Observer Analyzer : Observer Analyzer : Packet Captures : How to configure the capture buffer settings
How to configure the capture buffer settings
Observer can perform packet captures without additional setup. However, to maximize Observer performance, you should consider configuring your capture settings manually.
During the creation of your probe instance(s), you set the size of your buffers. The capture buffer is used to store raw data captured from the network before it is written to disk, and the statistical buffer stores statistical data entries (example buffer change shown in Figure 16).
Note: All packets seen by the capture card interface are time-stamped immediately, then are passed to the capture buffer. This ensures the most accurate time stamp.
Experimenting with buffer sizes is encouraged; it may take some time to find a balance between how large or small your buffer sizes should be for a probe instance, and it depends greatly on how the probe instance is used. Try finding the best balance between what the probe instance needs to operate efficiently and how much RAM a fully-maxed buffer would leave for other services to use.
The default settings for the statistical buffer work perfectly well for most installations—change them if they do not. The packet capture buffer, however, typically needs increasing or decreasing to best reflect your system.
 
Figure 16: Changing your buffer sizes
 
To change the buffer sizes of probe instances, complete the following:
1. On the Home tab, in the Probe group, click Setup > Memory and Security Administration.
2. Double-click the probe instance you want to configure.
3. Change the buffer sizes to better match the needs of your chosen probe instance.
4. Select a statistics memory configuration from the list.
These choices affect the maximum number of entries per statistic tracked in real-time statistic modes. A larger choice allows more statistical entries to be held in non-reserved system memory (RAM available to Windows) than its preceding, smaller choice. The size shown is the maximum memory allowed to be used for this purpose—the memory footprint can grow up to this size but never greater. The memory used here follows FIFO rules (first-in, first-out), meaning if the limit is reached, the oldest data is discarded as the newest data arrives. Remember, this setting only affects real-time statistics modes only, and any statistics modes running will continue to fill up to your chosen limit for however long your real-time statistics tools are running. This is because the memory is not flushed until all statistical mode windows are closed.
5. Select a trending memory configuration from the list.
These choices affect the maximum number of entries per statistic tracked in network trending during a 1-minute collection interval. One IP pair would be an example of one entry. The size shown is the maximum memory allowed to be used for this purpose—the memory footprint can grow up to this size but never greater. The memory used here follows FIFO rules (first-in, first-out), meaning if the limit is reached, the oldest data is discarded as the newest data arrives.
6. Click OK twice to confirm and save your changes.
 
You successfully changed the buffer sizes of a chosen probe instance. In the future, you may need to re-evaluate your buffer sizes using the same process; this is especially true after adding or removing memory from your system or after adding new probe instances.