Introducing Probes
 
Revised: 2016-03-07
Discover the basics of probes, probe instances and what type is right for you, and how probes work with switches.
As a network administrator, when something goes wrong on your network, seeing what is happening on the wire can quickly lead you to a solution. Use this guide to assist you with choosing, deploying, configuring, and using your probes. The probes, along with Observer software, let you see all traffic on the network to which they are connected. To monitor multiple networks from a single analyzer, probes must be installed at every point where network visibility is required.
Probes collect and report network traffic and statistics (usually from a switch) to an Observer. This enables you to detect and anticipate problems on both local and remote portions of the network. Probes gain insight and visibility into every part of the network, access remote networks as easily as local networks, eliminate the time and expense of traveling to remote sites, and speed troubleshooting.
A probe is a hardware device on your network running VIAVI probe instance software. Each hardware probe has at least one probe instance that captures packets from your network to analyze. The probe hardware device could be an appliance purchased from VIAVI or you could install the probe software on your own hardware.
The probe can be located on the same system as the analyzer (every Observer includes a “local probe”), or the probe can communicate with remote analyzers over TCP/IP.
Probes monitor the following topologies:
10/100 Mb, 1/10/40 Gb Ethernet (half- and full-duplex)
Wireless (802.11 a/b/g/n)
Figure 64 shows how probes provide visibility into your network. It may be obvious, but it also shows that you cannot see traffic on portions of your network where you do not have a probe. Finally, you can put Observer anywhere on your network so long as it has TCP connectivity to the probe.
Figure 64: Typical network
What is a probe instance?
Observer has only one kind of probe instance: the probe instance. If you have a GigaStor then you have two special probe instance types available to you: the active probe instance and the passive probe instance.
Video 7: Probe instances explained
Observer uses probes to capture network data. In some cases you may want or need more than one probe in a specific location. You can achieve that through probe instances. A probe instance gives you the ability to look at multiple network interfaces, have multiple views of the same interface, or publish to multiple Observer analyzers.
Table 34 compares the features of active and passive probe instances with an Observer probe instance found on all non-GigaStor probes.
Table 34. Active vs. passive GigaStor instances and Observer probe
GigaStor Active probe instance
GigaStor Passive probe instance
Observer Probe [1]
Better suited for troubleshooting
X
X
Better suited for data capture
X
Start packet capture
X
X
X
Stop packet capture
X
X
X
Start GigaStor packet capture
X
Schedule packet capture
X
X
X
Change directories where data is stored
X
X
X
Able to set permissions
X
X
Able to redirect to different analyzer, etc.
X
X
X

1 An Observer probe is the Single Probe, Multi Probe, or Expert Probe software running on a non-GigaStor probe.

Video 8: Active and passive probe instances
A passive probe instance may capture packets to RAM and allows you to do reactive analysis or look at real-time statistics for troubleshooting. The passive probe instance binds to a virtual adapter or a network adapter that has data coming to it that you want to capture. You can change whichever adapter a passive probe instance is bound to without affecting any active probe instance. By default a passive probe instance uses 12 MB of RAM. You can reserve more memory for passive probe instances if you wish.
Caution: With a GigaStor you have the option of choosing which NIC to bind the passive probe instance to. Do not bind any passive probe instances to the capture card adapter if at all possible. A copy of all packets is sent from the adapter to every passive probe instance attached to it. If you have several passive probe instances attached to the capture card adapter, the capture card’s performance is significantly affected. Instead, attach the passive probe instances to either a 10/100/1000 adapter or to a non-existent one.
If you have a passive probe instance connected to a GigaStor, you can mine data that has already been written to the RAID disk by using an active probe instance. There should be one passive probe instance for each simultaneous Observer user on a GigaStor. By using a passive probe instance, instead of an active probe instance, only one copy of data is being captured and written to disk, which reduces the processor load and the required storage space. For troubleshooting and most uses in Observer, passive probe instances are appropriate.
An active probe instance on a GigaStor captures network traffic and writes it to the RAID array. An active probe instance should have as large a RAM buffer as possible to cushion between the network throughput rate and the array write rate. Like a passive probe instance, it can also be used to mine data from the hard disk; however, a passive instance is better suited for the task. An active probe instance cannot start a packet capture while the GigaStor Control Panel is open.
By default there is one active probe instance for GigaStor. It binds to the network adapter and its ports. If you have a specific need to separate the adapter’s ports and monitor them separately, you can do so through passive probe instances or you can create separate virtual adapters.
Only one active probe instance per GigaStor.
Set scheduling to Always for the active probe instance so that it is constantly capturing and writing data. Use a passive probe instance to mine the data.
Do not pre-filter, unless you know exactly what you want to capture. Of course, if something occurs outside the bounds of the filter, you will not have the data in the GigaStor.
Do not allow remote users access to the active probe instance.
Figure 65: GigaStor capture and packet capture through probe instances
Figure 65 shows how one active probe instance captures and writes to the GigaStor RAID. Passive probe instances 1 and 2 mine data from the RAID array. As a best practice, the passive probe instances are bound to the slowest network adapter in the GigaStor.
Additionally, passive probe instances 3 and 4 are each capturing packets separately from each other and separately from the active probe instance. However, since they are also bound to the same adapter as the active probe instance, they are capturing the same data as the active probe instance.
Which software probe is right for you?
Revised: 2017-10-27
Software probes are an economical choice for many situations.
For companies that cannot invest in dedicated hardware probes, Observer Platform software probes provide a low-cost monitoring option and are easy to install and configure. Software probes support Ethernet, Gigabit, and wireless and are appropriate for analyzing speeds of up to 1000 Mbps or for low-utilization gigabit networks via a SPAN/mirror port on a switch. The Observer software can handle fast network speeds (including 40 Gigabit), but on home-grown systems the network adapter is the bottleneck. VIAVI uses a custom-designed network adapter in our probes, which removes that bottleneck. These levels of software probes are available:
Single probe—Single probes have only one probe instance and it is not user-configurable. Single probes are appropriate for sites with small administrative staffs where only one user needs to look at a probe at a time.
Multi Probe—Multi probes may have one or more probe instances. Multi probes allow multiple users to each connect to the probe and use their own probe instance. Each probe instance can be looking at the same packet capture or a different capture.
Expert probe—Expert probes are the same as a Multi probe except that they have local expert analysis and decode capabilities in the probe that allow for remote decoding and expert analysis in real time. The Expert probe software comes pre-installed on most hardware probes from VIAVI.
Hardware >
GigaStor, Portable probes, Probe Appliances, 3rd party hardware
Dual port Ethernet Probe, 3rd party hardware
Ethernet Single probe, 3rd party hardware
Installed software >
Expert Probe
Multi Probe
Single Probe
Sends entire buffer [1]
X
X
Alarms
X
X
X
Trending
X
X
X
Triggers
X
X
X
Wireless
X
X
X
X
X
Simultaneous multi-topology support
X
X
Simultaneous users [2]
X
X
X
X
X
X
X
X
Full-duplex [3]
X
X
X
X
Remote decode of GigaStor captures
X
Sends expert summary & decode packets [4]
X
X

1 Buffers are sent to Observer where the decoding and analysis is performed. This is less efficient than sending the expert summary and decode packets, which is available with Expert Probe.

2 Simultaneous users are supported when each user has his own probe instance.

3 Only available on hardware probes from VIAVI.

4 Decoding and expert analysis are performed by the probe and a summary is sent to Observer reducing network bandwidth use.

5 Application Performance Analysis and Application Transaction Analysis. Applications are generally OSI Layer 7 applications like HTTP, FTP, RTSP, SMB, and so on.

How probes work with switches
The purpose of a switch is to isolate traffic to the local network, thereby reducing the amount of traffic each device on that network must see and process. Although a protocol analyzer puts a network interface card in “promiscuous” mode, the analyzer only sees packets addressed to or transmitted from the port that it is connected to on the switch.
To operate a probe in a switched environment, you must choose a method that provides network visibility to the port where the probe is connected. Most switches provide a function that “mirrors” all packets received or transmitted from either a single port of interest (for instance, a server or router), or multiple ports of interest. The mirrored traffic can then be captured or analyzed by connecting your analyzer (or in this case, the probe) to the “mirror port” (which is sometimes called a SPAN port).
Note: Switches typically provide two options for configuring the SPAN/mirror port settings. You can either use a command line interface (CLI) or web-based interface included with your switch to set the port (or ports) to be mirrored.
To SPAN/mirror ports, Observer can use SNMP to directly query your switch and report port-based statistics or use RMON to report any internal RMON statistics the switch may have. Selecting the method that is right for you depends on your switch and the level of detail you need to troubleshoot the problem at hand. For packet capture, decode, and Expert Event identification, only static port mirroring provides all the information required for a complete picture of what is happening on your network.
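The following is an added example, not VIAVI code: a check that a capture taken on a probe's switch port really contains mirrored traffic, based on the point above that an unmirrored port only delivers frames addressed to or sent from that port. The function names, the MAC addresses, the sample frames, and the 0.5 threshold are all assumptions made for illustration.

```python
# Added example (not VIAVI code): does a capture look like it came from a mirror port?
from collections import Counter

def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify_frame(frame: bytes, probe_mac: bytes) -> str:
    """Classify one raw Ethernet frame relative to the probe's own NIC."""
    if len(frame) < 14:                  # shorter than an Ethernet header
        return "runt"
    dst, src = frame[0:6], frame[6:12]
    if probe_mac in (dst, src):
        return "own"                     # to or from the probe itself
    if dst[0] & 0x01:                    # group bit set: broadcast/multicast
        return "flooded"                 # a switch floods these to every port
    return "foreign"                     # unicast between two other hosts

def mirror_visibility(frames, probe_mac: bytes, min_foreign_ratio: float = 0.5):
    """Summarise a capture; min_foreign_ratio is an assumed threshold.

    Unknown-unicast flooding puts a few foreign frames on any port, so a
    ratio is used instead of "at least one foreign frame".
    """
    counts = Counter(classify_frame(f, probe_mac) for f in frames)
    valid = counts["own"] + counts["flooded"] + counts["foreign"]
    ratio = counts["foreign"] / valid if valid else 0.0
    return {"counts": dict(counts), "foreign_ratio": ratio,
            "mirrored": ratio >= min_foreign_ratio}

# Constructed sample data: locally administered MACs, IPv4 EtherType, dummy payload.
PROBE, SERVER, CLIENT = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:10"), mac("02:00:00:00:00:20")
BROADCAST = mac("ff:ff:ff:ff:ff:ff")

def frame(dst: bytes, src: bytes) -> bytes:
    return dst + src + b"\x08\x00" + b"\x00" * 46

# Ordinary switch port: only the probe's own traffic plus broadcasts arrive.
ACCESS_PORT = [frame(PROBE, SERVER), frame(BROADCAST, CLIENT),
               frame(SERVER, PROBE), frame(BROADCAST, SERVER)]
# SPAN/mirror port: client/server unicast is copied to the probe.
MIRROR_PORT = [frame(SERVER, CLIENT), frame(CLIENT, SERVER), frame(BROADCAST, CLIENT),
               frame(SERVER, CLIENT), frame(PROBE, SERVER), b"\x00" * 5]

if __name__ == "__main__":
    for name, capture in (("access port", ACCESS_PORT), ("mirror port", MIRROR_PORT)):
        print(name, mirror_visibility(capture, PROBE))
```

A low foreign ratio on a port that is supposed to be mirrored indicates that the SPAN session is missing or pointed at the wrong source ports, so the probe has no visibility into that segment.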