GigaStor User Guide
Trademark Notices
©2008 Network Instruments®, LLC. All rights reserved. Network Instruments, Observer®, Gen2™ and all associated logos are trademarks or registered trademarks of Network Instruments, LLC.

Open Source Copyright Notices
Portions of this product include software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/), Copyright © 1998-2008 The OpenSSL Project. All rights reserved.
Limited Warranty—Software
Network Instruments, LLC (“DEVELOPER”) warrants that for a period of sixty (60) days from the date of shipment from DEVELOPER: (i) the media on which the SOFTWARE is furnished will be free of defects in materials and workmanship under normal use; and (ii) the SOFTWARE substantially conforms to its published specifications. Except for the foregoing, the SOFTWARE is provided AS IS. This limited warranty extends only to END-USER as the original licensee.
Ownership and Confidentiality
END-USER agrees that Network Instruments, LLC owns all relevant copyrights, trade secrets and all intellectual property related to the SOFTWARE.

End User License Agreement (EULA)
PLEASE READ THIS SOFTWARE LICENSE AGREEMENT CAREFULLY BEFORE DOWNLOADING OR USING THE SOFTWARE. BY CLICKING ON THE “ACCEPT” BUTTON, OPENING THE PACKAGE, DOWNLOADING THE PRODUCT, OR USING THE EQUIPMENT THAT CONTAINS THIS PRODUCT, YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT.
Technical Support
Network Instruments provides technical support by phone (depending on where you are located):
- US & countries outside Europe: (952) 358-3800
- UK and Europe: +44 (0) 1959 569880
By fax (depending on where you are located):
- US & countries outside of Europe: (952) 358-3801
- UK and Europe: +44 (0) 1959 569881
Or by e-mail:
- US & countries outside of Europe: support@networkinstruments.com
- UK and Europe: support@networkinstruments.co.
Contents
Chapter 1: About the GigaStor
  GigaStor versions ... 14
Chapter 2: Installing Your GigaStor
  Unpacking and inspecting the parts
  Installing the GigaStor and connecting the cables
  Tapping a WAN connection ... 42
    T1/E1 ... 42
    DS3/E3
Chapter 7: Observer on the GigaStor
  Using the Observer console locally on the GigaStor ... 108
Chapter 8: Probe Instances
  What is a probe instance? ... 112
Chapter 9: Gen2 Capture Card
  Swapping the Gen2 card’s SFP or XFP interfaces
Chapter 1: About the GigaStor
GigaStor versions
The GigaStor is an enterprise-strength network probe appliance. The GigaStor combines a multi-terabyte, high-performance Redundant Array of Independent Disks (RAID) with a dedicated, high-speed network capture card in a modular, easy-to-deploy appliance. There are these versions of the GigaStor:
- GigaStor
- GigaStor Expandable: a controller PC along with one, two, or three disk expansion units that can store up to a total of 288 terabytes of data.
possible to use the same probe to monitor different types of links as needed. For example, you can easily convert the capture card from optical to copper, allowing you to connect the GigaStor to different test access points (TAPs) or switch port analyzer (SPAN) or mirror interfaces. If your GigaStor is configured to monitor WAN (such as E1, T1, E3, DS3, or HSSI) connections, your GigaStor has a specialized WAN capture card. It does not have SFP or XFP connectors.
Chapter 2: Installing Your GigaStor
The general steps to install your GigaStor are:
- “Unpacking and inspecting the parts” on page 18
- “Installing the GigaStor and connecting the cables” on page 19
- “Connecting Observer to the GigaStor” on page 22
Additional steps to complete the installation are:
- “Configuring Observer for your Gigabit device” on page 31
- “Configuring Observer for your WAN device” on page 33
- “Tapping an Ethernet or Fibre Channel connection” on page 37
- “Tapping a WAN connection” on page 42
- “Installing the drives in
Installing the GigaStor and connecting the cables
1. Install the GigaStor and any expansion units into your rack using the supplied rails. Instructions for installing the rail kits are provided in the rail kit box.
2. Install the drives into the GigaStor and any expansion units. See “Installing the drives in your GigaStor” on page 50.
3. Connect the GigaStor, TAP, and cables.
4. Ensure that each drive’s power/activity light is lit. If a drive’s light is not lit, it is likely that the drive is not seated properly. Turn off the GigaStor and reseat the drives. For more information, see “Installing the drives in your GigaStor” on page 50.
5. Log in using the Administrator account. The default Administrator password is admin.
6. Click Start → Control Panel → Network and Internet Connections → Network Connections. Right-click Local Area Connection and choose Properties.
Figure 3: Probe Service Configuration Applet
10. The Probe Administration window opens. Click the Probe Options tab (Figure 4).
Figure 4: Probe Options
11. Change the name of the probe to something meaningful to you, for example the physical location of the probe. Click Apply to save your changes and close the window.
By default the GigaStor runs the Expert Probe as a Windows service that starts automatically at system startup. This prevents you from using the Observer console on the GigaStor.
Connecting Observer to the GigaStor
This section assumes you have already installed Observer on your desktop or laptop. If not, install the software; you can download it from the Network Instruments website. There are three main tasks to connect Observer to your GigaStor:
- “Redirecting the GigaStor probe” on page 22
- “Probe administration” on page 24
- “GigaStor Capture Analysis” on page 29

Redirecting the GigaStor probe
1. Choose Start → All Programs → Observer → Observer. Observer opens.
Figure 6: Edit Remote Probe Entry
4. Type the IP address that you assigned to the GigaStor in step 7 in “Setting the GigaStor’s IP address” on page 19 and click OK. You may leave the other fields blank. If you type a name, the name will change after Observer connects to the remote probe. The GigaStor appears in the list of probes available for redirection (Figure 7).
Figure 7: Probe added to Remote Probe Administration and Redirection
Figure 8: Probe Instance Redirection
6. Select the probe instance and click Redirect Selected Instance. Figure 9 appears.
Figure 9: Redirecting Probe or Probe Instance
7. Choose the “Redirect to this Observer” option, then click the Redirect button. Within 30 seconds the GigaStor will connect to the local Observer. If you use NAT, see “NAT” on page 124.
8. Close the Probe Instance Redirection window.

Probe administration
Now that your GigaStor is connected to your Observer console, you can administer it.
1. Click Probe Administration (see Figure 7). The Probe Administration Login window opens.
Figure 10: Remote Probe Administration
2. Ensure “Login using a user account configured for this Probe” is selected and click OK. The Probe Administration window opens to the Memory Management tab (Figure 11).
Figure 11: Memory Management tab
3. Select the Network 1 probe instance and click Rename. Choose a name that is meaningful to you for the probe instance name and click OK.
By default all of the installed memory on the GigaStor is dedicated to one probe instance. You must first release the memory so that you can assign the freed memory to other probe instances.
4. With the newly renamed probe instance still selected, click Configure Memory (Figure 12) at the top of the window.
Figure 12: Edit Probe Instance: Capture Buffer Memory
5. Use the arrows to release some memory. Free enough memory to create your probe instances and click OK.
Figure 13: GigaStor Instances
7. Click New Instance. Figure 14 appears.
Figure 14: Edit Probe Instance: Name
8. You are configuring a GigaStor probe to capture data and write it to the hard drive. Therefore ensure “Probe instance” is selected in the Instance type. Type a name and description and click Next.
Figure 15: Edit Probe Instance: Configure Memory
9. From the RAM that you released earlier, assign some of it to this probe instance and click Next.
10. Ensure the correct network adapter is selected and click Finish to redirect the GigaStor to your local Observer console.
Figure 16: Edit Probe Instance: Connect to Console
11. Repeat step 7 through step 10 until you have created all of your probe instances. Any unused memory should be reallocated to the packet capture buffer of the active probe instance or to the operating system.
12. Click OK to close the Probe Administration windows. After a moment the GigaStor probe and any probe instances appear in the Observer Probe list found along the left side of the main Observer window.
Figure 18: GigaStor Settings Schedule tab
3. In the Schedule GigaStor Capture section, select Always. For more information about a packet capture vs. GigaStor capture, see “Packet Capture or GigaStor Capture” on page 53.
4. In the Reserve scheduling for section, select GigaStor and click OK. You may receive a notice about scheduling reservation. If you do, click Yes to change the scheduling.
Configuring Observer for your Gigabit device
Depending on your probe and your network, you may need to make some changes from the factory defaults.
- “Jumbo Frame Support (Gigabit Ethernet)” on page 31
- “Configuring Terms of Service and Quality of Service settings” on page 32

Jumbo Frame Support (Gigabit Ethernet)
When a Gigabit Ethernet GigaStor is the selected probe, Observer displays an additional Gigabit tab on the Probe or Device Setup dialog. This allows you to adjust the maximum frame size.
Figure 19: Gigabit tab

Configuring Terms of Service and Quality of Service settings
The ToS/QoS settings are configured for each probe.
1. Select the gigabit probe and right-click. A menu appears. Choose Probe or Device Settings.
2. Click the ToS/QoS tab (Figure 20).
3. Specify the IP precedence bits for the terms of service/quality of service for your network.
Figure 20: ToS/QoS tab

Configuring Observer for your WAN device
There are a number of setup options and statistical displays unique to WAN Observer, which are described in the following subsections. Before you can analyze the WAN link, you must set some device options. You must also have the appropriate administrative privileges to change WAN device settings.
Digital DS3/E3/HSSI Probe Settings
To access the probe settings, select the probe, right-click and choose Probe or Device Settings. Then click the DS3/E3/HSSI tab (Figure 21).
Figure 21: DS3/E3/HSSI Probe Settings
Table 1 describes the fields in Figure 21.
Table 1: DS3/E3/HSSI probe settings
  Setting   Explanation
  WAN Type  Choose DS3 (T3), E3 or HSSI to match the type of link you are analyzing, then choose the frame check sequence (FCS) standard: CRC-16 (the default) or CRC32.
Digital T1/E1 Probe Settings
To access the probe settings, select the probe, right-click and choose Probe or Device Settings. Then click the T1/E1 tab (Figure 22).
Figure 22: T1/E1 WAN Probe Settings
Table 2 describes the fields in Figure 22.
Table 2: T1/E1 WAN Probe Settings
  Setting               Explanation
  WAN/Frame Relay Type  Choose T1 or E1 to match the type of link you are analyzing.
  Encapsulation         You must set this to match the settings on the frame relay CSU/DSU.
Serial T1/E1 Probe Settings
Table 3 describes the fields for a serial T1/E1 connection.
Table 3: Serial T1/E1 probe settings
  Setting               Explanation
  WAN/Frame Relay Type  Choose T1 or E1 to match the type of link you are analyzing.
  Encapsulation         You must set this to match the settings on the frame relay router.
  Fractionalized        Check if your link is configured for fractionalized operation.
  Bandwidth             Set to match the bandwidth setting of the link you are analyzing.
Tapping an Ethernet or Fibre Channel connection
This section describes how to connect the cables for these environments:
- “10/100/1000, 10GbE Optical, and Fibre Channel” on page 37
- “Gigabit copper” on page 40

10/100/1000, 10GbE Optical, and Fibre Channel
The optical Ethernet kit includes:
- Optical TAP
- One, two, or four full duplex optical cables, depending on which Gen2 card you purchased
- One, two, or four optical Y-analyzer cables
To connect the TAP to the GigaStor:
Figure 23: Gen2 card port assignments (DCE/DTE port pairs for the 2-port, 4-port, 8-port mainboard and daughter board, and 2-port 10 Gb cards; note: straight-through cable)
Use the supplied Ethernet cable to connect the network interface card in the GigaStor to the network. If you are using a switch’s SPAN/mirror port, no nTAP is required.
Figure 24: GigaStor with an optical nTAP (Gen2 card, optical TAP RX/TX, 10/100/1000 NIC for TCP/IP, server (DTE))
Gigabit copper
The Gigabit copper kit includes:
- Copper nTAP
- 1, 2, or 4 standard Ethernet cables
- 2, 4, or 8 analyzer cables
To connect the TAP to the GigaStor:
1. Insert the supplied SFP connectors into the open slots on the back of the Gen2 card(s).
2. If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting them. After connecting them, continue with step 3.
NOTE: PASS-THROUGH CABLE
Use the supplied Ethernet cable to connect the network interface card in the GigaStor to the network. If you are using a switch’s SPAN/mirror port, no nTAP is required. Simply plug any straight-through Ethernet cable into the SPAN/mirror port on the switch and one of the ports on the Gen2 capture card.
Now that you have physically connected the cables for the GigaStor, you must configure its software. See “Setting the GigaStor’s IP address” on page 19.
Tapping a WAN connection
This section describes how to connect the cables for these environments:
- “T1/E1” on page 42
- “DS3/E3” on page 46

T1/E1
See “Digital” on page 42 or “Serial” on page 44 depending on your needs.

Digital
The digital T1/E1 kit includes:
- One T1/E1 dual link TAP
- One T1/E1 WAN analyzer cable
- Two T1/E1 Ethernet cables
1. If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting them.
Now that you have physically connected the cables for the GigaStor, you must configure its software. See “Setting the GigaStor’s IP address” on page 19. Figure 27 shows the GigaStor as it would be cabled to analyze a T1/E1 link with a Channel Service Unit/Data Service Unit (CSU/DSU).
Figure 27: Digital T1/E1 Tap (Gen2 card, T1 TAP, 10/100/1000 NIC for TCP/IP, router or CSU/DSU (DTE), T1 line (DCE), GigaStor or GigaStor Expandable, Observer console)
Serial
The serial T1/E1 kit includes:
- One serial T1/E1 WAN TAP
- One serial Y cable
- One serial T1 WAN cable
1. If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting them. After connecting them, continue with step 2.
2. Connect the TAP to the GigaStor using the serial T1/E1 WAN cable.
3. Using the serial Y cable, connect it to the TAP and then to your CSU/DSU and your router.
Figure 28: WAN Serial T1/E1 TAP (TAP mode DTE/DCE, power/output/active indicators, 10/100/1000 NIC for TCP/IP, CSU/DSU (DTE))
DS3/E3
See “Digital” on page 46 or “Serial/HSSI” on page 48 depending on your needs.

Digital
The digital DS3/E3 kit includes:
- One digital DS3/E3 TAP
- One digital DS3/E3 WAN cable
- Two full-duplex DS3/E3 coax cables
1. If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting them. After connecting them, continue with step 2.
2. Connect the TAP to the GigaStor using the supplied digital DS3/E3 WAN cable.
Figure 29: DS3/E3 TAP (DCE and DTE sides, LOS/LOF indicators, IN (RX)/OUT (TX) connectors, CSU/DSU (DTE))
Serial/HSSI
The serial DS3 kit includes:
- One serial DS3/E3 TAP
- One HSSI Y-cable
- One HSSI cable
- One Ethernet cable
1. If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting them. After connecting them, continue with step 2.
2. Connect the TAP to the GigaStor using the supplied HSSI Y-cable.
Figure 30: WAN HSSI (HSSI TAP with HSSI IN/OUT, 10/100/1000 NIC for TCP/IP, CSU/DSU (DTE))
Installing the drives in your GigaStor
CAUTION: HANDLING THE DRIVES
Be especially careful when handling and installing the hard drives. Proper handling is paramount to the longevity of the unit. The internal mechanism of the hard drive can be seriously damaged if the hard drive is subjected to forces outside its environmental specifications.
Figure 31 shows how the drive numbers correspond to slot locations.
Figure 31: GigaStor drive locations
Connecting the GigaStor Expandable to the expansion units
After you have installed the drives, use the supplied cables to connect the expansion units to the GigaStor Expandable. Figure 32 shows how to cable the GigaStor Expandable to the expansion units.
Figure 32: Cable diagram for the GigaStor Expandable
Otherwise, continue with “Installing the GigaStor and connecting the cables” on page 19.
Chapter 3: Packet Capture or GigaStor Capture
Capturing Packets with the GigaStor
A GigaStor can accumulate terabytes of stored network traffic. To manage the sheer volume of data, the GigaStor includes an alternative, specialized capture and analysis control panel. The GigaStor Control Panel manages the capture, indexing, and storage of large numbers of packets over long periods of time. While the GigaStor control panel is active, standard packet captures are unavailable. You cannot run the two types of captures simultaneously.
However, if you are pushing the limits of the system on which the probe is installed by creating many probe instances, you may be able to avoid some performance problems by fine-tuning the memory allocation for each probe instance. For example, suppose you want to give a number of remote administrators access to Top Talkers data from a given probe.
Chapter 4: GigaStor Control Panel
Once the GigaStor is up and running on the network, you can run Expert Observer or Observer Suite to connect to the GigaStor running as a probe to begin analyzing the network, or you can run the GigaStor in Console mode via Windows Terminal Server (or a monitor and keyboard that are physically attached). Observer works with the GigaStor just as it does any other Network Instruments probe, with some GigaStor-specific enhancements (described below).
etc., by clicking on the appropriate tab and selecting the items you want to see on the time line chart.

Display Controls
Charts and statistical tables are refreshed only when you click the Update Chart or Update Statistics button. The buttons flash with a red border when a refresh is necessary. You can also have the display auto-update; for details, see “GigaStor Options tab” on page 64. You can change the Screen resolution (in other words, the time scale) and which Data type (i.e.
Right-click menus
As with other Observer displays, the charts and tables of the GigaStor control panel offer many right-click shortcuts.
- Right-clicking on the chart portion of the Control Panel displays the following options for navigating and displaying traffic data:
Figure 34: Chart right-click menu
- Settings brings up GigaStor Control panel settings; the Zoom to Cursor Click Position options let you select from different chart resolutions, centering the display at the current cursor position.
Analyze button
Figure 36: GigaStor Control Panel Analyze button
When you click the Analyze button to view the results, you are prompted to select how to filter the packet capture for display (Figure 37). After you click OK, any filters you have chosen are applied, and a standard decode window is displayed, unless you have checked the “Display selected filter before starting analysis” option, in which case the filter editor is displayed.
Figure 37: GigaStor Analysis Options window
Table 4 describes what the fields in the various sections control.
Table 4: GigaStor Analysis Options
  Field section             Description
  GigaStor Analysis Filter  Choose whether to Analyze all traffic in the analysis period, Select an Observer filter to apply before decoding, or Create an analysis filter using checked GigaStor entries (in other words, based on the constraints you have selected using the GigaStor control panel).
Configuring the GigaStor through the Control Panel
Just as with the standard Observer packet capture interface, you can set the colors of the capture graph and schedule captures to be automatically launched (or to run all the time). In addition, there are a number of GigaStor-specific settings that allow you to fine-tune performance based on your particular needs.
1. Open the GigaStor Control Panel (Capture → GigaStor Capture Analysis).
2. Click the Settings button.
GigaStor Options tab
This tab lets you configure many options for the GigaStor. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the GigaStor Options tab (Figure 39).
Figure 39: GigaStor Options tab
See Table 5 for a description of each field of the GigaStor Options tab.
Table 5: GigaStor Options tab
  Field                Description
  Capture Buffer size  Allows you to set the amount of Windows memory that Observer will dedicate to the capture buffer cache for this instance. Values are in megabytes. This configuration value has been pre-set for optimum performance given a single GigaStor collection instance.
Table 5: GigaStor Options tab (continued)
  Field                                     Description
  Start/Stop Packet Capture marker frames   When checked, saved packet capture buffers will include markers that timestamp when packet captures were started and stopped.
  Wireless Channel Change                   When checked, saved packet capture buffers will include markers that show what channel was currently being listened to. This is useful if you are using Wireless Site Survey to scan channels.
GigaStor Chart tab
This tab lets you choose the appearance, colors, and scale of the GigaStor Control Panel’s time line chart. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the GigaStor Chart tab (Figure 40).
Figure 40: GigaStor Chart tab

GigaStor Outline
Click Settings and the GigaStor Outline tab to modify the display of the GigaStor outline graph. See Figure 33 on page 58 for an example of the GigaStor outline graph.
Figure 41: GigaStor Outline
Capture Graph tab
Click Settings and the tab for the type of graph or chart for which you want to set the display properties. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the Capture Graph tab (Figure 42).
Figure 42: Capture Graph tab
Table 6: Capture Graph fields
  Field       Description
  Item        Allows you to select which item will be configured.
  Item color  Allows you to select the color of the display item.
GigaStor Schedule tab
This tab lets you schedule GigaStor packet captures to occur at preset times and days of the week. Although the dialog looks identical to the standard Packet Capture schedule tab, the two types of schedules cannot be in effect at the same time. If you attempt to schedule GigaStor packet captures when standard packet captures are already scheduled (or the reverse), an error message is displayed.
- Choose Daily at specified times or By day-of-week at specified times to automatically schedule packet captures during the specified time intervals (which you can add by clicking the Add button at the bottom of the dialog; see below).

Adding, Modifying, and Deleting Time Intervals
To add or modify a time interval to a schedule option, choose that option (in other words, Daily or the day-of-week for which you want to schedule a capture) and click the appropriate button.
Figure 44: Statistics Lists tab

Subnet
You can specify subnet properties for the GigaStor. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the Subnet tab (Figure 45). Use the Add, Delete, Modify, and Delete All buttons to configure the subnet settings for the GigaStor. When you define subnets in the GigaStor, Observer adds that subnet information to the index files.
Figure 45: GigaStor Subnet tab
Figure 46 shows how the subnet settings appear in the GigaStor Control Panel, on the IP Stations tab.
Figure 46: Subnet and IP Stations
GigaStor reports
There are several default reports available for you.
1. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the GigaStor Reports tab (Figure 47).
Figure 47: GigaStor Reports tab
2. Select a report name and click Edit to change the report’s characteristics (Figure 48).
Figure 48: Report Setup
3. Use the arrow buttons to position graphs and tables on your report.
4. Double-click a section of the report to modify its caption, detail, and number format (Figure 48).
Figure 49: Table Setup
Export
You can export your GigaStor-collected data on a scheduled basis. Use the Export tab to configure when and to where your data is saved, or to manually export your data. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the Export tab (Figure 50).
Figure 50: Exports tab
Chapter 5: Using Observer with a WAN Probe
In general, the WAN analysis works much like Ethernet analysis. One difference is that, when appropriate, Observer identifies WAN links by their Data Link Connection Identifier (DLCI) rather than by MAC address as is done with standard protocol analysis. In addition, many WAN statistical modes break out the data by DCE, DTE, and summary to reflect the full-duplex nature of WAN links. Modes unrelated to WAN analysis are greyed out and unavailable.
To set the CIR for a DLCI or group of DLCIs
1. Choose Tools → Discover Network Names. The Discover Network Names pane opens.
2. In the pane, click the edit DLCI CIR button on the Discover Network Names mode window (Figure 51).
Figure 51: Edit DLCI
3. Click Add to add a new DLCI.
4. Type the CIR in Kbits/sec for the DLCI.
Figure 52: DLCI Configuration dialog
5. Click OK when you are done.
For encapsulations that do not use DLCI (such as X.25), the correct address value is shown even though it is still labeled DLCI.

WAN Bandwidth Utilization
To see the percentages of bandwidth saturation on DCE, DTE and DCE+DTE (Summary) for each configured link, choose Statistics → Bandwidth Utilization.
WAN Vital Signs by DLCI
In Observer, the Network Vital Signs display is replaced by the WAN Vital Signs by DLCI mode. This mode provides a summary of the errors occurring on a WAN link (E1/T1/DS3/E3). Choose Statistics → WAN Vital Signs by DLCI. You can choose what portion of traffic you wish to view from the list box in the upper left corner of the window: DCE, DTE, DCE plus DTE, and so forth.
Table 7: WAN statistics
  Column          Description
  DLCI            Data Link Connection Identifier of the statistics that follow. For encapsulations that do not use DLCI (such as X.25), the correct address value is shown even though it is still labeled DLCI.
  DCE KBits/s Max The maximum bit rate sensed so far from the DCE side of this DLCI, in Kbits per second.
  DTE KBits/s Max The maximum bit rate sensed so far from the DTE side of this DLCI, in Kbits per second.
Figure 55: WAN Load by DLCI
The WAN Load by DLCI mode can be viewed as a dial, graph, or list display. Except for list view, there are no setup options for WAN Load by DLCI mode. Every view includes a dropdown box that lets you select which DLCI you want to monitor.
Figure 56: WAN Load by DLCI Dial View
The WAN Load by DLCI mode in dial view shows transfer rate, CRC error rate, and FECN/BECN frame rates graphed on dial meters. For encapsulations that do not use DLCI (such as X.
Figure 57: WAN Load by DLCI Graph View
The WAN Load display in graph view shows these same statistics (transfer rate, CRC error rate, and FECN/BECN frame rates) as superimposed spike meters. The Committed Information Rate (CIR) is also shown, allowing you to view the network activity against the baseline performance you have contracted to receive from your WAN service provider. You can select line, point, or bar-style meters, and the colors for each statistic, by right-clicking on the chart.
second, etc.) that apply to WAN is a subset of those available for standard network analysis. For encapsulations that do not use DLCI (such as X.25), the correct address value is shown even though it is still labeled DLCI.
1. Choose Statistics → Top Talkers Statistics.
2. Press Start to begin capturing load data.
Figure 58: WAN Top Talkers
TIP: If you are looking to identify additional top talkers beyond the DLCI, using Ethernet Top Talkers may be more beneficial for you.
Figure 59: Active Filters

Triggers and Alarms
WAN Observer adds WAN-related criteria to the standard Triggers and Alarms mode.
1. Click the Alarm Settings button located in the lower left corner of Observer’s main window.
Figure 60: Alarm Settings
A dialog appears that allows you to select the probe or probes for which you want to set alarms.
2. Check the probes you wish to set.
3. Select a probe for which you want to set alarms and then click the Selected Instance Alarm Settings button.
Figure 61: Probe Alarm Settings
4. Select the alarms you want set.
5. Click the Triggers tab to set the criteria by which the alarms will be triggered.
Figure 62: Triggers tab
Most WAN alarms can be set on the DTE or DCE side or both. The Committed Information Rate displayed is that which you set in Discover Network Names mode. See “Setting the Committed Information Rate (CIR) for a DLCI” on page 80.
6. Click the Actions tab to define actions to launch if an alarm is triggered. You can log messages, send e-mail, or even send a pager alarm.
Chapter 6: Forensic Analysis using Snort
Forensic Analysis, exclusive to the GigaStor version of Observer, is a powerful tool for scanning high-volume packet captures for intrusion signatures and other traffic patterns that can be specified using the familiar Snort rule syntax. You can obtain the rules from www.snort.org, or, if you know the Snort rule syntax, you can write your own rules. Snort began as an open source network intrusion detection system (NIDS).
that of native Snort. When you import a set of Snort rules that includes configuration settings, Observer imports the rule classifications but uses its own defaults for the preprocessor settings.
NOTE: Enabling a preprocessor and enabling logging for that preprocessor are separate settings. For example, you can enable IP defragmentation with or without logging.
Figure 64 GigaStor Analysis Options - Forensic Analysis section
If you already have a forensic analysis profile, choose it from the Profile list (Figure 64) and click OK. For more information about the analysis output, see:
- "About Forensic Analysis tab" on page 98
- "About the Forensic Analysis Log tab" on page 99
Creating a forensic analysis profile from the GigaStor control panel
1 Click the Forensics Analysis tab on the far right of the screen.
Figure 66 GigaStor Analysis Options
3 Select the profile that you want, or click Edit.
4 Click the Settings Profile Edit button to view and define the fields as you need. The fields are described in full in "Forensic Analysis Profile Settings tab" on page 100.
Figure 67 Forensic Settings
If this is the first time forensic analysis has been run, you must import some rules.
5 Click the Import Snort Files button to display a file selection dialog. Browse to the directory containing the rules you wish to import and select them. You can select multiple files with CTRL-click or by dragging the cursor across the files. If you do not yet have the Snort rules, see "Rules tab" on page 106.
6 Click OK when you are done selecting files.
Figure 69 Rules tab
9 Select the boxes next to the rules you want to enable. The right-click menu has options to enable or disable all rules and to show the actual Snort rule that was imported. It also lets you jump to web-based threat references such as bugtraq for further information about the alert. Rule classifications offer another level of control: check the "Rules must also match rule classifications" box to display a list of defined rule classifications.
10 Click OK to close the Forensic Analysis Profile dialog. Click OK again to close the Forensic Settings dialog. Click OK once more to close the GigaStor Analysis Options dialog. Observer applies the rules and filters to the capture data and displays the results in the Forensics Summary tab. A new tab is also opened that contains the decode.
results, you may want to adjust the preprocessor settings to eliminate these conditions. Intruders often attempt to exceed the limits of forensic analysis, such as the preprocessors' defragmentation and stream-tracking limits, to hide malicious content. The right-click menu lets you examine the rule that triggered the alert (if applicable). It also lets you jump to web-based threat references such as bugtraq for further information about the alert. These references must be coded into the Snort rule to be available from the right-click menu.
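To make the rule syntax and the reference mechanism described above concrete, the following Python is an added example written for this guide, not Observer's or Snort's own code. It parses a small constructed rule set (the rules, sids, bugtraq number and packets are all made up for the example), applies the rules to constructed packets the way forensic analysis applies them to capture data, and turns each rule's reference: options into the URLs a threat-database jump needs. Only the rule header and the msg/content/nocase/classtype/reference/sid options are handled; $HOME_NET-style variables are treated as "any"; the URL prefixes follow the form Snort's reference.config conventionally uses and are an assumption of this example.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# reference: option URL prefixes, in the form Snort's reference.config uses
# (assumed here); the right-click jump needs such a reference coded in the rule.
REFERENCE_URLS = {"bugtraq": "http://www.securityfocus.com/bid/",
                  "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name="}

Packet = namedtuple("Packet", "proto src sport dst dport payload")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    classtype: str = ""
    contents: list = field(default_factory=list)    # [(bytes, nocase)]
    references: list = field(default_factory=list)  # [(system, id)]

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def content_bytes(text):
    """Content string to bytes; |..| sections are hex, e.g. "USER root|0d 0a|"."""
    parts = text.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1") for i, p in enumerate(parts))

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = Rule(*m.groups()[:7])
    for name, value in OPTION_RE.findall(m.group(8)):
        value = value.strip().strip('"')
        if name == "msg":
            rule.msg = value
        elif name == "sid":
            rule.sid = int(value)
        elif name == "classtype":
            rule.classtype = value
        elif name == "content":
            rule.contents.append((content_bytes(value), False))
        elif name == "nocase":                 # modifies the preceding content
            rule.contents[-1] = (rule.contents[-1][0], True)
        elif name == "reference":
            system, _, ident = value.partition(",")
            rule.references.append((system, ident))
        # rev, flow, depth and the other options are ignored in this example
    return rule

def port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                            # ranges such as 1024: or :1023
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def addr_matches(spec, addr):
    return spec == "any" or spec.startswith("$") or spec == addr   # $VAR treated as any

def endpoints_match(rule, src, sport, dst, dport):
    return (addr_matches(rule.src, src) and port_matches(rule.sport, sport)
            and addr_matches(rule.dst, dst) and port_matches(rule.dport, dport))

def rule_matches(rule, pkt):
    """True when the header fields and every content option are satisfied."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    ok = endpoints_match(rule, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if rule.direction == "<>":                 # bidirectional: either orientation
        ok = ok or endpoints_match(rule, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if not ok:
        return False
    for data, nocase in rule.contents:
        hay, needle = (pkt.payload.lower(), data.lower()) if nocase else (pkt.payload, data)
        if needle not in hay:
            return False
    return True

def threat_references(rule):
    """The rule's web references as URLs, which is what the right-click jump needs."""
    return [REFERENCE_URLS[s] + i for s, i in rule.references if s in REFERENCE_URLS]

def scan(rules, packets):
    """Apply every rule to every packet; returns (sid, msg, packet index) alerts."""
    return [(r.sid, r.msg, i) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]

# Constructed rule set and packets for this example (not a real capture).
SAMPLE_RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; '
    'nocase; reference:bugtraq,1806; classtype:web-application-attack; sid:1000001; rev:1;)',
    'alert tcp any any -> any 21 (msg:"FTP USER root"; content:"USER root|0d 0a|"; '
    'classtype:attempted-admin; sid:1000002; rev:1;)',
]]
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", 40000, "192.0.2.10", 80, b"GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    Packet("tcp", "203.0.113.5", 40001, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "203.0.113.9", 40002, "192.0.2.11", 21, b"USER root\r\n"),
]
```

Running scan(SAMPLE_RULES, SAMPLE_PACKETS) alerts on the first and third packets only; the second rule has no reference: option, so threat_references() returns nothing for it, which is exactly the case in which the right-click menu cannot offer a jump. A real engine matches against reassembled streams and normalized URIs rather than single raw payloads, which is what the preprocessor settings later in this chapter control.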
right-click menu. You can also jump to the Decode display of the packet that triggered the alert.
Forensic Analysis Profile field descriptions
This section describes in detail the fields on the Settings and Rules tabs. See:
- "Forensic Analysis Profile Settings tab" on page 100
- "Rules tab" on page 106
Forensic Analysis Profile Settings tab
Figure 72 Forensic Analysis Profile Settings tab
Table 8 describes the fields in the Forensic Analysis Profile Settings tab.
Table 8 Forensic Analysis Profile Settings tab
Field: Description
Settings Profile: Settings profiles provide a mechanism to save and load different preprocessor settings and to share them with other Observer consoles.
IP Flow: Packets belong to the same IP flow if they share the same layer 3 protocol and the same source and destination addresses and ports.
TCP Stream Reassembly (continued):
- Log preprocessor events: Checking this box causes forensic analysis to write all activity generated by the TCP stream reassembly preprocessor to the log.
- Maximum active TCP streams tracked: If this value is set too high for the size of the buffer being analyzed, performance can suffer because of memory consumption.
- Reassembly error action: Discard and flush writes the reassembled stream for analysis, excluding the packet that caused the error. Insert and flush writes the reassembled stream including the packet that caused the error. Insert no flush includes the error-causing packet and continues stream reassembly (no flush).
HTTP URI Normalization (continued):
- Normalize percent-U encodings: Converts Microsoft-style %u-encoded characters to standard form. The second check box enables logging whenever such encoding is encountered during preprocessing. Because this encoding is non-standard and a common IDS evasion trick, logging its occurrences is recommended.
ARP Inspection: Ethernet uses the Address Resolution Protocol (ARP) to map IP addresses to hardware (MAC) addresses. Rather than continuously broadcasting the map to all devices on the segment, each device keeps its own copy, called the ARP cache, which is updated whenever the device receives an ARP Reply. Attackers use ARP cache poisoning to launch man-in-the-middle and denial of service (DoS) attacks.
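The "Maximum active TCP streams tracked" and "Reassembly error action" rows above are easier to reason about with a model in front of you. The following Python is an added example for this guide, not Observer's reassembly code: it keeps a byte map per stream, treats a retransmission whose bytes disagree with data already accepted as the reassembly error, and applies the configured action. Two things are assumptions of the example rather than documented Observer behaviour: that streams beyond the limit are simply not tracked, and the constructed segments, which reproduce the classic evasion of overwriting an innocuous request with a malicious one so that an analyzer and the end host disagree about what was sent.

```python
from dataclasses import dataclass

DISCARD_AND_FLUSH = "discard and flush"
INSERT_AND_FLUSH = "insert and flush"
INSERT_NO_FLUSH = "insert no flush"

@dataclass
class Segment:
    key: tuple     # (src ip, src port, dst ip, dst port)
    seq: int       # sequence number of the first payload byte, relative to the ISN
    data: bytes

class Reassembler:
    """Per-stream byte-map reassembly with the three error actions of Table 8."""

    def __init__(self, error_action=DISCARD_AND_FLUSH, max_streams=16):
        self.error_action = error_action
        self.max_streams = max_streams
        self.streams = {}    # key -> {offset: byte}
        self.flushed = []    # (key, bytes) handed on to rule matching
        self.log = []        # preprocessor events

    def _flush(self, key):
        buf = self.streams.pop(key)
        self.flushed.append((key, bytes(buf[o] for o in sorted(buf))))

    def add(self, seg):
        buf = self.streams.get(seg.key)
        if buf is None:
            if len(self.streams) >= self.max_streams:
                # Assumption of this example: streams beyond the limit are not tracked.
                self.log.append(("stream limit reached, segment not tracked", seg.key, seg.seq))
                return
            buf = self.streams[seg.key] = {}
        new = {seg.seq + i: b for i, b in enumerate(seg.data)}
        # The error: an overlap whose bytes disagree with data already accepted.
        conflict = any(buf.get(off, b) != b for off, b in new.items())
        if not conflict:
            buf.update(new)
            return
        self.log.append(("inconsistent retransmission", seg.key, seg.seq))
        if self.error_action == DISCARD_AND_FLUSH:
            self._flush(seg.key)          # stream goes out without the bad segment
        elif self.error_action == INSERT_AND_FLUSH:
            buf.update(new)               # the bad segment's bytes win, then flush
            self._flush(seg.key)
        else:                             # INSERT_NO_FLUSH
            buf.update(new)               # keep going; flushed at end of analysis

    def finish(self):
        for key in list(self.streams):
            self._flush(key)
        return self.flushed

def reassemble(segments, error_action, max_streams=16):
    """Feed all segments through one Reassembler and return it (flushed, log)."""
    r = Reassembler(error_action, max_streams)
    for s in segments:
        r.add(s)
    r.finish()
    return r

# Constructed segments: an innocuous request, then a retransmission at the same
# sequence number carrying different bytes, then the rest of the request line.
KEY = ("203.0.113.5", 40000, "192.0.2.10", 80)
SAMPLE_SEGMENTS = [
    Segment(KEY, 0, b"GET /"),
    Segment(KEY, 5, b"index.html"),
    Segment(KEY, 5, b"cmd.exe"),
    Segment(KEY, 15, b" HTTP/1.0\r\n"),
]
```

With DISCARD_AND_FLUSH the analyzer sees "GET /index.html" and never the cmd.exe bytes; with either insert action it sees "GET /cmd.exetml", the bytes a host that honours the retransmission would deliver. Which is right depends on the host's stack, which is why the log entry matters more than the choice: an inconsistent retransmission in a capture deserves a look whichever action is configured.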
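For the "Normalize percent-U encodings" row, here is an added Python example of what the normalization and its logging do; it is written for this guide and is not Observer's preprocessor. It rewrites each %uXXXX escape into standard %XX escapes (the UTF-8 bytes of the code point, an assumption about what "standard form" should be), records an event for every occurrence, and then decodes the standard escapes to the raw bytes a content match should run against. The request URIs are constructed for the example; the second one hides a directory traversal behind %u002f, which a match for "../" on the undecoded text would miss.

```python
import re

PERCENT_U = re.compile(r"%[uU]([0-9A-Fa-f]{4})")
PERCENT_XX = re.compile(rb"%([0-9A-Fa-f]{2})")

def normalize_uri(uri):
    """Return (decoded_bytes, events).

    Step 1 rewrites every Microsoft-style %uXXXX escape into standard %XX
    escapes (the UTF-8 bytes of that code point) and records an event for it;
    step 2 decodes the standard %XX escapes to raw bytes, the form rule
    content is matched against."""
    events = []

    def to_standard(m):
        events.append((m.start(), m.group(0)))
        try:
            encoded = chr(int(m.group(1), 16)).encode("utf-8")
        except UnicodeEncodeError:          # lone surrogate: leave it, still logged
            return m.group(0)
        return "".join("%%%02X" % b for b in encoded)

    standard = PERCENT_U.sub(to_standard, uri).encode("latin-1", "replace")
    raw = PERCENT_XX.sub(lambda m: bytes([int(m.group(1), 16)]), standard)
    return raw, events

def find_traversals(uris, needle=b"../"):
    """URIs whose decoded form contains the needle, with how many %u escapes hid it."""
    hits = []
    for u in uris:
        raw, events = normalize_uri(u)
        if needle in raw:
            hits.append((u, raw, len(events)))
    return hits

# Constructed sample requests: the second hides a traversal behind %u002f.
SAMPLE_URIS = [
    "/index.html",
    "/scripts/..%u002f..%u002fwinnt/system32/cmd.exe",
    "/search?q=caf%u00e9",
]
```

find_traversals(SAMPLE_URIS) reports only the second URI, with two logged %u events; the third URI decodes to plain UTF-8 and is not a hit, but its %u event is still logged, which is the point of the second check box: the encoding itself is the signal, whatever it decodes to.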
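For the ARP Inspection row, the following Python is an added example of the check an ARP inspector performs on a capture; it is written for this guide and is not Observer's preprocessor. It rebuilds the IP-to-MAC cache from observed ARP traffic, tracks which requests are outstanding, and flags the two things a cache-poisoning attempt produces: a reply nobody asked for, and a binding that changes to a different MAC. The packets are constructed for the example.

```python
from collections import namedtuple

ArpPacket = namedtuple("ArpPacket", "ts op sender_ip sender_mac target_ip target_mac")

class ArpInspector:
    """Rebuild the IP -> MAC cache from ARP traffic and flag poisoning symptoms."""

    def __init__(self):
        self.cache = {}       # ip -> mac, what a host's ARP cache would now hold
        self.pending = set()  # (requester ip, queried ip) of unanswered requests
        self.alerts = []      # (ts, kind, ip, mac)

    def inspect(self, pkt):
        if pkt.op == "request":
            self.pending.add((pkt.sender_ip, pkt.target_ip))
            return
        if pkt.op != "reply":
            return
        asked = (pkt.target_ip, pkt.sender_ip)
        if asked in self.pending:
            self.pending.discard(asked)
        else:   # unsolicited (gratuitous) reply: the usual poisoning vector
            self.alerts.append((pkt.ts, "unsolicited reply", pkt.sender_ip, pkt.sender_mac))
        old = self.cache.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            self.alerts.append((pkt.ts, "binding changed", pkt.sender_ip, pkt.sender_mac))
        self.cache[pkt.sender_ip] = pkt.sender_mac

def inspect_all(packets):
    """Run the inspector over a packet list; returns (alerts, final cache)."""
    insp = ArpInspector()
    for p in packets:
        insp.inspect(p)
    return insp.alerts, insp.cache

# Constructed traffic: a host resolves its gateway, then a third MAC claims
# the gateway's IP without being asked (a classic poisoning attempt).
GATEWAY, VICTIM = "192.0.2.1", "192.0.2.10"
SAMPLE_ARP = [
    ArpPacket(1.0, "request", VICTIM, "00:11:22:33:44:10", GATEWAY, "00:00:00:00:00:00"),
    ArpPacket(1.1, "reply", GATEWAY, "00:11:22:33:44:01", VICTIM, "00:11:22:33:44:10"),
    ArpPacket(9.0, "reply", GATEWAY, "00:11:22:33:44:99", VICTIM, "00:11:22:33:44:10"),
]
```

The third packet raises both alerts, and the rebuilt cache ends up pointing the gateway's IP at the attacker's MAC, which is the man-in-the-middle position the row describes. Gratuitous ARP is also used legitimately (address moves, failover pairs), so on a real capture the "binding changed" alert is the one worth acting on first.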
Rules tab
The web site www.snort.org provides Snort rule documentation and downloadable rule sets. Two kinds of rule set are available there: the Community Rules, which anyone with a web browser can download, and the Vulnerability Response Team (VRT) Certified Rule Set, which is offered in three versions.
Chapter 7 Observer on the GigaStor
Using the Observer console locally on the GigaStor
Depending on how you want or need to use Observer, it can be either a graphical console that helps you analyze your network data or a probe that captures data and to which other Observer consoles connect. Observer cannot be a console and a probe at the same time. In some situations you may want to run Observer locally on your GigaStor instead of on a separate system. This is not the default behavior for a GigaStor.
Figure 74 Probe Options
3 In the Service Settings section, clear the "Run Probe as a Windows Service" option and click OK. This uninstalls the Network Instruments Expert Probe service from Windows.
4 Click Start → Programs → Observer → Observer. The Network Instruments Expert Probe window opens.
Figure 75 Expert Probe interface
5 Choose Options → Switch between Observer and Expert Probe Interface. The Choose Program Interface window opens.
6 Choose Observer and click OK. You must close Observer and restart it to switch into the console interface. Click OK on the message dialog.
7 Click Start → Programs → Observer → Observer to open the console interface.
TIP! Switching back to the Expert Probe interface: in Observer, choose View → Switch between Observer and Expert Probe Interface.
Chapter 8 Probe Instances
What is a probe instance?
TIP! For instructions on setting up a probe instance, see "Probe administration" on page 24.
Observer uses probes to capture network data. In some cases you may want or need more than one probe in a specific location. You can achieve that through probe instances. A probe instance lets you look at multiple network interfaces or publish to multiple Observer consoles. Observer has only one kind of probe instance: the passive probe instance.
instances to the Gen2 adapter if at all possible. A copy of every packet is sent from the adapter to each passive probe instance attached to it, so if several passive probe instances are attached to the Gen2 adapter, the Gen2's performance is significantly affected. Instead, attach the passive probe instances either to a 10/100/1000 adapter or to a non-existent one.
NOTE: By default there is one active probe instance for the GigaStor. It binds to the network adapter and all of its ports. If you have a specific need to separate the adapter's ports and monitor them separately, you can do so through passive probe instances or by creating separate virtual adapters; see "Configuring virtual adapters on the Gen2 card" on page 116. Figure 76 shows how one active probe instance captures and writes to the GigaStor RAID while passive probe instances 1 and 2 mine data from the RAID array.
Chapter 9 Gen2 Capture Card
The Gen2 card is designed and manufactured by Network Instruments and is optimized for the GigaStor. The Gen2 card comes in two, four, or eight port models.
- Ports 1-4 are monitoring a collection of trunked links
- The remaining ports are each connected to the SPAN (or mirror) port on a switch
In this scenario, it makes sense for Observer to view Ports 1-4 as a single data stream and to treat each of the four remaining ports as a separate data stream. Virtual adapters are a convenient way to accomplish this separation in real time, rather than depending on filters to sort through the traffic post-capture.
Figure 78 Assign Port to Virtual Adapter: Default view
3 Select the ports to remove and click Remove. This places them in the Available Ports list.
4 Change the name of the adapter to something meaningful to you and click OK (Figure 79).
Figure 79 Assign Ports to Virtual Adapter: Trunk
5 Click New Adapter. The Assign Ports to Virtual Adapter window opens.
6 Type a name in the Adapter Name box.
Figure 80 Edit Port Description
9 Repeat step 5 through step 8 until you have created all of your virtual adapters and given descriptions to your ports. The adapters appear in the list of adapters presented when you create a probe instance, which lets you bind the probe instance to a virtual adapter. Figure 81 shows the example of the trunk with four ports assigned to it and four more adapters, each with its own port.
10 Right-click the GigaStor probe and choose Administer Selected Probe from the menu. Log in to the probe.
11 Click the GigaStor Instances tab along the bottom.
12 For each virtual adapter listed as a passive probe instance that you want to promote to an active probe instance, select it, right-click, and choose Make Instance Active.
Figure 82 Make Instance Active
13 A message appears with information about the change. Click Yes to accept the changes. Your virtual adapters are now configured.
2 In the tree on the left, select Device Manager.
3 In the tree on the right, expand Network Instruments Capture Adapters (Figure 83).
Figure 83 Computer Management window
4 Right-click Network Instruments Gen2 Gigabit Capture Adapter and choose Properties. Click the Current State tab (Figure 84).
Figure 84 Gen2 Card Properties – Current State tab
This tab shows all active physical ports on the Gen2 card and the board's ID. The "Interrupt enabled" and "DMA enabled" lights are light green when Observer is running and dark green when it is not.
CAUTION: Advanced Settings tab. Do not make any changes to the settings on the Advanced Settings tab unless directed by the Support department. The DMA buffer size and DMA copy size are optimized at the factory for your specific motherboard and Gen2 card.
Appendix A TCP/IP ports, NAT, and VPN
This section discusses the TCP/IP ports, NAT, and VPN.
TCP/IP ports
Observer and all Network Instruments probes use ports 25901 and 25903 to communicate; both ports are registered to Network Instruments. All Network Instruments probes initiate the connection to Observer on port 25901, on which Observer listens. After the connection is established, all communication between Observer and the probes occurs on port 25901, except probe redirection and administration, which use port 25903.
Figure 86 NAT
If Observer is outside the network where the probe is running, the NAT device must forward port 25903 (connections coming from the Observer's address) through to the probe, and you must use the NAT's outside IP address as the probe's IP address when redirecting or administering the probe from Observer.
VPN
Using a VPN is an easy way to get access to a probe on a remote LAN. The most common configuration change is needed when redirecting the probe: you must manually enter the Observer IP address.
Appendix B GigaStor, GigaStor Expandable, and Expansion Unit Cases
GigaStor
Figure 87 shows the front of the GigaStor.
Figure 87 GigaStor (front view; callouts A to I and numbered positions 1 to 16)
GigaStor Expandable
Controller unit
Figure 88 GigaStor Expandable controller. Callouts: Power Button, Reset Button, Power LED, Hard Drive Activity, Fan LED, Temperature LEDs, Fan/Temperature Alarm Reset.
Table 11 GigaStor Expandable LEDs and Buttons
LED/Button: Description
Power Button: The power button works only when the power switch on the rear of the unit is on. Press it to turn on the GigaStor. If you press and hold it for a few seconds, the unit does a hard shutdown.
Figure 89 shows the back of the GigaStor Expandable.
Figure 89 GigaStor Expandable rear view. Callouts: Serial ATA disk interfaces (3, labeled A to C with ports 1 to 4 each; only available on the GigaStor Expandable), Power Supply, Gen2 Capture Card, On/Off, Keyboard and Monitor, 10/100/1000 Ethernet.
Expansion unit
Figure 90 Expansion unit (callouts A to G)
Table 12 Expansion Unit LEDs and Buttons
LED/Button: Description
Individual Drive Activity: These LEDs blink whenever there is activity on the drive in the RAID array. A light is red when there is a problem with the drive, otherwise green.
Temperature probe: When lit green, the unit's temperature is within normal operating conditions. If it is red, the unit is too hot. Works in conjunction with the Alarm button.
Appendix C GigaStor Portable
The portable GigaStor offers full-duplex packet capture and analysis at wire speed. Depending on which version you ordered, the system includes everything you need to perform continuous, in-depth analysis of one of the following topologies:
- Gigabit Ethernet
- 10 Gigabit Ethernet
- Fibre Channel
- Wide Area Networks (WAN), in any of a number of different encapsulations
The Portable Analysis Platform includes an internal probe that provides access to the network to which it is connected.
Figure 92 Portable Analysis Platform System Tour. Callouts: CD/DVD R/W combo drive and TAP bay; front-panel labels 10/100/1000, Link A/B and Analyzer A/B; turn thumbscrews to open the port access door; port layout varies by topology.
Your GigaStor includes a number of components. Take a moment after unpacking the system to ensure that you received all the parts.
Figure 93 Portable GigaStor
Gigabit and Fibre Channel systems have an appropriate copper or optical nTAP installed in the drive bay on the right side of the system. WAN system TAPs are shipped separately.
Running Observer passively
When analyzing a link using a TAP, Observer runs "passively." Passive operation guarantees that analysis will not affect the link; however, it does have some implications when running Observer.
Dynamic Host Configuration Protocol (DHCP). For most applications of Observer, you should assign an address to the analyzer rather than depending on the DHCP assignment.
Using the portable GigaStor as a probe
Although most administrators run the Observer console directly on the portable GigaStor, in some cases you may want to use the system as a distributed probe. The probe software is included for this purpose.
Index

Numerics
10 Gigabit Ethernet 14, 37, 116
  Gen2 card 37
  GigaStor Portable 134
  tapping 19
10/100/1000 37
25901 124
25903 124

A
alarms
  WAN 90
Analysis Type 62
ARP Inspection, network forensics preprocessor 105
Assign Port to Virtual Adapter 118ff
Assign Ports to Virtual Adapter 118ff
ATM 34–35

B
Board ID 120
buffer overrun 26
buffer statistics 54, 65
buffer, see capture buffer and statistics buffer
bugtraq 97, 99

C
Cable diagram for the GigaStor Expandable 52ff
capture buffer 26ff, 54
  32-bit Windows 5

  T1/E1 42
  WAN alarms 90
  WAN statistics 80, 82–83
DCE BECN under CIR 84
DCE FECN under CIR 84
DCE Kbits/s Avg 84
DCE KBits/s Max 84
denial of service 105
DHCP 137
DLCI 80–87
DLCI CIR Setup 81
DMA buffer size 122
DMA copy size 122
DMA enabled 122
DS3
  see also HSSI
  DLCI 83
  fractionalized 34
  monitoring 15
  probe settings 34
  tapping 46–47
DS3/E3 TAP 47ff
DSU
  encapsulation 34–35
  HSSI 48
  tapping 42–44, 46
  WAN statistics 83
DTE
  WAN alarms 90
  WAN statistics 80, 82–83
DTE BECN under CIR 84
DTE FECN under CIR 84
DTE Kbi

  daughter board 38
  DMA enabled 122
  Fibre Channel 37
  filter ports 66
  Gigabit 37
  Gigabit copper 40
  Interrupt enabled 122
  mirror port 38
  passive probe instance 113
  performance 113
  port assignments 38ff, 40ff
  ports 66
  probe instance warning 112
  properties 120
  SFP 14, 116
  SPAN port 38
  statistics 66
  swapping SFP or XFP 116
  virtual adapters 116
  XFP 14, 116
Gigabit 40–41, 136
  defining probe as 117
  Ethernet 116, 134
  Fibre Channel 14
  GigaStor Portable 134, 136
  jumbo frame 31
Gigabit Ethernet 14, 19
Gigabit switch 37
G

L
LAPB 34–35
load
  preprocess settings 101
  preprocessor 113

M
MAC address 105
  DLCI instead of 80
  excluding 65
  statistics 71
  Top Talkers 86
MAC address tab 86
MAC stations 58
Make Instance Active 120ff
Max Buffer Size 55, 65
megabytes 113
memory management 55
Memory Management tab 25ff
mirror port 38, 41, 116–117
  see also SPAN port

N
NAT 124–125ff
Network 1 probe instance 25
Network Forensics 91
Network Intrusion Detection 91–92
network load 65
  packet loss 65
  viewing 59
network masquerading, see NAT
NIDS 92

Probe Properties T1/E1 Tab 35
Probe Service Configuration Applet 21ff, 108ff

Q
QLogic 19
Quality of Service 32

R
RAID 14, 113–114, 128, 131
RAM
  see also buffer
  active probe instance 26
  buffer size 113
  capture buffer size 65
  formula 55
  limitations 55
  packet capture 55, 112
  packet loss 26
  probe instance 26, 59, 113
  releasing 26
  statistics 55
  TCP stream reassembly 102
  tuning 55
  unused 29
  Windows 55
Rate field 59
Redirecting Probe or Probe Instance 24ff, 125ff
Remote Probe Administration 25ff
Remote Probe

virtual adapter 114ff
  probe instances 119–120
Virtual Adapters tab 119ff
VPN 125

X
X.
www.networkinstruments.com
© 2008 Network Instruments, LLC. All rights reserved. Network Instruments, Observer, and all associated logos are registered trademarks of Network Instruments, LLC.