binds to the network adapter and its ports. If you
have a specific need to separate the adapter’s ports and monitor them separately, you can do so through passive
probe instances or you can create separate virtual adapters.
Only one active probe instance per GigaStor.
Set scheduling to Always for the active probe instance so that it is constantly capturing and writing data. Use a
passive probe instance to mine the data.
Do not pre-filter, unless you know exactly what you want to capture. Of course, if something occurs outside the
bounds of the filter, you will not have the data in the GigaStor.
Do not allow remote users access to the active probe instance.

Figure 5: GigaStor capture and packet capture through probe instances
Figure 5 (page 20) shows how one active probe instance captures and writes to the GigaStor RAID. Passive
probe instances 1 and 2 mine data from the RAID array. As a best practice, the passive probe instances are
bound to the slowest network adapter in the GigaStor.
Additionally, passive probe instance 3 and 4 are each capturing packets separate from each other and separate
from the active probe instance. However, since they are also bound to the same adapter as the active probe
instance, they are capturing the same data as the active probe instance.
Which software probe is right for you?
For companies that cannot invest in dedicated hardware probes, Network Instruments’ software probes provide
a low-cost monitoring option and are easy to install and configure. Software probes support Ethernet, Gigabit
and wireless and are appropriate for analyzing speeds of up to 1000 Mbps or for low-utilization gigabit networks
via a SPAN/mirror port on a switch. The Observer software can handle fast network speeds (including 40
Gigabit), but it is the network adapter that is the bottleneck on home-grown systems. Network Instruments uses
a custom-designed network adapter removing the bottleneck in our probes. These levels of software probes are
available:
Single probe—Single probes have only one probe instance and it is not user-configurable. Single probes
are appropriate for sites with small administrative staffs where only one user needs to look at a probe at
a time. (Not sure what a probe instance is, watch this video.)