Understanding GigaStor trace extraction
Trace extraction gives you unlimited real-time access to GigaStor-collected traffic from anywhere you are, all without needing to open or use Observer. The extracted packet captures can be opened and analyzed in all of your favorite tools.
Trace extraction allows you to “pull” a packet capture out of the GigaStor using just a web browser. No interaction with Observer is necessary for extracting data stored in a GigaStor, nor do you need to have Observer installed on the machine you are working from (a laptop, for example). What is required, though, is LAN access to the Apex Lite web interface that runs on the target GigaStor system, or a licensed Apex installation with the target GigaStor added as a data source. From the web interface, a trace extraction web page is available for configuring what you wish to extract from the GigaStor. The workflow is described in .
Each trace extraction request is considered a job, and a packet capture is the result of each successful job. Every trace extraction job has its own progress, including a start and an end. You can submit multiple trace extraction jobs at the same time; they are queued in the order they were received. The next trace extraction job in the queue begins after the job ahead of it completes, either successfully or by failure. To maintain optimal disk performance on the GigaStor system, only one job is active at any given time on each GigaStor.
You can retrieve the extracted packet capture in a few different ways. The resulting packet capture is either downloadable through your web browser, saved to a disk directory on the GigaStor, or saved to networked storage. This behavior depends entirely on the options of your extraction job:
If the job is set to create a downloadable file, the packet capture is downloadable from the trace extraction job viewer for 24 hours. After 24 hours, the packet capture expires and is automatically deleted. You can also delete the packet capture manually, before it expires, using the same job viewer. The actual storage area for these captures is the Observer Web Server temporary storage folder on the target GigaStor: C:\Program Files\Common Files\Observer Web Server\htdocs\obs\temp. Therefore, each extraction temporarily reduces the free space of that C:\ drive by the size of all captures there within any given 24-hour period.
If the job is set to save the packet capture to a directory, the packet capture must be retrieved from the location you specified. The packet capture cannot be downloaded through a web browser using this job option, but the capture is persistent and not automatically deleted. The target GigaStor needs disk write permissions to the specified directory or you will encounter a job error.
If the file path is to a local disk on the GigaStor and you are running in service mode, you should not encounter many write permission issues, if any at all.
If the file path is network storage (either a mapped or unmapped location) and you are running in service mode, the GigaStor Windows ‘system’ user account itself needs write permission to that directory. You could encounter write permission errors.
If you are running Observer in application mode, the Windows user account that is logged in and is the owner of the Observer process must have write permission to that directory.
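For the downloadable-file option, captures sit in the Observer Web Server temporary folder for up to 24 hours and count against free space on C:\. The PowerShell function below is an added example, not part of Observer or its documentation, that inventories that folder when run on the GigaStor. The function name, its parameters, and the use of each file's last-write time as its age are assumptions of this example.

```powershell
# Added example (not Observer code). The path and the 24-hour expiry come from the
# text above; function name, parameters and output fields are assumptions.
function Get-ExtractionTempUsage {
    [CmdletBinding()]
    param(
        [string]$TempPath = 'C:\Program Files\Common Files\Observer Web Server\htdocs\obs\temp',
        [int]$ExpiryHours = 24
    )

    if (-not (Test-Path -LiteralPath $TempPath -PathType Container)) {
        throw "Folder not found: $TempPath"
    }

    $now = Get-Date
    # Assumption: every file under the folder counts toward usage; capture files
    # are not distinguished from other temporary files.
    $files = @(Get-ChildItem -LiteralPath $TempPath -File -Recurse -Force -ErrorAction Stop)

    [long]$totalBytes = 0
    $detail = foreach ($f in $files) {
        $totalBytes += $f.Length
        # Assumption: last-write time approximates when the extraction job finished.
        $ageHours = ($now - $f.LastWriteTime).TotalHours
        [pscustomobject]@{
            Name       = $f.Name
            SizeMB     = [math]::Round($f.Length / 1MB, 1)
            AgeHours   = [math]::Round($ageHours, 1)
            PastExpiry = ($ageHours -gt $ExpiryHours)
        }
    }

    # Free space on the drive that holds the folder (local drive letters only).
    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $TempPath).ProviderPath)
    $drive = New-Object System.IO.DriveInfo -ArgumentList $root

    [pscustomobject]@{
        Folder          = $TempPath
        FileCount       = $files.Count
        TotalMB         = [math]::Round($totalBytes / 1MB, 1)
        DriveFreeMB     = [math]::Round($drive.AvailableFreeSpace / 1MB, 1)
        PastExpiryCount = @($detail | Where-Object { $_.PastExpiry }).Count
        Files           = $detail
    }
}

# Summary first, then the ten largest files still held in the folder.
$usage = Get-ExtractionTempUsage
$usage | Select-Object Folder, FileCount, TotalMB, DriveFreeMB, PastExpiryCount | Format-List
$usage.Files | Sort-Object SizeMB -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

A non-zero PastExpiryCount means files older than the 24-hour window are still present, which is worth checking against the job viewer.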
Apex plays an important role in trace extraction. Apex (or Apex Lite, which is automatically installed with Observer) uses REST API requests to communicate with the GigaStor and start a trace extraction. Using the same Observer REST API, it is possible to script and automate the extraction of packet captures without Apex involved, but Apex provides an easy-to-access interface for creating trace extraction jobs using just your web browser. To create these same REST requests on your own, refer to the REST API documentation for extracting GigaStor data.
Filtering can be applied before the packet capture is created. Instead of post-filtering the extracted packet capture, you can configure a filter beforehand through the extraction job options. This narrows the scope (and disk space required) of the packet capture to just the addresses, conversations, protocols, VLANs, or other criteria of interest. Existing Observer filters can also be used as filter strings. For more information, see the filtering syntax documentation when crafting a filter in the Filter box in your job settings.