Network Instruments GigaStor 114ff User Manual
GIGASTOR
™
rev. 1
1
GigaStor User Guide
rev. 1
3
Trademark Notices
©2008 Network Instruments,® LLC. All rights reserved. Network Instruments, Observer® Gen2,TM and all associated logos are
trademarks or registered trademarks of Network Instruments, LLC.
Open Source Copyright Notices
Portions of this product include software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://
www.openssl.org/), Copyright © 1998-2008 The OpenSSL Project. All rights reserved.
Portions of this product include software written by the University of Cambridge, Copyright © 1997-2008 University of
Cambridge All rights reserved. Redistribution and use in source and binary forms, with or without modification, are
permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of the University of Cambridge nor the name of Google Inc. nor the names of their contributors may be
used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
Limited Warranty—Hardware
Network Instruments, LLC. (“Network Instruments”) warrants this hardware product against defects in materials and
workmanship for a period of 90 days from the date of shipment of the product from Network Instruments, LLC. Warranty is
for depot service at Network Instruments corporate headquarters in Minneapolis, MN, or Network Instruments’ London, UK
office. Warranties and licenses may give you more coverage in certain local jurisdictions; Network Instruments also offers
extended warranties as part of its maintenance agreement program.
If a defect exists during the initial warranty period or prior to expiration of a pre-paid maintenance program, at its option
Network Instruments will (1) repair the product at no charge, using new or refurbished replacement parts, or (2) exchange
the product with a product that is new or which has been manufactured from new or serviceable used parts and is at least
functionally equivalent to the original product. A replacement product assumes the remaining warranty of the original
product or 60 days, whichever provides longer coverage for you. When a product or part is exchanged, any replacement
item becomes your property and the replaced item becomes Network Instruments' property.
The information in this manual is furnished for informational use only, is subject to change without notice, and should not
be construed as a commitment by Network Instruments, LLC. Network Instruments, LLC assumes no responsibility or liability
for any errors or inaccuracies that may appear in this manual. Network Instruments, LLC does not warrant that the hardware
will meet your requirements or that the operation of the hardware will be uninterrupted or that the hardware will be errorfree.
Network Instruments, LLC SPECIFICALLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT
LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
Network Instruments, LLC BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGE, INCLUDING BUT NOT
LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.
Network Instruments, LLC makes no other warranty, expressed or implied.
4
rev. 1
Limited Warranty—Software
Network Instruments, LLC (“DEVELOPER”) warrants that for a period of sixty (60) days from the date of shipment from
DEVELOPER: (i) the media on which the SOFTWARE is furnished will be free of defects in materials and workmanship under
normal use; and (ii) the SOFTWARE substantially conforms to its published specifications. Except for the foregoing, the
SOFTWARE is provided AS IS. This limited warranty extends only to END-USER as the original licensee. END-USER's exclusive
remedy and the entire liability of DEVELOPER and its suppliers under this limited warranty will be, at DEVELOPER or its
service center's option, repair, replacement, or refund of the SOFTWARE if reported (or, upon request, returned) to the party
supplying the SOFTWARE to END-USER. DEVELOPER does not warrant that the software will meet END-USER requirements,
and in no event does DEVELOPER warrant that the SOFTWARE is error free or that END-USER will be able to operate the
SOFTWARE without problems or interruptions.
Should DEVELOPER release a newer version of the SOFTWARE within 60 days of shipment of the product, DEVELOPER will
update the copy of the SOFTWARE upon request, provided request is made by the licensed END-USER within the 60 day
period of shipment of the new version. This update may consist of a CD or a manual or both at the discretion of DEVELOPER.
END-USER may be charged a shipping fee for updates.
The information in the SOFTWARE manuals is furnished for informational use only, is subject to change without notice, and
should not be construed as a commitment by DEVELOPER. DEVELOPER assumes no responsibility or liability for any errors or
inaccuracies that may appear in any SOFTWARE manual.
This warranty does not apply if the software (a) has been altered, except by DEVELOPER, (b) has not been installed, operated,
repaired, or maintained in accordance with instructions supplied by DEVELOPER, (c) has been subjected to abnormal
physical or electrical stress, misuse, negligence, or accident, or (d) is used in ultrahazardous activities.
DISCLAIMER. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND
WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE, ARE
HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.
The above warranty DOES NOT apply to any beta software, any software made available for testing or demonstration
purposes, any temporary software modules or any software for which DEVELOPER does not receive a license fee. All such
software products are provided AS IS without any warranty whatsoever.
This License is effective until terminated. END-USER may terminate this License at any time by destroying all copies of
SOFTWARE including any documentation. This License will terminate immediately without notice from DEVELOPER if ENDUSER fails to comply with any provision of this License. Upon termination, END-USER must destroy all copies of SOFTWARE.
DEVELOPER makes no other warranty, express or implied.
Liability
IN NO EVENT WILL DEVELOPER OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT, OR DATA, OR FOR SPECIAL,
INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF
LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE EVEN IF DEVELOPER OR ITS SUPPLIERS HAVE
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DEVELOPER SHALL NOT BE LIABLE FOR MATERIAL, EQUIPMENT, DATA, OR TIME LOSS CAUSED DIRECTLY OR INDIRECTLY BY
PROPER OR IMPROPER USE OF THE SOFTWARE. IN CASES OF LOSS, DESTRUCTION, OR CORRUPTION OF DATA, DEVELOPER
SHALL NOT BE LIABLE. DEVELOPER DOES NOT TAKE ANY OTHER RESPONSIBILITY.
In no event shall DEVELOPER's or its suppliers' liability to END-USER, whether in contract, tort (including negligence), or
otherwise, exceed the price paid by END-USER. The foregoing limitations shall apply even if the above-stated warranty fails
of its essential purpose.
DEVELOPER SPECIFICALLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO,
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL DEVELOPER
BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGE, INCLUDING BUT NOT LIMITED TO SPECIAL,
INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.
DEVELOPER’S liability to the END-USER under this agreement shall be limited to the amount actually paid to DEVELOPER by
END-USER for the SOFTWARE giving rise to the liability.
rev. 1
5
Ownership and Confidentiality
END-USER agrees that Network Instruments, LLC owns all relevant copyrights, trade secrets and all intellectual property
related to the SOFTWARE.
End User License Agreement (EULA)
PLEASE READ THIS SOFTWARE LICENSE AGREEMENT CAREFULLY BEFORE DOWNLOADING OR USING THE SOFTWARE.
BY CLICKING ON THE “ACCEPT” BUTTON, OPENING THE PACKAGE, DOWNLOADING THE PRODUCT, OR USING THE
EQUIPMENT THAT CONTAINS THIS PRODUCT, YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT
AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE “DO NOT ACCEPT” BUTTON AND THE INSTALLATION
PROCESS WILL NOT CONTINUE, RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND, OR DO NOT
DOWNLOAD THE PRODUCT.
The SOFTWARE is neither shareware nor freeware. The SOFTWARE is a commercial software package that is subject to
international copyright laws.
Single User License Grant: Network Instruments, LLC (“DEVELOPER”) and its suppliers grant to END-USER a nonexclusive and
nontransferable license to use the DEVELOPER software (“SOFTWARE”) in object code form solely on a single central
processing unit owned or leased by END-USER or otherwise embedded in equipment provided by DEVELOPER.
Multiple-Users License Grant: DEVELOPER and its suppliers grant to END-USER a nonexclusive and nontransferable license to
use the DEVELOPER SOFTWARE in object code form: (i) installed in a single location on a hard disk or other storage device of
up to the number of computers owned or leased by END-USER for which END-USER has paid individual license fees
purchased; or (ii) provided the SOFTWARE is configured for network use, installed on a single file server for use on a single
local area network for either (but not both) of the following purposes: (a) permanent installation onto a hard disk or other
storage device of up to the number of individual license fees purchased; or (b) use of the SOFTWARE over such network,
provided the number of computers connected to the server does not exceed the individual license fees purchased. ENDUSER may only use the programs contained in the SOFTWARE (i) for which END-USER has paid a license fee (or in the case of
an evaluation copy, those programs END-USER is authorized to evaluate) and (ii) for which END-USER has received a product
authorization keys (“PAK”). END-USER grants to DEVELOPER or its independent accountants the right to examine its books,
records and accounts during END-USER's normal business hours to verify compliance with the above provisions. In the event
such audit discloses that the Permitted Number of Computers is exceeded, END-USER shall promptly pay to DEVELOPER the
appropriate licensee fee for the additional computers or users. At DEVELOPER's option, DEVELOPER may terminate this
license for failure to pay the required license fee.
END-USER may make one (1) archival copy of the SOFTWARE provided END-USER affixes to such copy all copyright,
confidentiality, and proprietary notices that appear on the original.
EXCEPT AS EXPRESSLY AUTHORIZED ABOVE, END-USER SHALL NOT: COPY, IN WHOLE OR IN PART, SOFTWARE OR
DOCUMENTATION; MODIFY THE SOFTWARE; REVERSE COMPILE OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE
SOFTWARE; OR RENT, LEASE, DISTRIBUTE, SELL, OR CREATE DERIVATIVE WORKS OF THE SOFTWARE.
END-USER agrees that aspects of the licensed materials, including the specific design and structure of individual programs,
constitute trade secrets and/or copyrighted material of DEVELOPER. END-USER agrees not to disclose, provide, or otherwise
make available such trade secrets or copyrighted material in any form to any third party without the prior written consent of
DEVELOPER. END-USER agrees to implement reasonable security measures to protect such trade secrets and copyrighted
material. Title to SOFTWARE and documentation shall remain solely with DEVELOPER.
SOFTWARE, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and
its associated regulations, and may be subject to export or import regulations in other countries. END-USER agrees to
comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, reexport, or import SOFTWARE.
This License shall be governed by and construed in accordance with the laws of the State of Minnesota, United States of
America, as if performed wholly within the state and without giving effect to the principles of conflict of law. If any portion
hereof is found to be void or unenforceable, the remaining provisions of this License shall remain in full force and effect. This
License constitutes the entire License between the parties with respect to the use of the SOFTWARE.
Restricted Rights - DEVELOPER's software is provided to non-DOD agencies with RESTRICTED RIGHTS and its supporting
documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the Government is subject to the
restrictions as set forth in subparagraph “C” of the Commercial Computer SOFTWARE - Restricted Rights clause at FAR
52.227-19. In the event the sale is to a DOD agency, the government's rights in software, supporting documentation, and
technical data are governed by the restrictions in the Technical Data Commercial Items clause at DFARS 252.227-7015 and
DFARS 227.7202. Manufacturer is Network Instruments, 10701 Red Circle Drive, Minnetonka, MN 55343, USA.
6
rev. 1
Technical Support
Network Instruments provides technical support by phone (depending on where you are located):
US & countries outside Europe at (952) 358-3800
UK and Europe at +44 (0) 1959 569880
By fax (depending on where you are located):
US & countries outside of Europe at (952) 358-3801
UK and Europe at +44 (0) 1959 569881
Or by e-mail at:
US & countries outside of Europe: support@networkinstruments.com
UK and Europe: support@networkinstruments.co.uk
Network Instruments provides technical support for a period of 90 days after the purchase of the product at no charge. After
the 90-day initial support period, support will only be provided to those customers who have purchased a maintenance
agreement.
Telephone technical support hours are between 9:00 am and 5:00 pm (local time for each office).
Suggestions are welcomed. Many of the improvements made to our products have originated as end user suggestions.
Please submit detailed suggestions in writing to: support@networkinstruments.com or by fax at: (952) 358-3801. Please
submit any corrections to or criticism of Network Instruments’ publications to: pubs@networkinstruments.com or by fax at
(952) 358-3801.
To subscribe to the Network Instruments e-mail newsletter (delivered in HTML format), send an e-mail to
listserver@networkinstruments.com
with the word “subscribe” in the subject line.
rev. 1
7
8
rev. 1
Contents
Chapter 1: About the GigaStor
GigaStor versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Chapter 2: Installing Your GigaStor
Unpacking and inspecting the parts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Installing the GigaStor and connecting the cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Setting the GigaStor’s IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Connecting Observer to the GigaStor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Redirecting the GigaStor probe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Probe administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
GigaStor Capture Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Configuring Observer for your Gigabit device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Jumbo Frame Support (Gigabit Ethernet) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Configuring Terms of Service and Quality of Service settings . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Configuring Observer for your WAN device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Digital DS3/E3/HSSI Probe Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Digital T1/E1 Probe Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Serial T1/E1 Probe Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Tapping an Ethernet or Fibre Channel connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
10/100/1000, 10GbE Optical, and Fibre Channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Gigabit copper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
rev. 1
9
Tapping a WAN connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
T1/E1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
DS3/E3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Installing the drives in your GigaStor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Connecting the GigaStor Expandable to the expansion units . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Chapter 3: Packet Capture or GigaStor Capture
Capturing Packets with the GigaStor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Packet capture buffer and statistics buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Chapter 4: GigaStor Control Panel
Display Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Right-click menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Analyze button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Configuring the GigaStor through the Control Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
GigaStor Options tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
GigaStor Chart tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
GigaStor Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Capture Graph tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
GigaStor Schedule tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Statistics Lists tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
GigaStor reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Chapter 5: Using Observer with a WAN Probe
Discover Network Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Setting the Committed Information Rate (CIR) for a DLCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
WAN Bandwidth Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
WAN Vital Signs by DLCI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
WAN Load by DLCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
WAN Top Talkers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
WAN Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Triggers and Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Chapter 6: Forensic Analysis using Snort
Starting Forensic Analysis using Snort rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Creating a forensic analysis profile from the GigaStor control panel . . . . . . . . . . . . . . . . . . . . 94
About Forensic Analysis tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
About the Forensic Analysis Log tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Forensic Analysis Profile field descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Forensic Analysis Profile Settings tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Rules tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
10
rev. 1
Chapter 7: Observer on the GigaStor
Using the Observer console locally on the GigaStor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Chapter 8: Probe Instances
What is a probe instance? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Chapter 9: Gen2 Capture Card
Swapping the Gen2 card’s SFP or XFP interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Configuring virtual adapters on the Gen2 card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Viewing the Gen2 card’s properties and finding the board’s ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Appendix A: TCP/IP ports, NAT, and VPN
TCP/IP ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Appendix B: GigaStor, GigaStor Expandable, and Expansion Unit Cases
GigaStor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
GigaStor Expandable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Controller unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Expansion unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Appendix C: GigaStor Portable
Running Observer passively . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Using the portable GigaStor as a probe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
rev. 1
11
12
rev. 1
C h a p t e r 1
About the GigaStor
rev. 1
13
Chapter 1 About the GigaStor
GigaStor versions
GigaStor GigaStor Expandable GigaStor SAN GigaStor Portable
The GigaStor is an enterprise-strength network probe appliance. The
GigaStor combines a multi-terabyte, high-performance Redundant
Array of Independent Disks (RAID) with a dedicated, high-speed
network capture card in a modular, easy-to-deploy appliance.
There are these versions of the GigaStor:
Q GigaStor
Q GigaStor Expandable: a controller PC along with one, two, or
three disk expansion units that can store up to a total of 288
terabytes of data.
Q GigaStor SAN: a controller PC that connects to your SAN to
write its data. It uses a fibre channel host bus adapter that can
operate at 1, 2, or 4 Gigabit speed for connectivity.
Q GigaStor Portable: a portable GigaStor
Figure 1 GigaStor models
N
OTE:
Unless specifically noted, all information in this manual
applies to all versions of the GigaStor: GigaStor, GigaStor
Expandable, GigaStor SAN, and GigaStor Portable.
If your GigaStor is configured to monitor Gigabit Ethernet, 10Gb
Ethernet, and Fibre Channel connections, the capture card is a Gen2
card with SFP (or XFP) modules. This allows you to hot-swap any
SFP-compliant connectors into the your appliance. This makes it
GigaStor versions
14
Chapter 1 About the GigaStor
rev. 1
possible to use the same probe to monitor different types of links as
needed. For example, you can easily convert the capture card from
optical to copper, allowing you to connect the GigaStor to different
test access points (TAPs) or switch port analyzer (SPAN) or mirror
interfaces.
If your GigaStor is configured to monitor WAN (such as E1, T1, E3,
DS3, or HSSI) connections, your GigaStor has a specialized WAN
capture card. It does not have SFP or XFP connectors.
The GigaStor can be used with the Expert Observer console or
Observer Suite to troubleshoot your network. Alternatively, you can
run the probe in “local console” mode, allowing you to analyze
GigaStor-collected data locally.The local console on the GigaStor is
Observer Expert. However, we recommend that you use Observer on
a remote system to analyze the data.
rev. 1
GigaStor versions
Chapter 1 About the GigaStor
15
GigaStor versions
16
Chapter 1 About the GigaStor
rev. 1
C h a p t e r 2
Installing Your GigaStor
rev. 1
17
Chapter 2 Installing Your GigaStor
The general steps to install your GigaStor are:
F “Unpacking and inspecting the parts” on page 18
F “Installing the GigaStor and connecting the cables” on page 19
F “Connecting Observer to the GigaStor” on page 22
Additional steps to complete the installation are:
F “Configuring Observer for your Gigabit device” on page 31
F “Configuring Observer for your WAN device” on page 33
F “Tapping an Ethernet or Fibre Channel connection” on
page 37
F “Tapping a WAN connection” on page 42
F “Installing the drives in your GigaStor” on page 50
Unpacking and inspecting the parts
Your GigaStor includes a number of components. Take a moment
after unpacking the kit to locate all of the parts.
F One rack-mountable GigaStor system with an installed 10/
100/1000 Ethernet network interface (management) card.
Unpacking and inspecting the parts
18
Chapter 2 Installing Your GigaStor
F Appropriate capture interface (Gen2 or WAN).
F The rack unit may also include a rail kit depending on
which model was purchased.
F Windows XP 64-bit operating system and a restore DVD
specific for your GigaStor.
F TAP kits for your topology (Ethernet, Fibre Channel, or
WAN), except for the GigaStor 2TE.
F Cables
F Ethernet cable for each 10/100/1000 interface in your
GigaStor.
F Connection cables to connect your GigaStor to a TAP or
switch.
rev. 1
Installing the GigaStor and connecting the cables
1 Install the GigaStor and any expansion units into your rack using
the supplied rails. Instructions for installing the rail kits are
provided in the rail kit box.
2 Install the drives into the GigaStor and any expansion units. See
“Installing the drives in your GigaStor” on page 50.
3 Connect the GigaStor, TAP, and cables. See:
Q “Tapping an Ethernet or Fibre Channel connection” on
page 37 for details about optical and copper Gigabit Ethernet,
10 Gigabit Ethernet, and Fibre Channel connections.
Q “Tapping a WAN connection” on page 42 for details about
T1/E1 and DS3 connections.
Q “Connecting the GigaStor Expandable to the expansion units”
on page 52.
Q See the fibre channel host bus adapter (QLogic or other third
party) documentation included in the GigaStor packaging if
you are using a GigaStor SAN.
Setting the GigaStor’s IP address
rev. 1
At this point you have physically installed the hardware and
connected all the cables. Now, you must turn on the GigaStor and
configure the software.
1 Connect a monitor, keyboard, and mouse to the GigaStor and
ensure the GigaStor is plugged into a power outlet. These are only
needed temporarily to set the IP address. You can disconnect them
when you are finished. Alternatively, you can use Windows
Remote Desktop to connect to the GigaStor to make these
changes. The default IP address is 192.168.1.10.
2 If you are using a GigaStor Expandable, remember to start the
disk expansion units.
3 Turn on the system. On the back of the GigaStor ensure the
power switch is turned on. Then on the front of the GigaStor,
press the power button until the system starts to turn on.
Installing the GigaStor and connecting the cables
Chapter 2 Installing Your GigaStor
19
4 Ensure that each drive’s power/activity light is lit. If a drive’s light
is not lit, it is likely that the drive is not seated properly. Turn off
the GigaStor and reseat the drives. For more information, see
“Installing the drives in your GigaStor” on page 50.
5 Log in using the Administrator account. The default
Administrator password is admin.
6 Click Start → Control Panel → Network and Internet Connections
→ Network Connections. Choose Local Area Connection and
right-click and choose Properties.
7 Select Internet Protocol (TCP/IP) from the list and click
Properties (Figure 2).
Figure 2 Default TCP/IP settings
Setting the GigaStor’s IP address
20
Chapter 2 Installing Your GigaStor
8 Set the IP address, subnet mask, gateway, and DNS server for your
environment and click OK. Click OK again to close the Local
Area Connection Properties dialog. Close the Network
Connections window.
9 Right-click the Probe Service Configuration Applet in the system
tray and choose Open Probe Configuration.
rev. 1
Figure 3 Probe Service Configuration Applet
10 The Probe Administration window opens. Click the Probe
Options tab (Figure 4).
Figure 4 Probe Options
rev. 1
11 Change the name of the probe to something meaningful to you.
The name might be the physical location of the probe. Click
Apply to save your changes and close the window.
By default the GigaStor runs the Expert Probe as a Windows
service and starts automatically at system startup. This prevents
you from using the Observer console on the GigaStor. You must
connect to the GigaStor using Observer on a different system. If
you want to use the Observer console locally, see “Using the
Observer console locally on the GigaStor” on page 108.
Setting the GigaStor’s IP address
Chapter 2 Installing Your GigaStor
21
Connecting Observer to the GigaStor
This section assumes you have already installed Observer on your
desktop or laptop. If not, install the software. You can download from
the Network Instruments website.
There are three main tasks to connect Observer to your GigaStor
Q “Redirecting the GigaStor probe” on page 22
Q “Probe administration” on page 24
Q “GigaStor Capture Analysis” on page 29
Redirecting the GigaStor probe
1 Choose Start → All Programs → Observer → Observer. Observer
opens.
2 Select Actions → Redirect Probe (Figure 5).
Figure 5 Remote Probe Administration and Redirection
Connecting Observer to the GigaStor
22
Chapter 2 Installing Your GigaStor
3 Click New to add the GigaStor to the Probe Administration and
Redirection list. Figure 6 appears.
rev. 1
Figure 6 Edit Remote Probe Entry
4 Type the IP address that you assigned to the GigaStor in step 7 in
“Setting the GigaStor’s IP address” on page 19 and click OK. You
may leave the other fields blank. If you type a name, the name
will change after Observer connects to the remote probe. The
GigaStor appears in the list of probes available for redirection
(Figure 7).
Figure 7 Probe added to Remote Probe Administration and Redirection
rev. 1
5 Select the GigaStor probe and then click Redirect Selected Probe
(Figure 8).
Connecting Observer to the GigaStor
Chapter 2 Installing Your GigaStor
23
Figure 8 Probe Instance Redirection
6 Select the probe instance and click Redirect Selected Instance.
Figure 9 appears.
Figure 9 Redirecting Probe or Probe Instance
7 Choose the “Redirect to this Observer” option, then click the
8 Close the Probe Instance Redirection window.
Probe administration
Now that your GigaStor is connected to your Observer console, you
can administer it.
Connecting Observer to the GigaStor
24
Chapter 2 Installing Your GigaStor
Redirect button. Within 30 seconds the GigaStor will connect to
the local Observer. If you use NAT, see “NAT” on page 124.
rev. 1
1 Click Probe Administration (see Figure 7). The Probe
Administration Login window opens.
Figure 10 Remote Probe Administration
2 Ensure “Login using a user account configured for this Probe” is
selected and click OK.
The Probe Administration window opens to the Memory
Management tab (Figure 11).
Figure 11 Memory Management tab
rev. 1
3 Select the Network 1 probe instance and click Rename. Choose a
name that is meaningful to you for the probe instance name and
click OK. By default, Network 1 is your active probe instance for
your GigaStor. For details about active and passive probe instance,
see “Probe Instances” on page 111.
Connecting Observer to the GigaStor
Chapter 2 Installing Your GigaStor
25
By default all of the installed memory on the GigaStor is
dedicated for one probe instance. You must first release the
memory so that you can assign the freed memory to other probe
instances.
4 With the newly renamed probe instance still selected, click
Configure Memory (Figure 12) at the top of the window.
Figure 12 Edit Probe Instance: Capture Buffer Memory
Connecting Observer to the GigaStor
26
Chapter 2 Installing Your GigaStor
5 Use the arrows to release some memory. Free enough memory to
create your probe instances and click OK. At a minimum each
probe instance requires12 MB memory. It uses 4 MB for statistics
and 8 MB for packet capture. Don’t worry about freeing too
much memory. If you determine you released too much, you can
reallocate it later to the capture buffer or operating system.
Because Observer operates in real-time, its buffers must always
remain in RAM; if the buffers resided in standard Windows user
memory, nothing would prevent the buffer file from being
swapped out to disk and subsequent packet loss. For this reason,
the probe reserves its memory from Windows upon startup so
that no other applications can use it and cause the buffer to be
swapped out to disk.
For more information about buffers, see “Packet capture buffer
and statistics buffer” on page 54.
6 Click the GigaStor Instances tab (Figure 13).
rev. 1
Figure 13 GigaStor Instances
7 Click New Instance. Figure 14 appears.
Figure 14 Edit Probe Instance: Name
rev. 1
8 You are configuring a GigaStor probe to capture data and write it
to the hard drive. Therefore ensure “Probe instance” is selected in
the Instance type. Type a name and description and click Next.
Connecting Observer to the GigaStor
Chapter 2 Installing Your GigaStor
27
Figure 15 Edit Probe Instance: Configure Memory
9 From the RAM that you released earlier, assign some of it to this
probe instance and click Next.
10 Ensure the correct network adapter is selected and click Finish to
redirect the GigaStor to your local Observer console.
Figure 16 Edit Probe Instance: Connect to Console
Connecting Observer to the GigaStor
28
Chapter 2 Installing Your GigaStor
rev. 1
11 Repeat step 7 through step 10 until you have created all of your
probe instances. Any unused memory should be reallocated to the
packet capture buffer of the active probe instance or to the
operating system.
12 Click OK to close the Probe administration windows. After a
moment the GigaStor probe and any probe instances appear in
the Observer Probe list found along the left side of the main
Observer window.
GigaStor Capture Analysis
1 Click Capture → GigaStor Capture Analysis to begin viewing
network traffic that passes through the GigaStor probe. The
GigaStor Control Panel opens (Figure 17).
Figure 17 GigaStor Control Panel
rev. 1
At this point the data is not being written to disk unless you
manually click the Start button. With most GigaStor installations,
you want the GigaStor probe to always be writing its data to disk.
2 Click Settings in the middle of the top menu bar. The GigaStor
Settings window opens. Click the Schedule tab.
Connecting Observer to the GigaStor
Chapter 2 Installing Your GigaStor
29
Figure 18 GigaStor Settings Schedule tab
3 In the Schedule GigaStor Capture section, select Always. For
more information about a packet capture vs. GigaStor capture, see
“Packet Capture or GigaStor Capture” on page 53.
4 In the Reserve scheduling for section, select GigaStor and click
OK. You may receive a notice about scheduling reservation. If you
do, click Yes to change the scheduling.
Connecting Observer to the GigaStor
30
Chapter 2 Installing Your GigaStor
You have installed your GigaStor! Now you must configure some
settings in Observer before getting the maximum results from your
new network analysis tool.
Q If you are monitoring a Gigabit connection, you must
configure the WAN device. See “Configuring Observer for
your Gigabit device” on page 31 for details.
Q If you are monitoring a WAN connection, you must configure
the WAN device. See “Configuring Observer for your WAN
device” on page 33 for details.
Q If you are monitoring any other connection, begin using
Observer to analyze the data. To get started, take use the
GigaStor Control Panel. It is described in “GigaStor Control
Panel” on page 57.
rev. 1
Loading...