Configuring Observer’s general settings
 
The Observer General Options window allows you to configure the general settings for Observer. These include general configuration options, e-mail and pager options, folder settings, and more.
To configure Observer’s general settings:
Click the File tab, and click Options > General Options.
General tab
 
This tab allows you to set how the analyzer functions. Preferences you can set on this tab include:
Whether Observer asks for confirmation before doing certain things
What application certain file extensions are associated with
Whether any features are disabled
Several display and formatting options
Several start and runtime options
The Remember expert post-capture statistic data when switching tabs field is only available when the product is installed on 64-bit systems because of memory limitations of 32-bit systems.
One option of note is: Enable port control via command line on capture card (xxxGig2010) capture cards. This option is only available for 1 Gb, 10 Gb, or capture cards released with version 15 or later. It will not work for any capture cards in probes purchased prior to version 15 and later upgraded to version 15. The command line usage and options are:
NiDecodeApi.exe -VIRTADAPTER=C:;V:;P:
Purpose
Sets the ports for the capture card to be on or off from a command line using NiDecodeApi.exe -VIRTADAPTER. Parameters must be separated by a semi-colon (;).
Parameters
C:
Specifies that the capture card is either a 1, 10, or 40 Gb capture card. The options are:
C:oneGig2010
C:tenGig2010
C:fortyGig2010
V:
Specifies the virtual port adapter number. The capture card supports up to four virtual adapters. You may only specify one virtual adapter at a time.
V:1
V:2
V:3
V:4
P:
Specifies whether a port is on or off for a given virtual adapter. The capture card has up to 12 ports.
0=off
1=on
Ports can be partially filled. For instance:
P:; means all ports are off.
P:1; means port 1 is on and all others are off.
P:0001; means ports 1, 2, and 3 are off and port 4 is on. If the capture card has more than four ports, any ports beyond 4 are also off.
Use
NiDecodeApi.exe -VIRTADAPTER=C:oneGig2010;V:1;P:1111
NiDecodeApi.exe -VIRTADAPTER=C:tenGig2010;V:3;P:01010101
NiDecodeApi.exe -VIRTADAPTER=C:fortyGig2010;V:2;P:11110101
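The following Python sketch is an added example, not part of the product or its documentation. It validates a -VIRTADAPTER value against the rules described above and reports which ports it would leave on, which is useful when reviewing a script or scheduled task that changes capture ports. The function names are hypothetical, and exact-case matching of the card type is an assumption.

```python
CARD_TYPES = ("oneGig2010", "tenGig2010", "fortyGig2010")   # values listed on this page
MAX_PORTS = 12                                              # "up to 12 ports"

def parse_virtadapter(arg):
    """Validate a -VIRTADAPTER value and return (card, adapter, ports_on)."""
    prefix = "-VIRTADAPTER="
    if arg.startswith(prefix):
        arg = arg[len(prefix):]
    fields = {}
    for part in arg.split(";"):
        if not part:
            continue                      # tolerate a trailing ';' as in "P:1;"
        key, sep, value = part.partition(":")
        if not sep or key not in ("C", "V", "P") or key in fields:
            raise ValueError(f"unexpected or repeated field: {part!r}")
        fields[key] = value
    missing = {"C", "V", "P"} - fields.keys()
    if missing:
        raise ValueError(f"missing field(s): {sorted(missing)}")
    if fields["C"] not in CARD_TYPES:     # assumption: names are matched exactly
        raise ValueError(f"unknown card type: {fields['C']!r}")
    if fields["V"] not in ("1", "2", "3", "4"):
        raise ValueError("virtual adapter must be a single value from 1 to 4")
    mask = fields["P"]
    if len(mask) > MAX_PORTS or set(mask) - {"0", "1"}:
        raise ValueError(f"port mask must be at most {MAX_PORTS} characters of 0/1")
    # Positions not given are off, so "0001" means only port 4 is on.
    ports_on = [i + 1 for i, bit in enumerate(mask) if bit == "1"]
    return fields["C"], int(fields["V"]), ports_on

def build_virtadapter(card, adapter, ports_on):
    """Build the argument from an explicit list of ports to switch on."""
    if any(not 1 <= p <= MAX_PORTS for p in ports_on):
        raise ValueError(f"port numbers must be between 1 and {MAX_PORTS}")
    highest = max(ports_on, default=0)
    mask = "".join("1" if p in ports_on else "0" for p in range(1, highest + 1))
    value = f"C:{card};V:{adapter};P:{mask}"
    parse_virtadapter(value)              # reuse the validation above
    return "-VIRTADAPTER=" + value
```

An empty list from parse_virtadapter means the command switches every port on that virtual adapter off.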
 
Security tab
 
There are several options available to you to tighten access to Observer. Many of the options are used in conjunction with OMS, but some can be used by Observer by itself.
To view and change the security settings for an Observer, in Observer choose Options > Observer General Options > Security tab. Use the information in Table 4 to configure the analyzer’s security and OMS options.
Table 4. Security options
Option
Description
Require Observer Login
When enabled, this option forces a user to provide a user name and password to open Observer. The user name can be stored locally if you are not using OMS, or maintained by OMS if the “Authenticate Observer login with OMS” option is enabled. This option is not visible unless you have a special license enabling it.
Caution: Do not lose this password! There is no way to recover a lost administrative password.
Observer Login Credentials—Type a user name and password. This information is encrypted and stored locally. Only one user account is allowed per system. If you want numerous people to have access to Observer with different user accounts, you must use OMS.
Administrative Credentials—A local administrative user account that allows you to create a non-administrator account and to set security options for OMS.
Use Observer Encryption Key file for secure connections
Strong encryption is available for Observer Expert and Suite users. Observer Encryption Key (.OEK) files let you use private encryption keys to ensure that unauthorized persons do not have access to the data flowing between Observer and probes.
To use Observer Encryption Key files, you must copy the encryption key file into the installation directory (usually C:\Program Files\Observer) of each probe or analyzer that you want to authorize. To generate a key file, click the “Launch Encryption Key Generator” button. Its online help explains its use and how to set up the keys it generates.
Each analyzer and each probe must have the .oek file. Observer encryption keys are required if you want to use OMS.
Authenticate users (for redirected Probe instances)
Forces users to authenticate with OMS before using remote probes. User accounts belong to user groups in OMS, and through the user group, access to probe instances can be granted or restricted. Only probe instances to which the user has access will be visible in the analyzer. This option does not control whether users can open Observer. That is done through the “Authenticate Observer login with OMS” option.
Manage Observer/Probe license with OMS
An Observer or probe license can be stored and managed locally at each analyzer or probe, or it can be managed centrally by OMS. If unchecked, it is managed locally and you must provide a license for each analyzer/probe. If selected, then you can provide a pool of licenses in OMS and the analyzer or probe will take an available license when the analyzer or probe starts.
Get list of Probe Instances available for redirection from OMS
When selected, all probe instances to which the user has access through group permissions set in OMS are available when connecting to a probe. When unchecked, only the local probe instances are available and no probe instances are listed when connecting to a remote probe.
Share filters with OMS
When selected you may create filters and share them with others. You may also get any filters created by others. Whenever a filter is updated, other users can be informed and update their local version. The list is maintained by OMS.
Synchronize user protocol definitions through OMS
When selected you synchronize protocol definitions, including any derived applications definitions, automatically through OMS. If any protocol definitions are updated in another analyzer, you automatically receive those. If a protocol definition is updated in one analyzer, it is published to OMS and OMS pushes that new definition to all analyzers that choose to synchronize their protocol definitions.
Extra caution should be used with this setting because definitions are automatically propagated to all analyzers (assuming the setting is selected in Observer). If two users are updating the same protocol definition, the definition of the last user to save and close the window is the one that is used. Only one user (or a small select group of users) should be responsible for maintaining the list of protocol definitions. This ensures that no inadvertent changes are made.
Primary/Secondary server
Provide the IP address of the primary OMS server. If you are also using a failover OMS server, type its IP address in the Secondary server box.
Allowed to modify shared filters
When selected, you can get a shared filter from someone else, modify it locally, then upload your modified version to OMS thereby making your new version available to everyone else. When disabled, you can only get filters from OMS and upload your own. You cannot modify any filters you get from OMS. This option requires that you have the ability to share filters with OMS.
Authenticate Observer login with OMS
This option works in conjunction with the “Require Observer Login” option. This forces Observer to use OMS to authenticate users rather than Observer’s local user list. A user list is maintained in OMS.
Require a password to change partial packet capture size
Select this option if you want to require someone to provide a password before they may change the partial packet capture size. This is a central password and all users must use the same password.
Launch Encryption Key Generator
Click this button to open the VIAVI encryption key generator. If you want the GigaStor payload to be encrypted using 256-bit AES encryption before it is stored, select the “Encrypt GigaStor network traffic…” option.
An encryption key is needed on the GigaStor (or a location accessible by the GigaStor) to encrypt and decrypt the data. The AES key is not needed on workstations, probes, or other collection points. A special license is required for this feature. Contact VIAVI for this license.
 
Folders tab
Revised: 2015-12-02
This tab allows you to set the directories that hold Observer data. In most cases, the defaults are fine. We do not recommend pointing to networked directories or mapped drives.
 
Network Trending Folder
The location for Observer to store Network Trending data.
Network Trending Viewer data size (in MB)
The maximum amount of memory to use when loading trending data in the network trending viewer. If the data exceeds the specified memory limit, an error message is displayed.
Folder for GigaStor and saving packets to disk
The default save location for packet captures. Automatically generated files are also stored here, like packet capture data collected by GigaStor.
The default directory for a GigaStor appliance is D:\DATA.
SNMP Trending Folder
The location for Observer Suite to store SNMP Trending data.
Write SNMP Trending data to disk every N-minutes
Allows you to set the number of minutes the system will wait before writing trended SNMP data to disk.
Compiled SNMP MIB folder
The location for Observer to store and access compiled SNMP Management Information Base (MIB) files. The default is C:\Program Files\Observer\SNMP.
We do not recommend changing this unless you have a specific reason to do so. When you change the MIBs or requests directory, any currently installed MIBs (or requests) will become inaccessible to the SNMP Management Console and its supporting utilities. If you change these directories, you will need to move the files in the existing directories to the new location. All executable files in the SNMP Management Console package use these definitions to find installed MIBs and requests.
SNMP Requests folder
Allows you to define the path to the directory where SNMP Management Console should look for compiled request files. The default is C:\Program Files\Observer\SNMP.
 
SNMP tab
 
This tab will not be active unless you have purchased a licensed copy of Observer Suite. After installation, the SNMP Management Console will generally require little, if any, configuration before it can be used.
Stop MIB compilation upon error in MIB source file
If you want Observer to complete the compilation even though the source file contains errors, leave the box unchecked.
Use as MIB source editor
Allows you to enter the program you wish to use to edit MIB source files. The default is Microsoft Windows Notepad, although any editor capable of saving a plain text file will do.
Default SNMP version
Allows you to select the default version of SNMP to use for new agents. You may also override this in the Agent Properties dialog.
Request time-out period (sec)
Allows you to set the number of seconds that SNMP Management Console will wait for an agent to respond before resending a request.
Request retry count
Allows you to define how many times SNMP Management Console will re-send a request to an agent before timing out.
Max data buffer (x100K) for running charts
Allows you to define how much memory will be made available for SNMP Management Console’s chart display. The more memory made available, the more data points the chart display will be able to show. Memory saved for the SNMP Management Console’s chart display, however, will not be available for other programs or purposes.
Max allowed RMON objects in MIB Walk
Allows you to set the maximum number of RMON objects to appear and/or be processed during a MIB Walk. The default value is 9999.
Repeat alarm notifications
Allows you to select the number of times that Observer should send out SNMP-related alarms when the alarm has been triggered.
Repeat trap notifications
Allows you to select how many times to repeat trap notifications. While, in practice, the vast majority of notifications sent via UDP will reach their destination, the UDP protocol, which is specified by the SNMP RFC for trap notification, does not require or permit packets being acknowledged by the receiving station. It is simply a matter of sound practice to repeat trap notifications several times.
 
IPv6 tab
 
IPv6 is fully and natively supported in Observer.
This tab configures Observer to display actual IPv6 addresses when sensed, rather than their IPv4-compatible representation. This affects all statistical displays that show IP addresses in an IPv6 environment. You can also choose how to represent these addresses.
Compressed hexadecimal represents the address as native IPv6 (i.e. each of the eight 16-bit portions of the address is specified), but with the 0000 portions of the address replaced by double colons (::). For example: FE80::254E:F35D:7DB4:11
Not compressed hexadecimal represents the address as native IPv6 (i.e. each of the eight 16-bit portions of the address is specified), including the 0000 portions. For example: FE80:0000:0000:0000:254E:F35D:7DB4:0011
The IPv4 compatible formats represent the address as x:x:x:x:x:x:d.d.d.d, where the x’s are the 16-bit left-most portions of the IPv6 address, and the d’s are four 8-bit (IPv4-style) decimal values derived from the last two portions of the 16-bit IPv6 address. An example of the compressed form is FE80::254E:F35D:125.180.0.17. In uncompressed format, it would be FE80:0000:0000:0000:254E:F35D:125.180.0.17
Decimal. separated represents the address as 16 decimal octets, for example: 254.128.0.0.0.0.0.0.37.78.243.93.125.180.0.17
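The following Python sketch is an added example, not Observer code. It renders one IPv6 address in each of the display formats described above and converts the decimal form back, so an address copied from Observer can be matched against logs from other tools. The function and key names are hypothetical, and leaving a single zero group uncollapsed is an assumption the page does not confirm.

```python
import ipaddress

def _join(groups, suffix=()):
    """Hex-join 16-bit groups, collapsing the longest run of zero groups into '::'."""
    start, length, i = 0, 0, 0
    while i < len(groups):
        j = i
        while j < len(groups) and groups[j] == 0:
            j += 1
        if j - i > length:                 # first run wins on ties
            start, length = i, j - i
        i = max(j, i + 1)
    text = [format(g, "X") for g in groups]
    if length < 2:                         # assumption: a lone zero group is kept as 0
        return ":".join(text + list(suffix))
    head = text[:start]
    rest = text[start + length:] + list(suffix)
    return ":".join(head) + "::" + ":".join(rest)

def observer_ipv6_formats(address):
    """Return the display formats described above for one IPv6 address."""
    packed = ipaddress.IPv6Address(address).packed      # 16 raw bytes; raises on bad input
    groups = [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]
    full = [format(g, "04X") for g in groups]
    dotted = ".".join(str(b) for b in packed[12:])       # last 32 bits as d.d.d.d
    return {
        "compressed_hex": _join(groups),
        "uncompressed_hex": ":".join(full),
        "ipv4_compatible_compressed": _join(groups[:6], [dotted]),
        "ipv4_compatible_uncompressed": ":".join(full[:6] + [dotted]),
        "decimal_separated": ".".join(str(b) for b in packed),
    }

def parse_decimal_separated(text):
    """Turn the 16-octet decimal form back into an IPv6Address for comparison."""
    octets = [int(part) for part in text.split(".")]
    if len(octets) != 16 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("expected 16 decimal octets in the range 0-255")
    return ipaddress.IPv6Address(bytes(octets))
```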
 
Third Party Decoder tab
 
Prerequisite: Observer Expert or Observer Suite
This tab allows you to specify a third party decoder, which can be installed anywhere on the same system as Observer, to use when loading saved packet captures. By enabling this option, a new menu option is available: File > Decode Capture File using Wireshark. Some third party packet analyzers can decode some things that Observer cannot. You can use Observer to capture the traffic and use the third party decoder to analyze it. Additionally, if you want to use a third party decoder to look at the same packet capture and compare the results side-by-side, you can now launch the decoder from within Observer.
Assign menu name
Defines the menu option that appears under the File menu. It defaults to “Decode Capture File using Wireshark,” but this menu item can be anything you want.
Executable name
Provide the full path to the third party application you want to use to decode capture files. The decoder must be installed on the same system as Observer, not the probe.
Command line
Provide any command line options you want to pass to the third party decoder when you are opening the application.
Capture buffer format
Choose which file format to export your capture to: Observer’s native BFR format or PCAP. See Saving packet captures.
 
GeoIP Settings
 
There may be times when you want to know more about an IP address you are seeing in Observer. Using an external geolocation service, you can more easily find out information such as the IP’s carrier or service provider and the city, state, and country where the IP address is located in the world. This information could be valuable in identifying the source of a security threat, malicious communication, or simply an incorrectly configured system somewhere in the world impacting your organization.
This tab allows you to define a URL that is called and opened in a web browser. By default the geolocation service of the GeoIP website is used, but you may change this to any geolocation service you wish.
You can look up the geolocation information for an IP address when you are on the Decode and Analysis tab in Observer or when you are on the IP Stations tab in the GigaStor Control Panel. For instance, click the Top Talkers tab, select an IP address, right-click and choose Connect to the Selected Station via > GeoIP Lookup.