Mining data from your GigaStor
 
Page Contents
Selecting a time frame to analyze
How to reorder packets based on a trailer timestamp
Analyzing data without any filters
Analyzing data with filters from the Observer filter editor
Analyzing data with filters from the GigaStor Control Panel
Analyzing data by combining GigaStor Control Panel and Observer filters
Analyzing multiple GigaStor probe instances from one GigaStor Control Panel
Retrieving data from GigaStor and analyzing it is a primary function of the GigaStor Control Panel. You can use the information in the packet capture to identify numerous network conditions. By using filters and a specific analysis type, you can home in on the exact information you want.
Video 14: Using a GigaStor
You have different options when you want to analyze captured data. You can analyze the data:
Without any filters.
With filters from the Observer filter editor.
With filters from the GigaStor Control Panel.
By combining filters from the GigaStor Control Panel and the Observer filter editor.
Note: Every packet captured by the probe is time stamped the moment it is seen by the capture card interface, before it is passed to the capture buffer. This gives the most accurate timestamp.
Table 44 describes the different options available on the GigaStor Analysis Options screen that appears when you click the Analyze button on the GigaStor Control Panel.
Table 44. GigaStor Analysis Options
This option:
Allows you to do this:
Analysis Time Range
Shows the start and end time of the time range you selected in the Detail Chart. You can change the time here if you wish.
Analysis Options
Analyze all data (no filtering)
Takes all packets in the selected time frame on the Detail Chart and analyzes them using the analysis type chosen at the bottom of the screen, without applying any filter. See Analyzing data without any filters.
Select an existing filter
Takes all packets in the selected time frame on the Detail Chart and analyzes them using the analysis type chosen at the bottom of the screen, applying the filter you select (after clicking OK). See Analyzing data with filters from the Observer filter editor.
Filter using selected GigaStor entries
Takes all packets in the selected time frame on the Detail Chart and creates a one-time-use filter from the entries you checked on the MAC Stations, IP Stations, IP Pairs or any of the other tabs in the GigaStor Control Panel. See Analyzing data by combining GigaStor Control Panel and Observer filters.
VoIP and Videoconferencing calls by SIP tag
Takes all of the packets in the selected time frame on the Detail Chart and allows you to extract VoIP and videoconferencing calls based on a SIP tag. For further details about the Settings, see How to extract VoIP and video calls from your GigaStor .
Reorder and filter based on trailer timestamp
Some switch aggregators add their own timestamp to packets and can cause packets to have a different order than they were actually seen by the GigaStor. If selected, Observer reorders and filters packets based on the timestamp information from the switch aggregator you chose from the list instead of from the GigaStor.
Include Expert information in analysis filter
Expert Information packets provide context about network conditions during the time the traffic was captured. These expert frames can give you insight into what was happening on the network that may have influenced a condition in the packet capture you are analyzing.
Display selected filter before starting analysis
Allows you to view the filter before Observer begins analyzing the packet capture. For example, you might choose this option if you have already used the filter and the output excluded traffic you were expecting. By displaying the filter, you can inspect it to see why it is excluding that traffic.
Analysis Type
Expert analysis and decode
Along with the packet decode, this provides Observer's advanced expert analysis, such as protocol analysis, top talkers, Internet Observer, Application Transaction Analysis, VLAN information, and Forensic Analysis using Snort. Use this option if you want to dig into the packets with the ability to view common services and applications, response performance by severity, port-based protocols with slow response, network and application problems with a distinction between local traffic and WAN/Internet traffic, and more.
Decode without expert analysis
Provides a packet decode without any of the insight of expert features listed above.
FIX analysis
Used in conjunction with a FIX analysis profile, the results are displayed on the FIX Analysis tab in the GigaStor Control Panel. See Analyzing FIX transactions. Use this option if you need to see the raw FIX protocol packets and headers, highlight just the FIX data, filter a trade by order ID for further analysis, or to validate a specific transaction.
Forensic analysis
Allows you to choose a profile in which you have defined which Snort rules to use. The results are displayed on the Forensic Analysis tab in the GigaStor Control Panel. If you chose "Expert analysis and decode" and later decide you also want forensic analysis, click the Forensic Analysis tab, which prompts you for a profile. Use this option if you need to scan high-volume packet captures for intrusion signatures and other traffic patterns that can be expressed in the familiar Snort rule syntax. You can enforce your acceptable-use policies, fight industrial espionage, and support regulatory requirements such as Sarbanes-Oxley or HIPAA. Network forensics gives you pre-intrusion tracking and identification, and an evidence trail after an intrusion. You can also use it for network troubleshooting, applying root-cause analysis to problems that have been present for a while. See Examining your network traffic with forensic analysis.
Microburst analysis
Analyzes the selected time frame for any microbursts (as defined in the Microburst Analysis Settings dialog) and displays the results in the Microburst Analysis tab of the GigaStor Control Panel. This is an easier way to find microbursts across a much longer time frame than using the Detail Chart where the longest time frame that can be analyzed is 15 minutes. Use this option if you need to monitor applications that are sensitive to microbursts, such as financial, audio, video, or multicast applications. See Searching for microbursts.
Trading Multicast analysis
Analyzes the selected time frame for issues with trading multicast streams, specifically those related to stock exchanges. The streams can be analyzed for UDP sequence number tracking, multiple protocol data units (PDUs) within a UDP packet, and stream type or ID. Use this option if you want to analyze any of the Trading Multicast streams Observer supports.
See Trading Multicast for a list of default streams Observer has.
IPTV analysis
Analyzes the selected time frame for IPTV traffic on your network. IPTV is configured by providing the multicast stream IP (or range of IPs) and, optionally, the UDP ports used to transport the content, along with the receive capabilities of the devices consuming the IPTV feeds. These settings allow Observer to identify IPTV traffic of interest (the IP and UDP ports) and to accurately calculate metrics about the quality of the feed for the endpoints, such as MDI, by providing the Delay Factor and Media Loss Rate information.
See Choosing your network trending types for a list of default streams Observer has.
Multiple GigaStor analysis
Combines and analyzes data streams from two or more active probe instances. The active probe instances are typically from multiple GigaStor probes, but can also be from the same GigaStor probe. Use this option if your GigaStor probes captured the same data from two or more perspectives and you want to compare them using MultiHop Analysis. The MultiHop Analysis can be based on IP, IP Pair, IP port, or a filter. Or use it when two or more perspectives are capturing different parts of the same communication (one send and the other receive; or 50% of the connections to an application on one and 50% on the other) and you want to combine the data to get a complete picture of the communication. This might be due to the way traffic was routed (and eventually captured) or part of an architectural decision to load balance the traffic across multiple physical capture appliances.
For details about MultiHop Analysis, see Using MultiHop Analysis.
Third Party Decoder
Observer allows you to use other software to view packet decodes if you wish, for example because you prefer the other tool's interface or workflow. This option is only available if the Third Party Decoder option has already been enabled on the Third Party Decoder tab of Options > General Options. By default the menu text is "Decode Capture File using Wireshark," but it is completely configurable. See Third Party Decoder tab for details on how to change the menu text and which application is used.
Remember Analysis Options and Type
The analysis options and analysis type you selected last are reused for any subsequent analysis. This is useful if you typically run the same analysis repeatedly.
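The microburst option in the table above looks for short intervals in which traffic arrives far faster than the average rate suggests. These bursts matter beyond performance: a burst that exceeds the rate of the monitoring link or the capture path is exactly where a capture drops packets, so a gap in evidence often coincides with one. The following Python is an added example written for this page, not Observer code, and it does not reproduce the definition used in the Microburst Analysis Settings dialog. It uses one common definition as an assumption: slide a fixed-width window over the packet timestamps, compute the rate inside each window including per-frame wire overhead, flag windows at or above a fraction of the link rate, and merge overlapping flagged windows into one burst. The window width, threshold, link rate and sample traffic are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Ethernet preamble (8 bytes) plus minimum inter-frame gap (12 bytes): they
# occupy the wire but are not part of the captured frame length.
WIRE_OVERHEAD = 20


@dataclass
class Burst:
    start_ns: int   # start of the first window that crossed the threshold
    end_ns: int     # end of the last window that crossed it
    peak_bps: int   # highest window rate seen inside the burst


def find_microbursts(packets: Iterable[Tuple[int, int]], window_ns: int,
                     link_bps: int, threshold: float) -> List[Burst]:
    """packets: (timestamp_ns, frame_len_bytes) pairs, in any order.
    A window [t, t + window_ns) starting at each packet is flagged when the
    bytes that arrived in it, with wire overhead, amount to at least
    threshold * link_bps. Integer arithmetic keeps the rates exact."""
    pkts = sorted(packets)
    n = len(pkts)
    flagged: List[Tuple[int, int]] = []   # (window start, bits per second)
    window_bytes, j = 0, 0
    for i in range(n):
        start = pkts[i][0]
        # pull in every packet that falls inside this window (two-pointer sweep)
        while j < n and pkts[j][0] < start + window_ns:
            window_bytes += pkts[j][1] + WIRE_OVERHEAD
            j += 1
        bps = window_bytes * 8 * 1_000_000_000 // window_ns
        if bps >= threshold * link_bps:
            flagged.append((start, bps))
        window_bytes -= pkts[i][1] + WIRE_OVERHEAD   # slide past packet i
    # consecutive flagged windows overlap, so merge them into a single burst
    bursts: List[Burst] = []
    for start, bps in flagged:
        if bursts and start <= bursts[-1].end_ns:
            bursts[-1].end_ns = start + window_ns
            bursts[-1].peak_bps = max(bursts[-1].peak_bps, bps)
        else:
            bursts.append(Burst(start, start + window_ns, bps))
    return bursts


def sample_packets() -> List[Tuple[int, int]]:
    """Constructed 10 ms of traffic: one 1500-byte frame every 100 us (about
    12% of a 1 Gbit/s link) plus eight 1500-byte frames arriving 1.2 us apart
    at t = 5 ms, i.e. at the pace of a 10 Gbit/s link feeding a 1 Gbit/s tap."""
    pkts = [(t, 1500) for t in range(0, 10_000_000, 100_000)]
    pkts += [(5_000_300 + k * 1_200, 1500) for k in range(8)]
    return pkts


if __name__ == "__main__":
    for b in find_microbursts(sample_packets(), window_ns=100_000,
                              link_bps=1_000_000_000, threshold=0.8):
        print("burst %d..%d ns, peak %.1f Mbit/s" % (b.start_ns, b.end_ns, b.peak_bps / 1e6))
```

With a 100 microsecond window and an 80% threshold on a 1 Gbit/s link, the sample yields one burst at 5 ms whose peak window rate is above line rate, which is the signature of a faster upstream link being funneled into a slower capture path. Widening the window hides the burst, which is why the Detail Chart has to be at its shorter resolutions before microburst analysis is meaningful.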
Selecting a time frame to analyze
Revised: 2017-09-28
The GigaStor Control Panel has two graphs along the top: a Detail Chart and, below it, an Outline Chart. The Detail Chart shows a shorter time frame. The Outline Chart shows a longer time frame, and the Detail Chart is a portion of the time within the Outline Chart.
You can configure the resolution of the Detail Chart by clicking the “Screen resolution” option and using the slider to pick a time resolution. It can be anything from 8 hours/8 weeks, so that you can see longer term trends, down to 10 nanoseconds/500 nanoseconds, to focus on specific issues. At the shorter time resolutions you can enable microburst analysis. The “Data type” list specifies what type of data appears in the Detail Chart.
You can configure the amount of time shown on the Outline Chart by right-clicking it and choosing “Outline Time Resolution.” It is measured in multiples of the Detail Chart. You may also choose to show packets or load in the chart.
Tip! If you know the time when something occurred that you want to investigate, you can jump to that time by right-clicking the Detail Chart and choosing Go to Specific Time.
How to reorder packets based on a trailer timestamp
Created: 2016-03-15
You can change how Observer filters and sorts packets in the Decode pane so that it uses a timestamp from your switch aggregator rather than the time at which the GigaStor saw the packets.
Reordering packets is limited to post capture analysis only; it does not affect real-time analysis, triggers and alarms, or trending analysis. If you save a packet capture after it has been reordered using this option, the packets are saved in the reordered series. If you load a saved, reordered packet capture, then analysis is based on the reordered time frames and not the time stamps from the GigaStor.
1. In the GigaStor Control Panel, select the time range of traffic you want to decode and click Analyze.
GigaStor Analysis Options opens with the start and end time selected.
2. Select a filter type.
3. Select Reorder and filter based on trailer timestamp and click Settings.
Trailer Timestamp Settings opens.
Figure 83: Trailer Timestamp Settings
4. In Timestamp type, choose your switch aggregator.
Timestamp types
5. Choose what filters to apply.
Trailer filters
 
The Decode pane displays packets in the sorted (and filtered) order based on your chosen switch aggregator.
 
Timestamp types
Created: 2016-03-15
The Timestamp type list shows the supported switch aggregators whose trailer timestamps can be used to reorder packets before they are shown in the Decode pane.
 
Switch Aggregator
Notes
Arista
Keyframes are used to correlate packets to a physical port group. For instance, any keyframe seen on port 1 associates packets with that keyframe only with port 1. Likewise, a keyframe seen on port 2 associates the packets only to port 2, and so on. A keyframe is unique to a physical port group.
cPacket
Gigamon GigaSMART
Gigamon H-Series
IXIA Anue
NetScaler
Network Instruments
Choose this if you use Observer Matrix.
PacketPortal PDG
VSS Monitoring
VSS Monitoring w/Port
VSS Monitoring with Port Stamping.
 
Trailer filters
Created: 2016-03-16
Trailer filters allow you to include or exclude packets from your switch aggregator based on where the trailer occurs in the packet and other location-specific information.
 
Trailer level
Use this when multiple timestamps are found in a packet to identify which timestamp to use. The levels are numbered starting from the end of the packet.
Group ID
The port group ID from Matrix. You can find this ID on the Matrix in System > General > Trailer Configuration.
Box ID
The port box ID from Matrix. You can find this ID on the Matrix in System > General > Trailer Configuration.
Port
The ingress port on the switch aggregator where the packet was seen.
Probe ID(s)
A comma separated list of hexadecimal characters from a PacketPortal IV SFProbe or JMEP. Use PacketPortal System Manager (IV SFProbe) or the SFP Programmer GUI (JMEP) to view a list of probe IDs. A sample probe ID: 5e65eb52f633.
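The reorder procedure above and the trailer filters in this table come down to the same mechanics: read the trailer(s) an aggregator appended to each frame, pick one trailer level counted from the end of the frame, keep only frames whose trailer fields match the filter, and sort by the trailer timestamp instead of the capture timestamp. The following Python is an added example written for this page; it is not Observer code and does not implement any vendor's real trailer format. The 12-byte trailer layout, the field names (box_id, group_id, port) and the sample packets are assumptions constructed for the illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# ASSUMED trailer layout for this example (not a documented vendor format):
# 12 bytes appended after the original frame by each aggregator the frame
# passes through, so a frame can carry several stacked trailers.
#   uint32 seconds | uint32 nanoseconds | uint8 box_id | uint8 group_id | uint16 port
TRAILER_FMT = ">IIBBH"
TRAILER_LEN = struct.calcsize(TRAILER_FMT)  # 12


@dataclass
class Trailer:
    seconds: int
    nanoseconds: int
    box_id: int
    group_id: int
    port: int

    @property
    def ns(self) -> int:
        return self.seconds * 1_000_000_000 + self.nanoseconds


@dataclass
class Packet:
    name: str          # label used only to make the sample readable
    capture_ns: int    # timestamp assigned by the capture appliance
    frame: bytes       # frame as captured, trailers still attached


def make_frame(payload: bytes, *trailers: Trailer) -> bytes:
    """Append trailers in the order the aggregators would add them; the last
    one appended sits at the very end of the frame and is trailer level 1."""
    frame = payload
    for t in trailers:
        frame += struct.pack(TRAILER_FMT, t.seconds, t.nanoseconds,
                             t.box_id, t.group_id, t.port)
    return frame


def parse_trailers(frame: bytes, count: int) -> List[Trailer]:
    """Return `count` stacked trailers, level 1 first (counted from the end).
    Only call this on frames known to carry trailers: the last bytes of an
    untagged frame would otherwise be silently misread as a timestamp."""
    if len(frame) < count * TRAILER_LEN:
        raise ValueError("frame too short for %d trailer(s)" % count)
    trailers, end = [], len(frame)
    for _ in range(count):
        trailers.append(Trailer(*struct.unpack(TRAILER_FMT, frame[end - TRAILER_LEN:end])))
        end -= TRAILER_LEN
    return trailers


def reorder_by_trailer(packets: List[Packet], level: int = 1, trailer_count: int = 1,
                       port: Optional[int] = None, box_id: Optional[int] = None,
                       group_id: Optional[int] = None) -> List[Packet]:
    """Drop packets whose chosen trailer does not match the filter, then sort
    the rest by that trailer's timestamp instead of the capture timestamp."""
    kept = []
    for p in packets:
        t = parse_trailers(p.frame, trailer_count)[level - 1]
        if port is not None and t.port != port:
            continue
        if box_id is not None and t.box_id != box_id:
            continue
        if group_id is not None and t.group_id != group_id:
            continue
        kept.append((t.ns, p.capture_ns, p))
    kept.sort(key=lambda k: k[:2])   # capture order breaks timestamp ties
    return [p for _, _, p in kept]


# Constructed sample: a first aggregator (box 1) stamps each frame and records
# its ingress port; a second aggregator (box 2) stamps again on its port 7.
# The capture appliance received the frames in the order A, C, B even though
# both aggregators saw them in the order A, B, C.
PAYLOAD = bytes(60)  # placeholder frame body; contents do not matter here
SAMPLE_PACKETS = [
    Packet("A", 1_000, make_frame(PAYLOAD, Trailer(1, 100, 1, 1, 1), Trailer(1, 150, 2, 1, 7))),
    Packet("C", 1_010, make_frame(PAYLOAD, Trailer(1, 300, 1, 1, 2), Trailer(1, 350, 2, 1, 7))),
    Packet("B", 1_020, make_frame(PAYLOAD, Trailer(1, 200, 1, 1, 2), Trailer(1, 250, 2, 1, 7))),
]

if __name__ == "__main__":
    print("capture order:  ", [p.name for p in SAMPLE_PACKETS])
    print("level 1 order:  ", [p.name for p in reorder_by_trailer(SAMPLE_PACKETS, 1, 2)])
    print("level 2, port 2:", [p.name for p in reorder_by_trailer(SAMPLE_PACKETS, 2, 2, port=2)])
```

Two caveats carry over from the procedure. The reordered sequence is what gets saved if you save the capture afterwards, so keep the original capture if you may need the appliance's own timestamps later. And the trailer timestamp is only as trustworthy as the aggregator's clock: compare the level 1 and level 2 timestamps of a few frames, and if the inner stamp is later than the outer one the devices are not synchronized and the reordering will be wrong.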
 
Analyzing data without any filters
1. Select a time frame you want to analyze. See Selecting a time frame to analyze.
2. Click the Update Reports button to get the latest data for the selected time frame. This is unnecessary if “Auto-update GigaStor chart on statistics tab or selection change” is enabled in the GigaStor Settings. See Setting the GigaStor general options.
3. Click the Analyze button. The GigaStor Analysis Options window opens.
4. Select “Analyze all traffic in the analysis interval” and click OK.
 
Your unfiltered data appears in a new “Decode and Analysis” tab.
 
Analyzing data with filters from the Observer filter editor
1. Select a time frame you want to analyze. See Selecting a time frame to analyze.
2. Click the Update Reports button to get the latest data for the selected time frame. This is unnecessary if “Auto-update GigaStor chart on statistics tab or selection change” is enabled in the GigaStor Settings. See Setting the GigaStor general options.
3. Click the Analyze button. The GigaStor Analysis Options window opens.
4. Choose “Select an Observer filter” and click OK. The GigaStor Analysis Filter window opens.
5. Choose one or more filters that you want to use and click OK.
 
Your filtered data appears in a new “Decode and Analysis” tab.
 
Analyzing data with filters from the GigaStor Control Panel
You may want to filter the data that is shown on the Detail Chart. You can do so with the filters section of the GigaStor Control Panel, using entries from the MAC Stations tab, IP Stations tab, IP Pairs tab, and more.
One example where you might use this is if you have strange traffic (perhaps a virus) on your network that you want to identify or isolate. By selecting a station from IP Stations tab and an application from the TCP Applications tab, you can select the “Combine tabs for detailed chart pre-filter” to generate a specific report. Using this report you can understand the general pattern of activity of the strange traffic so that you can conduct further analysis using packet decodes.
Note: If you are using the Ethernet Physical Port filter in conjunction with other filters, in the GigaStor Control Panel > Settings > General Options tab, you must enable the “Use physical port selections to filter statistics” option otherwise the combined filter will not work as you expect.
1. Select a time frame you want to analyze. See Selecting a time frame to analyze.
2. Click the Update Reports button to get the latest data for the selected time frame. This is unnecessary if “Auto-update GigaStor chart on statistics tab or selection change” is enabled in the GigaStor Settings. See Setting the GigaStor general options.
3. Click the IP Stations tab (or any statistics tab to the right of the Summary tab).
4. Select one or more stations. This creates and opens a GigaStor Control Panel filter.
Figure 84: GigaStor Control Panel filter
5. Click other tabs and choose the entries you want to add to your filter, such as an application from the TCP Applications tab. Selections from different tabs are combined with a logical AND.
6. Click the Update Chart button. This refreshes the Detail Chart using the filter you built.
 
You have filtered data in the GigaStor Control Panel, which may suffice. You can also choose to further analyze the data. See Analyzing data by combining GigaStor Control Panel and Observer filters.
 
Analyzing data by combining GigaStor Control Panel and Observer filters
Tip! If you chose “Create analysis filter using checked GigaStor entries” and do not have any data or do not have the data you expected, it may be because you applied too many filters. Try the “Analyze all traffic in the analysis interval” option instead.
1. Complete the procedure in Analyzing data with filters from the GigaStor Control Panel.
2. After you have a filtered chart, click the Analyze button. The GigaStor Analysis Options window opens.
3. Because you are analyzing data with checked GigaStor entries, you have two choices:
Analyze all traffic in the analysis interval—Uses the filtered data as-is and analyzes it.
Create analysis filter using checked GigaStor entries—Creates a second filter and applies it to the already filtered data.
4. Click OK.
 
Your filtered data appears in a new “Decode and Analysis” tab.
 
Analyzing multiple GigaStor probe instances from one GigaStor Control Panel
Combining the data of multiple GigaStor probe instances into one GigaStor Control Panel allows for quick and easy isolation of information.
One example where you might use this is if you need to find information but are unsure which GigaStor probe instance to query. Instead, you can combine the data of any GigaStor probe instances you have access to and perform just one query.
Note: The GigaStor Control Panel must be open for every GigaStor probe instance you want to combine for analysis.
To analyze multiple GigaStor probe instances from one GigaStor Control Panel:
1. On the Home tab, in the Capture group, click GigaStor.
2. Click Tools.
3. Click Select GigaStors for Combined Indexing.
4. Choose two or more probe instances and click Apply.
If a particular GigaStor probe instance is not listed, ensure the GigaStor Control Panel for that instance is open and try again.
5. Click Update Reports to start combining index data.
6. After the process completes, the currently open GigaStor Control Panel shows a real-time aggregate of the selected GigaStor probe instances.
After completing this task:
Simply use the combined GigaStor Control Panel the same way as a non-combined GigaStor Control Panel. See for details.
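The two uses of combining probe instances described on this page, MultiHop Analysis of the same packets seen from two perspectives and merging views that each captured part of one communication, both reduce to correlating indexed packets by an identity that survives forwarding. The following Python is an added example written for this page, not Observer code and not Observer's MultiHop algorithm. It assumes a packet identity built from the IP 5-tuple plus the IPv4 Identification field, two constructed probe views named "edge" and "dc", and clocks that are synchronized between the probes; all of these are assumptions for the illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Seen:
    """One packet as indexed by one probe instance."""
    probe: str
    ts_ns: int
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int     # IPv4 Identification field, used to tell packets of a flow apart


def packet_key(p: Seen) -> Tuple[str, str, int, int, int]:
    """Identity of a packet that survives forwarding: 5-tuple plus IP ID.
    IP ID is only 16 bits and wraps, so within a long flow the key can repeat;
    matches are therefore taken in timestamp order (first unmatched wins)."""
    return (p.src, p.dst, p.sport, p.dport, p.ip_id)


def correlate(hop_a: List[Seen], hop_b: List[Seen]):
    """Pair each packet seen at hop A with the same packet seen at hop B.
    Returns (matched, only_a, only_b) where matched holds (a, b, delay_ns)."""
    pending: Dict[Tuple, List[Seen]] = {}
    for q in sorted(hop_b, key=lambda s: s.ts_ns):
        pending.setdefault(packet_key(q), []).append(q)
    matched, only_a = [], []
    for p in sorted(hop_a, key=lambda s: s.ts_ns):
        cands = pending.get(packet_key(p))
        if cands:
            q = cands.pop(0)
            matched.append((p, q, q.ts_ns - p.ts_ns))
        else:
            only_a.append(p)          # seen at A but never at B: lost in between
    only_b = [q for qs in pending.values() for q in qs]   # seen at B only
    return matched, only_a, only_b


def hop_delay_summary(matched) -> Dict[str, float]:
    """Per-hop latency. A negative minimum means the probes' clocks are not
    synchronized (or the packet really did appear at B first), so check clock
    discipline before trusting the numbers."""
    delays = [d for _, _, d in matched]
    return {"count": len(delays), "min_ns": min(delays), "max_ns": max(delays),
            "mean_ns": mean(delays)}


def merged_timeline(*views: List[Seen]) -> List[Seen]:
    """The other use of combined analysis: views that captured different parts
    of the same communication, interleaved into one timeline by timestamp."""
    return sorted((p for v in views for p in v), key=lambda s: (s.ts_ns, s.probe))


# Constructed sample: probe "edge" sees four client-to-server packets; probe
# "dc" sees three of them 150 us later plus one packet that never passed the
# edge tap. Packet IP ID 3 was lost between the two hops.
EDGE = [Seen("edge", t, "10.1.1.5", "10.9.0.20", 51000, 443, i)
        for i, t in ((1, 0), (2, 1_000_000), (3, 2_000_000), (4, 3_000_000))]
DC = [Seen("dc", t + 150_000, "10.1.1.5", "10.9.0.20", 51000, 443, i)
      for i, t in ((1, 0), (2, 1_000_000), (4, 3_000_000))]
DC.append(Seen("dc", 2_500_000, "10.2.7.8", "10.9.0.20", 40000, 443, 77))

if __name__ == "__main__":
    matched, only_a, only_b = correlate(EDGE, DC)
    print("hop delay:", hop_delay_summary(matched))
    print("lost between hops:", [p.ip_id for p in only_a])
    print("seen only at dc:", [p.ip_id for p in only_b])
    for p in merged_timeline(EDGE, DC):
        print("%9d ns %-4s id=%d" % (p.ts_ns, p.probe, p.ip_id))
```

The unmatched lists are often more interesting than the delay figures: a packet indexed at the edge but absent in the data center is either loss or a path the second probe does not cover, and a packet indexed only in the data center is one the edge tap never saw, which is worth explaining before concluding that a combined view is complete.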