Observer GigaStor : Gen3 Capture Card : Understanding time stamps
   
Understanding time stamps
 
Page Contents
How to reorder packets based on a trailer timestamp
Setting the probe’s time clock synchronization settings
Supported time stamp and synchronization methods
Created: 2016-08-18
How to reorder packets based on a trailer timestamp
Created: 2016-03-15
You can change how Observer filters and sorts packets in the Decode pane based on a timestamp from your switch aggregator rather when GigaStor saw the packets.
Reordering packets is limited to post capture analysis only; it does not affect real-time analysis, triggers and alarms, or trending analysis. If you save a packet capture after it has been reordered using this option, the packets are saved in the reordered series. If you load a saved, reordered packet capture, then analysis is based on the reordered time frames and not the time stamps from the GigaStor.
1. In the GigaStor Control Panel, select the time range of traffic you want to decode and click Analyze.
GigaStor Analysis Options opens with the start and end time selected.
2. Select a filter type.
3. Select Reorder and filter based on trailer timestamp and click Settings.
Trailer Timestamp Settings opens.
Figure 67: Trailer Timestamp Settings
4. In Timestamp type, choose your switch aggregator.
Timestamp types
5. Choose what filters to apply.
Trailer filters
 
The Decode pane displays packets in the sorted (and filtered) order based on your chosen switch aggregator.
 
Timestamp types
Created: 2016-03-15
The Timestamp types provides a list of the supported switch aggregators that can be used to reorder packets before they are shown in the Decode pane.
 
Switch Aggregator
Notes
Arista
Keyframes are used to correlate packets to a physical port group. For instance, any keyframe seen on port 1 associates packets with that keyframe only with port 1. Likewise, a keyframe seen on port 2 associates the packets only to port 2, and so on. A keyframe is unique to a physical port group.
cPacket
Gigamon GigaSMART
Gigamon H-Series
IXIA Anue
NetScaler
Network Instruments
Choose if you use Matrix.
PacketPortal PDG
VSS Monitoring
VSS Monitoring w/Port
VSS Monitoring with Port Stamping.
 
Trailer filters
Created: 2016-03-16
Trailer filters allow you to exclude or include packets from your switch aggregator based on where the trailer occurs and other location-specific information.
 
Trailer level
Use when multiple timestamps are found in a packet to identify which timestamp to use. The levels are identified starting at the end of the packet.
Group ID
The port group ID from Matrix. You can find this ID on the Matrix in System > General > Trailer Configuration.
Box ID
The port box ID from Matrix. You can find this ID on the Matrix in System > General > Trailer Configuration.
Port
The ingress port on the switch aggregator where the packet was seen.
Probe ID(s)
A comma separated list of hexadecimal characters from a PacketPortal IV SFProbe or JMEP. Use PacketPortal System Manager (IV SFProbe) or the SFP Programmer GUI (JMEP) to view a list of probe IDs. A sample probe ID: 5e65eb52f633.
 
Setting the probe’s time clock synchronization settings
At times your capture card drivers time clock may drift. They can be synchronized with the system clock, if you wish. Unless you notice a reason to enable this feature, we recommend that you do not synchronize your capture card’s time clock.
Some Other things to consider:
The capture card synchronizes itself with the system clock at when the system starts.
Generally, you are interested in relative time between packets, not the actual time a packet was seen.
1. Do one of the following:
On the probe: Click the Synchronization tab.
In Observer: Select a probe instance, right-click and choose Administer Selected Probe. Then click the Synchronization tab.
2. Click the Edit Schedule button.
3. Choose when and how you want the capture card’s time clock to synchronize with the system clock and click OK.
 
 
Daylight Savings Time
Observer is not coded with a specific date in mind. Daylight Savings Time is controlled by the operating system. When the clock rolls backwards or forwards Observer rolls with it, with one exception: packet capture/decode.
Packet capture provides nanosecond time resolution, which none of the rest of the product does. Because of this, packet capture does not rely on the system clock to provide time stamps. It relies on the processor time ticks. When Observer opens it requests the system time and the number of processor time ticks and uses those. This allows Observer to know what date and time it is when a packet is seen.
Because the Observer only asks the operating system for the system time when Observer is started, packet capture does not know that the time has jumped forward or backward. To get this to happen you need restart Observer after the time change. It is that simple.
Supported time stamp and synchronization methods
Created: 2016-08-18
Observer supports several different time stamp trailers in your packets. With these, the packets can be chronologically reordered in the order they were sent or received by a switch, router, or device, instead of the times seen by the capture card. Time synchronization methods are also available to Observer and the capture card for accurate and reliable timing for when packets are seen.
 
 
 
Supported time stamps for reordering
Arista
cPacket
Gigamon GigaSMART
Gigamon H-Series
IXIA Anue
NetScaler
Network Instruments
PacketPortal PDG
VSS Monitoring
VSS Monitoring w/Port
 
 
Supported time synchronization methods
Description
Sync capture drivers with Windows system clock during Observer launch
Each time Observer starts, the capture card drivers are synchronized with the Windows system clock one time.
Sync capture drivers with Windows system clock at scheduled times
Observer can synchronize the capture card drivers with the Windows system clock at scheduled times. These options include daily or weekly synchronizations at a specific time of day, plus an option to synchronize if the time difference exceeds a set number of seconds only.
Sync Windows system clock to internal capture card time
The Windows system clock is kept synchronized with the internal clock of the capture card. If selected, this option can greatly reduce clock drift.