What is a probe instance?
Observer has only one kind of probe instance: the probe instance. If you have a GigaStor then you have two special probe instance types available to you: the active probe instance and the passive probe instance.
 
Observer uses probes to capture network data. In some cases you may want or need more than one probe in a specific location. You can achieve that through probe instances. A probe instance provides you the ability to look at multiple network interfaces, have multiple views of the same interface, or to publish to multiple Observer.
Table 44 compares the features of active and passive probe instances with an Observer probe instance found on all non-GigaStor probes.
Table 44. Active vs. passive GigaStor instances and Observer probe
GigaStor Active probe instance
GigaStor Passive probe instance
Observer Probe1
Better suited for troubleshooting
X
X
Better suited for data capture
X
Start packet capture
X
X
X
Stop packet capture
X
X
X
Start GigaStor packet capture
X
Schedule packet capture
X
X
X
Change directories where data is stored
X
X
X
Able to set permissions
X
X
Able to redirect to different analyzer, etc.
X
X
X

1 An Observer probe is the Single Probe, Multi Probe, or Expert Probe software running on a non-GigaStor probe.

 
A passive probe instance may capture packets to RAM and allows you to do reactive analysis or look at real-time statistics for troubleshooting. The passive probe instance binds to a virtual adapter or a network adapter that has data coming to it that you want to capture. You can change whichever adapter a passive probe instance is bound to without affecting any active probe instance. By default a passive probe instance uses 12 MB of RAM. You can reserve more memory for passive probe instances if you wish.
Caution: With a GigaStor you have the option of which NIC to bind the passive probe instance. Do not bind any passive probe instances to the capture card adapter if at all possible. A copy of all packets is sent from the adapter to every passive probe instance attached to it. If you have several passive probe instances attached to the capture card adapter, the capture card’s performance is significantly affected. Instead attach the passive probe instances to either a 10/100/1000 adapter or to a non-existent one.
If you have a passive probe instance connected to a GigaStor, you can mine data that has already been written to the RAID disk by using an active probe instance. There should be one passive probe instance for each simultaneous Observer user on a GigaStor. By using a passive probe instance, instead of an active probe instance, only one copy of data is being captured and written to disk, which reduces the processor load and the required storage space. For troubleshooting and most uses in Observer passive probe instances are appropriate.
An active probe instance on a GigaStor captures network traffic and writes it to the RAID array. An active probe instance should have as large of a RAM buffer as possible to cushion between the network throughput rate and the array write rate. Like a passive probe instance, it can also be used to mine data from the hard disk, however a passive instance is better suited for the task. An active probe instance cannot start a packet capture while the GigaStor Control Panel is open.
By default there is one active probe instance for GigaStor. It binds to the network adapter and its ports. If you have a specific need to separate the adapter’s ports and monitor them separately, you can do so through passive probe instances or you can create separate virtual adapters.
Only one active probe instance per GigaStor.
Set scheduling to Always for the active probe instance so that it is constantly capturing and writing data. Use a passive probe instance to mine the data.
Do not pre-filter, unless you know exactly what you want to capture. Of course, if something occurs outside the bounds of the filter, you will not have the data in the GigaStor.
Do not allow remote users access to the active probe instance.
 
Figure 70: GigaStor capture and packet capture through probe instances
 
Figure 70 shows how one active probe instance captures and writes to the GigaStor RAID. Passive probe instances 1 and 2 mine data from the RAID array. As a best practice, the passive probe instances are bound to the slowest network adapter in the GigaStor.
Additionally, passive probe instance 3 and 4 are each capturing packets separate from each other and separate from the active probe instance. However, since they are also bound to the same adapter as the active probe instance, they are capturing the same data as the active probe instance.