1rev. 1GIGASTOR™
10rev. 1Tapping a WAN connection
Forensic Analysis Profile field descriptionsChapter 6 Forensic Analysis using Snort100rev. 1right-click menu. You can also jump to the Decode display
Forensic Analysis Profile field descriptionsChapter 6 Forensic Analysis using Snort101rev. 1Table 8 Forensic Analysis Profile Settings tabField Descr
Forensic Analysis Profile field descriptionsChapter 6 Forensic Analysis using Snort102rev. 1TCP Stream Reassembly (Continued)Q Log preprocessor events
Forensic Analysis Profile field descriptionsChapter 6 Forensic Analysis using Snort103rev. 1TCP Stream Reassembly (Continued)Q Reassembly error action
Forensic Analysis Profile field descriptionsChapter 6 Forensic Analysis using Snort104rev. 1HTTP URI Normalization (Continued)Q Normalize percent-U en
Forensic Analysis Profile field descriptionsChapter 6 Forensic Analysis using Snort105rev. 1ARP Inspection Ethernet uses Address Resolution Protocol (
Forensic Analysis Profile field descriptionsChapter 6 Forensic Analysis using Snort106rev. 1Rules tabThe web site www.snort.org provides Snort rule do
Chapter 7 Observer on the GigaStor107rev. 1Chapter 7
Using the Observer console locally on the GigaStorChapter 7 Observer on the GigaStor108rev. 1Using the Observer console locally on the GigaStorDependi
Using the Observer console locally on the GigaStorChapter 7 Observer on the GigaStor109rev. 1Figure 74 Probe Options3 In the Service Settings section
11rev. 1Chapter 7: Observer on the GigaStor. Using the Observer console locally on the GigaStor
Using the Observer console locally on the GigaStorChapter 7 Observer on the GigaStor110rev. 15 Choose Options → Switch between Observer and Expert Pro
Chapter 8 Probe Instances111rev. 1Chapter 8
What is a probe instance?Chapter 8 Probe Instances112rev. 1What is a probe instance?TIP!For instructions on setting up a probe instance, see “Probeadm
What is a probe instance?Chapter 8 Probe Instances113rev. 1instances to the Gen2 adapter if at all possible. A copy of allpackets are sent from the ad
What is a probe instance?Chapter 8 Probe Instances114rev. 1NOTE:By default there is one active probe instance for GigaStor. Itbinds to the network ada
Chapter 9 Gen2 Capture Card115rev. 1Chapter 9
Swapping the Gen2 card’s SFP or XFP interfacesChapter 9 Gen2 Capture Card116rev. 1The Gen2 card is designed and manufactured by Network Instruments an
Configuring virtual adapters on the Gen2 cardChapter 9 Gen2 Capture Card117rev. 1Q Ports 1-4 are monitoring a collection of trunked linksQ The remaini
Configuring virtual adapters on the Gen2 cardChapter 9 Gen2 Capture Card118rev. 1Figure 78 Assign Port to Virtual Adapter: Default view3 Select the p
Configuring virtual adapters on the Gen2 cardChapter 9 Gen2 Capture Card119rev. 1Figure 80 Edit Port Description9 Repeat step 5 through step 8 until
Viewing the Gen2 card’s properties and finding the board’s IDChapter 9 Gen2 Capture Card120rev. 110 Right-click the GigaStor probe and choose Administ
Viewing the Gen2 card’s properties and finding the board’s IDChapter 9 Gen2 Capture Card121rev. 12 In the tree on the left, select Device Manager.3 In
Viewing the Gen2 card’s properties and finding the board’s IDChapter 9 Gen2 Capture Card122rev. 1This tab shows all active physical ports on the Gen2
Appendix A TCP/IP ports, NAT, and VPN123rev. 1Appendix A
TCP/IP portsAppendix A TCP/IP ports, NAT, and VPN124rev. 1This section discusses the TCP/IP ports, NAT, and VPN.TCP/IP portsObserver and all Network I
VPNAppendix A TCP/IP ports, NAT, and VPN125rev. 1Figure 86 NATIf the Observer is outside the network where the probe is running, you must forward por
Appendix B GigaStor, GigaStor Expandable, and Expansion Unit Cases127rev. 1Appendix B
GigaStorAppendix B GigaStor, GigaStor Expandable, and Expansion Unit Cases128rev. 1GigaStorFigure 87 shows the front of the GigaStor.Figure 87 GigaSt
GigaStor ExpandableAppendix B GigaStor, GigaStor Expandable, and Expansion Unit Cases129rev. 1GigaStor ExpandableController unitFigure 88 GigaStor Ex
Chapter 1 About the GigaStor13rev. 1Chapter 1
GigaStor ExpandableAppendix B GigaStor, GigaStor Expandable, and Expansion Unit Cases130rev. 1Figure 89 shows the back of the GigaStor Expandable.Figu
GigaStor ExpandableAppendix B GigaStor, GigaStor Expandable, and Expansion Unit Cases131rev. 1Figure 91 shows the back of the expansion unit.Figure 91
Appendix C GigaStor Portable133rev. 1Appendix C
Appendix C GigaStor Portable134rev. 1The portable GigaStor offers full-duplex packet capture and analysis at wire speed. Depending on which version yo
Appendix C GigaStor Portable135rev. 1Figure 92 Portable Analysis Platform System TourYour GigaStor includes a number of components. Take a moment aft
Running Observer passivelyAppendix C GigaStor Portable136rev. 1Figure 93 Portable GigaStorGigabit and Fibre Channel systems have an appropriate coppe
Using the portable GigaStor as a probeAppendix C GigaStor Portable137rev. 1Dynamic Host Control Protocol (DHCP). For most applications of Observer, yo
Numerics–DIndex139rev. 1Legend: ff=Figure, t=TableIndexNumerics10 Gigabit Ethernet 14, 37, 116Gen2 card 37GigaStor Portable 134tapping 1910/100/1000 3
GigaStor versionsChapter 1 About the GigaStor14rev. 1GigaStor versionsThe GigaStor is an enterprise-strength network probe appliance. The GigaStor com
E–GIndex140rev. 1Legend: ff=Figure, t=TableT1/E1 42WAN alarms 90WAN statistics 80, 82–83DCE BECN under CIR 84DCE FECN under CIR 84DCE Kbits/s Avg 84DC
H–IIndex141rev. 1Legend: ff=Figure, t=Tabledaughter board 38DMA enabled 122Fibre Channel 37filter ports 66Gigabit 37Gigabit copper 40Interrupt enabled
L–PIndex142rev. 1Legend: ff=Figure, t=TableLLAPB 34–35loadpreprocess settings 101preprocessor 113MMAC address 105DLCI instead of 80excluding 65statist
Q–VIndex143rev. 1Legend: ff=Figure, t=TableProbe Properties T1/E1 Tab 35Probe Service Configuration Applet 21ff, 108ffQQLogic 19Quality of Service 32R
W–XIndex144rev. 1Legend: ff=Figure, t=Tablevirtual adapter 114ffprobe instances 119–120Virtual Adapters tab 119ffVPN 125WWANalarms 80, 88analysis 80an
146rev. 1www.networkinstruments.com © 2008 Network Instruments, LLC. All rights reserved. Network Instruments, Observer, and all associated logos are
GigaStor versionsChapter 1 About the GigaStor15rev. 1possible to use the same probe to monitor different types of links as needed. For example, you ca
Chapter 2 Installing Your GigaStor17rev. 1Chapter 2
Unpacking and inspecting the partsChapter 2 Installing Your GigaStor18rev. 1The general steps to install your GigaStor are:F “Unpacking and inspecting
Installing the GigaStor and connecting the cablesChapter 2 Installing Your GigaStor19rev. 1Installing the GigaStor and connecting the cables1 Install
Setting the GigaStor’s IP addressChapter 2 Installing Your GigaStor20rev. 14 Ensure that each drive’s power/activity light is lit. If a drive’s light
Setting the GigaStor’s IP addressChapter 2 Installing Your GigaStor21rev. 1Figure 3 Probe Service Configuration Applet10 The Probe Administration win
Connecting Observer to the GigaStorChapter 2 Installing Your GigaStor22rev. 1Connecting Observer to the GigaStorThis section assumes you have already
Connecting Observer to the GigaStorChapter 2 Installing Your GigaStor23rev. 1Figure 6 Edit Remote Probe Entry4 Type the IP address that you assigned
Connecting Observer to the GigaStorChapter 2 Installing Your GigaStor24rev. 1Figure 8 Probe Instance Redirection6 Select the probe instance and click
Connecting Observer to the GigaStorChapter 2 Installing Your GigaStor25rev. 11 Click Probe Administration (see Figure 7). The Probe Administration Log
Connecting Observer to the GigaStorChapter 2 Installing Your GigaStor26rev. 1By default all of the installed memory on the GigaStor is dedicated for o
Connecting Observer to the GigaStorChapter 2 Installing Your GigaStor27rev. 1Figure 13 GigaStor Instances7 Click New Instance. Figure 14 appears.Figu
Connecting Observer to the GigaStorChapter 2 Installing Your GigaStor28rev. 1Figure 15 Edit Probe Instance: Configure Memory9 From the RAM that you r
Connecting Observer to the GigaStorChapter 2 Installing Your GigaStor29rev. 111 Repeat step 7 through step 10 until you have created all of your probe
3rev. 1GigaStor User Guide
Connecting Observer to the GigaStorChapter 2 Installing Your GigaStor30rev. 1Figure 18 GigaStor Settings Schedule tab3 In the Schedule GigaStor Captu
Configuring Observer for your Gigabit deviceChapter 2 Installing Your GigaStor31rev. 1Configuring Observer for your Gigabit deviceDepending on your pr
Configuring Observer for your Gigabit deviceChapter 2 Installing Your GigaStor32rev. 1Figure 19 Gigabit tabConfiguring Terms of Service and Quality o
Configuring Observer for your WAN deviceChapter 2 Installing Your GigaStor33rev. 1Figure 20 ToS/QoS tabConfiguring Observer for your WAN deviceThere
Configuring Observer for your WAN deviceChapter 2 Installing Your GigaStor34rev. 1Digital DS3/E3/HSSI Probe SettingsTo access the probe settings, sele
Configuring Observer for your WAN deviceChapter 2 Installing Your GigaStor35rev. 1Digital T1/E1 Probe SettingsTo access the probe settings, select the
Configuring Observer for your WAN deviceChapter 2 Installing Your GigaStor36rev. 1Serial T1/E1 Probe SettingsTable 3 describes fields for a serial T1/
Tapping an Ethernet or Fibre Channel connectionChapter 2 Installing Your GigaStor37rev. 1Tapping an Ethernet or Fibre Channel connectionThis section d
Tapping an Ethernet or Fibre Channel connectionChapter 2 Installing Your GigaStor38rev. 1Figure 23 Gen2 card port assignments6 Use the supplied Ether
Tapping an Ethernet or Fibre Channel connectionChapter 2 Installing Your GigaStor39rev. 1Figure 24 GigaStor with an optical nTAPTXRXGigabit Switch (D
4rev. 1Trademark Notices©2008 Network Instruments,® LLC. All rights reserved. Network Instruments, Observer® Gen2,TM and all associated logos are tra
Tapping an Ethernet or Fibre Channel connectionChapter 2 Installing Your GigaStor40rev. 1Gigabit copperThe Gigabit copper kit includes:Q Copper nTAPQ
Tapping an Ethernet or Fibre Channel connectionChapter 2 Installing Your GigaStor41rev. 16 Use the supplied Ethernet cable to connect the network inte
Tapping a WAN connectionChapter 2 Installing Your GigaStor42rev. 1Tapping a WAN connectionThis section describes how to connect the cables for these e
Tapping a WAN connectionChapter 2 Installing Your GigaStor43rev. 1Now that you have physically connected the cables for the GigaStor, you must now con
Tapping a WAN connectionChapter 2 Installing Your GigaStor44rev. 1SerialThe serial T1/E1 kit includes:Q One serial T1/E1 WAN TAPQ One serial Y cableQ
Tapping a WAN connectionChapter 2 Installing Your GigaStor45rev. 1Figure 28 WAN Serial T1/E1 TAPRouter (DCE)CSU/DSU (DTE)10/100/1000 NIC for TCP/IPGi
Tapping a WAN connectionChapter 2 Installing Your GigaStor46rev. 1DS3/E3See “Digital” on page 46 or “Serial/HSSI” on page 48 depending on your needs.D
Tapping a WAN connectionChapter 2 Installing Your GigaStor47rev. 1Figure 29 DS3/E3 TAPPOWERDTEE3LOFLOSINOUTDCELOFLOSINOUTOUT (TX)IN (RX)RXRXDS3 Line
Tapping a WAN connectionChapter 2 Installing Your GigaStor48rev. 1Serial/HSSIThe serial DS3 kit includes:Q One serial DS3/E3 TAPQ One HSSI Y-cableQ On
Tapping a WAN connectionChapter 2 Installing Your GigaStor49rev. 1Figure 30 WAN HSSIRouter (DCE)CSU/DSU (DTE)10/100/1000 NIC for TCP/IPGigaStor orGig
5rev. 1Limited Warranty—SoftwareNetwork Instruments, LLC (“DEVELOPER”) warrants that for a period of sixty (60) days from the date of shipment from DE
Installing the drives in your GigaStorChapter 2 Installing Your GigaStor50rev. 1Installing the drives in your GigaStorCAUTION HANDLINGTHE DRIVESBe esp
Installing the drives in your GigaStorChapter 2 Installing Your GigaStor51rev. 1Figure 31 shows how the drive numbers correspond to slot locations.Fig
Installing the drives in your GigaStorChapter 2 Installing Your GigaStor52rev. 1Connecting the GigaStor Expandable to the expansion unitsAfter you hav
Chapter 3 Packet Capture or GigaStor Capture53rev. 1Chapter 3
Capturing Packets with the GigaStorChapter 3 Packet Capture or GigaStor Capture54rev. 1Capturing Packets with the GigaStorA GigaStor can accumulate te
Packet capture buffer and statistics bufferChapter 3 Packet Capture or GigaStor Capture55rev. 1However, if you are pushing the limits of the system on
Chapter 4 GigaStor Control Panel57rev. 1Chapter 4
Chapter 4 GigaStor Control Panel58rev. 1Once the GigaStor is up and running on the network, you can run Expert Observer or Observer Suite to connect t
Display ControlsChapter 4 GigaStor Control Panel59rev. 1etc., by clicking on the appropriate tab and selecting the items you want to see on the time l
6rev. 1Ownership and ConfidentialityEND-USER agrees that Network Instruments, LLC owns all relevant copyrights, trade secrets and all intellectual pr
Right-click menusChapter 4 GigaStor Control Panel60rev. 1Right-click menusAs with other Observer displays, the charts and tables of the GigaStor contr
Analyze buttonChapter 4 GigaStor Control Panel61rev. 1Analyze buttonFigure 36 GigaStor Control Panel Analyze buttonWhen you click the Analyze button
Analyze buttonChapter 4 GigaStor Control Panel62rev. 1Figure 37 GigaStor Analysis Options windowTable 4 describes what the fields in the various sect
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel63rev. 1Configuring the GigaStor through the Control PanelJust as wi
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel64rev. 1GigaStor Options tabThis tab lets you configure many options
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel65rev. 1Table 5 GigaStor Options tabField DescriptionCapture Buffer
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel66rev. 1Start/Stop Packet Capture marker framesWhen checked, saved p
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel67rev. 1GigaStor Chart tabThis tab lets you choose the appearance, c
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel68rev. 1Figure 41 GigaStor Outline
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel69rev. 1Capture Graph tabClick Settings and the tab for the type of
7rev. 1Technical SupportNetwork Instruments provides technical support by phone (depending on where you are located):US & countries outside Europe
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel70rev. 1GigaStor Schedule tabThis tab lets you schedule GigaStor pac
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel71rev. 1Q Choose Daily at specified times or By day-of-week at speci
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel72rev. 1Figure 44 Statistics Lists tabSubnetYou can specify subnet
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel73rev. 1Figure 45 GigaStor Subnet tabFigure 46 shows how the subnet
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel74rev. 1Figure 46 Subnet and IP Stations
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel75rev. 1GigaStor reportsThere are several default reports available
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel76rev. 1Figure 48 Report Setup3 Use the arrow buttons to position g
Configuring the GigaStor through the Control PanelChapter 4 GigaStor Control Panel77rev. 1ExportYou can export your GigaStor-collected data on a sched
Chapter 5 Using Observer with a WAN Probe79rev. 1Chapter 5
Discover Network NamesChapter 5 Using Observer with a WAN Probe80rev. 1In general, the WAN analysis works much like Ethernet analysis. One difference
Discover Network NamesChapter 5 Using Observer with a WAN Probe81rev. 1To set the CIR for a DLCI or group of DLCIs1 Choose Tools → Discover Network N
WAN Bandwidth UtilizationChapter 5 Using Observer with a WAN Probe82rev. 15 Click OK when you are done. For encapsulations that do not use DLCI (such
WAN Vital Signs by DLCIChapter 5 Using Observer with a WAN Probe83rev. 1WAN Vital Signs by DLCIIn Observer, the Network Vital Signs display is replace
WAN Load by DLCIChapter 5 Using Observer with a WAN Probe84rev. 1WAN Load by DLCIIn a WAN installation, Observer’s Network Activity Display is called
WAN Load by DLCIChapter 5 Using Observer with a WAN Probe85rev. 1Figure 55 WAN Load by DLCIThe WAN Load by DLCI mode can be viewed as a dial, graph,
WAN Top TalkersChapter 5 Using Observer with a WAN Probe86rev. 1Figure 57 WAN Load by DLCI Graph ViewThe WAN Load display in graph view shows these s
WAN FilteringChapter 5 Using Observer with a WAN Probe87rev. 1second, etc.) that apply to WAN is a subset of those available for standard network anal
Triggers and AlarmsChapter 5 Using Observer with a WAN Probe88rev. 1Figure 59 Active FiltersTriggers and AlarmsWAN Observer adds WAN-related criteria
Triggers and AlarmsChapter 5 Using Observer with a WAN Probe89rev. 1Figure 61 Probe Alarm Settings4 Select the alarms you want set.5 Click the Trigge
9rev. 1Contents. Chapter 1: About the GigaStor. GigaStor versions
Triggers and AlarmsChapter 5 Using Observer with a WAN Probe90rev. 1Most WAN alarms can be set on the DTE or DCE side or both. The Committed Informati
Chapter 6 Forensic Analysis using Snort91rev. 1Chapter 6
Starting Forensic Analysis using Snort rulesChapter 6 Forensic Analysis using Snort92rev. 1Forensic Analysis, exclusive to the GigaStor version of Obs
Starting Forensic Analysis using Snort rulesChapter 6 Forensic Analysis using Snort93rev. 1that of native Snort. When you import a set of Snort rules
Starting Forensic Analysis using Snort rulesChapter 6 Forensic Analysis using Snort94rev. 1Figure 64 GigaStor Analysis Options - Forensic Analysis se
Starting Forensic Analysis using Snort rulesChapter 6 Forensic Analysis using Snort95rev. 1Figure 66 GigaStor Analysis Options3 Select the profile th
Starting Forensic Analysis using Snort rulesChapter 6 Forensic Analysis using Snort96rev. 1If this is the first time forensic analysis has been run, y
Starting Forensic Analysis using Snort rulesChapter 6 Forensic Analysis using Snort97rev. 1Figure 69 Rules tab9 Select the boxes next to the rules yo
Starting Forensic Analysis using Snort rulesChapter 6 Forensic Analysis using Snort98rev. 110 Click OK to close the Forensic Analysis Profile dialog.
Starting Forensic Analysis using Snort rulesChapter 6 Forensic Analysis using Snort99rev. 1results, you may want to adjust preprocessor settings toeli