Mining data from your GigaStor
Retrieving data from GigaStor and analyzing it is a primary function of the GigaStor Control Panel. You can use the information in the packet capture to identify numerous network conditions. By using filters and a specific analysis type, you can hone in on the exact information you want.
You have different options when you want to analyze captured data. You can analyze the data:
Without any filters.
With filters from the Observer filter editor.
With filters from the GigaStor Control Panel.
By combining filters from the GigaStor Control Panel and the Observer filter editor.
Note: All packets captured by the probe are time stamped immediately as they are seen by the capture card interface and are then passed to the capture buffer. This ensures the most accurate timestamp.
Table 36 describes the different options available on the GigaStor Analysis Options screen that appears when you click the Analyze button on the GigaStor Control Panel.
Table 36. GigaStor Analysis Options
This option:
Allows you to do this:
Analysis Time Range
Shows the start and end time of the time range you selected in the Detail Chart. You can change the time here if you wish.
Analysis Options
Analyze all data (no filtering)
Takes all packets in the selected time frame on the Detail Chart and analyzes them using the analysis type chosen at the bottom of the screen, without applying any filter. See Analyzing data without any filters.
Select an existing filter
Takes all packets in the selected time frame on the Detail Chart and analyzes them using the analysis type chosen at the bottom of the screen, applying the filter you select (after clicking OK). See Analyzing data with filters from the Observer filter editor.
Filter using selected GigaStor entries
Takes all packets in the selected time frame on the Detail Chart and creates a one-time-use filter for you from the entries you selected on the MAC Stations, IP Stations, IP Pairs, or any of the other tabs in the GigaStor Control Panel. See Analyzing data by combining GigaStor Control Panel and Observer filters.
VoIP and Videoconferencing calls by SIP tag
Takes all of the packets in the selected time frame on the Detail Chart and allows you to extract VoIP and videoconferencing calls based on a SIP tag. For further details about the settings, see How to extract VoIP and video calls from your GigaStor.
Reorder and filter based on trailer timestamp
Some switch aggregators add their own timestamp to packets, which can leave packets in a different order from the one in which the GigaStor actually saw them. If selected, Observer reorders and filters packets based on the timestamp information from the switch aggregator you chose from the list instead of the GigaStor's own timestamp.
Include Expert information in analysis filter
Expert Information packets provide context about network conditions during the time the traffic was captured. The expert frames may give you insight into what was happening that could have influenced a condition within the packet capture you are analyzing.
Display selected filter before starting analysis
Allows you to view the filter before Observer begins analyzing the packet capture. For example, you might choose this option if you have already used the filter and the output excluded traffic you were expecting. By displaying the filter, you can inspect it to see why it may be excluding the traffic.
Analysis Type
Expert analysis and decode
Along with the packet decode, this provides Observer's advanced expert analysis, such as protocol analysis, top talkers, Internet Observer, Application Transaction Analysis, VLAN information, and Forensic Analysis using Snort. Use this option if you want to dive deep into the packets with the ability to view common services and applications, response performance by severity, port-based protocols with slow response, network and application problems with a distinction between local traffic and WAN/Internet traffic, and more.
Decode without expert analysis
Provides a packet decode without any of the insight of expert features listed above.
FIX analysis
Used in conjunction with a FIX analysis profile; the results are displayed on the FIX Analysis tab in the GigaStor Control Panel. See Analyzing FIX transactions. Use this option if you need to see the raw FIX protocol packets and headers, highlight just the FIX data, filter a trade by order ID for further analysis, or validate a specific transaction.
Forensic analysis
Allows you to choose a profile in which you have defined which Snort rules you want to use. The results are displayed on the Forensic Analysis tab in the GigaStor Control Panel. If you chose "Expert analysis and decode" and later decided you also wanted to do forensic analysis, you can do that by clicking the Forensic Analysis tab, which prompts you for a profile. Use this option if you need to scan high-volume packet captures for intrusion signatures and other traffic patterns that can be specified using the familiar Snort rule syntax. You can enforce your "acceptable use" policies, fight industrial espionage, and assist with government regulations such as Sarbanes-Oxley or HIPAA requirements. Using network forensics you can provide pre-intrusion tracking and identification while delivering a paper trail after any intrusion. Or you can perform network troubleshooting using root-cause analysis and identify network problems that have been around for a while. See Examining your network traffic with forensic analysis.
Microburst analysis
Analyzes the selected time frame for any microbursts (as defined in the Microburst Analysis Settings dialog) and displays the results in the Microburst Analysis tab of the GigaStor Control Panel. This is an easier way to find microbursts across a much longer time frame than using the Detail Chart, where the longest time frame that can be analyzed is 15 minutes. Use this option if you need to monitor applications that are sensitive to microbursts, such as financial, audio, video, or multicast applications. See Searching for microbursts.
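To make concrete what a microburst search has to do, the following is an added example written for this page; it is not Observer's own code and the packet trace, window length, link rate and threshold are all constructed assumptions. It slides a fixed window over timestamped frames and reports every run during which the bytes inside the window exceed a chosen percentage of what the link can carry in that window, which is the kind of sub-second event an averaged utilization chart hides.

```python
from collections import deque

# Constructed packet trace for this example: (timestamp in seconds, frame length in bytes).
# Light background traffic, then a burst of twenty 1500-byte frames 120 us apart starting at t=1.0.
SAMPLE_PACKETS = (
    [(0.0, 64), (0.2, 64), (0.4, 64), (0.6, 64), (0.8, 64)]
    + [(1.0 + i * 0.00012, 1500) for i in range(20)]
    + [(1.5, 64), (2.0, 64)]
)


def find_microbursts(packets, window_s, link_bps, threshold_pct):
    """Slide a window of window_s seconds over the trace and report every run of
    packets during which the bytes seen inside the window exceed threshold_pct of
    what the link can carry in that window. Returns a list of dicts holding each
    burst's start time, end time, peak bytes-in-window and peak utilization (percent)."""
    capacity_bytes = link_bps / 8.0 * window_s   # bytes the link can carry in one window
    window = deque()                             # (timestamp, length) pairs inside the window
    in_window = 0                                # bytes currently inside the window
    bursts = []
    active = None                                # burst currently being extended, or None
    for ts, length in sorted(packets):
        window.append((ts, length))
        in_window += length
        # Drop packets that have fallen out of the trailing window.
        while window[0][0] < ts - window_s:
            _, old = window.popleft()
            in_window -= old
        util_pct = 100.0 * in_window / capacity_bytes
        if util_pct > threshold_pct:
            if active is None:
                active = {"start": window[0][0], "end": ts,
                          "peak_bytes": in_window, "peak_util_pct": util_pct}
            else:
                active["end"] = ts
                if in_window > active["peak_bytes"]:
                    active["peak_bytes"] = in_window
                    active["peak_util_pct"] = util_pct
        elif active is not None:
            bursts.append(active)
            active = None
    if active is not None:
        bursts.append(active)
    return bursts


if __name__ == "__main__":
    # Assumed link: 100 Mbit/s, 1 ms window, flag anything above 80% of line rate.
    for b in find_microbursts(SAMPLE_PACKETS, window_s=0.001,
                              link_bps=100_000_000, threshold_pct=80.0):
        print(f"microburst {b['start']:.5f}s-{b['end']:.5f}s: peak {b['peak_bytes']} B "
              f"in window ({b['peak_util_pct']:.0f}% of line rate)")
```

On the constructed trace the same burst that averages to nothing over a second peaks at 108% of a 100 Mbit/s link within a 1 ms window; raising the assumed link rate to 1 Gbit/s makes the same trace report no burst at all, which is why the window length and link rate in the settings matter as much as the threshold.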
Trading Multicast analysis
Analyzes the selected time frame for issues with trading multicast streams on your network, specifically those related to stock exchanges. The streams can be analyzed for tracking UDP sequence numbers, multiple protocol data units (PDUs) within a UDP packet, and stream type or ID. Use this option if you want to analyze any of the Trading Multicast streams Observer supports.
See Trading Multicast for a list of default streams Observer has.
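The two checks named above, tracking UDP sequence numbers and accounting for several PDUs inside one datagram, are shown in the following added example. It is not Observer's code and the datagram layout (a 4-byte sequence number, a 1-byte PDU count, then length-prefixed PDUs) is a hypothetical format constructed for the example, not any exchange's real feed; real feeds differ in header layout but the bookkeeping is the same: each PDU consumes one sequence number, so the next expected number advances by the PDU count, not by one per datagram.

```python
import struct

# Hypothetical feed layout used for this example (not any real exchange's format):
#   uint32 BE  sequence number of the first PDU in the datagram
#   uint8      number of PDUs that follow
#   repeated:  uint16 BE PDU length, then the PDU bytes
HEADER = struct.Struct(">IB")
PDU_LEN = struct.Struct(">H")


def build_datagram(first_seq, pdus):
    """Build one UDP payload carrying several PDUs (used here to construct sample input)."""
    body = b"".join(PDU_LEN.pack(len(p)) + p for p in pdus)
    return HEADER.pack(first_seq, len(pdus)) + body


def parse_datagram(payload):
    """Split a payload into (first_seq, [pdu, ...]); rejects truncated or oversized payloads."""
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than header")
    first_seq, count = HEADER.unpack_from(payload, 0)
    offset = HEADER.size
    pdus = []
    for _ in range(count):
        if offset + PDU_LEN.size > len(payload):
            raise ValueError("truncated PDU length field")
        (length,) = PDU_LEN.unpack_from(payload, offset)
        offset += PDU_LEN.size
        if offset + length > len(payload):
            raise ValueError("truncated PDU body")
        pdus.append(payload[offset:offset + length])
        offset += length
    if offset != len(payload):
        raise ValueError("trailing bytes after last PDU")
    return first_seq, pdus


class SequenceTracker:
    """Tracks the next expected sequence number per stream, counting every PDU in a
    datagram, and records gaps (lost data) and datagrams that arrive behind the
    expected position (duplicates or reordering)."""

    def __init__(self):
        self.expected = {}   # stream id -> next expected sequence number
        self.events = []     # (kind, stream, first_seq, last_seq)

    def feed(self, stream, payload):
        first_seq, pdus = parse_datagram(payload)
        last_seq = first_seq + len(pdus) - 1
        expected = self.expected.get(stream)
        if expected is not None:
            if first_seq > expected:
                self.events.append(("gap", stream, expected, first_seq - 1))
            elif first_seq < expected:
                self.events.append(("behind", stream, first_seq, last_seq))
                if last_seq < expected:
                    return  # entirely already-seen data: never move the pointer backwards
        self.expected[stream] = last_seq + 1


def replay_sample():
    """Run the tracker over a constructed datagram sequence with one gap and one duplicate."""
    tracker = SequenceTracker()
    sample = [
        build_datagram(1, [b"A", b"B"]),          # seqs 1-2
        build_datagram(3, [b"C"]),                # seq 3
        build_datagram(5, [b"E", b"F", b"G"]),    # seqs 5-7: seq 4 never arrives
        build_datagram(5, [b"E", b"F", b"G"]),    # the same datagram again (duplicate)
        build_datagram(8, [b"H"]),                # seq 8, back in sequence
    ]
    for payload in sample:
        tracker.feed("feedA", payload)
    return tracker


if __name__ == "__main__":
    t = replay_sample()
    for event in t.events:
        print(event)
    print("next expected:", t.expected)
```

Run stand-alone it reports one gap covering sequence 4 and one datagram arriving behind the expected position (5 to 7), and ends expecting sequence 9. The parser's length checks matter in practice: a feed capture containing a truncated datagram should raise an error rather than silently shift every later sequence number.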
IPTV analysis
Analyzes the selected time frame for IPTV traffic on your network. IPTV is configured by providing the multicast stream IP (or range of IPs) and, optionally, the UDP ports used to transport the content, along with the receive capabilities of the devices consuming the IPTV feeds. These settings allow Observer to identify the IPTV traffic of interest (the IP and UDP ports) and to accurately calculate metrics about the quality of the feed for the endpoints, such as MDI, by providing the Delay Factor and Media Loss Rate information.
See Choosing your network trending types for a list of default streams Observer has.
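The Delay Factor and Media Loss Rate that make up MDI are defined in RFC 4445; the following added example computes both from timestamped, sequence-numbered datagrams. It is not Observer's implementation: the stream (1000-byte datagrams nominally every 1 ms, so a media rate of 1,000,000 bytes/s, with one lost datagram and one early arrival) is constructed, and taking loss from a per-packet sequence number is an assumption, since a real probe may instead count MPEG transport-stream continuity-counter breaks.

```python
# Constructed sample: an IPTV stream nominally sending one 1000-byte UDP datagram every 1 ms
# (media rate 1,000,000 bytes/s). Each tuple is (arrival time in seconds, sequence number, bytes).
# Sequence 4 is lost; sequence 6 arrives early, only 0.2 ms after sequence 5.
SAMPLE_STREAM = [
    (0.000, 0, 1000), (0.001, 1, 1000), (0.002, 2, 1000), (0.003, 3, 1000),
    (0.005, 5, 1000), (0.0052, 6, 1000), (0.006, 7, 1000), (0.007, 8, 1000),
]


def media_delivery_index(packets, media_rate_bytes_per_s, interval_s):
    """Compute the MDI pair (DF in milliseconds, MLR in packets per second) as RFC 4445 describes.

    DF: a virtual buffer receives each packet's bytes on arrival and drains continuously at the
    nominal media rate; the buffer is sampled just before and just after each arrival, and DF is
    its peak-to-peak swing divided by the media rate (i.e. the buffering time a receiver needs).
    MLR: packets missing from the sequence-number space, divided by the measurement interval.
    """
    vb = 0.0                 # virtual buffer level in bytes; starts empty
    vb_min = vb_max = 0.0
    prev_ts = None
    prev_seq = None
    lost = 0
    for ts, seq, length in packets:
        if prev_ts is not None:
            vb -= media_rate_bytes_per_s * (ts - prev_ts)   # drained since the last arrival
        vb_min, vb_max = min(vb_min, vb), max(vb_max, vb)   # sample before the arrival
        vb += length                                        # the arrival fills the buffer
        vb_min, vb_max = min(vb_min, vb), max(vb_max, vb)   # sample after the arrival
        if prev_seq is not None and seq > prev_seq + 1:
            lost += seq - prev_seq - 1                      # sequence gap = lost packets
        prev_ts, prev_seq = ts, seq
    df_ms = 1000.0 * (vb_max - vb_min) / media_rate_bytes_per_s
    mlr = lost / interval_s
    return df_ms, mlr


if __name__ == "__main__":
    df, mlr = media_delivery_index(SAMPLE_STREAM, media_rate_bytes_per_s=1_000_000, interval_s=1.0)
    print(f"MDI = {df:.3f}:{mlr:.1f}  (DF ms : MLR packets/s)")
```

A perfectly paced stream swings the virtual buffer by exactly one packet, so its DF equals one packet time (1 ms here); the late arrival after the lost datagram lets the buffer drain a full packet below empty, doubling DF to 2 ms, while the single missing sequence number gives an MLR of 1 packet per second over a one-second measurement interval.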
Multiple GigaStor analysis
Combines and analyzes data streams from two or more active probe instances. The active probe instances are typically from multiple GigaStor probes, but can also be from the same GigaStor probe. Use this option if your GigaStor probes captured the same data from two or more perspectives and you want to compare them using MultiHop Analysis. The MultiHop Analysis can be based on IP, IP pair, IP port, or a filter. Or use it when two or more perspectives are capturing different parts of the same communication (one sees the sending side and the other the receiving side, or 50% of the connections to an application are on one and 50% on the other) and you want to combine the data to get a complete picture of the communication. This might be due to the way traffic was routed (and eventually captured) or part of an architectural decision to load balance the traffic across multiple physical capture appliances.
For details about MultiHop Analysis, see Using MultiHop Analysis.
Third Party Decoder
Observer allows you to use other software to view packet decodes if you wish. You might do this because you prefer the other tool's interface or workflow. This option is only available if the Third Party Decoder option has already been enabled on the Third Party Decoder tab under Options > General Options. By default the menu text is "Decode Capture File using Wireshark," but it is completely configurable. See Third Party Decoder tab for details on how to change the menu text and which application is used.
Remember Analysis Options and Type
The last selected analysis options and type are used for any subsequent analysis. This is useful if you typically use the same analysis options repeatedly.