Getting started using your GigaStor
 
Revised: 2016-11-22
A GigaStor probe is a hardware device with many terabytes of storage space to capture, store, and analyze your network traffic.
Follow these steps to get started with your GigaStor. The installation happens in two main parts. The first part is at the GigaStor probe in the server room. The second part continues at a desk using Observer Analyzer to connect to the GigaStor probe.
Before getting started with your GigaStor probe, these tasks should already be complete:
1. It has been decided where to install the GigaStor probe as discussed in Deciding where to place probes in your network.
2. The GigaStor probe has been installed into a server rack. It is important to install the RAID drives into the correct slots. Ensure that monitoring interfaces are connected to the appropriate data feeds (SPAN or mirror ports, TAPs, aggregation devices). Ensure the configuration of these third-party devices is done properly so data flows to the GigaStor.
All GigaStor probes use the Expert Probe software. Learn more about the Expert Probe in Using the Expert Probe software.
Video 1: Retrospective Network Analysis
To get the most out of your GigaStor, you need:
A good working knowledge of your network. You can use Observer to gather information from your routing protocols and verify your network configurations, which is helpful when updating your network map.
An understanding of the protocols that run on your network.
An understanding of probe instances and why you want to use them. In particular, a GigaStor is heavily reliant on a unique probe instance called an active instance. See What is a probe instance?.
To get started with your GigaStor probe:
1. By default the GigaStor probe’s name is a random mix of letters and numbers. Change the name of the GigaStor probe to something identifiable (such as the physical location or purpose). See Configuring a probe’s name and other probe options.
In a typical installation, the GigaStor probe runs the Expert Probe software as a Windows service and a remote Observer connects to the GigaStor probe to complete the configuration.
From the Observer system, complete the following steps. These steps require that you have an Observer installed and licensed separately from the GigaStor probe.
2. Connect to the GigaStor probe from your Observer. See Connecting to a probe instance from an Observer Analyzer.
3. By default the active instance is called Instance 1 and there are no passive instances. Rename the active instance to something more meaningful (for instance, Active Instance) and create at least two passive instances. (You can create more passive instances later if you wish.) Although you renamed the GigaStor probe in step 1, renaming the probe instance is different. For details, see Creating a probe instance. Pay attention to the special instructions if your GigaStor array is larger than 256 TB.
4. Set the adapter speed for the active instance. See Configuring the probe’s adapter speed, ToS/QoS precedence, and statistics sampling.
5. To capture network traffic, you must have the GigaStor capture running. See Configuring probes to collect data even when not connected to an analyzer.
The purpose of a GigaStor probe is to capture and store large amounts of data. By default the GigaStor is not set to capture any data. It must be enabled.
6. Using a passive probe instance, begin analyzing the traffic you are capturing. See Using the GigaStor Control Panel.
After you have collected data, you will want to see what is happening on your network.
7. (Optional) If you want to track physical ports individually, ensure you enable Track statistics information per physical port. See Setting the GigaStor general options.
Tip! All GigaStor probes come with a capture card. Details about this unique capture card, including physical port indexing and virtual adapters, are covered in Hardware configuration.
8. (Optional) If you want to define the different subnets of your network so that GigaStor can track and report on them, see Defining subnets in your GigaStor.
9. (Optional) Your reports and displays may be more complete and readable if you add devices to the GigaStor probe’s address book and define any custom applications to the list maintained by the probe.
10. (Optional) By default, Observer is unaware of TCP connections that were opened after the GigaStor or packet capture started. You can change this default setting by doing the following:
a. Mine some data from the GigaStor by following .
This opens the Decode and Analysis tab.
b. Ensure the Expert Analysis tab is selected, and click the Settings button at the top.
The Expert Global Settings window appears.
c. Click the TCP/IP tab and clear the Follow only newly opened TCP connections option.
(Optional) A newly opened TCP connection is any connection established after Expert Analysis was started. If the conversation started before Expert Analysis was started, Observer cannot see it.
 
By following the steps, you successfully configured the GigaStor probe to collect network traffic. You also made some configuration changes that help the GigaStor probe work well in your network. Also, you mined data from the GigaStor probe.
 
What is the GigaStor?
Revised: 2016-11-22
The GigaStor is a specialized probe appliance for capturing, storing, and analyzing high levels of network traffic over long periods of time.
It includes a high-performance RAID coupled with the capture card in a rack unit. The capture card allows you to capture a number of different full-duplex media by swapping standard SFP or SFP+ modules in and out. When Observer is connected to a GigaStor probe, the GigaStor Control Panel is enabled. The GigaStor Control Panel eases many tasks involved in capturing, storing, and retrieving massive amounts of network traffic.
Tip! Place the GigaStor in the cores of data centers. Locate near servers to capture their server-to-server traffic. The distribution layer is another optimal position for GigaStor.
By utilizing network TAPs, you can insert and remove the GigaStor around the network without disruption of flow. The GigaStor reports back to Observer Expert and Observer Suite analyzers for in-depth analysis.
If desired, GigaStor can be configured as a local console for on-site analysis.
Differences between GigaStor Software Edition and GigaStor
Created: 2015-12-01   Revised: 2016-11-22
The GigaStor Software Edition (GSE) is identical in most ways to a hardware GigaStor purchased from VIAVI. However, there are differences that exist due to GSE naturally lacking GigaStor hardware components like the capture card and high-performance RAID card(s).
 
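| Capability                  | GigaStor Software Edition | GigaStor as Appliance |
|-----------------------------|---------------------------|-----------------------|
| Mining & Analysis Interface | X                         | X                     |
| Packet Capture              | X                         | X                     |
| Real-Time Statistics        | X                         | X                     |
| Trending                    | X                         | X                     |
| Triggers and Alarms         | X                         | X                     |
| Data-at-Rest Security       |                           | X                     |
| Capture card                |                           | X                     |
| Hardware Acceleration       |                           | X                     |
| Hardware Filtering          |                           | X                     |
| Packet Deduplication        |                           | X                     |
| Physical Port Indexing      |                           | X                     |
| Precision Time Stamping     |                           | X                     |
| Virtual Adapters            |                           | X                     |
| High-performance RAID card  |                           | X                     |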
 
Minimum and recommended system specifications
Created: 2015-11-06   Revised: 2017-08-07
If you are installing the software on your own hardware or a virtual machine, these are the minimum and recommended specifications for a production environment.
 
Table 1. Observer Expert Console Only (ECO)
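|                      | Minimum                                    | Recommended                                |
|----------------------|--------------------------------------------|--------------------------------------------|
| Processor / CPU      | Dual core Pentium class processor          | Quad core Pentium class processor          |
| RAM (1)              | 2 GB RAM                                   | 8 GB RAM                                   |
| Operating system (2) | 64-bit Operating System, Windows 7 or newer | 64-bit Operating System, Windows 7 or newer |
| Network Card         | Server-class                               | Intel server-class                         |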

1 If your system has 4 GB of RAM, you cannot reserve any memory for Observer. This is a limitation of Windows known as the BIOS memory hole. Either add more RAM or take some out.

2 See for a full list of supported operating systems.

 
 
Table 2. Observer or GigaStor Software Edition in a virtual server
|                      | Minimum                                                              | Recommended                                |
|----------------------|----------------------------------------------------------------------|--------------------------------------------|
| Processor / CPU      | Four core                                                            | Six core Intel                             |
| RAM (1)              | Minimum 16 GB (8 GB for Observer and 8 GB for the operating system)  | 64 GB                                      |
| Storage              | Packet capture - Hardware: Determined by your product. Packet capture - GigaStor Software Edition: Determined by your license. | Same |
| Operating system (2) | 64-bit Operating System, Windows 7 or newer                          | 64-bit Operating System, Windows 7 or newer |
| Network Card         | Virtualized network adapter                                          | Intel server-class                         |
| Capture Card (3)     | Virtualized network adapter                                          | Server-class onboard network adapter       |

1 If your system has 4 GB of RAM, you cannot reserve any memory for Observer. This is a limitation of Windows known as the BIOS memory hole. Either add more RAM or take some out.

2 See for a full list of supported operating systems.

3 A second network card that acts solely as a capture card is required (and must be in “promiscuous mode”). Alternatively, a dual-port NIC can be used.

 
 
 
 
Current compatibility and incompatibility of virtual machines with the GigaStor Software Edition (GSE) is described in this list:
VMWare ESXi Server
ESXi 5.0 and higher is compatible with GSE.
VMWare Workstation Pro is not supported with GSE
Microsoft Hyper-V may function but is not supported with GSE
 
Storage limits of packet capture for GigaStor Software Edition (GSE)
Created: 2016-01-06   Revised: 2016-11-21
The disk storage capacity usable for packet capture in GigaStor Software Edition (GSE) is governed by your GSE license. This allows flexible cost options when considering the storage available to the computer, or virtual machine, that you are installing GSE on.
 
GSE licenses are available at these maximum storage sizes:
 
256 GB
1 TB
4 TB
16 TB
32 TB
48 TB
64 TB
 
 
 
Maximum storage size is a measure of how much network data (in the form of packets) can be retained by the GigaStor Software Edition before the oldest GigaStor data is removed in a first-in first-out (FIFO) storage scheme. The maximum storage size is not an indication of how much disk space the GigaStor Software Edition will consume on your hard disk. For example, the program files and libraries, storage of network trending data (not packets), and other executables are not governed by your GSE license and do not count towards the maximum storage capacity.
Network trending storage is a separate issue from packet capture storage and they are not connected in any way except both require writing data to the hard drive. When estimating file size, retention, and system maintenance, you may want to look at the system holistically and consider both simultaneously. Read more about network trending in Configuring your network trending settings.
 
How to determine disk space requirements for network trending
Created: 2016-01-11   Revised: 2016-11-22
Because network trending can consume a lot of disk space, you need to know how much disk space to reserve.
Network trending data consumes hard disk space. Depending on where you store trending data and your storage requirements for network trending data, the network trending data could fill that drive to full capacity—this is a problem. Therefore, determine your typical 24-hour data rate and how many days of trending data you want to retain. The result indicates how much storage space is required.
To determine the amount of space required to store your desired amount of trending data:
1. Determine your typical 24-hour data rate.
Example: 15 MB or 20 GB.
The data rate is the amount of trending data collected in one 24-hour period.
2. Multiply your typical 24-hour data rate by the number of days you want to retain.
Example: 15 MB x 365 days = 5.475 GB
Example: 20 GB x 30 days = 600 GB
 
The result is the amount of hard drive space required to retain the trending data.
 
 
You can use the numbers you calculated to inform your decisions when deleting network trending data.
 
Using the GigaStor Control Panel
This section covers the GigaStor Control Panel, its settings, and its use when you choose GigaStor from the Capture group in the Home tab.
Note: Packet decoding, Connection Dynamics, and analysis types like TCP, UDP, or VoIP Events are covered elsewhere.
After the GigaStor probe is up and running on the network, you can use an Observer to view captures from the probe. In the Observer you use a special section of the analyzer called the GigaStor Control Panel. The major sections of the GigaStor Control Panel are listed in Figure 1.
Figure 1: GigaStor Detail and Outline Charts
The GigaStor Control Panel shows traffic on a time line graph, allowing you to select packets for decoding, analysis, and display by defining the time period you want to view, and the types of packets you want to include.
Use the sliders at the top of the time line chart to select the time period you are interested in analyzing, then click Update Chart and Update Reports to update everything to the new time frame. Right-click in the top chart to open additional controls.
Figure 2: GigaStor Control Panel Summary tab
If desired, you can further constrain the display of packets by MAC Stations, IP Stations, IP Pairs, etc., by clicking on the appropriate statistics tab and selecting the items you want to see on the Detail Chart.
Press the Settings button. Under General Options, clear Enable Analysis types for whichever analysis types you do not need. This will remove them from the Reports/Statistics ribbon.
Use the left/right arrow on the Reports/Statistics ribbon to move it to the right to see the Maximize button if needed. Clicking this button maximizes or minimizes the section. Now you can more easily work with and view reports and statistics for your selected time frame. You can filter or select a specific area of interest, such as HTTP. Press the Analyze button and choose Filter Using Selected GigaStor Entries to open Expert Analysis and decode tools focused on just your area of interest.
Non-GigaStor-specific settings
The GigaStor Control Panel is a portion of Observer. Some settings in Observer affect the GigaStor.
Some things you may want to configure in Observer include:
Discovering host names so that GigaStor resolves and uses host names. See the Discovery section in the Observer User Guide.
Protocol definitions. This is particularly important if you have custom protocols you want to monitor. See the Discovery section in the Observer User Guide.
TCP/UDP/Server applications. By defining specific applications Observer can provide more detailed reports to you. Observer has many applications already defined, but you can add more if you wish. See the Discovery section in the Observer User Guide.
By default, Observer is not aware of TCP connections that were opened after the GigaStor or packet capture started. You can change this default setting.
Mine some data from the GigaStor. See Analyzing data without any filters. This opens the Decode and Analysis tab.
Ensure the Expert Analysis tab is selected, then click the Settings button at the top. The Expert Global Settings window opens.
Click the TCP/IP tab and clear the Follow only newly opened TCP connections option. A newly opened TCP connection is any connection established after Expert Analysis was started. If the conversation started before Expert Analysis was started, Observer cannot see it.
Setting the GigaStor general options
Revised: 2017-10-26
The General Options tab configures packet capture and buffer size; whether partial packets are captured; indexing of MAC, IP, VLANs; capture and analysis options; sampling; analysis types; and more.
This tab lets you configure many options for the GigaStor.
2. Click the Settings button.
3. Click General Options. See Table 3 for a description of each field of the GigaStor General Options tab.
Figure 3: GigaStor General Options
Packet capture and GigaStor buffer size—This only applies to the active probe instance.
Partial packet capture size—This only applies to the active probe instance.
GigaStor indexing options—You may need to adjust the indexing information based on your network.
Capture and analysis options—What protocols are on your network? Are they all standard protocols, or do you have some custom or home grown protocols?
Other general GigaStor Control Panel options.
Table 3. GigaStor configuration options
Capture Buffer size
Only available if you are configuring an active GigaStor instance.
Allows you to set the amount of Windows memory that Observer will set aside to store captured packets. Observer will show the buffer percentage full and give you an idea of what the best buffer size is for a particular situation.
You will want to capture an event in as little time with as little buffer space as possible. Observer has no limitations on the amount of RAM that can be used for a buffer. On 64-bit systems, you are limited only by the amount of physical memory installed on the Observer PC.
It is not recommended that you use Observer to view packets going to or coming from the Observer PC. If you need to look at the traffic to/from the Observer PC, install Observer on another PC. There are many reasons why this is not a good idea but, in general, you will see varying amounts of your own data with a protocol analyzer on your own PC. This is due to the architecture of the PC and the inability of Windows to multi-task the receiving and analysis of the data going and coming from the Observer PC.
Capture Partial Packets
By default, Observer will capture the entire packet. This option allows you to define a specific amount of each packet to capture to the buffer. For example, a setting of 64 bytes will result in Observer only capturing the first 64 bytes of every packet. Most of the pertinent information about the packet (as opposed to the information contained in the packet) is at the beginning of the packet, so this option allows you to collect more packets for a specific buffer size by only collecting the first part of the packet. In some forensic situations, a warrant may only allow an officer/agent to collect, for example, email headers.
Also, if the system is having trouble keeping up with bandwidth spikes, collecting partial packets can resolve the issue. To change the number of bytes captured in each packet, click Change Size.
This setting affects all analyzers that connect to this probe. You cannot change this setting unless you have administrative privileges to do so.
Collect and Show GigaStor Indexing Information by
Choose whether to show or hide the following tabs in the GigaStor Control Panel: MAC Stations, IP Pairs, IP Addresses, TCP Applications, UDP Applications, VLANs, MPLS, Physical Ports, and Network Packet Broker (NPB) Port Tagging. These options are for controlling statistical display only. All packets that the GigaStor sees are written to disk and are available for analyzing using the Analyze button.
The values configured in these boxes determine the maximum number of stations that are indexed by the GigaStor and shown in the GigaStor Control Panel. If you are limiting MAC stations to 1000 (the default), it is the first 1000 MAC stations the GigaStor sees—not the most recent 1000.
The maximum allowable IP Addresses is 200,000 (the default is 1000). See Discovering current top talkers on the network for tips on how to narrow your time slice.
Capture and Analysis Options
Enable intelligent TCP protocol determination: Displays only known applications while hiding dynamic ports by using the TCP three-way handshake (SYN SYN+ACK ACK). Clearing this option shows all ports.
Limit to ports defined in “Protocol Definitions”: Select this option to limit the ports shown to only those listed in the Protocol Definitions. See the Discovery section in the Observer User Guide.
Track statistics information per physical port: When selected, causes the GigaStor to index the data it collects by capture card physical ports. You can then display GigaStor Control Panel statistics by physical port. If this option is selected, you may also want to enable the “Use physical port selections…” option on this tab.
Collect counts for all IP protocols in addition to TCP and UDP: Select this option to collect counts for all IP protocols (such as ICMP, OSPF, Multicast, etc.) not just TCP and UDP. If this option is not selected, TCP and UDP counts are still collected.
Enable Analysis Types:
Choose whether to enable the GigaStor Control Panel to process and display these types of data. By clearing these options, the corresponding tab is hidden in the GigaStor Control Panel and you cannot analyze packets for these data types:
 
Forensic Analysis (uses Snort rules)
FIX Analysis: used to process FIX financial transactions.
Microburst Analysis: used to process data to identify microbursts on your network, typically a concern for network administrators in trading firms, but also other companies.
Trading Multicast Analysis
IPTV Analysis
 
GigaStor Packet Sampling
Packet sampling applies to the GigaStor Control Panel statistical displays, not saved packets. On probes connected to highly-saturated networks (especially multi-port probes), sometimes it is desirable to adjust the rate of statistical indexing to conserve probe processing and storage resources. The default (and recommended) setting is for Observer to automatically scale back the packets it uses to update the analyzer display based on system load. Alternatively, you can specify a fixed sampling ratio to consider when updating the GigaStor Control Panel charts and statistical displays. A sampling ratio of 1 means every packet is analyzed, and a ratio of 10 means one in every 10 packets is analyzed. From a statistics perspective, analyzing every 10th or even every 100th packet will provide the trends you need without burdening the system by analyzing every packet.
For even more details, see Differences between statistics and packets.
Use physical port selections…
You can choose this option to display statistics sorted by capture card physical port. This is useful when you want to troubleshoot the individual links without having to load the capture buffer by clicking Analyze.
If selected, you must also select the Track statistics information per physical port option in the Capture and Analysis Options section on this tab.
Auto-update GigaStor chart…
When selected, causes the listed actions to have the same effect as clicking the Update Chart/Statistics buttons.
Keep focus on GigaStor
Keeps the focus in the GigaStor Control Panel instead of switching to the decode pane.
Update display…in 30 second intervals
When selected all tables will update in 30 second intervals. This does not affect web-based reports, only the real-time displays in the analyzer.
Display only defined subnets
When selected only defined subnets are displayed. The subnets must be defined on the Subnet tab. See for details about defining a subnet.
Enable IP DNS resolution
Select this option to enable IP DNS resolution within the GigaStor. If you have several thousand hosts, you may wish to disable this option as it may take a long time to resolve names for reports.
Enable packet time charting…
Because the charts can be configured to show sub-second intervals, some packets will cross the boundaries of your chosen intervals. This makes it hard to tell from the chart how long your scenario lasted. When enabled, this setting makes the charts display every interval in which bits from your packet were present, not just the first interval.
This setting works even if it was not enabled when the packet was captured. It can be enabled later and you will see every interval where a bit was present.
 
You set the general options for your GigaStor system. These options have a large effect on the operation of the GigaStor system, so if anything seems wrong or you are not seeing all the packets you anticipated, return to these settings and see if they should be changed.
 
Shorten your time slice to find a top talker
Created: 2015-06-26   Revised: 2016-11-22
The Top Talker list may appear to be missing entries. This occurs because of a combination of two settings in your GigaStor Control Panel. Temporarily adjust these settings to get the data you want.
If you are trying to find what system or systems are responsible for certain traffic on your network, you’d typically use Top Talkers to identify them. There is, however, a limit to the number of systems that Top Talkers identifies. By default, that limit is 1000. As soon as the 1000th system is identified in a time slice—chronologically—all remaining systems are ignored even if they were “chattier” (that is, causing more traffic on the network) than any of the first 1000 systems. In other words, the GigaStor Control Panel does not show the 1000 most talkative systems, but the first 1000 systems it encounters.
The solution is to shorten your time slice, perhaps down to milliseconds if necessary so that the Top Talker list does not reach the 1000 stations. Additionally, you can increase the number of IP Addresses allowed in the list up to a maximum of 200,000.
Also keep in mind that in the GigaStor Control Panel you are looking at statistics, not actual packet data. Therefore, you could set the GigaStor Control Panel sampling ratio to 1 and set the maximum number of entries allowed to a very high number (100,000 or even higher). This won’t give you 100% accurate data, but you will get a very good idea of the situation based on statistics.
Caution: If you change the maximum IP addresses or the sampling ratio, consider changing the values back after you have identified your top talker. Both settings affect memory and can adversely affect performance if there is a high number of IP addresses and an extremely low sampling ratio. Returning these values to their defaults (10,000 IP Addresses and a sampling ratio of 10) will restore GigaStor performance.
The GigaStor Control Panel indexing maximums and sampling ratio are configured in Setting the GigaStor general options.
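The first-seen cap described above can be modelled in a few lines. This is an added example, not Observer or GigaStor code: it shows a late, heavy sender disappearing from a capped index and reappearing once the window is cut into shorter slices. The function names, the cap of 5 (instead of the 1000 default), the merge of per-slice results and the traffic are all constructed for illustration.

```python
"""Model of a first-seen station cap (added example; not Observer/GigaStor code)."""

CAP = 5  # assumed small cap so the effect is visible; the page's default is 1000


def capped_index(packets, max_stations):
    """Index bytes per source, admitting only the first max_stations sources seen."""
    counts = {}
    for _ts, src, nbytes in packets:          # packets are in chronological order
        if src in counts:
            counts[src] += nbytes
        elif len(counts) < max_stations:
            counts[src] = nbytes
        # else: cap reached; later stations are ignored however much they send
    return counts


def sliced_index(packets, start, end, width, max_stations):
    """Index each time slice separately with the cap, then merge the results.

    Returns (merged_counts, saturated). saturated lists the slices whose station
    count reached the cap, which means stations may be missing from them.
    """
    merged, saturated = {}, []
    t = start
    while t < end:
        hi = min(t + width, end)
        in_slice = [p for p in packets if t <= p[0] < hi]
        counts = capped_index(in_slice, max_stations)
        if len(counts) >= max_stations:
            saturated.append((t, hi))
        for src, nbytes in counts.items():
            merged[src] = merged.get(src, 0) + nbytes
        t = hi
    return merged, saturated


def top_talkers(counts, n=3):
    """Sort by bytes descending, then by address for a stable order."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def sample_traffic():
    """Constructed traffic as (timestamp_s, source_ip, bytes) records."""
    pkts = [(float(h - 1), f"10.0.0.{h}", 300) for h in range(1, 9)]  # 8 quiet hosts
    pkts += [(t + 0.5, "10.0.0.99", 40_000) for t in range(6, 10)]    # late heavy sender
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    traffic = sample_traffic()
    whole, sat = sliced_index(traffic, 0.0, 10.0, 10.0, CAP)
    print("one 10 s slice :", top_talkers(whole), "saturated:", sat)
    fine, sat = sliced_index(traffic, 0.0, 10.0, 2.0, CAP)
    print("five 2 s slices:", top_talkers(fine), "saturated:", sat)
```

A station count that equals the configured maximum is the signal to distrust the list: treat that slice as truncated and narrow it before concluding that no host is responsible for the traffic.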
Understanding GigaStor protocol and port settings
Revised: 2016-11-22
Allow the GigaStor to get smarter by collecting more information. Over time as the GigaStor sees more of your network’s traffic, it gets smarter about the traffic on your network.
 
Unless you have a specific reason to do so, we recommend that you leave these options selected:
Enable intelligent TCP protocol determination—when checked, all new data collected is indexed by protocol, only if SYN-SYNACK-ACK packets are observed at the start of the conversation. If this combination is found, reports show this conversation by protocol name (or custom name), IANA name, or port number (based on statistics lists setting). Otherwise the conversation is not listed. If you try to analyze data prior to the time that this option was enabled, you will not see this data. Data must be collected with this option enabled for GigaStor reports to present the data correctly using the Update Reports button. By clearing this option, you ensure you get all protocol information regardless of SYN-SYNACK-ACK packets.
Limit to ports defined in “Protocol Definitions”—limits the displayed data to the ports specifically defined in the Options > Protocol Definitions dialog. Again, this is written to the internal GigaStor index. This option only shows custom protocols defined on new data collected after a protocol port has been defined. You must also choose Apply Protocol to all Instances to ensure this data is shown on all instances used for analysis. By clearing this setting, all ports are used.
If you want to track statistical information for each port on your capture card, then you should ensure Track statistics information per physical port option is selected.
For even more information about what these settings affect, see Differences between statistics and packets and Understanding GigaStor indexing.
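The effect of Enable intelligent TCP protocol determination on what is listed can be seen with a small model. This is an added example, not Observer or GigaStor code: it indexes a conversation by its server port only when SYN, SYN+ACK and ACK were observed in order, and compares that with an ungated index. The record layout, function names, the way the ungated index counts both ports, and the sample capture are assumptions made for illustration.

```python
"""Handshake-gated application indexing (added example; not Observer/GigaStor code)."""

SYN, PSH, ACK = 0x02, 0x08, 0x10   # TCP flag bits


def index_by_application(packets, require_handshake=True):
    """Return {port: bytes} for (src, sport, dst, dport, tcp_flags, length) records."""
    if not require_handshake:
        # Modelling assumption: with the gate off nothing identifies the server
        # side, so bytes are counted under both ports of every packet.
        totals = {}
        for _src, sport, _dst, dport, _flags, length in packets:
            for port in (sport, dport):
                totals[port] = totals.get(port, 0) + length
        return totals

    state = {}    # (client, cport, server, sport) -> "SYN" | "SYNACK" | "EST"
    nbytes = {}   # same key -> bytes seen since the SYN
    for src, sport, dst, dport, flags, length in packets:
        fwd = (src, sport, dst, dport)    # key if this packet goes client -> server
        rev = (dst, dport, src, sport)    # key if this packet goes server -> client
        if flags & SYN and not flags & ACK:
            state[fwd], nbytes[fwd] = "SYN", 0
            key = fwd
        elif flags & SYN and flags & ACK and state.get(rev) == "SYN":
            state[rev] = "SYNACK"
            key = rev
        elif fwd in state:
            if state[fwd] == "SYNACK" and flags & ACK:
                state[fwd] = "EST"        # third step of the handshake
            key = fwd
        elif rev in state:
            key = rev
        else:
            continue                      # opening SYN never seen: not indexed
        nbytes[key] += length

    totals = {}
    for key, st in state.items():
        if st == "EST":                   # only completed handshakes are listed
            totals[key[3]] = totals.get(key[3], 0) + nbytes[key]
    return totals


def hidden_ports(packets):
    """Ports that carry traffic but are absent from the handshake-gated index."""
    gated = index_by_application(packets, require_handshake=True)
    everything = index_by_application(packets, require_handshake=False)
    return sorted(set(everything) - set(gated))


def sample_capture():
    """Constructed capture: one full session, one mid-stream session, one bare SYN."""
    c, s = "10.1.1.5", "10.1.1.20"
    return [
        (c, 51000, s, 443, SYN, 60),
        (s, 443, c, 51000, SYN | ACK, 60),
        (c, 51000, s, 443, ACK, 54),
        (c, 51000, s, 443, PSH | ACK, 500),
        (s, 443, c, 51000, PSH | ACK, 1400),
        # Session opened before the capture started: no handshake on record.
        ("10.1.1.7", 49822, "10.1.1.30", 1433, PSH | ACK, 300),
        ("10.1.1.30", 1433, "10.1.1.7", 49822, PSH | ACK, 900),
        # SYN that never received an answer.
        ("10.1.1.9", 40000, s, 8080, SYN, 60),
    ]


if __name__ == "__main__":
    capture = sample_capture()
    print("gated  :", index_by_application(capture, True))
    print("ungated:", index_by_application(capture, False))
    print("hidden :", hidden_ports(capture))
```

In this model the session on port 1433 is on disk but absent from the gated statistics, which is why long-lived connections that predate the capture have to be looked for with the option cleared or in the packets themselves.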