GigaStor™
GigaStor User Guide
Trademark Notices
©2008 Network Instruments® LLC. All rights reserved. Network Instruments, Observer®, Gen2™ and all associated logos are trademarks or registered trademarks of Network Instruments, LLC.

Limited Warranty—Software
Network Instruments, LLC ("DEVELOPER") warrants that for a period of sixty (60) days from the date of shipment from DEVELOPER: (i) the media on which the SOFT…

Ownership and Confidentiality
END-USER agrees that Network Instruments, LLC owns all relevant copyrights, trade secrets and all intellectual property related to the SOFTWARE.
End User License Agreement (EULA)
PLEASE READ THIS SOFTWARE LICENSE AGREEMENT CAREFULLY BEFORE DOWNLOADING OR USING THE SOFTWARE.

Technical Support
Network Instruments provides technical support by phone (depending on where you are located): US & countries outside Europe at (952) 358-3800; UK and Europe at …
Contents
Chapter 1: About the GigaStor
  GigaStor versions (page 14)
Chapter 2: Installing Your GigaStor
  Unpacking and inspecting the parts …
  Tapping a WAN connection (page 42)
    T1/E1 …
Chapter 7: Observer on the GigaStor
  Using the Observer console locally on the GigaStor (page 108)
Chapter 8: Probe Instances
  What is a probe instance? …
Chapter 1: About the GigaStor

GigaStor versions
The GigaStor is an enterprise-strength network probe appliance. The GigaStor combines a multi-terabyte, high-performance Redundant Array of Independent Disks (RAID) with a dedicated, high-speed network capture card in a modular, easy-to-deploy appliance.

…possible to use the same probe to monitor different types of links as needed. For example, you can easily convert the capture card from optical to copper, allowing you to connect the GigaStor to different test access points (TAPs) or switch port analyzer (SPAN) or mirror interfaces.
Chapter 2: Installing Your GigaStor

Unpacking and inspecting the parts
The general steps to install your GigaStor are:
• "Unpacking and inspecting the parts" on page 18
• "Installing t…

Installing the GigaStor and connecting the cables
1 Install the GigaStor and any expansion units into your rack using the supplied rails. Instructions for installing the rail kits are provided in the rail kit box.

Setting the GigaStor's IP address
4 Ensure that each drive's power/activity light is lit. If a drive's light is not lit, it is likely that the drive is not seated properly. Turn off the GigaStor and reseat the drives.

Figure 3 Probe Service Configuration Applet
10 The Probe Administration window opens. Click the Probe Options tab (Figure 4).
Figure 4 Probe Options
11 Change the name of the probe to something meaningful to you.

Connecting Observer to the GigaStor
This section assumes you have already installed Observer on your desktop or laptop. If not, install the software; you can download it from the Network Instruments website.

Figure 6 Edit Remote Probe Entry
4 Type the IP address that you assigned to the GigaStor in step 7 of "Setting the GigaStor's IP address" on page 19 and click OK.

Figure 8 Probe Instance Redirection
6 Select the probe instance and click Redirect Selected Instance.

1 Click Probe Administration (see Figure 7). The Probe Administration Login window opens.
Figure 10 Remote Probe Administration
2 Ensure "Login using a user account configured for this Probe" is selected and click OK.

By default all of the installed memory on the GigaStor is dedicated to one probe instance. You must first release the memory so that you can assign the freed memory to other probe instances.

Figure 13 GigaStor Instances
7 Click New Instance. Figure 14 appears.
Figure 14 Edit Probe Instance: Name
8 You are configuring a GigaStor probe to capture data and write it to the hard drive.

Figure 15 Edit Probe Instance: Configure Memory
9 From the RAM that you released earlier, assign some of it to this probe instance and click Next.

11 Repeat step 7 through step 10 until you have created all of your probe instances. Any unused memory should be reallocated to the packet capture buffer of the active probe instance or to the operating system.

Figure 18 GigaStor Settings Schedule tab
3 In the Schedule GigaStor Capture section, select Always. For more information about a packet capture vs. a GigaStor capture, see "Packet Capture or GigaStor Capture" on page 53.

Configuring Observer for your Gigabit device
Depending on your probe and your network, you may need to make some changes from the factory defaults.
Figure 19 Gigabit tab
Configuring Type of Service and Quality of Service settings
The ToS/QoS settings are configured for each probe.
1 Select the gigabit probe and right-click.
Figure 20 ToS/QoS tab

Configuring Observer for your WAN device
There are a number of setup options and statistical displays unique to WAN Observer, which are described in the following subsections.

Digital DS3/E3/HSSI Probe Settings
To access the probe settings, select the probe, right-click and choose Probe or Device Settings. Then click the DS3/E3/HSSI tab (Figure 21).

Digital T1/E1 Probe Settings
To access the probe settings, select the probe, right-click and choose Probe or Device Settings. Then click the T1/E1 tab (Figure 22).

Serial T1/E1 Probe Settings
Table 3 describes the fields for a serial T1/E1 connection.
Table 3 Serial T1/E1 probe settings
Setting | Explanation
WAN/Frame Relay Type | Choose T1 or E1 to match the type of link you are analyzing.

Tapping an Ethernet or Fibre Channel connection
This section describes how to connect the cables for th…

Figure 23 Gen2 card port assignments
6 Use the supplied Ethernet cable to connect the network interface card in the GigaStor to the network.
NOTE: STRAIGHT-THROUGH CABLE. If you are using a switch's SPAN/mirror port, no nTAP is required.

Figure 24 GigaStor with an optical nTAP (diagram labels: TX, RX, Gigabit Switch (DCE), Server (DTE), 10/100/1000 NIC for TCP…)

Gigabit copper
The Gigabit copper kit includes:
• Copper nTAP
• 1, 2, or 4 standard Ethernet cables
• 2, …

6 Use the supplied Ethernet cable to connect the network interface card in the GigaStor to the network.
NOTE: PASS-THROUGH CABLE. If you are using a switch's SPAN/mirror port, no nTAP is required.

Tapping a WAN connection
This section describes how to connect the cables for these environments:
• "T1/E1" on page 42
• "DS3/E3" on page 46
T1/E1
See "Digital" on page 42 or "Serial" on page 44, depending on your needs.

Now that you have physically connected the cables for the GigaStor, you must configure its software.

Serial
The serial T1/E1 kit includes:
• One serial T1/E1 WAN TAP
• One serial Y cable
• One serial T1 WAN cable
1 If you have a GigaStor Expandable, see "Connecting the GigaStor Expandable to the expansion units" on page 52 for details about connecting them.

Figure 28 WAN Serial T1/E1 TAP (diagram labels: Router (DCE), CSU/DSU (DTE), 10/100/1000 NIC for TCP/IP, GigaStor or GigaStor Expandable, Serial T1…)

DS3/E3
See "Digital" on page 46 or "Serial/HSSI" on page 48, depending on your needs.

Figure 29 DS3/E3 TAP (panel labels: POWER; DTE: E3, LOF, LOS, IN, OUT; DCE: LOF, LOS, IN, OUT; OUT (TX), IN (RX), RX, RX; DS3 Line (DCE), CSU/DSU (DTE) …)

Serial/HSSI
The serial DS3 kit includes:
• One serial DS3/E3 TAP
• One HSSI Y-cable
• One HSSI cable
• One Ethernet cable
1 If …

Figure 30 WAN HSSI (diagram labels: Router (DCE), CSU/DSU (DTE), 10/100/1000 NIC for TCP/IP, GigaStor or GigaStor Expandable, HSSI TAP, Observer Conso…)

Installing the drives in your GigaStor
CAUTION: HANDLING THE DRIVES. Be especially careful when handling and installing the hard drives. Proper handling is paramount to the longevity of the unit.

Figure 31 shows how the drive numbers correspond to slot locations.

Connecting the GigaStor Expandable to the expansion units
After you have installed the drives, use the supplied cables to connect the expansion units to the GigaStor Expandable.
Chapter 3: Packet Capture or GigaStor Capture

Capturing Packets with the GigaStor
A GigaStor can accumulate terabytes of stored network traffic. To manage the sheer volume of data, the GigaStor includes an alternative, specialized capture and analysis control panel.

Packet capture buffer and statistics buffer
…However, if you are pushing the limits of the system on which the probe is installed by creating many probe instances, you may be able to avoid some performance problems by fine-tuning the memory allocation for each probe instance.
Chapter 4: GigaStor Control Panel

Once the GigaStor is up and running on the network, you can run Expert Observer or Observer Suite to connect to the GigaStor running as a probe to begin …

…etc., by clicking on the appropriate tab and selecting the items you want to see on the time line chart.
Display Controls
Charts and statistical tables are refreshed only when you click the Update Chart or Update Statistics button.

Right-click menus
As with other Observer displays, the charts and tables of the GigaStor control panel offer many right-click shortcuts.

Analyze button
Figure 36 GigaStor Control Panel Analyze button
When you click the Analyze button to view the results, you are prompted to select how to filter the packet capture for display (Figure 37).

Figure 37 GigaStor Analysis Options window
Table 4 describes what the fields in the various sections control.

Configuring the GigaStor through the Control Panel
Just as with the standard Observer packet capture interface, you can set the colors of the capture graph and schedule captures to be automatically launched (or to run all the time).

GigaStor Options tab
This tab lets you configure many options for the GigaStor. Follow the instructions in "Configuring the GigaStor through the Control Panel" on page 63 to open the GigaStor Options tab (Figure 39).

Table 5 GigaStor Options tab
Field | Description
Capture Buffer size | Allows you to set the amount of Windows memory that Observer will dedicate to the capture buffer cache for this instance.
Start/Stop Packet Capture marker frames | When checked, saved packet capture buffers will include markers that timestamp when packet captures were started and stopped.

GigaStor Chart tab
This tab lets you choose the appearance, colors, and scale of the GigaStor Control Panel's time line chart.

Figure 41 GigaStor Outline

Capture Graph tab
Click Settings and the tab for the type of graph or chart for which you want to set the display properties.

GigaStor Schedule tab
This tab lets you schedule GigaStor packet captures to occur at preset times and days of the week.
• Choose Daily at specified times or By day-of-week at specified times to automatically schedule packet captures during the specified time intervals (which you can add by clicking the Add button at the bottom of the dialog; see below).

Figure 44 Statistics Lists tab
Subnet
You can specify subnet properties for the GigaStor. Follow the instructions in "Configuring the GigaStor through the Control Panel" on page 63 to open the Subnet tab (Figure 45).

Figure 45 GigaStor Subnet tab
Figure 46 shows how the subnet settings show up in the GigaStor Control Panel.
Figure 46 Subnet and IP Stations

GigaStor reports
There are several default reports available for you.
1 Follow the instructions in "Configuring the GigaStor through the Control Panel" on page 63 to open the GigaStor Reports tab (Figure 47).

Figure 48 Report Setup
3 Use the arrow buttons to position graphs and tables on your report.
4 Double-click a section of the report to modify its caption, detail, and number format (Figure 48).

Export
You can export your GigaStor-collected data on a scheduled basis. Use the Export tab to configure when and to where your data is saved, or to manually export your data.
Chapter 5: Using Observer with a WAN Probe

Discover Network Names
In general, WAN analysis works much like Ethernet analysis. One difference is that, when appropriate, Observer identifies WAN links by their Data Link Connection Identifier (DLCI) rather than by MAC address as is done with standard protocol analysis.

To set the CIR for a DLCI or group of DLCIs
1 Choose Tools → Discover Network Names. The Discover Network Names pane opens.
2 In the pane, click the edit DLCI CIR button on the Discover Network Names mode window (Figure 51).

WAN Bandwidth Utilization
5 Click OK when you are done. For encapsulations that do not use DLCI (such as X…

WAN Vital Signs by DLCI
In Observer, the Network Vital Signs display is replaced by the WAN Vital Signs by DLCI mode. This mode provides a summary of the errors occurring on a WAN link (E1/T1/DS3/E3).

WAN Load by DLCI
In a WAN installation, Observer's Network Activity Display is called WAN Load by DLCI. This mode shows critical WAN transfer rate and congestion statistics in a number of formats.

Figure 55 WAN Load by DLCI
The WAN Load by DLCI mode can be viewed as a dial, graph, or list display. Except for list view, there are no setup options for WAN Load by DLCI mode.

WAN Top Talkers
Figure 57 WAN Load by DLCI Graph View
The WAN Load display in graph view shows these same statistics (transfer rate, CRC error rate, and FECN/BECN frame rates) as superimposed spike meters.

WAN Filtering
…second, etc.) that apply to WAN is a subset of those available for standard network analysis. For encapsulations that do not use DLCI (such as X.25), the correct address value is shown even though it is still labeled DLCI.

Figure 59 Active Filters
Triggers and Alarms
WAN Observer adds WAN-related criteria to the standard Triggers and Alarms mode.
1 Click the Alarm Settings button located in the lower left corner of Observer's main window.

Figure 61 Probe Alarm Settings
4 Select the alarms you want set.
5 Click the Triggers tab to set the criteria by which the alarms will be triggered.

Most WAN alarms can be set on the DTE or DCE side or both. The Committed Information Rate displayed is the one you set in Discover Network Names mode. See "Setting the Committed Information Rate (CIR) for a DLCI" on page 80.
Chapter 6: Forensic Analysis using Snort

Starting Forensic Analysis using Snort rules
Forensic Analysis, exclusive to the GigaStor version of Observer, is a powerful tool for scanning high-volume packet captures for intrusion signatures and other traffic patterns that can be specified using the familiar Snort rule syntax.

…that of native Snort. When you import a set of Snort rules that includes configuration settings, Observer imports the rule classifications but uses its own defaults for the preprocessor settings.

Figure 64 GigaStor Analysis Options - Forensic Analysis section
If you already have a forensic analysis profile, choose the profile from the Profile list (Figure 64) and click OK.

Figure 66 GigaStor Analysis Options
3 Select the profile that you want or click Edit.
4 Click the Settings Profile Edit button to view and define the fields as you need.

If this is the first time forensic analysis has been run, you must import some rules.
5 Click the Import Snort Files button to display a file selection dialog.

Figure 69 Rules tab
9 Select the boxes next to the rules you want to enable. The right-click menu has options to enable/disable all rules, and to show the actual Snort rule that was imported.

10 Click OK to close the Forensic Analysis Profile dialog. Click OK again to close the Forensic Settings dialog. Click OK to close the GigaStor Analysis Options dialog.

…results, you may want to adjust preprocessor settings to eliminate these conditions. Intruders often attempt to exceed the limitations of forensic analysis to hide malicious content.

…right-click menu. You can also jump to the Decode display of the packet that triggered the alert.
Forensic Analysis Profile field descriptions
This section describes in detail the fields on the Settings and Rules tabs.

Table 8 Forensic Analysis Profile Settings tab
Field | Description
Settings Profile | Settings Profiles provide a mechanism to save and load different preprocessor settings, and to share them with other Observer consoles.
TCP Stream Reassembly (continued) | • Log preprocessor events: checking this box causes forensic analysis to write all activity generated by the TCP stream reassembly preprocessor to the log.
TCP Stream Reassembly (continued) | • Reassembly error action: Discard and flush writes the reassembled stream for analysis, excluding the packet that caused the error.
HTTP URI Normalization (continued) | • Normalize percent-U encodings: convert Microsoft-style %u-encoded characters to standard format. The second check box enables logging when such encoding is encountered during preprocessing.
ARP Inspection | Ethernet uses Address Resolution Protocol (ARP) to map IP addresses to particular machine (MAC) addresses.

Rules tab
The web site www.snort.org provides Snort rule documentation and downloadable rule sets. There are three sets of rules available at www.snort…
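The preprocessor options in Table 8 matter because rules are matched against the normalized request, not the raw bytes; the earlier warning that intruders try to exceed the limitations of forensic analysis is exactly this. The Python below is added here as an illustration and is not taken from the GigaStor manual or from Snort. It parses a minimal Snort rule (header plus the msg, content, nocase and sid options; depth, offset, pcre and the rest of Snort's option set are deliberately out of scope), decodes %XX and Microsoft-style %uXXXX escapes in one pass, and runs the same cmd.exe signature against a plain URI, a %XX-escaped one and a %u-escaped one with normalization off, on without %u handling, and on with it. The rule (sid 1000001, in the local range) and the three URIs are constructed for this example.

```python
"""Minimal Snort-style rule matching with HTTP URI normalization.

Added example, not part of the GigaStor manual and not Snort's own code.
It implements only: the rule header, the msg/content/nocase/sid options,
and single-pass decoding of %XX and Microsoft-style %uXXXX escapes.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample rule in Snort syntax (sid 1000001 is in the local range).
SAMPLE_RULE = (
    'alert tcp any any -> any 80 (msg:"Example: cmd.exe in URI"; '
    'content:"cmd.exe"; nocase; sid:1000001; rev:1;)'
)

# Constructed sample request URIs: plain, %XX-escaped, %uXXXX-escaped.
SAMPLE_URIS = [
    "/scripts/..%5c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%5c../winnt/system32/%63%6d%64.exe?/c+dir",
    "/scripts/..%5c../winnt/system32/%u0063%u006d%u0064.exe?/c+dir",
]

_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One rule option: name, optional ':' value (quoted or bare), terminating ';'.
_OPTION = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
# One escape sequence; a single left-to-right pass means no double decoding.
_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


@dataclass
class Rule:
    action: str
    proto: str
    dport: str
    msg: str
    sid: str
    contents: List[str]
    nocase: bool


def parse_rule(text: str) -> Rule:
    """Parse one Snort rule line into the fields this example uses."""
    m = _HEADER.match(text.strip())
    if m is None:
        raise ValueError("not a Snort rule header: %r" % text)
    contents: List[str] = []
    nocase, msg, sid = False, "", ""
    for name, value in _OPTION.findall(m.group("opts")):
        value = value.strip().strip('"')
        if name == "content":
            contents.append(value)
        elif name == "nocase":
            nocase = True
        elif name == "msg":
            msg = value
        elif name == "sid":
            sid = value
    return Rule(m.group("action"), m.group("proto"), m.group("dport"),
                msg, sid, contents, nocase)


def normalize_uri(uri: str, percent_u: bool = True) -> str:
    """Decode %XX escapes, and %uXXXX escapes when percent_u is set.

    Mirrors what the "Normalize percent-U encodings" option does before
    rules are matched. Decoding happens in one pass, so an escape that
    yields '%' is not decoded a second time.
    """
    def decode(m: "re.Match[str]") -> str:
        if m.group(1) is not None:                      # %uXXXX form
            return chr(int(m.group(1), 16)) if percent_u else m.group(0)
        return chr(int(m.group(2), 16))                 # %XX form
    return _ESCAPE.sub(decode, uri)


def rule_matches(rule: Rule, uri: str, normalize: bool = True,
                 percent_u: bool = True) -> bool:
    """True if every content: string of the rule occurs in the (normalized) URI."""
    haystack = normalize_uri(uri, percent_u) if normalize else uri
    if rule.nocase:
        haystack = haystack.lower()
    return all((c.lower() if rule.nocase else c) in haystack
               for c in rule.contents)


def scan(uris: Iterable[str], rule_text: str = SAMPLE_RULE,
         normalize: bool = True, percent_u: bool = True) -> Dict[str, bool]:
    """Match one rule against each URI; keyed by URI, value is hit or miss."""
    rule = parse_rule(rule_text)
    return {u: rule_matches(rule, u, normalize, percent_u) for u in uris}


if __name__ == "__main__":
    for label, kwargs in (("raw bytes", {"normalize": False}),
                          ("normalized, %u off", {"percent_u": False}),
                          ("normalized, %u on", {})):
        hits = scan(SAMPLE_URIS, **kwargs)
        print(label, [hits[u] for u in SAMPLE_URIS])
```

With normalization off only the plain URI fires; with %XX decoding alone the %u-escaped request still slips past; only with percent-U normalization enabled do all three hit. That is the operational reason to leave the Table 8 option on, and to enable its logging check box so that traffic which needed %u decoding is itself visible.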
Chapter 7: Observer on the GigaStor

Using the Observer console locally on the GigaStor
Depending on how you want or need to use Observ…

Figure 74 Probe Options
3 In the Service Settings section, clear the "Run Probe as a Windows Service" option and click OK. This uninstalls the Network Instruments Expert Probe service from Windows.

5 Choose Options → Switch between Observer and Expert Probe Interface. The Choose Program Interface window opens.
6 Choose Observer and click OK. You must close Observer and restart it to switch into the console interface.
Chapter 8: Probe Instances

What is a probe instance?
TIP! For instructions on setting up a probe instance, see "Probe administration" on page 24.
Observer uses probes to capture network data. In some cases you may want or need more than one probe in a specific location.

…instances to the Gen2 adapter if at all possible. A copy of all packets is sent from the adapter to every passive probe instance attached to it. If you have several passive probe instances attached to the Gen2 adapter, the Gen2's performance is significantly affected.

NOTE: By default there is one active probe instance for GigaStor. It binds to the network adapter and its ports.
Chapter 9: Gen2 Capture Card

Swapping the Gen2 card's SFP or XFP interfaces
The Gen2 card is designed and manufactured by Network Instruments and is optimized for the GigaStor. The Gen2 card comes in two, four, or eight port models.

Configuring virtual adapters on the Gen2 card
• Ports 1-4 are monitoring a collection of trunked links
• The remaining ports are each connected to the SPAN (…

Figure 78 Assign Port to Virtual Adapter: Default view
3 Select the ports to remove and click Remove. This places them in the Available Ports list.
4 Change the name of the adapter to something meaningful to you and click OK (Figure 79).

Figure 80 Edit Port Description
9 Repeat step 5 through step 8 until you have created all of your virtual adapters and given descriptions to your ports. The adapters appear in the list of adapters presented when you create a probe instance.

Viewing the Gen2 card's properties and finding the board's ID
10 Right-click the GigaStor probe and choose Administer Selected Probe from the menu. Log in to the probe.
11 Click the GigaStor Instances tab along the bottom.

2 In the tree on the left, select Device Manager.

This tab shows all active physical ports on the Gen2 card and the board's ID. The "Interrupt enabled" and "DMA enabled" lights are light green when Observer is running and dark green when Observer is not running.
Appendix A: TCP/IP ports, NAT, and VPN

This section discusses the TCP/IP ports, NAT, and VPN.

TCP/IP ports
Observer and all Network Instruments probes use ports 25901 and 25903 to communicate. These ports are registered to Network Instruments.
Figure 86 NAT
If the Observer console is outside the network where the probe is running, you must forward port 25903 on the NAT device to the probe for connections from the Observer's address; keep the forward limited to that source address rather than exposing the probe's administration port to every host outside the NAT. You must use the NAT outside IP address as the probe's IP address when redirecting and/or administering the probe from Observer.
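A quick way to confirm that a NAT forward behaves as described is to attempt a TCP handshake to the two probe ports from the console's address and again from an address that should not be allowed through. The Python below is added for this page as an example; it is not part of the manual and does not speak the Observer probe protocol, it only completes the handshake and disconnects. The loopback demonstration at the bottom, with one listening port and one closed port, is constructed so that the block runs offline; against a real deployment call check_probe_ports with the NAT outside address.

```python
"""Reachability check for the Observer/probe ports (25901 and 25903).

Added example, not part of the GigaStor manual. It only opens a TCP
connection and closes it again; no probe protocol is exchanged.
"""
import socket
import threading
from typing import Dict, Iterable

PROBE_PORTS = (25901, 25903)  # the two ports named in Appendix A


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_probe_ports(host: str, ports: Iterable[int] = PROBE_PORTS,
                      timeout: float = 2.0) -> Dict[int, bool]:
    """Map each port to whether it accepted a connection from this host.

    Run once from the console's address and once from an unrelated address:
    the first should report both ports open through the NAT forward, the
    second should report neither if the forward is restricted by source.
    """
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def _serve_once(listener: socket.socket) -> None:
    """Accept a single connection and close it (stands in for the probe)."""
    conn, _ = listener.accept()
    conn.close()


def demo_on_loopback() -> Dict[str, bool]:
    """Self-contained demonstration: one listening port, one closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # ephemeral port chosen by the OS
    listener.listen(1)
    open_port = listener.getsockname()[1]
    server = threading.Thread(target=_serve_once, args=(listener,), daemon=True)
    server.start()

    # A port we bound and released without listening is closed right after.
    scratch = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    scratch.bind(("127.0.0.1", 0))
    closed_port = scratch.getsockname()[1]
    scratch.close()

    result = check_probe_ports("127.0.0.1", (open_port, closed_port), timeout=1.0)
    server.join(timeout=2.0)
    listener.close()
    return {"open_port_reachable": result[open_port],
            "closed_port_reachable": result[closed_port]}


if __name__ == "__main__":
    print(demo_on_loopback())
```

A port that answers from an address other than the console's is a forward that is too broad; fix the NAT rule rather than relying on the probe's login prompt as the only barrier.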
Appendix B: GigaStor, GigaStor Expandable, and Expansion Unit Cases

GigaStor
Figure 87 shows the front of the GigaStor.
Figure 87 GigaStor (front view; drive slot numbering as laid out in the figure):
13  9  5  1
14 10  6  2
15 11  7  3
16 12  8  4
1 …

GigaStor Expandable
Controller unit
Figure 88 GigaStor Expandable controller (labels: Power Button, Reset But…)

Figure 89 shows the back of the GigaStor Expandable.

Figure 91 shows the back of the expansion unit.
Figure 91 Expansion unit rear view
Table 12 Expansion Unit LEDs and Buttons
LED/Button | Description
Individual Drive Activity | These LEDs blink whenever there is activity on the drive in the RAID array.
Appendix C: GigaStor Portable

The portable GigaStor offers full-duplex packet capture and analysis at wire speed. Depending on which version you ordered, the system includes everything …

Figure 92 Portable Analysis Platform
System Tour
Your GigaStor includes a number of components. Take a moment after unpacking the system to ensure that you received all the parts.

Running Observer passively
Figure 93 Portable GigaStor
Gigabit and Fibre Channel systems have an appropriate copper or optical nTAP installed in the drive bay on the right side of the system. WAN system TAPs are shipped separately.
Using the portable GigaStor as a probe
…Dynamic Host Configuration Protocol (DHCP). For most applications of Observer, you should assign a fixed address to the analyzer rather than depending on the DHCP assignment.
Index (ff = Figure, t = Table)
Numerics: 10 Gigabit Ethernet 14, 37, 116 (Gen2 card 37; GigaStor Portable 134; tapping 19); 10/100/1000 37; 25901 124; 25903 124
A: alarms, WAN …
D (continued): T1/E1 42; WAN alarms 90; WAN statistics 80, 82–83; DCE BECN under CIR 84; DCE FECN under CIR 84; DCE Kbits/s Avg 84; DCE KBits/s Max 84; denial of service …
(continued): daughter board 38; DMA enabled 122; Fibre Channel 37; filter ports 66; Gigabit 37; Gigabit copper 40; Interrupt enabled 122; mirror port 38; passive probe ins…
L: LAPB 34–35; load preprocess settings 101; preprocessor 113
M: MAC address 105 (DLCI instead of 80; excluding 65; statistics 71; Top Talkers 86); MAC addres…
P (continued): Probe Properties T1/E1 Tab 35; Probe Service Configuration Applet 21ff, 108ff
Q: QLogic 19; Quality of Service 32
R: RAID 14, 113–114, 128, 131; RAM see …
V (continued): virtual adapter 114ff (probe instances 119–120); Virtual Adapters tab 119ff; VPN 125
W: WAN (alarms 80, 88; analysis 80; analyzing 33; bandwidth 80; CIR 80; co…)
www.networkinstruments.com
© 2008 Network Instruments, LLC. All rights reserved. Network Instruments, Observer, and all associated logos are registered trademarks of Network Instruments, LLC.