Setting the GigaStor general options
The General Options tab configures packet capture and buffer size; whether partial packets are captured; indexing of MAC, IP, VLANs; capture and analysis options; sampling; analysis types; and more.
This tab lets you configure many options for the GigaStor.
2. Click the Settings button.
3. Click General Options. See Table 3 for a description of each field of the GigaStor General Options tab.
Figure 58: GigaStor General Options
Packet capture and GigaStor buffer size—This only applies to the active probe instance.
Partial packet capture size—This only applies to the active probe instance.
GigaStor indexing options—You may need to adjust the indexing information based on your network.
Capture and analysis options—What protocols are on your network? Are they all standard protocols, or do you have some custom or home grown protocols?
Other general GigaStor Control Panel options.
Table 3. GigaStor configuration options
Capture Buffer size
Only available if you are configuring an active GigaStor instance.
Allows you to set the amount of Windows memory that Observer will set aside to store captured packets. Observer will show the buffer percentage full and give you an idea of what the best buffer size is for a particular situation.
You will want to capture an event in as little time with as little buffer space as possible. Observer has no limitations on the amount of RAM that can be used for a buffer. On 64-bit systems, you are limited only by the amount of physical memory installed on the Observer PC.
It is not recommended that you use Observer to view packets going to or coming from the Observer PC. If you need to look at the traffic to/from the Observer PC, install Observer on another PC. There are many reasons why this is not a good idea but, in general, you will see varying amounts of your own data with a protocol analyzer on your own PC. This is due to the architecture of the PC and the inability of Windows to multi-task the receiving and analysis of the data going and coming from the Observer PC.
Capture Partial Packets
by default, Observer will capture the entire packet. This option allows you to define a specific amount of each packet to capture to the buffer. For example, a setting of 64 bytes will result in Observer only capturing the first 64 bytes of every packet. Most of the pertinent information about the packet (as opposed to the information contained in the packet) is at the beginning of the packet, so this option allows you to collect more packets for a specific buffer size by only collecting the first part of the packet. In some forensic situations, a warrant may only allow an officer/agent to collect, for example, email headers.
Also, if the system is having trouble keeping up with bandwidth spikes, collecting partial packets can resolve the issue. To change the number of bytes captured in each packet, click Change Size.
This setting affects all analyzers that connect to this probe. You cannot change this setting unless you have administrative privileges to do so.
Collect and Show GigaStor Indexing Information by
Choose whether to show or hide the following tabs in the GigaStor Control Panel: MAC Stations, IP Pairs, IP Addresses, TCP Applications, UDP Applications, VLANs, MPLS, Physical Ports, and Network Packet Broker (NPB) Port Tagging. These options are for controlling statistical display only. All packets that the GigaStor sees are written to disk and is available for analyzing using the Analyze button.
The value configured in these boxes determine the maximum number of stations that are indexed by the GigaStor and shown in the GigaStor Control Panel. If you are limiting MAC stations to 1000 (the default), it is the first 1000 MAC stations the GigaStor sees—not the most recent 1000.
The maximum allowable IP Addresses is 200,000 (the default is 1000). See Discovering current top talkers on the network for tips on how to narrow your time slice.
Capture and Analysis Options
Enable intelligent TCP protocol determination: Displays only known applications while hiding dynamic ports by using the TCP three-way handshake (SYN SYN+ACK ACK). Clearing this option shows all ports.
Limit to ports defined in “Protocol Definitions”: Select this option to limit the ports shown to only those listed in the Protocol Definitions. See the Discovery section in the Observer User Guide.
Track statistics information per physical port: When selected, causes the GigaStor to index the data it collects by capture card physical ports. You can then display GigaStor Control Panel statistics by physical port. If this option is selected, then you also may want to enable the “Use physical port selections…” option also on this tab.
Collect counts for all IP protocols in addition to TCP and UDP: Select this option to collect counts for all IP protocols (such as ICMP, OSPF, Multicast, etc.) not just TCP and UDP. If this option is not selected, TCP and UDP counts are still collected.
Enable Analysis Types:
Choose whether to enable the GigaStor Control Panel to process and display these types of data. By clearing these options, the corresponding tab is hidden in the GigaStor Control Panel and you cannot analyze packets for these data types:
Forensic Analysis (uses Snort rules)
FIX Analysis: used to process FIX financial transactions.
Microburst Analysis: used to process data to identify microbursts on your network, typically a concern for network administrators in trading firms, but also other companies.
Trading Multicast Analysis
IPTV Analysis
GigaStor Packet Sampling
Packet sampling applies to the GigaStor Control Panel statistical displays, not saved packets. On probes connected to highly-saturated networks (especially multi-port probes), sometimes it is desirable to adjust the rate of statistical indexing to conserve probe processing and storage resources. The default (and recommended) setting is for Observer to automatically scale back the packets it uses to update the analyzer display based on system load. Alternatively, you can specify a fixed sampling ratio to consider when updating the GigaStor Control Panel charts and statistical displays. A sampling ratio of 1 means every packet is analyzed. and a ration of 10 means every 10 packets are analyzed. From a statistics perspective analyzing every 10 or even 100 packets will provide the trends you need without burdening the system by analyzing every packet.
For even more details, see Differences between statistics and packets.
Use physical port selections…
You can choose this option to display statistics sorted by capture card physical port. This is useful when you want to troubleshoot the individual links without having to load the capture buffer by clicking Analyze.
If selected, you must also select the Track statistics information per physical port option in the Capture and Analysis Options section on this tab.
Auto-update GigaStor chart…
When selected, causes the listed actions to have the same effect as clicking the Update Chart/Statistics buttons.
Keep focus on GigaStor
Keeps the focus in the GigaStor Control Panel instead of switching to the decode pane.
Update display…in 30 second intervals
When selected all tables will update in 30 second intervals. This does not affect web-based reports, only the real-time displays in the analyzer.
Display only defined subnets
When selected only defined subnets are displayed. The subnets must be defined on the Subnet tab. See for details about defining a subnet.
Enable IP DNS resolution
Select this option to enable IP DNS resolution within the GigaStor. If you have several thousand hosts, you may wish to disable this option as it may take a long time to resolve names for reports.
Enable packet time charting…
Because the charts can be configured to show sub-second intervals that means that some packets will cross the boundaries of your chosen intervals. This makes it hard to tell in the chart how long your scenario occurred. When enabled, this setting makes the charts display every interval in which the bits were present from your packet, not just the first interval.
This setting works even if it was not enabled when the packet was captured. It can be enabled later and you will see every interval where a bit was present.
You set the general options for your GigaStor system. These options have a large effect on the operation of the GigaStor system, so if anything seems wrong or you are not seeing all the packets you anticipated, return to these settings and see if they should be changed.
Shorten your time slice to find a top talker
The Top Talker list may appear to be missing entries. This occurs because of a combination of two settings in your GigaStor Control Panel. Temporarily adjust these settings to get the data you want.
If you are trying to find what system or systems are responsible for certain traffic on your network, you’d typically use Top Talkers to identify them. There is, however, a limit to the number of systems that Top Talkers identifies. By default, that limit is 1000. As soon as the 1000th system is identified in a time slice—chronologically—all remaining systems are ignored even if they were “chattier” (that is, causing more traffic on the network) than any of the first 1000 systems. In other words, the GigaStor Control Panel does not show the 1000 most talkative systems, but the first 1000 systems it encounters.
The solution is to shorten your time slice, perhaps down to milliseconds if necessary so that the Top Talker list does not reach the 1000 stations. Additionally, you can increase the number of IP Addresses allowed in the list up to a maximum of 200,000.
Also keep in mind that in the GigaStor Control Panel you are looking at statistics, not actual packet data. Therefore, you could set the GigaStor Control Panel sampling ratio to 1 and set the maximum number of entries allowed to a very high number (100,000 or even higher). This won’t give you 100% accurate data, but you will get a very good idea of the situation based on statistics.
Caution: If you change the maximum IP address or sampling ratio, consider changing its value back after you have identified your top talker. The reason is that both settings affect memory and can adversely affect performance if there is a high number of IP address and extremely low sampling ratio. Returning these values to their defaults (10,000 IP Addresses and a sampling ratio of 10) will restore GigaStor performance.
The GigaStor Control Panel indexing maximums and sampling ratio are configured in Setting the GigaStor general options.