Network Instruments Gigastor 114Ff Users Manual
2015-02-05
Page Count: 146
GigaStor User Guide, rev. 1

Trademark Notices

©2008 Network Instruments, LLC. All rights reserved. Network Instruments, Observer®, Gen2™, and all associated logos are trademarks or registered trademarks of Network Instruments, LLC.

Open Source Copyright Notices

Portions of this product include software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/), Copyright © 1998-2008 The OpenSSL Project. All rights reserved.

Portions of this product include software written by the University of Cambridge, Copyright © 1997-2008 University of Cambridge. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of the University of Cambridge nor the name of Google Inc. nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Limited Warranty—Hardware

Network Instruments, LLC. (“Network Instruments”) warrants this hardware product against defects in materials and workmanship for a period of 90 days from the date of shipment of the product from Network Instruments, LLC. Warranty is for depot service at Network Instruments corporate headquarters in Minneapolis, MN, or Network Instruments’ London, UK office. Warranties and licenses may give you more coverage in certain local jurisdictions; Network Instruments also offers extended warranties as part of its maintenance agreement program.

If a defect exists during the initial warranty period or prior to expiration of a pre-paid maintenance program, at its option Network Instruments will (1) repair the product at no charge, using new or refurbished replacement parts, or (2) exchange the product with a product that is new or which has been manufactured from new or serviceable used parts and is at least functionally equivalent to the original product. A replacement product assumes the remaining warranty of the original product or 60 days, whichever provides longer coverage for you. When a product or part is exchanged, any replacement item becomes your property and the replaced item becomes Network Instruments' property.

The information in this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Network Instruments, LLC. Network Instruments, LLC assumes no responsibility or liability for any errors or inaccuracies that may appear in this manual. Network Instruments, LLC does not warrant that the hardware will meet your requirements or that the operation of the hardware will be uninterrupted or that the hardware will be error-free.

Network Instruments, LLC SPECIFICALLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL Network Instruments, LLC BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGE, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES. Network Instruments, LLC makes no other warranty, expressed or implied.

Limited Warranty—Software

Network Instruments, LLC (“DEVELOPER”) warrants that for a period of sixty (60) days from the date of shipment from DEVELOPER: (i) the media on which the SOFTWARE is furnished will be free of defects in materials and workmanship under normal use; and (ii) the SOFTWARE substantially conforms to its published specifications. Except for the foregoing, the SOFTWARE is provided AS IS. This limited warranty extends only to END-USER as the original licensee. END-USER's exclusive remedy and the entire liability of DEVELOPER and its suppliers under this limited warranty will be, at DEVELOPER or its service center's option, repair, replacement, or refund of the SOFTWARE if reported (or, upon request, returned) to the party supplying the SOFTWARE to END-USER. DEVELOPER does not warrant that the software will meet END-USER requirements, and in no event does DEVELOPER warrant that the SOFTWARE is error free or that END-USER will be able to operate the SOFTWARE without problems or interruptions.

Should DEVELOPER release a newer version of the SOFTWARE within 60 days of shipment of the product, DEVELOPER will update the copy of the SOFTWARE upon request, provided request is made by the licensed END-USER within the 60 day period of shipment of the new version. This update may consist of a CD or a manual or both at the discretion of DEVELOPER. END-USER may be charged a shipping fee for updates.

The information in the SOFTWARE manuals is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by DEVELOPER. DEVELOPER assumes no responsibility or liability for any errors or inaccuracies that may appear in any SOFTWARE manual.

This warranty does not apply if the software (a) has been altered, except by DEVELOPER, (b) has not been installed, operated, repaired, or maintained in accordance with instructions supplied by DEVELOPER, (c) has been subjected to abnormal physical or electrical stress, misuse, negligence, or accident, or (d) is used in ultrahazardous activities.

DISCLAIMER. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

The above warranty DOES NOT apply to any beta software, any software made available for testing or demonstration purposes, any temporary software modules or any software for which DEVELOPER does not receive a license fee. All such software products are provided AS IS without any warranty whatsoever.

This License is effective until terminated. END-USER may terminate this License at any time by destroying all copies of SOFTWARE including any documentation. This License will terminate immediately without notice from DEVELOPER if END-USER fails to comply with any provision of this License. Upon termination, END-USER must destroy all copies of SOFTWARE. DEVELOPER makes no other warranty, express or implied.

Liability

IN NO EVENT WILL DEVELOPER OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT, OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE EVEN IF DEVELOPER OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DEVELOPER SHALL NOT BE LIABLE FOR MATERIAL, EQUIPMENT, DATA, OR TIME LOSS CAUSED DIRECTLY OR INDIRECTLY BY PROPER OR IMPROPER USE OF THE SOFTWARE. IN CASES OF LOSS, DESTRUCTION, OR CORRUPTION OF DATA, DEVELOPER SHALL NOT BE LIABLE. DEVELOPER DOES NOT TAKE ANY OTHER RESPONSIBILITY.

In no event shall DEVELOPER's or its suppliers' liability to END-USER, whether in contract, tort (including negligence), or otherwise, exceed the price paid by END-USER. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. DEVELOPER SPECIFICALLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL DEVELOPER BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGE, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES. DEVELOPER’S liability to the END-USER under this agreement shall be limited to the amount actually paid to DEVELOPER by END-USER for the SOFTWARE giving rise to the liability.

Ownership and Confidentiality

END-USER agrees that Network Instruments, LLC owns all relevant copyrights, trade secrets and all intellectual property related to the SOFTWARE.

End User License Agreement (EULA)

PLEASE READ THIS SOFTWARE LICENSE AGREEMENT CAREFULLY BEFORE DOWNLOADING OR USING THE SOFTWARE. BY CLICKING ON THE “ACCEPT” BUTTON, OPENING THE PACKAGE, DOWNLOADING THE PRODUCT, OR USING THE EQUIPMENT THAT CONTAINS THIS PRODUCT, YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE “DO NOT ACCEPT” BUTTON AND THE INSTALLATION PROCESS WILL NOT CONTINUE, RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND, OR DO NOT DOWNLOAD THE PRODUCT.

The SOFTWARE is neither shareware nor freeware. The SOFTWARE is a commercial software package that is subject to international copyright laws.

Single User License Grant: Network Instruments, LLC (“DEVELOPER”) and its suppliers grant to END-USER a nonexclusive and nontransferable license to use the DEVELOPER software (“SOFTWARE”) in object code form solely on a single central processing unit owned or leased by END-USER or otherwise embedded in equipment provided by DEVELOPER.

Multiple-Users License Grant: DEVELOPER and its suppliers grant to END-USER a nonexclusive and nontransferable license to use the DEVELOPER SOFTWARE in object code form: (i) installed in a single location on a hard disk or other storage device of up to the number of computers owned or leased by END-USER for which END-USER has paid individual license fees purchased; or (ii) provided the SOFTWARE is configured for network use, installed on a single file server for use on a single local area network for either (but not both) of the following purposes: (a) permanent installation onto a hard disk or other storage device of up to the number of individual license fees purchased; or (b) use of the SOFTWARE over such network, provided the number of computers connected to the server does not exceed the individual license fees purchased.

END-USER may only use the programs contained in the SOFTWARE (i) for which END-USER has paid a license fee (or in the case of an evaluation copy, those programs END-USER is authorized to evaluate) and (ii) for which END-USER has received product authorization keys (“PAK”). END-USER grants to DEVELOPER or its independent accountants the right to examine its books, records and accounts during END-USER's normal business hours to verify compliance with the above provisions. In the event such audit discloses that the Permitted Number of Computers is exceeded, END-USER shall promptly pay to DEVELOPER the appropriate license fee for the additional computers or users. At DEVELOPER's option, DEVELOPER may terminate this license for failure to pay the required license fee.

END-USER may make one (1) archival copy of the SOFTWARE provided END-USER affixes to such copy all copyright, confidentiality, and proprietary notices that appear on the original. EXCEPT AS EXPRESSLY AUTHORIZED ABOVE, END-USER SHALL NOT: COPY, IN WHOLE OR IN PART, SOFTWARE OR DOCUMENTATION; MODIFY THE SOFTWARE; REVERSE COMPILE OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE SOFTWARE; OR RENT, LEASE, DISTRIBUTE, SELL, OR CREATE DERIVATIVE WORKS OF THE SOFTWARE.

END-USER agrees that aspects of the licensed materials, including the specific design and structure of individual programs, constitute trade secrets and/or copyrighted material of DEVELOPER. END-USER agrees not to disclose, provide, or otherwise make available such trade secrets or copyrighted material in any form to any third party without the prior written consent of DEVELOPER. END-USER agrees to implement reasonable security measures to protect such trade secrets and copyrighted material. Title to SOFTWARE and documentation shall remain solely with DEVELOPER.

SOFTWARE, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. END-USER agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, reexport, or import SOFTWARE.

This License shall be governed by and construed in accordance with the laws of the State of Minnesota, United States of America, as if performed wholly within the state and without giving effect to the principles of conflict of law. If any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall remain in full force and effect. This License constitutes the entire License between the parties with respect to the use of the SOFTWARE.

Restricted Rights - DEVELOPER's software is provided to non-DOD agencies with RESTRICTED RIGHTS and its supporting documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the Government is subject to the restrictions as set forth in subparagraph “C” of the Commercial Computer SOFTWARE - Restricted Rights clause at FAR 52.227-19. In the event the sale is to a DOD agency, the government's rights in software, supporting documentation, and technical data are governed by the restrictions in the Technical Data Commercial Items clause at DFARS 252.227-7015 and DFARS 227.7202.

Manufacturer is Network Instruments, 10701 Red Circle Drive, Minnetonka, MN 55343, USA.
Technical Support

Network Instruments provides technical support by phone (depending on where you are located):

- US & countries outside Europe: (952) 358-3800
- UK and Europe: +44 (0) 1959 569880

By fax (depending on where you are located):

- US & countries outside of Europe: (952) 358-3801
- UK and Europe: +44 (0) 1959 569881

Or by e-mail:

- US & countries outside of Europe: support@networkinstruments.com
- UK and Europe: support@networkinstruments.co.uk

Network Instruments provides technical support for a period of 90 days after the purchase of the product at no charge. After the 90-day initial support period, support will only be provided to those customers who have purchased a maintenance agreement. Telephone technical support hours are between 9:00 am and 5:00 pm (local time for each office).

Suggestions are welcomed. Many of the improvements made to our products have originated as end user suggestions. Please submit detailed suggestions in writing to support@networkinstruments.com or by fax at (952) 358-3801. Please submit any corrections to or criticism of Network Instruments’ publications to pubs@networkinstruments.com or by fax at (952) 358-3801.

To subscribe to the Network Instruments e-mail newsletter (delivered in HTML format), send an e-mail to listserver@networkinstruments.com with the word “subscribe” in the subject line.

Contents

Chapter 1: About the GigaStor
  GigaStor versions ..... 14

Chapter 2: Installing Your GigaStor
  Unpacking and inspecting the parts ..... 18
  Installing the GigaStor and connecting the cables ..... 19
    Setting the GigaStor’s IP address ..... 19
  Connecting Observer to the GigaStor ..... 22
    Redirecting the GigaStor probe ..... 22
    Probe administration ..... 24
    GigaStor Capture Analysis ..... 29
  Configuring Observer for your Gigabit device ..... 31
    Jumbo Frame Support (Gigabit Ethernet) ..... 31
    Configuring Terms of Service and Quality of Service settings ..... 32
  Configuring Observer for your WAN device ..... 33
    Digital DS3/E3/HSSI Probe Settings ..... 34
    Digital T1/E1 Probe Settings ..... 35
    Serial T1/E1 Probe Settings ..... 36
  Tapping an Ethernet or Fibre Channel connection ..... 37
    10/100/1000, 10GbE Optical, and Fibre Channel ..... 37
    Gigabit copper ..... 40
  Tapping a WAN connection ..... 42
    T1/E1 ..... 42
    DS3/E3 ..... 46
  Installing the drives in your GigaStor ..... 50
    Connecting the GigaStor Expandable to the expansion units ..... 52

Chapter 3: Packet Capture or GigaStor Capture
  Capturing Packets with the GigaStor ..... 54
  Packet capture buffer and statistics buffer ..... 54

Chapter 4: GigaStor Control Panel
  Display Controls ..... 59
  Right-click menus ..... 60
  Analyze button ..... 61
  Configuring the GigaStor through the Control Panel ..... 63
    GigaStor Options tab ..... 64
    GigaStor Chart tab ..... 67
    GigaStor Outline ..... 67
    Capture Graph tab ..... 69
    GigaStor Schedule tab ..... 70
    Statistics Lists tab ..... 71
    Subnet ..... 72
    GigaStor reports ..... 75
    Export ..... 77

Chapter 5: Using Observer with a WAN Probe
  Discover Network Names ..... 80
    Setting the Committed Information Rate (CIR) for a DLCI ..... 80
  WAN Bandwidth Utilization ..... 82
  WAN Vital Signs by DLCI ..... 83
  WAN Load by DLCI ..... 84
  WAN Top Talkers ..... 86
  WAN Filtering ..... 87
  Triggers and Alarms ..... 88

Chapter 6: Forensic Analysis using Snort
  Starting Forensic Analysis using Snort rules ..... 92
    Creating a forensic analysis profile from the GigaStor control panel ..... 94
    About Forensic Analysis tab ..... 98
    About the Forensic Analysis Log tab ..... 99
  Forensic Analysis Profile field descriptions ..... 100
    Forensic Analysis Profile Settings tab ..... 100
    Rules tab ..... 106

Chapter 7: Observer on the GigaStor
  Using the Observer console locally on the GigaStor ..... 108

Chapter 8: Probe Instances
  What is a probe instance? ..... 112

Chapter 9: Gen2 Capture Card
  Swapping the Gen2 card’s SFP or XFP interfaces ..... 116
  Configuring virtual adapters on the Gen2 card ..... 116
  Viewing the Gen2 card’s properties and finding the board’s ID ..... 120

Appendix A: TCP/IP ports, NAT, and VPN
  TCP/IP ports ..... 124
  NAT ..... 124
  VPN ..... 125

Appendix B: GigaStor, GigaStor Expandable, and Expansion Unit Cases
  GigaStor ..... 128
  GigaStor Expandable ..... 129
    Controller unit ..... 129
    Expansion unit ..... 130

Appendix C: GigaStor Portable
  Running Observer passively ..... 136
  Using the portable GigaStor as a probe ..... 137

Index ..... 139

Chapter 1: About the GigaStor

GigaStor versions

The GigaStor is an enterprise-strength network probe appliance. The GigaStor combines a multi-terabyte, high-performance Redundant Array of Independent Disks (RAID) with a dedicated, high-speed network capture card in a modular, easy-to-deploy appliance. There are these versions of the GigaStor:

- GigaStor
- GigaStor Expandable: a controller PC along with one, two, or three disk expansion units that can store up to a total of 288 terabytes of data.
- GigaStor SAN: a controller PC that connects to your SAN to write its data. It uses a fibre channel host bus adapter that can operate at 1, 2, or 4 Gigabit speed for connectivity.
- GigaStor Portable: a portable GigaStor

Figure 1 GigaStor models (GigaStor, GigaStor Expandable, GigaStor SAN, GigaStor Portable)

NOTE: Unless specifically noted, all information in this manual applies to all versions of the GigaStor: GigaStor, GigaStor Expandable, GigaStor SAN, and GigaStor Portable.

If your GigaStor is configured to monitor Gigabit Ethernet, 10Gb Ethernet, and Fibre Channel connections, the capture card is a Gen2 card with SFP (or XFP) modules. This allows you to hot-swap any SFP-compliant connectors into your appliance. This makes it possible to use the same probe to monitor different types of links as needed. For example, you can easily convert the capture card from optical to copper, allowing you to connect the GigaStor to different test access points (TAPs) or switch port analyzer (SPAN) or mirror interfaces.

If your GigaStor is configured to monitor WAN (such as E1, T1, E3, DS3, or HSSI) connections, your GigaStor has a specialized WAN capture card.
It does not have SFP or XFP connectors. The GigaStor can be used with the Expert Observer console or Observer Suite to troubleshoot your network. Alternatively, you can run the probe in “local console” mode, allowing you to analyze GigaStor-collected data locally.The local console on the GigaStor is Observer Expert. However, we recommend that you use Observer on a remote system to analyze the data. rev. 1 GigaStor versions 15 Chapter 1 About the GigaStor 16 GigaStor versions Chapter 1 About the GigaStor rev. 1 Chapter 2 Installing Your GigaStor 17 rev. 1 Chapter 2 Installing Your GigaStor The general steps to install your GigaStor are: F “Unpacking and inspecting the parts” on page 18 F “Installing the GigaStor and connecting the cables” on page 19 F “Connecting Observer to the GigaStor” on page 22 Additional steps to complete the installation are: F “Configuring Observer for your Gigabit device” on page 31 F “Configuring Observer for your WAN device” on page 33 F “Tapping an Ethernet or Fibre Channel connection” on page 37 F “Tapping a WAN connection” on page 42 F “Installing the drives in your GigaStor” on page 50 Unpacking and inspecting the parts Your GigaStor includes a number of components. Take a moment after unpacking the kit to locate all of the parts. F One rack-mountable GigaStor system with an installed 10/ 100/1000 Ethernet network interface (management) card. F Appropriate capture interface (Gen2 or WAN). F The rack unit may also include a rail kit depending on which model was purchased. F Windows XP 64-bit operating system and a restore DVD specific for your GigaStor. F TAP kits for your topology (Ethernet, Fibre Channel, or WAN), except for the GigaStor 2TE. F Cables F Ethernet cable for each 10/100/1000 interface in your GigaStor. F Connection cables to connect your GigaStor to a TAP or switch. 18 Unpacking and inspecting the parts Chapter 2 Installing Your GigaStor rev. 
1 Installing the GigaStor and connecting the cables 1 Install the GigaStor and any expansion units into your rack using the supplied rails. Instructions for installing the rail kits are provided in the rail kit box. 2 Install the drives into the GigaStor and any expansion units. See “Installing the drives in your GigaStor” on page 50. 3 Connect the GigaStor, TAP, and cables. See: Q Q Q Q “Tapping an Ethernet or Fibre Channel connection” on page 37 for details about optical and copper Gigabit Ethernet, 10 Gigabit Ethernet, and Fibre Channel connections. “Tapping a WAN connection” on page 42 for details about T1/E1 and DS3 connections. “Connecting the GigaStor Expandable to the expansion units” on page 52. See the fibre channel host bus adapter (QLogic or other third party) documentation included in the GigaStor packaging if you are using a GigaStor SAN. Setting the GigaStor’s IP address At this point you have physically installed the hardware and connected all the cables. Now, you must turn on the GigaStor and configure the software. rev. 1 1 Connect a monitor, keyboard, and mouse to the GigaStor and ensure the GigaStor is plugged into a power outlet. These are only needed temporarily to set the IP address. You can disconnect them when you are finished. Alternatively, you can use Windows Remote Desktop to connect to the GigaStor to make these changes. The default IP address is 192.168.1.10. 2 If you are using a GigaStor Expandable, remember to start the disk expansion units. 3 Turn on the system. On the back of the GigaStor ensure the power switch is turned on. Then on the front of the GigaStor, press the power button until the system starts to turn on. Installing the GigaStor and connecting the cables 19 Chapter 2 Installing Your GigaStor 4 Ensure that each drive’s power/activity light is lit. If a drive’s light is not lit, it is likely that the drive is not seated properly. Turn off the GigaStor and reseat the drives. 
For more information, see “Installing the drives in your GigaStor” on page 50.
5. Log in using the Administrator account. The default Administrator password is admin. Change it during initial setup, before the GigaStor is reachable from the rest of the network.
6. Click Start → Control Panel → Network and Internet Connections → Network Connections. Right-click Local Area Connection and choose Properties.
7. Select Internet Protocol (TCP/IP) from the list and click Properties (Figure 2).

Figure 2 Default TCP/IP settings

8. Set the IP address, subnet mask, gateway, and DNS server for your environment and click OK. Click OK again to close the Local Area Connection Properties dialog. Close the Network Connections window.
9. Right-click the Probe Service Configuration Applet in the system tray and choose Open Probe Configuration.

Figure 3 Probe Service Configuration Applet

10. The Probe Administration window opens. Click the Probe Options tab (Figure 4).

Figure 4 Probe Options

11. Change the name of the probe to something meaningful to you, such as the physical location of the probe. Click Apply to save your changes and close the window.

By default the GigaStor runs the Expert Probe as a Windows service that starts automatically at system startup. This prevents you from using the Observer console on the GigaStor itself; you must connect to the GigaStor using Observer on a different system. If you want to use the Observer console locally, see “Using the Observer console locally on the GigaStor” on page 108.

Connecting Observer to the GigaStor

This section assumes you have already installed Observer on your desktop or laptop. If not, install the software; you can download it from the Network Instruments website.
There are three main tasks to connect Observer to your GigaStor:

- “Redirecting the GigaStor probe” on page 22
- “Probe administration” on page 24
- “GigaStor Capture Analysis” on page 29

Redirecting the GigaStor probe

1. Choose Start → All Programs → Observer → Observer. Observer opens.
2. Select Actions → Redirect Probe (Figure 5).

Figure 5 Remote Probe Administration and Redirection

3. Click New to add the GigaStor to the Probe Administration and Redirection list. Figure 6 appears.

Figure 6 Edit Remote Probe Entry

4. Type the IP address that you assigned to the GigaStor in step 7 in “Setting the GigaStor’s IP address” on page 19 and click OK. You may leave the other fields blank; if you type a name, the name will change after Observer connects to the remote probe. The GigaStor appears in the list of probes available for redirection (Figure 7).

Figure 7 Probe added to Remote Probe Administration and Redirection

5. Select the GigaStor probe and then click Redirect Selected Probe (Figure 8).

Figure 8 Probe Instance Redirection

6. Select the probe instance and click Redirect Selected Instance. Figure 9 appears.

Figure 9 Redirecting Probe or Probe Instance

7. Choose the “Redirect to this Observer” option, then click the Redirect button. Within 30 seconds the GigaStor will connect to the local Observer. If you use NAT, see “NAT” on page 124.
8. Close the Probe Instance Redirection window.

Probe administration

Now that your GigaStor is connected to your Observer console, you can administer it.

1. Click Probe Administration (see Figure 7). The Probe Administration Login window opens.

Figure 10 Remote Probe Administration

2. Ensure “Login using a user account configured for this Probe” is selected and click OK.
The Probe Administration window opens to the Memory Management tab (Figure 11).

Figure 11 Memory Management tab

3. Select the Network 1 probe instance and click Rename. Choose a name that is meaningful to you for the probe instance name and click OK. By default, Network 1 is the active probe instance for your GigaStor. For details about active and passive probe instances, see “Probe Instances” on page 111.

By default all of the installed memory on the GigaStor is dedicated to one probe instance. You must first release that memory so that you can assign the freed memory to other probe instances.

4. With the newly renamed probe instance still selected, click Configure Memory (Figure 12) at the top of the window.

Figure 12 Edit Probe Instance: Capture Buffer Memory

5. Use the arrows to release some memory. Free enough memory to create your probe instances and click OK. At a minimum, each probe instance requires 12 MB of memory: 4 MB for statistics and 8 MB for packet capture. Don’t worry about freeing too much memory; if you determine you released too much, you can reallocate it later to the capture buffer or to the operating system.

Because Observer operates in real time, its buffers must always remain in RAM. If the buffers resided in standard Windows user memory, nothing would prevent the buffer from being swapped out to disk, with packet loss as the result. For this reason, the probe reserves its memory from Windows at startup so that no other application can use it and cause the buffer to be swapped out to disk. For more information about buffers, see “Packet capture buffer and statistics buffer” on page 54.

6. Click the GigaStor Instances tab (Figure 13).

Figure 13 GigaStor Instances

7. Click New Instance. Figure 14 appears.

Figure 14 Edit Probe Instance: Name

8. You are configuring a GigaStor probe to capture data and write it to the hard drive, so ensure “Probe instance” is selected as the Instance type. Type a name and description and click Next.

Figure 15 Edit Probe Instance: Configure Memory

9. From the RAM that you released earlier, assign some of it to this probe instance and click Next.
10. Ensure the correct network adapter is selected and click Finish to redirect the GigaStor to your local Observer console.

Figure 16 Edit Probe Instance: Connect to Console

11. Repeat step 7 through step 10 until you have created all of your probe instances. Any unused memory should be reallocated to the packet capture buffer of the active probe instance or to the operating system.
12. Click OK to close the Probe Administration window. After a moment the GigaStor probe and any probe instances appear in the Observer Probe list along the left side of the main Observer window.

GigaStor Capture Analysis

1. Click Capture → GigaStor Capture Analysis to begin viewing network traffic that passes through the GigaStor probe. The GigaStor Control Panel opens (Figure 17).

Figure 17 GigaStor Control Panel

At this point the data is not being written to disk unless you manually click the Start button. With most GigaStor installations, you want the GigaStor probe to always be writing its data to disk.

2. Click Settings in the middle of the top menu bar. The GigaStor Settings window opens. Click the Schedule tab.

Figure 18 GigaStor Settings Schedule tab

3. In the Schedule GigaStor Capture section, select Always. For more information about a packet capture vs. a GigaStor capture, see “Packet Capture or GigaStor Capture” on page 53.
4. In the Reserve scheduling for section, select GigaStor and click OK.
You may receive a notice about the scheduling reservation. If you do, click Yes to change the scheduling.

You have installed your GigaStor! Now you must configure some settings in Observer before getting the maximum results from your new network analysis tool.

- If you are monitoring a Gigabit connection, you must configure the Gigabit device. See “Configuring Observer for your Gigabit device” on page 31 for details.
- If you are monitoring a WAN connection, you must configure the WAN device. See “Configuring Observer for your WAN device” on page 33 for details.
- If you are monitoring any other connection, begin using Observer to analyze the data. To get started, use the GigaStor Control Panel. It is described in “GigaStor Control Panel” on page 57.

Configuring Observer for your Gigabit device

Depending on your probe and your network, you may need to make some changes from the factory defaults.

- “Jumbo Frame Support (Gigabit Ethernet)” on page 31
- “Configuring Terms of Service and Quality of Service settings” on page 32

Jumbo Frame Support (Gigabit Ethernet)

When a Gigabit Ethernet GigaStor is the selected probe, Observer displays an additional Gigabit tab on the Probe or Device Setup dialog. This allows you to adjust the maximum frame size. The default is 1514 bytes (excluding the frame checksum), which is appropriate for standard Ethernet. If the network link you are analyzing is configured to support jumbo frames (i.e., frames larger than 1514 bytes), you may want to change this setting to match the frame size of the Gigabit network, up to a maximum size of 9014 bytes. Observer discards frames that exceed the configured maximum frame size and generates a “Frame too large” error, so on a jumbo-frame link a maximum left at the default drops those frames from the capture.

1. Select the gigabit probe and right-click. A menu appears. Choose Probe or Device Settings.
2. Click the Gigabit tab (Figure 19).
3. Change the frame size to suit your needs and click OK.
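The check described above, as an added example that is not Observer's or Network Instruments' code: it models the maximum-frame-size setting on constructed Ethernet frames, comparing each frame's length with the frame checksum excluded against the 1514-byte default or a jumbo value up to 9014, and records a "Frame too large" error for every frame it discards. The frame layout, function names and sample sizes are this example's own assumptions.

```python
"""Maximum-frame-size check applied to captured Ethernet frames.

Added illustration, not Observer's or the GigaStor's own code. It models the
behaviour described above: a frame whose length (frame checksum excluded)
exceeds the configured maximum is discarded with a "Frame too large" error.
The defaults are the manual's values: 1514 bytes for standard Ethernet and a
9014-byte ceiling for jumbo frames. The frames below are constructed samples.
"""
from dataclasses import dataclass, field

DEFAULT_MAX_FRAME = 1514   # standard Ethernet, FCS excluded
JUMBO_MAX_FRAME = 9014     # largest value the Gigabit tab accepts
FCS_LEN = 4                # frame check sequence appended on the wire


@dataclass
class CaptureStats:
    accepted: int = 0
    discarded: int = 0
    errors: list = field(default_factory=list)


def build_frame(payload_len: int) -> bytes:
    """Construct a minimal Ethernet II frame (constructed sample data):
    dst MAC, src MAC, EtherType 0x0800, zero payload, dummy 4-byte FCS."""
    header = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return header + b"\x00" * payload_len + b"\xde\xad\xbe\xef"


def frame_too_large(frame: bytes, max_frame: int = DEFAULT_MAX_FRAME) -> bool:
    """True if the frame, with its FCS stripped, exceeds the configured maximum."""
    if not DEFAULT_MAX_FRAME <= max_frame <= JUMBO_MAX_FRAME:
        raise ValueError(
            f"maximum frame size must be between {DEFAULT_MAX_FRAME} and {JUMBO_MAX_FRAME}")
    return len(frame) - FCS_LEN > max_frame


def filter_capture(frames, max_frame: int = DEFAULT_MAX_FRAME) -> CaptureStats:
    """Keep frames that fit; record a "Frame too large" error for each one that does not."""
    stats = CaptureStats()
    for index, frame in enumerate(frames):
        wire_len = len(frame) - FCS_LEN
        if frame_too_large(frame, max_frame):
            stats.discarded += 1
            stats.errors.append(f"frame {index}: Frame too large ({wire_len} > {max_frame} bytes)")
        else:
            stats.accepted += 1
    return stats


# Constructed sample: payload lengths straddling both the 1514 and 9014 limits.
SAMPLE_FRAMES = [build_frame(n) for n in (46, 1500, 1501, 9000, 9001)]


if __name__ == "__main__":
    for limit in (DEFAULT_MAX_FRAME, JUMBO_MAX_FRAME):
        result = filter_capture(SAMPLE_FRAMES, limit)
        print(f"max {limit}: accepted={result.accepted} discarded={result.discarded}")
        for err in result.errors:
            print("  ", err)
```

Running it with the default limit discards the 1501-, 9000- and 9001-byte-payload frames; raising the limit to 9014 keeps the 9000-byte one and still rejects the frame that is one byte over. The point for a capture deployment is that the errors are the only trace of the dropped frames, so the setting has to match the link before the capture is trusted.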
Figure 19 Gigabit tab

Configuring Terms of Service and Quality of Service settings

The ToS/QoS settings are configured for each probe.

1. Select the gigabit probe and right-click. A menu appears. Choose Probe or Device Settings.
2. Click the ToS/QoS tab (Figure 20).
3. Specify the IP precedence bits for the terms of service/quality of service for your network.

Figure 20 ToS/QoS tab

Configuring Observer for your WAN device

There are a number of setup options and statistical displays unique to WAN Observer, which are described in the following subsections. Before you can analyze the WAN link, you must set some device options. You must also have the appropriate administrative privileges to change WAN device settings.

- “Digital DS3/E3/HSSI Probe Settings” on page 34
- “Digital T1/E1 Probe Settings” on page 35
- “Serial T1/E1 Probe Settings” on page 36

After configuring your connection, you should begin using Observer to monitor your connections. To get started, use the information in “Using Observer with a WAN Probe” on page 79.

Digital DS3/E3/HSSI Probe Settings

To access the probe settings, select the probe, right-click and choose Probe or Device Settings. Then click the DS3/E3/HSSI tab (Figure 21).

Figure 21 DS3/E3/HSSI Probe Settings

Table 1 describes the fields in Figure 21.

Table 1 DS3/E3/HSSI probe settings

WAN Type: Choose DS3 (T3), E3 or HSSI to match the type of link you are analyzing, then choose the frame check sequence (FCS) standard: CRC-16 (the default) or CRC-32.
Encapsulation: You must set this to match the settings on the frame relay CSU/DSU.
Subprotocol: If ATM or LAPB is the selected encapsulation method, you must choose the subprotocols on the link.
Fractionalized: Check if your link is configured for fractionalized operation. Fractionalized DS3 and E3 are not supported.
Bandwidth (HSSI): Set to match the bandwidth and channel settings of the fractionalized HSSI link under analysis.

Digital T1/E1 Probe Settings

To access the probe settings, select the probe, right-click and choose Probe or Device Settings. Then click the T1/E1 tab (Figure 22).

Figure 22 T1/E1 WAN Probe Settings

Table 2 describes the fields in Figure 22.

Table 2 T1/E1 WAN Probe Settings

WAN/Frame Relay Type: Choose T1 or E1 to match the type of link you are analyzing.
Encapsulation: You must set this to match the settings on the frame relay CSU/DSU.
Subprotocol: If ATM or LAPB is the selected encapsulation method, you must choose the subprotocols on the link.
Link 1 and Link 2 Channel Settings (note that for the link and its settings to be activated, you must check the On check box for that link):
  Fractionalized: Check if this link is configured for fractionalized operation.
  Channel selector check boxes: Choose the channels you want included in the analysis.
  Include in Util. Thermometer: Check if you want to include statistics from this link in the Bandwidth Utilization Thermometer.

Serial T1/E1 Probe Settings

Table 3 describes the fields for a serial T1/E1 connection.

Table 3 Serial T1/E1 probe settings

WAN/Frame Relay Type: Choose T1 or E1 to match the type of link you are analyzing.
Encapsulation: You must set this to match the settings on the frame relay router.
Fractionalized: Check if your link is configured for fractionalized operation.
Bandwidth: Set to match the bandwidth setting of the link you are analyzing.

Tapping an Ethernet or Fibre Channel connection

This section describes how to connect the cables for these environments:

- “10/100/1000, 10GbE Optical, and Fibre Channel” on page 37
- “Gigabit copper” on page 40

10/100/1000, 10GbE Optical, and Fibre Channel

The optical Ethernet kit includes:

- Optical TAP
- One, two, or four full duplex optical cables, depending on which Gen2 card you purchased
- One, two, or four optical Y-analyzer cables

To connect the TAP to the GigaStor:

1. Insert the supplied SFP connectors (XFP connectors for 10GbE) into the open slots on the back of the Gen2 card(s).
2. If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting the expansion units. After connecting them, continue with step 3.
3. Connect the TX Data Circuit-terminating Equipment (DCE) or SAN port to the Link A port on the nTAP.
4. Connect the TX port on the Gigabit switch (DCE) or Fibre Channel fabric to the Link B port on the nTAP.
5. Use the Y-analyzer cable to connect the nTAP to the Gen2 capture card in the GigaStor. If you have more than one nTAP, repeat for each additional nTAP.

Figure 23 Gen2 card port assignments (panels: 2-port, 4-port, 8-port: mainboard and daughter board, 2-port 10 Gb; each port is labeled DCE or DTE. Note: straight-through cable)

Use the supplied Ethernet cable to connect the network interface card in the GigaStor to the network.

If you are using a switch’s SPAN/mirror port, no nTAP is required. Simply plug any straight-through or fibre cable between the SPAN/mirror port and one of the ports on the Gen2 capture card. Fibre Channel has auto-negotiation disabled by default; you must enable it first, then connect it to the SPAN or mirror port on your switch.
Now that you have physically connected the cables for the GigaStor, you must configure its software. See “Setting the GigaStor’s IP address” on page 19.

Figure 24 shows the GigaStor cabled to analyze a server. The TAP can replace the connection between any DCE (Data Circuit-terminating Equipment) and DTE (Data Terminal Equipment) device or connection.

Figure 24 GigaStor with an optical nTAP (diagram: Server (DTE) and Gigabit Switch (DCE) linked through the Optical TAP’s RX/TX pairs; the Gen2 card in the GigaStor or GigaStor Expandable receives the tapped traffic, and the 10/100/1000 NIC carries TCP/IP to the Observer Console)

Gigabit copper

The Gigabit copper kit includes:

- Copper nTAP
- 1, 2, or 4 standard Ethernet cables
- 2, 4, or 8 analyzer cables

To connect the TAP to the GigaStor:

1. Insert the supplied SFP connectors into the open slots on the back of the Gen2 card(s).
2. If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting them. After connecting them, continue with step 3.
3. Connect the TX Data Circuit-terminating Equipment (DCE) or SAN port to the Link A port on the nTAP.
4. Connect the TX port on the Gigabit switch (DCE) to the Link B port on the nTAP.
5. Use the two analyzer cables to connect the analyzer port on the nTAP to the Gen2 capture card in the GigaStor. If you have more than one nTAP, repeat for each additional nTAP.

Figure 25 8-port Gen2 card port assignments (panels: 2-port, 4-port, 8-port: mainboard and daughter board; each port is labeled DCE or DTE. Note: pass-through cable)

Use the supplied Ethernet cable to connect the network interface card in the GigaStor to the network.
If you are using a switch’s SPAN/mirror port, no nTAP is required. Simply plug any straight-through Ethernet cable into the SPAN/mirror port on the switch and one of the ports on the Gen2 capture card.

Now that you have physically connected the cables for the GigaStor, you must configure its software. See “Setting the GigaStor’s IP address” on page 19.

Figure 26 shows the GigaStor as it would be cabled to analyze a server. The TAP can replace the gigabit connection between any DCE (Data Circuit-terminating Equipment) and DTE (Data Terminal Equipment) device or connection.

Figure 26 GigaStor with a copper TAP (diagram: Server (DTE) and Gigabit Switch (DCE) linked through the Gigabit Copper TAP; the Gen2 card in the GigaStor or GigaStor Expandable receives the tapped traffic, and the 10/100/1000 NIC carries TCP/IP to the Observer Console)

Tapping a WAN connection

This section describes how to connect the cables for these environments:

- “T1/E1” on page 42
- “DS3/E3” on page 46

T1/E1

See “Digital” on page 42 or “Serial” on page 44 depending on your needs.

Digital

The digital T1/E1 kit includes:

- One T1/E1 dual link TAP
- One T1/E1 WAN analyzer cable
- Two T1/E1 Ethernet cables

1. If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting them. After connecting them, continue with step 2.
2. Connect the TAP to the GigaStor using the T1/E1 WAN analyzer cable.
3. From the T1/E1 cable that connects the DCE to your CSU/DSU, unplug the CSU/DSU end and plug it into the Link 1 IN port on the TAP.
4. Using one of the supplied T1/E1 Ethernet cables, connect the Link 1 OUT port of the TAP to the CSU/DSU.
5. If you have a second T1 you want to monitor, repeat step 3 and step 4 using Link 2.
6. Use the supplied Ethernet cable to connect the network interface card in the GigaStor to the network.

Now that you have physically connected the cables for the GigaStor, you must configure its software. See “Setting the GigaStor’s IP address” on page 19.

Figure 27 shows the GigaStor as it would be cabled to analyze a T1/E1 link with a Channel Service Unit/Data Service Unit (CSU/DSU). The 4-port version of this system has an additional PC interface card and an additional TAP and cable kit; connect the second TAP kit as shown in the diagram.

Figure 27 Digital T1/E1 Tap (diagram: Router or CSU/DSU (DTE) and T1 Line (DCE) linked through the T1 TAP; the Gen2 card in the GigaStor or GigaStor Expandable receives the tapped traffic, and the 10/100/1000 NIC carries TCP/IP to the Observer Console)

Serial

The serial T1/E1 kit includes:

- One serial T1/E1 WAN TAP
- One serial Y cable
- One serial T1 WAN cable

1. If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting them. After connecting them, continue with step 2.
2. Connect the TAP to the GigaStor using the serial T1/E1 WAN cable.
3. Connect the serial Y cable to the TAP and then to your CSU/DSU and your router.
4. Use the supplied Ethernet cable to connect the network interface card in the GigaStor to the network.

Now that you have physically connected the cables for the GigaStor, you must configure its software. See “Setting the GigaStor’s IP address” on page 19.

Figure 28 WAN Serial T1/E1 TAP (diagram: CSU/DSU (DTE) and Router (DCE) linked through the Serial T1/E1 TAP, whose panel carries MODE, DTE A/B, DCE, POWER, OUTPUT and ACTIVE indicators; the GigaStor or GigaStor Expandable receives the tapped traffic, and its 10/100/1000 NIC carries TCP/IP to the Observer Console)

DS3/E3

See “Digital” on page 46 or “Serial/HSSI” on page 48 depending on your needs.
Digital

The digital DS3/E3 kit includes:

- One digital DS3/E3 TAP
- One digital DS3/E3 WAN cable
- Two full-duplex DS3/E3 coax cables

1. If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting them. After connecting them, continue with step 2.
2. Connect the TAP to the GigaStor using the supplied digital DS3/E3 WAN cable.
3. From the coax cables that connect the router to your CSU/DSU, unplug the ends of both cables connected to the CSU/DSU and plug them into the IN ports on the TAP.
4. Using the supplied coax cables, connect the OUT ports on the TAP to the CSU/DSU.
5. Use the supplied Ethernet cable to connect the network interface card in the GigaStor to the network.

Now that you have physically connected the cables for the GigaStor, you must configure its software. See “Setting the GigaStor’s IP address” on page 19.

Figure 29 DS3/E3 TAP (diagram: CSU/DSU (DTE) and DS3 Line (DCE) linked through the DS3 TAP’s IN (RX) and OUT (TX) ports on the DTE and DCE sides; the TAP carries LOS, LOF and POWER indicators; the GigaStor or GigaStor Expandable receives the tapped traffic, and its 10/100/1000 NIC carries TCP/IP to the Observer Console)

Serial/HSSI

The serial DS3 kit includes:

- One serial DS3/E3 TAP
- One HSSI Y-cable
- One HSSI cable
- One Ethernet cable

1. If you have a GigaStor Expandable, see “Connecting the GigaStor Expandable to the expansion units” on page 52 for details about connecting them. After connecting them, continue with step 2.
2. Connect the TAP to the GigaStor using the supplied HSSI Y-cable.
3. From the serial HSSI cable that connects the router to your CSU/DSU, unplug the CSU/DSU end and plug it into the IN port on the TAP.
4. Using the supplied HSSI cable, connect it to the OUT port on the TAP.
5. Use the supplied Ethernet cable to connect the network interface card in the GigaStor to the network.
Now that you have physically connected the cables for the GigaStor, you must configure its software. See “Setting the GigaStor’s IP address” on page 19.

Figure 30 WAN HSSI (diagram: CSU/DSU (DTE) and Router (DCE) linked through the HSSI TAP’s HSSI IN and HSSI OUT ports; the GigaStor or GigaStor Expandable receives the tapped traffic, and its 10/100/1000 NIC carries TCP/IP to the Observer Console)

Installing the drives in your GigaStor

CAUTION: HANDLING THE DRIVES

Be especially careful when handling and installing the hard drives. Proper handling is paramount to the longevity of the unit. The internal mechanism of the hard drive can be seriously damaged if the hard drive is subjected to forces outside its environmental specifications. When transporting the hard drive, always use the original packaging in which the hard drive was delivered to you, and avoid exposing the hard drive to extreme changes in temperature to minimize the risk of condensation.

- Never drop the unit. Handle it with care.
- Never place the hard drive in the vicinity of equipment giving off strong magnetic fields, such as CRT monitors, televisions, or loudspeakers.
- Always use an anti-static mat and wrist strap when handling the hard drive. Hold the hard drive by the base and never touch the components on the circuit board assembly.
- If the temperature difference between the storage location and the installation location exceeds 50°F/10°C, leave the hard drive in the new location for at least two hours before turning it on so that it can acclimate.

Each drive for the GigaStor is packed in a shock-resistant box. The tray that holds each drive has two optical pipes that run along the right side. These pipes are connected to the indicator lights on the front of the tray and are prone to cracking or breaking if you squeeze the sides of the tray too tightly.
Stickers on each drive identify which slot (and expansion unit) it should be installed in. The drive labeled A1 must be installed in the lower left slot. The disk expansion units for the GigaStor Expandable are labeled A, B, or C on the back of the expansion unit’s case.

1. Open the locking latch by pushing the release tab until the tray panel pops out.
2. Gently, but firmly, push the A1 drive into the appropriate slot until you feel the pins engage and the latch closes slightly.

Figure 31 shows how the drive numbers correspond to slot locations.

Figure 31 GigaStor drive locations (panels: GigaStor (8 drive), GigaStor (16 drive), GigaStor Expandable expansion units, with the Drive ID sticker and the caution GIGASTOR EXPANDABLE DRIVE LOCATION)

It is important that you install the drives in the correct drive slot, and in the correct expansion unit if you have a GigaStor Expandable. Failure to install the drives in the proper order will result in poor read/write performance or possibly RAID array failure.

3. Push the latch in all the way until it clicks.
4. Repeat until all drives are in the chassis. For the GigaStor Expandable, continue with B1-B16 and C1-C16 as appropriate.
5. If you are installing a GigaStor Expandable, you must also connect the cables. See “Connecting the GigaStor Expandable to the expansion units” on page 52. Otherwise, continue with “Installing the GigaStor and connecting the cables” on page 19.
Connecting the GigaStor Expandable to the expansion units

After you have installed the drives, use the supplied cables to connect the expansion units to the GigaStor Expandable. Figure 32 shows how to cable the GigaStor Expandable to the expansion units.

Figure 32 Cable diagram for the GigaStor Expandable (diagram: port groups A, B and C, numbered 1 to 4, on the GigaStor Expandable and on the expansion units)

Then continue with “Installing the GigaStor and connecting the cables” on page 19.

NOTE: GIGASTOR EXPANDABLE

When turning the GigaStor Expandable components on and off, follow this order to ensure proper drive recognition and operation:

- Start the disk expansion units before turning on the capture/controller PC unit.
- Shut down the capture/controller PC unit before turning off the disk expansion units.

Chapter 3 Packet Capture or GigaStor Capture

Capturing Packets with the GigaStor

A GigaStor can accumulate terabytes of stored network traffic. To manage the sheer volume of data, the GigaStor includes an alternative, specialized capture and analysis control panel. The GigaStor Control Panel manages the capture, indexing, and storage of large numbers of packets over long periods of time. While the GigaStor control panel is active, standard packet captures are unavailable; you cannot run the two types of captures simultaneously.

While actively capturing packets, the GigaStor control panel tracks network statistics and indexes them by time as it saves the packets to disk. This allows you to quickly scan the traffic for interesting activity and create filters to focus on specific traffic using the slider controls and constraint options. The GigaStor control panel also automates storage management by deleting the oldest data before storage runs out.
This maintains a multi-terabyte “sliding window” of time within which you can review and decode traffic. It also allows for passive (in other words, virtual) probe instances, which let users have their own instances (and security credentials) without duplicating data collection or storage.

You can view the sliding window as a time line chart. The constraints in effect and your display options determine what appears on the chart. By using the time selection sliders and other options, you can quickly acquire and analyze the packets by clicking the Analyze button. This opens the standard packet decode and analysis window. From there you can view packets, save them, and perform further filtering if desired.

Packet capture buffer and statistics buffer

There are two kinds of buffers that a probe uses to store data in real time: capture buffers and statistical buffers. The capture buffer stores the raw data captured from the network, while the statistical buffer stores data entries that are snapshots of a given statistical data point. Selecting an appropriate capture buffer size given system resources is all most users need to worry about; the default settings for the statistical buffers work fine in the vast majority of circumstances.

However, if you are pushing the limits of the system on which the probe is installed by creating many probe instances, you may be able to avoid some performance problems by fine-tuning the memory allocation for each probe instance. For example, suppose you want to give a number of remote administrators access to Top Talkers data from a given probe. You will be able to add more probe instances within a given system’s memory constraints if you set up the statistics buffers to allocate memory only for tracking Top Talkers and not for statistics that no one will be looking at.
Observer has no limitations on the amount of RAM that can be used for a buffer. You can allocate up to 4 gigabytes, limited only by the physical memory installed on your Windows system. Note that when run on 64-bit Windows, there is no 4 GB limitation for the capture buffer; you are limited only by the amount of physical memory installed on the probe. In all cases, the actual buffer size (Max Buffer Size) is also reduced by 7% for memory management purposes. Should you try to exceed the Max Buffer Size, an error dialog is displayed indicating the minimum and maximum buffer size for your Observer (or probe) buffer.

For passive probe instances, which are most often used for troubleshooting, the default settings should be sufficient. If you are creating an active probe instance (one that writes to disk and not just reads from it), then you may want to use the following formula as a rough guideline to determine how much RAM to reserve for the probe instance when doing a packet capture. (This formula does not apply when doing a GigaStor capture to disk. It is only for passive probe instances doing packet captures.)

Network Speed × Average Throughput (MB/second) = Seconds of data storeable in RAM

TIP: CAPTURE BUFFER. You want a buffer that will handle your largest, worst-case burst.

Chapter 4 GigaStor Control Panel

Once the GigaStor is up and running on the network, you can run Expert Observer or Observer Suite to connect to the GigaStor running as a probe to begin analyzing the network, or you can run the GigaStor in Console mode via Windows Terminal Server (or a monitor and keyboard that are physically attached).
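The memory rules given in the probe administration steps (12 MB minimum per instance, 4 MB statistics plus 8 MB capture) and in the paragraph above (Max Buffer Size reduced by 7%, an error reporting the minimum and maximum when a request exceeds it) combined into one planning routine. This is an added example, not Observer's or Network Instruments' code; the function names, the choice to take the 7% off the released pool as a whole, and the RAM figures are its own assumptions.

```python
"""Planning probe-instance memory on a GigaStor.

Added example, not Observer's or Network Instruments' code. It applies the
rules stated in this manual: each probe instance needs at least 12 MB (4 MB
statistics plus 8 MB packet capture), the usable buffer (Max Buffer Size) is
the reserved RAM reduced by 7% for memory management, and a request above the
limit is refused with the minimum and maximum reported, as the error dialog
does. Treating the 7% as taken off the released pool is this example's own
simplification, and the RAM figures are constructed sample values.
"""
from dataclasses import dataclass

STATS_MIN_MB = 4                                   # statistics buffer minimum
CAPTURE_MIN_MB = 8                                 # packet capture buffer minimum
INSTANCE_MIN_MB = STATS_MIN_MB + CAPTURE_MIN_MB    # 12 MB per instance
OVERHEAD_FRACTION = 0.07                           # held back for memory management


def max_buffer_size(reserved_mb: int) -> int:
    """Usable buffer after the 7% reduction, in whole MB."""
    return int(reserved_mb * (1 - OVERHEAD_FRACTION))


@dataclass(frozen=True)
class InstanceRequest:
    name: str
    stats_mb: int
    capture_mb: int

    @property
    def total_mb(self) -> int:
        return self.stats_mb + self.capture_mb


def validate_request(req: InstanceRequest, limit_mb: int) -> None:
    """Raise ValueError carrying the allowed range, as the probe's error dialog does."""
    if req.stats_mb < STATS_MIN_MB or req.capture_mb < CAPTURE_MIN_MB:
        raise ValueError(
            f"{req.name}: minimum is {STATS_MIN_MB} MB statistics + "
            f"{CAPTURE_MIN_MB} MB capture ({INSTANCE_MIN_MB} MB total)")
    if req.total_mb > limit_mb:
        raise ValueError(
            f"{req.name}: {req.total_mb} MB exceeds Max Buffer Size; "
            f"allowed range is {INSTANCE_MIN_MB}-{limit_mb} MB")


def request_is_valid(req: InstanceRequest, limit_mb: int) -> bool:
    """Boolean form of validate_request for callers that do not want the exception."""
    try:
        validate_request(req, limit_mb)
    except ValueError:
        return False
    return True


def plan_instances(released_mb: int, requests) -> dict:
    """Assign released RAM to instances in order; report allocations and leftover.

    Leftover memory is what the manual says to hand back to the active
    instance's capture buffer or to the operating system.
    """
    limit = max_buffer_size(released_mb)
    remaining = limit
    allocations = {}
    for req in requests:
        validate_request(req, remaining)
        allocations[req.name] = req.total_mb
        remaining -= req.total_mb
    return {"max_buffer_mb": limit, "allocations": allocations, "leftover_mb": remaining}


# Constructed sample: 1024 MB released from the active instance, three new instances.
SAMPLE_REQUESTS = [
    InstanceRequest("top-talkers", stats_mb=4, capture_mb=8),     # bare minimum
    InstanceRequest("forensics", stats_mb=16, capture_mb=256),
    InstanceRequest("ops", stats_mb=4, capture_mb=64),
]

if __name__ == "__main__":
    print(plan_instances(1024, SAMPLE_REQUESTS))
```

With 1024 MB released, the 7% reduction leaves 952 MB; the three sample instances take 352 MB and 600 MB is left over to hand back to the active instance or the operating system, which is the reallocation step 11 of the probe administration procedure calls for.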
Observer works with the GigaStor just as it does with any other Network Instruments probe, with some GigaStor-specific enhancements (described below). The GigaStor Control Panel is available from the probe itself (when running in Console Mode), and also from any Observer Expert or Observer Suite console when it is connected to a GigaStor. In either case, choose GigaStor Capture Analysis from Observer’s Capture menu, and a screen like the following is displayed:

Figure 33 GigaStor Control Panel

The GigaStor Control Panel shows traffic on a time line graph, allowing you to select packets for decoding, analysis, and display by defining the time period you want to view and the types of packets you want to include. Use the sliders at the top of the time line chart to select the time period you are interested in analyzing. If desired, you can further constrain the display of packets by MAC Stations, IP Stations, IP Pairs, etc., by clicking on the appropriate tab and selecting the items you want to see on the time line chart.

Display Controls

Charts and statistical tables are refreshed only when you click the Update Chart or Update Statistics button. The buttons flash with a red border when a refresh is necessary. You can also have the display auto-update. For details, see “GigaStor Options tab” on page 64.

You can change the Screen resolution (in other words, the time scale) and which Data type (i.e., packets or bytes, either per second or totals) to chart by using the drop-down controls and the per second check box. The Statistics interval control lets you display network statistics based on the entire visible chart, or show only data derived from the time interval you have selected to analyze.
The FIFO gauge on the right side of the control panel tracks how well GigaStor’s disk hardware is keeping up with the current traffic load. If the FIFO gauge shows 90% or greater, you should consider reducing the load using one or more of the following methods:

• Allocate more memory to the GigaStor instance. See the instructions in “Probe administration” on page 24 for details about allocating memory for the probe instance.
• Activate dynamic sampling, or increase the fixed sampling ratio. See details about packet capture in “Packet capture buffer and statistics buffer” on page 54.
• Activate partial packet capture or reduce the size of the portion captured. See details about partial packet capture in “Capture partial packets” on page 65.

The Rate: field shows how much traffic the GigaStor will be able to archive given the active instance’s current disk usage rate. It is updated dynamically as the usage rates change. To increase the archivable time window, activate partial packet capture and sampling as described above, or apply pre-filtering.

Right-click menus

As with other Observer displays, the charts and tables of the GigaStor Control Panel offer many right-click shortcuts.

• Right-clicking on the chart portion of the Control Panel displays the following options for navigating and displaying traffic data:

Figure 34 Chart right-click menu

  Settings brings up the GigaStor Control Panel settings; the Zoom to Cursor Click Position options let you select from different chart resolutions, centering the display at the current cursor position.

• Right-clicking on any table (such as Summary, TCP, UDP, etc.) presents a context-sensitive menu. The TCP right-click menu is typical:

Figure 35 TCP right-click menu

  The options themselves are self-explanatory. The filtering options displayed depend on which table you right-clicked on.
Analyze button

Figure 36 GigaStor Control Panel Analyze button

When you click the Analyze button to view the results, you are prompted to select how to filter the packet capture for display (Figure 37). After you click OK, any filters you have chosen are applied and a standard decode window is displayed, unless you have checked the “Display selected filter before starting analysis” option, in which case the filter editor is displayed.

Figure 37 GigaStor Analysis Options window

Table 4 describes what the fields in the various sections control.

Table 4 GigaStor Analysis Options

GigaStor Analysis Filter
  Choose whether to Analyze all traffic in the analysis period, Select an Observer filter to apply before decoding, or Create an analysis filter using checked GigaStor entries (in other words, based on the constraints you have selected using the GigaStor Control Panel). Subsequent check boxes let you choose which criteria from the Control Panel selection to include in the analysis. The Include expert information in analysis filter option should be checked if you plan on using Observer’s Expert Analysis on the packet buffer; otherwise leave it unchecked.

Analysis Time Range
  Set the start and end time for analysis. The fields are pre-filled based on the time slider selections made from the GigaStor Control Panel.

Analysis Type
  Choose between Expert analysis and decode, Decode without expert analysis, or Forensic analysis only. Load time is significantly reduced (especially with large files) by bypassing analysis processing for features you are not interested in.

Forensic Analysis
  Select a Forensic Analysis profile. See “Starting Forensic Analysis using Snort rules” on page 92 for details on using this Snort-compatible feature.
Configuring the GigaStor through the Control Panel

Just as with the standard Observer packet capture interface, you can set the colors of the capture graph and schedule captures to be launched automatically (or to run all the time). In addition, there are a number of GigaStor-specific settings that allow you to fine-tune performance based on your particular needs.

1. Open the GigaStor Control Panel (Capture → GigaStor Capture Analysis).
2. Click the Settings button.
3. Click the tab for the settings you want to change.

Figure 38 GigaStor Control Panel Analyze button

These options and settings are described in:

• “GigaStor Options tab” on page 64
• “GigaStor Chart tab” on page 67
• “GigaStor Outline” on page 67
• “Capture Graph tab” on page 69
• “GigaStor Schedule tab” on page 70
• “Statistics Lists tab” on page 71
• “Subnet” on page 72
• “GigaStor reports” on page 75
• “Export” on page 77

GigaStor Options tab

This tab lets you configure many options for the GigaStor. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the GigaStor Options tab (Figure 39).

Figure 39 GigaStor Options tab

See Table 5 for a description of each field of the GigaStor Options tab.

Table 5 GigaStor Options tab

Capture Buffer size
  Allows you to set the amount of Windows memory that Observer will dedicate to the capture buffer cache for this instance. Values are in megabytes. This configuration value has been pre-set for optimum performance given a single GigaStor collection instance. The factory settings also allow enough memory to set up a number of passive or virtual instances, which will allow multiple users to view the analysis results while avoiding redundant processing, memory, and disk storage consumption.
  If you wish to run multiple collection instances to monitor multiple links or networks, you can decrease the capture buffer size dedicated to GigaStor collection, which will release some memory for creating other probe collection instances, but be careful. Inadequate memory allocation to GigaStor collection can affect performance and result in dropped packets during high load periods. A GigaStor instance can be as large as the physical memory installed on your system after subtracting the memory dedicated to Windows and other probe instances. To change the allocation for this probe instance, click the Configure button, which displays the Probe Instance, Memory and Security Administration dialog. In all cases, the actual buffer size (Max Buffer Size) is also reduced by 7% for memory management purposes. Should you try to exceed the Max Buffer Size, an error dialog is displayed indicating the minimum and maximum buffer size for your Observer (or probe) buffer.

Do not include traffic from Observer/Probe local MAC address
  Excludes packets sent and received from the station running Observer or the probe (the MAC address of the station from which you are capturing packets).

Capture partial packets
  By default, Observer captures the entire packet. This option allows you to define a specific amount of each packet to capture to the buffer. For example, a setting of 64 bytes results in Observer capturing only the first 64 bytes of every packet. Most of the pertinent information about the packet (as opposed to the information contained in the packet) is at the beginning of the packet, so this option allows you to collect more packets for a specific buffer size by collecting only the first part of each packet. In some forensic situations, a warrant may only allow an officer/agent to collect, for example, e-mail headers. Also, if the system is having trouble keeping up with bandwidth spikes, collecting partial packets can resolve the issue.
  To change the number of bytes captured in each packet, click Change Size... Note that this setting affects all consoles that connect to this probe. You cannot change this setting unless you have administrative privileges to do so.

Network Load
  When checked, Observer will not strip out the informational markers used by Expert Time Interval and What If analysis modes. Leave this box unchecked unless you intend to use these modes.

Start/Stop Packet Capture marker frames
  When checked, saved packet capture buffers will include markers that timestamp when packet captures were started and stopped.

Wireless Channel Change
  When checked, saved packet capture buffers will include markers that show what channel was being listened to. This is useful if you are using Wireless Site Survey to scan channels.

Packet Sampling
  Packet sampling applies to the control panel statistical displays, not saved packets. On probes connected to highly saturated networks (especially multi-port probes), it is sometimes desirable to adjust the rate of statistical indexing to conserve probe processing and storage resources. The default (and recommended) setting is for Observer to automatically scale back the packets it uses to update the console display based on system load. Alternatively, you can specify a Fixed Sampling Ratio to consider when updating the GigaStor Control Panel charts and statistical displays.

Capture Indexing Information Maximums
  Depending on what kinds of information you are interested in tracking, you can conserve probe processing and especially storage resources by indexing only the information that is useful to you. Of special note is the “Track statistics information per physical port” option. When selected, it causes the GigaStor to index the data it collects by Gen2 capture card physical ports.
  You can then display GigaStor Control Panel statistics by physical port (see the next bullet item).

Display Indexing Information Maximums
  Depending on what kinds of information you are interested in tracking, you can conserve probe processing and resources by indexing only the information that is useful to you.

Collect and Show GigaStor indexing information by
  Depending on what kinds of information you are interested in tracking, you can conserve probe processing and storage resources by indexing only the information that is useful to you.

Track statistics information per physical port
  When selected, causes the GigaStor to index the data it collects by Gen2 capture card physical ports. You can then display GigaStor Control Panel statistics by physical port (see the next bullet item).

Use physical port selections to filter statistics (requires per port tracking information)
  If the previous check box is selected, you can choose this option to display, within the GigaStor Control Panel, statistics sorted by Gen2 capture card physical port. This is useful, for example, when you want to troubleshoot the individual links without having to load the capture buffer by clicking Analyze.

Stop capture when disk is full
  When activated, the GigaStor stops capturing packets when the disk array is full. The default behavior is to use circular (i.e., FIFO) disk writes, causing the oldest buffer files to be overwritten as newer traffic is captured.

Auto-update GigaStor chart on statistics tab or selection change
  When selected, causes the listed actions to have the same effect as clicking the Update Chart/Statistics buttons.

Keep focus on GigaStor when running Forensic Analysis and creating a decode
  Keeps the focus in the GigaStor Control Panel instead of switching to the decode pane.

Update display during statistics processing in 30 second intervals
  When selected, all charts receive updates in 30 second intervals when processing statistics.
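The sizing relationships in this chapter (the 7% memory-management reduction of the Max Buffer Size, the seconds of traffic a RAM capture buffer covers, the way the Capture partial packets slice size lowers the disk write rate, the archivable time window the Rate: field reports, and the 90% FIFO gauge threshold) can be worked through with the following Python helper. It is an added example, not code from this manual or from Network Instruments. The time-in-RAM calculation assumes usable buffer bytes divided by bytes per second, which is the usual sizing relationship and not the formula as printed under “Packet capture buffer and statistics buffer”; the decimal-terabyte conversion and the pre-filter fraction are also assumptions of the example.

```python
"""Sizing helper for GigaStor capture buffers and disk archive windows (added example)."""
from typing import Optional

MEMORY_MANAGEMENT_RESERVE = 0.07  # manual: Max Buffer Size is reduced by 7% for memory management
MB_PER_TB = 1_000_000             # assumption: decimal terabytes, as array capacity is usually quoted


def max_buffer_size_mb(configured_mb: float) -> float:
    """Usable capture buffer after the 7% memory-management reduction."""
    if configured_mb <= 0:
        raise ValueError("configured buffer size must be positive")
    return configured_mb * (1.0 - MEMORY_MANAGEMENT_RESERVE)


def seconds_in_ram(configured_mb: float, throughput_mb_per_s: float) -> float:
    """Seconds of steady traffic a RAM capture buffer holds.

    Assumption: usable buffer bytes divided by bytes per second; this is the
    conventional relationship, not the formula as printed in the manual.
    Size the buffer for the worst-case burst, not the average.
    """
    if throughput_mb_per_s <= 0:
        raise ValueError("throughput must be positive")
    return max_buffer_size_mb(configured_mb) / throughput_mb_per_s


def stored_bytes_per_packet(avg_packet_bytes: float, slice_bytes: Optional[int] = None) -> float:
    """Bytes written per packet with 'Capture partial packets' set to slice_bytes (None = whole packet)."""
    if avg_packet_bytes <= 0:
        raise ValueError("average packet size must be positive")
    if slice_bytes is None:
        return avg_packet_bytes
    return min(avg_packet_bytes, float(slice_bytes))


def disk_write_rate_mb_per_s(throughput_mb_per_s: float, avg_packet_bytes: float,
                             slice_bytes: Optional[int] = None, prefilter_keep: float = 1.0) -> float:
    """Disk write rate after partial-packet capture and pre-filtering.

    prefilter_keep is the fraction of traffic the pre-filter lets through
    (constructed model; 1.0 means no pre-filter).
    """
    if not 0.0 < prefilter_keep <= 1.0:
        raise ValueError("prefilter_keep must be in (0, 1]")
    ratio = stored_bytes_per_packet(avg_packet_bytes, slice_bytes) / avg_packet_bytes
    return throughput_mb_per_s * ratio * prefilter_keep


def archive_window_hours(disk_tb: float, write_rate_mb_per_s: float) -> float:
    """Hours of history the array holds before circular (FIFO) writes overwrite the oldest files."""
    if write_rate_mb_per_s <= 0:
        raise ValueError("write rate must be positive")
    return disk_tb * MB_PER_TB / write_rate_mb_per_s / 3600.0


def fifo_gauge_needs_action(fifo_percent: float) -> bool:
    """Manual's threshold: a FIFO gauge at 90% or more means the disks are not keeping up."""
    return fifo_percent >= 90.0


if __name__ == "__main__":
    # Constructed figures: 1024 MB buffer, 50 MB/s burst, 12 TB array, 40 MB/s sustained, 800-byte packets.
    print(f"Max Buffer Size: {max_buffer_size_mb(1024):.1f} MB")
    print(f"RAM covers {seconds_in_ram(1024, 50):.1f} s of a 50 MB/s burst")
    full = disk_write_rate_mb_per_s(40, 800)
    sliced = disk_write_rate_mb_per_s(40, 800, slice_bytes=64)
    print(f"Archive window: {archive_window_hours(12, full):.0f} h full packets, "
          f"{archive_window_hours(12, sliced):.0f} h with 64-byte slices")
```

Note that sampling is deliberately not modelled here: Table 5 states that packet sampling applies to the Control Panel statistical displays rather than to the packets saved to disk, so it does not change the archive window in this model.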
GigaStor Chart tab

This tab lets you choose the appearance, colors, and scale of the GigaStor Control Panel’s time line chart. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the GigaStor Chart tab (Figure 40).

Figure 40 GigaStor Chart tab

GigaStor Outline

Click Settings and the GigaStor Outline tab to modify the display of the GigaStor outline graph. See Figure 33 on page 58 for an example of the GigaStor outline graph. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the GigaStor Outline tab (Figure 41).

Figure 41 GigaStor Outline

Capture Graph tab

Click Settings and the tab for the type of graph or chart for which you want to set the display properties. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the Capture Graph tab (Figure 42).

Figure 42 Capture Graph tab

Table 6 Capture Graph fields

Item
  Allows you to select which item will be configured.

Item color
  Allows you to select the color of the display item.

Item plot
  Allows you to select whether the item is displayed as Lines or Bars. This dropdown will only be active if “Lines” is selected in the “Item plot” dropdown.

Item line thickness
  Allows you to select the thickness of the displayed item (in pixels).

Graph Time option buttons
  Allow you to set how the “X” axis will be displayed. Clock time shows times using a 24-hour clock (i.e., the current time). Relative time displays times from the start of the activation of the mode.
GigaStor Schedule tab

This tab lets you schedule GigaStor packet captures to occur at preset times and days of the week. Although the dialog looks identical to the standard Packet Capture schedule tab, the two types of schedules cannot be in effect at the same time. If you attempt to schedule GigaStor packet captures when standard packet captures are already scheduled (or the reverse), an error message is displayed. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the Schedule tab (Figure 43).

Figure 43 Schedule tab

• Choose No Scheduling to turn off any automatically scheduled packet captures for the selected probe or probe instance.
• Choosing Always causes the selected probe or probe instance to capture packets whenever the probe is running.
• Choose Daily at specified times or By day-of-week at specified times to automatically schedule packet captures during the specified time intervals (which you can add by clicking the Add button at the bottom of the dialog; see below).

Adding, Modifying, and Deleting Time Intervals

To add or modify a time interval for a schedule option, choose that option (in other words, Daily or the day of the week for which you want to schedule a capture) and click the appropriate button. A time interval specification dialog is displayed that allows you to set the time period for the capture to be performed. To delete a time interval from a schedule option, simply highlight the interval you wish to delete and click the Delete button. Time intervals include the last minute of the interval. All time periods are specified in 24-hour (also known as military) time.

Statistics Lists tab

Observer tracks and makes many statistics available to you. You can control how those statistics are displayed for your GigaStor.
This tab lets you customize how MAC address, IP address, IP Pair, and port information are displayed in the various constraint tab statistical listings. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the Statistics Lists tab (Figure 44).

Figure 44 Statistics Lists tab

Subnet

You can specify subnet properties for the GigaStor. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the Subnet tab (Figure 45). Use the Add, Delete, Modify, and Delete All buttons to configure the subnet settings for the GigaStor.

When you define subnets in the GigaStor, Observer adds that subnet information to the index files. All future data analyzed will have subnet filtering readily available, as well as statistical data. On the IP Stations tab you see your subnets and you can perform statistical analysis based on subnets. When you analyze data from captures with index files without any subnets defined, there will be no subnet available in the IP Stations tab even if the analyzed data includes some index files with the new subnet information.

Figure 45 GigaStor Subnet tab

Figure 46 shows how the subnet settings show up in the GigaStor Control Panel. They appear on the IP Stations tab.

Figure 46 Subnet and IP Stations

GigaStor reports

There are several default reports available for you.

1. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the GigaStor Reports tab (Figure 47).

Figure 47 GigaStor Reports tab
2. Select a report name and click Edit to change the report’s characteristics (Figure 48).

Figure 48 Report Setup

3. Use the arrow buttons to position graphs and tables on your report.
4. Double-click a section of the report to modify its caption, detail, and number format (Figure 48).

Figure 49 Table Setup

Export

You can export your GigaStor-collected data on a scheduled basis. Use the Export tab to configure when and where your data is saved, or to manually export your data. Follow the instructions in “Configuring the GigaStor through the Control Panel” on page 63 to open the Export tab (Figure 50).

Figure 50 Exports tab

Chapter 5 Using Observer with a WAN Probe

In general, WAN analysis works much like Ethernet analysis. One difference is that, when appropriate, Observer identifies WAN links by their Data Link Connection Identifier (DLCI) rather than by MAC address as is done with standard protocol analysis. In addition, many WAN statistical modes break out the data by DCE, DTE, and summary to reflect the full-duplex nature of WAN links. Modes unrelated to WAN analysis are greyed out and unavailable. The following sections describe how the available Observer modes operate to analyze a WAN link.
• “Discover Network Names” on page 80
• “WAN Bandwidth Utilization” on page 82
• “WAN Vital Signs by DLCI” on page 83
• “WAN Load by DLCI” on page 84
• “WAN Top Talkers” on page 86
• “WAN Filtering” on page 87
• “Triggers and Alarms” on page 88

Discover Network Names

To access this mode, choose Tools → Discover Network Names. Discover Network Names mode shows DLCIs instead of MAC addresses. You can also define the Committed Information Rate for each DLCI you are monitoring with WAN Observer.

Setting the Committed Information Rate (CIR) for a DLCI

The Committed Information Rate defines the guaranteed bandwidth for a WAN connection. If you want Observer’s WAN Vital Signs and WAN Load by DLCI to monitor CIR compliance, you must specify the CIR. A number of WAN triggers and alarms also use this information, allowing you to be notified if the link is not performing to the CIR. For encapsulations that do not use DLCI (such as X.25), just use the address scheme for your encapsulation.

To set the CIR for a DLCI or group of DLCIs:

1. Choose Tools → Discover Network Names. The Discover Network Names pane opens.
2. In the pane, click the edit DLCI CIR button on the Discover Network Names mode window (Figure 51).

Figure 51 Edit DLCI

3. Click Add to add a new DLCI.
4. Type the CIR in Kbits/sec for the DLCI.

Figure 52 DLCI Configuration dialog

5. Click OK when you are done.

For encapsulations that do not use DLCI (such as X.25), the correct address value is shown even though it is still labeled DLCI.

WAN Bandwidth Utilization

To see the percentages of bandwidth saturation on DCE, DTE, and DCE+DTE (Summary) for each configured link, choose Statistics → Bandwidth Utilization.
The mode starts automatically:

Figure 53 WAN bandwidth utilization

WAN links have two ports (DCE and DTE), so for a dual-link T1 you could display up to 5 charts (including the summary). The mode is available in chart, pie, graph, and dial views. The display setup dialog (click Settings to access it) lets you choose which ports to display, as well as color and scale options.

NOTE: BANDWIDTH UTILIZATION AND FILTERS. The Bandwidth Utilization display is not subject to any filters, as it compares the actual activity on the network to the network’s theoretical capacity.

WAN Vital Signs by DLCI

In Observer, the Network Vital Signs display is replaced by the WAN Vital Signs by DLCI mode. This mode provides a summary of the errors occurring on a WAN link (E1/T1/DS3/E3). Choose Statistics → WAN Vital Signs by DLCI. You can choose what portion of traffic you wish to view from the list box in the upper left corner of the window: DCE, DTE, DCE plus DTE, and so forth.

Figure 54 WAN Vital Signs by DLCI pane

DTE (Data Terminal Equipment), in the context of a WAN link, refers to the DSU/CSU. DCE (Data Circuit-terminating Equipment) refers to the WAN switch (which may reside remotely at the line provider's site). Summary view shows a concatenation of traffic from both ends of the link.

The following statistics are shown, broken down by DLCIs (which are listed in the leftmost column). You can change the sort order by clicking on any of the column headings:

Table 7 WAN statistics

DLCI
  Data Link Connection Identifier of the statistics that follow. For encapsulations that do not use DLCI (such as X.25), the correct address value is shown even though it is still labeled DLCI.

DCE KBits/s Max
  The maximum bit rate sensed so far from the DCE side of this DLCI, in Kbits per second.
DTE KBits/s Max
  The maximum bit rate sensed so far from the DTE side of this DLCI, in Kbits per second.

DCE Kbits/s Avg
  The average bit rate sensed on the DCE side of this DLCI, in Kbits per second.

DTE Kbits/s Avg
  The average bit rate sensed on the DTE side of this DLCI, in Kbits per second.

DCE FECN under CIR
  The number of packets seen on the DCE side of the link that had the Forward Explicit Congestion Notification bit set, even though the bandwidth usage was within the Committed Information Rate (CIR). Normally this number should be zero. If bandwidth usage exceeds CIR, congestion is expected.

DTE FECN under CIR
  The number of packets seen on the DTE side of the link that had the Forward Explicit Congestion Notification bit set, even though the bandwidth usage was within the Committed Information Rate (CIR). Normally this number should be zero. If bandwidth usage exceeds CIR, congestion is expected.

DCE BECN under CIR
  The number of packets seen on the DCE side of the link that had the Backward Explicit Congestion Notification bit set, even though the bandwidth usage was within the Committed Information Rate (CIR). Normally this number should be zero. If bandwidth usage exceeds CIR, congestion is expected.

DTE BECN under CIR
  The number of packets seen on the DTE side of the link that had the Backward Explicit Congestion Notification bit set, even though the bandwidth usage was within the Committed Information Rate (CIR). Normally this number should be zero. If bandwidth usage exceeds CIR, congestion is expected.

WAN Load by DLCI

In a WAN installation, Observer’s Network Activity Display is called WAN Load by DLCI. This mode shows critical WAN transfer rate and congestion statistics in a number of formats. This display can show you the health of a WAN link at a glance and can warn of impending slowdowns due to congestion or other error conditions.

1. Choose Statistics → WAN Load by DLCI.
2. Press Start to begin capturing load data.
Figure 55 WAN Load by DLCI

The WAN Load by DLCI mode can be viewed as a dial, graph, or list display. Except for list view, there are no setup options for WAN Load by DLCI mode. Every view includes a dropdown box that lets you select which DLCI you want to monitor.

Figure 56 WAN Load by DLCI Dial View

The WAN Load by DLCI mode in dial view shows transfer rate, CRC error rate, and FECN/BECN frame rates graphed on dial meters. For encapsulations that do not use DLCI (such as X.25), the correct address value is shown even though it is still labeled DLCI.

Figure 57 WAN Load by DLCI Graph View

The WAN Load display in graph view shows these same statistics (transfer rate, CRC error rate, and FECN/BECN frame rates) as superimposed spike meters. The Committed Information Rate (CIR) is also shown, allowing you to view the network activity against the baseline performance you have contracted to receive from your WAN service provider. You can select a line, point, or bar-style meter, and the colors for each statistic, by right-clicking on the chart. The dropdown menus at the top of the display let you select which DLCIs to view and how the chart should be scaled (linearly, logarithmically, or auto-scale). For linear scales, you can also set the CIR or the line rate as the maximum value for the chart.

WAN Top Talkers

Just as in standard Observer, Top Talkers shows the IP and MAC addresses of stations on your network sorted by volume of traffic generated and received. In WAN Observer, the MAC Address tab shows DLCIs sorted by volume of traffic. Also, the sorting and charting statistical criteria (such as percentage of packets, packets per second, etc.) that apply to WAN are a subset of those available for standard network analysis.
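The “FECN under CIR” and “BECN under CIR” columns of Table 7, and the FECN/BECN frame rates on the WAN Load by DLCI meters, all come from the two-byte Q.922 address at the start of every Frame Relay frame. The following Python is an added example, not code from this manual or from Network Instruments: it decodes that address (DLCI, C/R, FECN, BECN and DE bits, laid out as in ITU-T Q.922 and RFC 2427), keeps the per-DLCI, per-side counters of congestion bits seen while the measured rate was still within the configured CIR, and provides an include/exclude predicate of the kind a DLCI-address or WAN-conditions filter rule expresses. The CIR table, the per-frame rate observations and the payload bytes are constructed for the example.

```python
"""Frame Relay (Q.922) address decoding and 'congestion under CIR' counters (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class FrameRelayHeader:
    dlci: int
    cr: bool    # command/response bit
    fecn: bool  # forward explicit congestion notification
    becn: bool  # backward explicit congestion notification
    de: bool    # discard eligibility


def parse_q922_address(frame: bytes) -> FrameRelayHeader:
    """Decode the common two-byte Q.922 address field.

    byte 0: DLCI bits 9..4 | C/R | EA=0      (EA=0 means the address continues)
    byte 1: DLCI bits 3..0 | FECN | BECN | DE | EA=1   (EA=1 ends the address)
    Three- and four-byte address forms are rejected rather than mis-decoded.
    """
    if len(frame) < 2:
        raise ValueError("frame too short for a Q.922 address")
    b0, b1 = frame[0], frame[1]
    if (b0 & 0x01) != 0 or (b1 & 0x01) != 1:
        raise ValueError("unsupported or malformed address field (EA bits)")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return FrameRelayHeader(dlci=dlci, cr=bool(b0 & 0x02), fecn=bool(b1 & 0x08),
                            becn=bool(b1 & 0x04), de=bool(b1 & 0x02))


def q922_address(dlci: int, cr: bool = False, fecn: bool = False,
                 becn: bool = False, de: bool = False) -> bytes:
    """Build a two-byte address (used here only to construct sample frames)."""
    if not 0 <= dlci <= 1023:
        raise ValueError("a two-byte address carries a 10-bit DLCI")
    b0 = ((dlci >> 4) << 2) | (int(cr) << 1)
    b1 = ((dlci & 0x0F) << 4) | (int(fecn) << 3) | (int(becn) << 2) | (int(de) << 1) | 0x01
    return bytes([b0, b1])


def congestion_under_cir(observations: Iterable[Tuple[str, bytes, float]],
                         cir_kbps: Dict[int, float]) -> Counter:
    """Count frames carrying FECN/BECN while the DLCI's measured rate was within its CIR.

    observations: (side, frame, rate_kbps) with side 'DCE' or 'DTE' and rate_kbps the
    rate measured on that side when the frame was seen. cir_kbps maps DLCI to the CIR
    entered in Discover Network Names. Returns a Counter keyed (dlci, side, 'FECN'|'BECN').
    Above CIR congestion is expected, so those frames are not counted; DLCIs with no CIR
    configured cannot be judged and are skipped.
    """
    counts: Counter = Counter()
    for side, frame, rate_kbps in observations:
        hdr = parse_q922_address(frame)
        cir = cir_kbps.get(hdr.dlci)
        if cir is None or rate_kbps > cir:
            continue
        if hdr.fecn:
            counts[(hdr.dlci, side, "FECN")] += 1
        if hdr.becn:
            counts[(hdr.dlci, side, "BECN")] += 1
    return counts


def wan_frame_matches(frame: bytes, side: str, include_dlcis: Optional[set] = None,
                      exclude_dlcis: Iterable[int] = (), direction: Optional[str] = None,
                      fecn: Optional[bool] = None, becn: Optional[bool] = None,
                      de: Optional[bool] = None) -> bool:
    """Include/exclude predicate in the spirit of the DLCI Address and WAN Conditions rules.

    None means 'do not care'; direction is 'DCE' or 'DTE' (flow direction).
    """
    hdr = parse_q922_address(frame)
    if include_dlcis is not None and hdr.dlci not in include_dlcis:
        return False
    if hdr.dlci in set(exclude_dlcis):
        return False
    if direction is not None and side != direction:
        return False
    for want, have in ((fecn, hdr.fecn), (becn, hdr.becn), (de, hdr.de)):
        if want is not None and want != have:
            return False
    return True


# Constructed sample data: control byte 0x03 and NLPID 0xCC (IP) follow the address in RFC 2427 framing.
PAYLOAD = b"\x03\xcc" + b"\x00" * 20
CIR_KBPS = {100: 256.0, 16: 64.0}
SAMPLE_OBSERVATIONS = [
    ("DCE", q922_address(100, fecn=True) + PAYLOAD, 128.0),           # FECN while under CIR: counted
    ("DCE", q922_address(100, fecn=True) + PAYLOAD, 512.0),           # FECN above CIR: expected, not counted
    ("DTE", q922_address(16, becn=True, de=True) + PAYLOAD, 32.0),    # BECN under CIR: counted; DE is not a counter
    ("DTE", q922_address(16) + PAYLOAD, 32.0),                        # no congestion bits
    ("DCE", q922_address(200, fecn=True) + PAYLOAD, 10.0),            # no CIR configured for DLCI 200: skipped
]

if __name__ == "__main__":
    for key, n in sorted(congestion_under_cir(SAMPLE_OBSERVATIONS, CIR_KBPS).items()):
        print(key, n)
```

A non-zero counter for a DLCI whose measured rate is below the CIR points at congestion somewhere in the carrier's network rather than at the link being oversubscribed, which is why the manual says these columns should normally read zero.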
For encapsulations that do not use DLCI (such as X.25), the correct address value is shown even though it is still labeled DLCI.

1. Choose Statistics → Top Talkers Statistics.
2. Press Start to begin capturing load data.

Figure 58 WAN Top Talkers

TIP: If you are looking to identify additional top talkers beyond the DLCI, using Ethernet Top Talkers may be more beneficial for you.

WAN Filtering

In addition to the standard Observer packet filtering rules (station address, pattern matching, etc.), there are two WAN-specific filtering rules available for use with WAN probes:

• DLCI Address, which lets you enter the number of the DLCI address you wish to include or exclude.
• WAN Conditions, which let you include or exclude frames based on flow direction, forward and backward congestion, and discard eligibility.

To create a WAN filter rule:

1. Choose Actions → Filter Setup for Selected Probe.
2. Select an existing filter or click New Filter to create your own. See the filtering information in the Observer manual for full details about creating a custom filter from scratch.

Figure 59 Active Filters

Triggers and Alarms

WAN Observer adds WAN-related criteria to the standard Triggers and Alarms mode.

1. Click the Alarm Settings button located in the lower left corner of Observer’s main window.

Figure 60 Alarm Settings

A dialog appears that allows you to select the probe or probes for which you want to set alarms.

2. Check the probes you wish to set.
3. Select a probe for which you want to set alarms and then click the Selected Instance Alarm Settings button. Figure 61 appears.

Figure 61 Probe Alarm Settings

4. Select the alarms you want set.
5. Click the Triggers tab to set the criteria by which the alarms will be triggered.

Figure 62 Triggers tab
Most WAN alarms can be set on the DTE or DCE side or both. The Committed Information Rate displayed is the one you set in Discover Network Names mode. See “Setting the Committed Information Rate (CIR) for a DLCI” on page 80.

6. Click the Actions tab to define actions to launch if an alarm is triggered. You can log messages, send e-mail, or even send a pager alarm.

Chapter 6 Forensic Analysis using Snort

Forensic Analysis, exclusive to the GigaStor version of Observer, is a powerful tool for scanning high-volume packet captures for intrusion signatures and other traffic patterns that can be specified using the familiar Snort rule syntax. You can obtain the rules from www.snort.org, or, if you know the Snort rule syntax, you can write your own rules.

Snort began as an open source network intrusion detection system (NIDS). Snort’s rule definition language is the standard way to specify packet filters aimed at sensing intrusion attempts. Snort rules (or Snort-style rules) imported into Observer operate much like Observer’s Expert conditions, telling Observer how to examine each packet to determine whether it matches specified criteria, triggering an alert when the criteria are met. They differ from Expert conditions in that they operate only post-capture, and the rules themselves are text files imported into Observer.

NOTE: Only rules with alert actions are imported. Rules with log, activate, dynamic, or any actions other than alert are simply ignored. Except for RULE_PATH, variable declarations (Snort var statements) are imported. Rule classifications (config classification) are imported, but any other config statements are ignored. Another difference is that Observer, unlike Snort, supports IPv6 addressing.
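The import rules in the NOTE above (keep only alert rules, import var statements except RULE_PATH, import config classification and ignore other config lines) can be checked against a rules file before you load it, so that you know in advance which signatures will be silently dropped. The following Python is an added example, not Observer's importer or any code from Network Instruments; it also shows the enable/disable-by-classification step that follows an import. The sample rules file is constructed for the example (the SIDs in the 9000000 range, the messages and the classifications are made up), and the backslash line-continuation and option parsing cover the common Snort rule forms, not every corner of the syntax.

```python
"""Pre-flight check of a Snort rules file against the manual's import rules (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

# Snort rule actions; only 'alert' survives the import described in the manual.
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
# option parser: name:value; where value may be a quoted string containing escaped quotes
_OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


@dataclass
class ImportedRule:
    header: str      # action proto src sport direction dst dport
    msg: str
    sid: str
    classtype: str
    enabled: bool = True


@dataclass
class ImportResult:
    rules: List[ImportedRule] = field(default_factory=list)
    variables: Dict[str, str] = field(default_factory=dict)
    classifications: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    ignored: List[str] = field(default_factory=list)


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines; drop blank lines and '#' comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + " " + line
            pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        yield line
    if pending:  # continuation at end of file: keep what we have
        yield pending


def parse_rule_options(options_text: str) -> Dict[str, str]:
    """Map option names to values; quoted values are unquoted. Later duplicates win."""
    return {m.group(1): m.group(2).strip().strip('"') for m in _OPTION_RE.finditer(options_text)}


def import_snort_rules(text: str) -> ImportResult:
    """Apply the manual's import policy to a rules file and report what was kept and dropped."""
    result = ImportResult()
    for line in _logical_lines(text):
        word = line.split(None, 1)[0]
        if word == "var":
            parts = line.split(None, 2)
            if len(parts) == 3 and parts[1] != "RULE_PATH":  # RULE_PATH is the one var not imported
                result.variables[parts[1]] = parts[2]
            continue
        if word == "config":
            body = line[len("config"):].strip()
            if body.startswith("classification:"):
                name, desc, prio = (p.strip() for p in body[len("classification:"):].split(",", 2))
                result.classifications[name] = (desc, int(prio))
            else:
                result.ignored.append(line)  # any other config statement is ignored
            continue
        if word in RULE_ACTIONS:
            if word != "alert":
                result.ignored.append(line)  # log/activate/dynamic/... are not imported
                continue
            header, _, options = line.partition("(")
            opts = parse_rule_options(options)
            result.rules.append(ImportedRule(header=header.strip(), msg=opts.get("msg", ""),
                                             sid=opts.get("sid", ""),
                                             classtype=opts.get("classtype", "unclassified")))
            continue
        result.ignored.append(line)  # unrecognised directive
    return result


def set_classification_enabled(result: ImportResult, classtype: str, enabled: bool) -> int:
    """Enable or disable every imported rule of one classification; returns how many changed."""
    changed = 0
    for rule in result.rules:
        if rule.classtype == classtype and rule.enabled != enabled:
            rule.enabled = enabled
            changed += 1
    return changed


# Constructed sample rules file (not from snort.org); SIDs 9000001-9000004 are made up.
SAMPLE_RULES = """
# sample rules for the import check
var HOME_NET 192.168.0.0/16
var EXTERNAL_NET any
var RULE_PATH ../rules
config classification: misc-activity,Misc activity,3
config classification: policy-violation,Potential Corporate Privacy Violation,1
config order: pass alert log
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \\
    (msg:"SAMPLE FTP login seen from outside"; flow:to_server,established; \\
    content:"USER"; nocase; classtype:misc-activity; sid:9000001; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"SAMPLE DNS to external resolver"; classtype:policy-violation; sid:9000002; rev:1;)
log tcp any any -> $HOME_NET 23 (msg:"SAMPLE telnet logged only"; sid:9000003;)
dynamic tcp any any -> any 8080 (msg:"SAMPLE dynamic rule"; activated_by:1; count:5; sid:9000004;)
"""

if __name__ == "__main__":
    res = import_snort_rules(SAMPLE_RULES)
    print(f"imported {len(res.rules)} rules, ignored {len(res.ignored)} lines")
    for r in res.rules:
        print(f"  sid {r.sid} [{r.classtype}] {r.msg}")
```

Running the check over a vendor rules file before the import tells you how many signatures are in non-alert actions (and would therefore never fire in Forensic Analysis), which is the kind of coverage gap that is otherwise only noticed when an expected alert is missing.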
After you import the rules into Observer you can enable and disable individual rules, and groups of rules by classification, as needed.

Starting Forensic Analysis using Snort rules

Forensics profiles provide a mechanism to define and load different pairings of settings profiles and rules profiles. Settings profiles define preprocessor settings that let you tune performance; rules profiles define which forensic rules are processed during analysis. Observer lets you configure preprocessor settings to tune performance and to perform specialized processing designed to catch threats against particular target operating systems and web servers. Because Observer performs signature matching on existing captures rather than in real time, its preprocessor configuration differs from that of native Snort. When you import a set of Snort rules that includes configuration settings, Observer imports the rule classifications but uses its own defaults for the preprocessor settings.

NOTE: Enabling a preprocessor and enabling logging for that preprocessor are two different things. For example, you can enable IP defragmentation with or without logging. Without logging, IP fragments are simply reassembled; only time-out and maximum-limit-reached messages are noted in the Forensics Log and in the Forensic Analysis Summary window. With logging enabled, all reassembly activity is displayed in the Forensics Log (but not in the Forensic Analysis Summary).

Forensic analysis is available both from the Decode/Analysis window displayed when you load a saved capture buffer locally from the GigaStor, and from the GigaStor control panel. In either case, if you have not yet imported any rules, or if you wish to add or modify rules, click Edit to display the Forensic Settings dialog.

• From the Decode/Analysis display: After loading a previously saved capture buffer, click the Forensics tab.
The Select Forensics Analysis dialog is displayed:

Figure 63 Select Forensic Analysis Profile dialog

• From the GigaStor Control Panel: Select the time window you wish to analyze, then click Analyze. At the bottom of the GigaStor Analysis Options dialog you can select or edit a Forensics profile. This is described in detail in "Creating a forensic analysis profile from the GigaStor control panel" on page 94.

Figure 64 GigaStor Analysis Options - Forensic Analysis section

If you already have a forensic analysis profile, choose it from the Profile list (Figure 64) and click OK. For more information about the analysis output, see:

• "About Forensic Analysis tab" on page 98
• "About the Forensic Analysis Log tab" on page 99

Creating a forensic analysis profile from the GigaStor control panel

1 Click the Forensics Analysis tab on the far right of the screen.

Figure 65 Forensic Analysis tab

2 Click the Analyze button at the top of the screen. The GigaStor Analysis Options dialog opens.

Figure 66 GigaStor Analysis Options

3 Select the profile that you want, or click Edit.
4 Click the Settings Profile Edit button to view and define the fields as you need. The fields are described in full in "Forensic Analysis Profile Settings tab" on page 100.

Figure 67 Forensic Settings

If this is the first time forensic analysis has been run, you must import some rules.

5 Click the Import Snort Files button to display a file selection dialog. Browse to the directory containing the rules you wish to import and select them. You can select multiple files using CTRL-click or by dragging the cursor across the files you wish to select.
If you do not yet have the Snort rules, see "Rules tab" on page 106.

6 Click OK when you are done selecting files. Observer displays a progress bar and then an import summary showing the results of the import. Because Observer's forensic analysis omits support for rule types and options not relevant to a post-capture system, the import summary will probably list a few unrecognized options and rule types. This is normal and, unless you are debugging rules that you wrote yourself, can be ignored.
7 Close the Import Summary window.
8 Click the Edit button to the right of the Rules profile dropdown menu.

Figure 68 Forensic Settings

The Rule Settings dialog is displayed (Figure 69). The top portion of the window lists the rules that were imported, grouped in a tree with branches that correspond to the files that were imported.

Figure 69 Rules tab

9 Select the boxes next to the rules you want to enable. The right-click menu has options to enable or disable all rules and to show the actual Snort rule that was imported. It also lets you jump to web-based threat references such as Bugtraq for further information about the alert.

Rule classifications offer another level of control. Check the "Rules must also match rule classifications" box to display a list of defined rule classifications. Classifications are defined at import time by parsing the Snort config classification statements encountered in the rule set; a rule is assigned a classification in its classtype option. Select the rule classification(s) you want to enable. If classification matching is enabled, a rule and its classification must both be enabled for that rule to be processed. For example, to enable all policy violation rules: right-click on the rule list, choose Enable all rules, and then enable only the policy violation classification.
10 Click OK to close the Forensic Analysis Profile dialog. Click OK again to close the Forensic Settings dialog. Click OK to close the GigaStor Analysis Options dialog.

Observer applies the rules and filters to the capture data and displays the results in the Forensics Summary tab. A new tab is also opened that contains the decode. For details about the tabs, see:

• "About Forensic Analysis tab" on page 98
• "About the Forensic Analysis Log tab" on page 99

About Forensic Analysis tab

This display summarizes alerts and preprocessor events in a navigable tree.

Figure 70 Forensic Summary

TIP! PREPROCESSOR MAXIMUMS: It is important to examine the preprocessor results to ensure that time-outs and other maximum-value-exceeded conditions have not compromised the analysis. In Figure 70, both the IP Flow and TCP Stream Reassembly preprocessors have timed out on hundreds of flows and streams. If you see similar results, you may want to adjust the preprocessor settings to eliminate these conditions. Intruders often attempt to exceed the limits of forensic analysis to hide malicious content.

The right-click menu lets you examine the rule that triggered the alert (if applicable). It also lets you jump to web-based threat references such as Bugtraq for further information about the alert. These references must be coded into the Snort rule to be available from the right-click menu.

About the Forensic Analysis Log tab

The Forensic Analysis Log lists all rule alerts and preprocessor events in a table, letting you sort individual occurrences by priority, classification, rule ID, or any other column heading. Click a column heading to sort the alerts by that criterion.
Figure 71 Forensic Analysis Log tab

The right-click menu lets you examine the rule that triggered the alert (if applicable). It also lets you jump to web-based threat references such as Bugtraq for further information about the alert. These references must be coded into the Snort rule to be available from the right-click menu. You can also jump to the Decode display of the packet that triggered the alert.

Forensic Analysis Profile field descriptions

This section describes in detail the fields on the Settings and Rules tabs. See:

• "Forensic Analysis Profile Settings tab" on page 100
• "Rules tab" on page 106

Forensic Analysis Profile Settings tab

Figure 72 Forensic Analysis Profile Settings tab

Table 8 describes the fields in the Forensic Analysis Profile Settings tab.

Table 8 Forensic Analysis Profile Settings tab (Field: Description)

Settings Profile
Settings Profiles provide a mechanism to save and load different preprocessor settings, and to share them with other Observer consoles.

IP Flow
Packets belong to the same IP flow if they share the same layer 3 protocol and the same source and destination addresses and ports. If this box is checked, forensic analysis identifies IP flows (also known as conversations), allowing Snort rules to isolate packets by direction and connection state via the flow option. If this preprocessor is disabled, flow keywords are ignored, but the rest of the rule is still processed. The remaining settings let you throttle flow analysis by limiting the number of flows tracked and by shortening the time window within which a flow is considered active.

IP Defragmentation
Some types of attacks use packet fragmentation to escape detection.
Enabling this preprocessor causes forensic analysis to identify and reconstruct fragmented packets according to the specified fragment reassembly policy. Rules are then run against the reconstructed packets during forensic analysis. The fragment reassembly policy mimics the behavior of various operating systems when ambiguous (overlapping) fragments are received. Choose the policy that matches the OS of the server (or servers) being monitored (see the table below). If the buffer contains traffic targeting hosts with different operating systems, use post-filtering to isolate the traffic before forensic analysis so that you can apply the correct policy to each.

Defragmentation policy: target operating systems
BSD: AIX, FreeBSD, HP-UX B.10.20, IRIX, IRIX64, NCD Thin Clients, OpenVMS, OS/2, OSF1, SunOS 4.1.4, Tru64 Unix, VAX/VMS
Last data in: Cisco IOS
BSD-right: HP JetDirect (printer)
First data in: HP-UX 11.00, MacOS, SunOS 5.5.1 through 5.8
Linux: Linux, OpenBSD
Solaris: Solaris
Windows: Windows (95/98/NT4/W2K/XP)

Refer to www.snort.org for more detailed version-specific information.

The remaining options let you enable logging of alerts and reconstruction progress, limit the number of active packet fragments to track, and change the length of fragment inactivity after which a fragment is dropped from analysis.

TCP Stream Reassembly
Another IDS evasion technique is to split the attack across multiple TCP segments. Because attackers know that IDS systems attempt to reconstruct TCP streams, they use a number of techniques to confuse the IDS so that it reconstructs an incorrect stream (in other words, the IDS processes the stream differently from the intended target). As with IP fragmentation, forensic analysis must be configured to mimic how the host processes ambiguous and overlapping TCP segments, and the topology between attacker and target, to accurately reassemble the same stream that landed on the target. The reassembly options are described below:
• Log preprocessor events—Checking this box causes forensic analysis to write all activity generated by the TCP stream reassembly preprocessor to the log.
• Maximum active TCP streams tracked—If this value is set too high for the size of the buffer being analyzed, performance can suffer because of memory consumption. If it is set too low, forensic analysis can be susceptible to denial of service attacks on the IDS itself (i.e., the attack on the target is carried out after the IDS has used up its allocation of simultaneous sessions).
• Drop TCP streams inactive for this duration—A TCP session is dropped from analysis as soon as it has been closed by an RST message or FIN handshake, or after the inactivity time-out threshold has been reached. Exercise caution when adjusting the time-out, because attackers can use TCP tear-down policies (and the differences between how analyzers and various operating systems handle inactivity) to evade detection.
• TTL delta alert limit—Some attackers rely on knowing the target system's location relative to the IDS to send different streams of packets to each by manipulating TTL (Time To Live) values. Any large swing in TTL values within a stream can be evidence of this kind of evasion attempt. Set the value too high and analysis will miss these attempts; set it too low and you get excessive false positives.
• Overlapping packet alert threshold—The reassembly preprocessor generates an alert when more than this number of packets within a stream have overlapping sequence numbers.
• Process only established streams—Check this box if you want analysis to process only streams that were established during the given packet capture.
• Reconstruct Client to Server streams—Check this box to have analysis reconstruct the streams received by servers.
• Reconstruct Server to Client streams—Check this box to have analysis reconstruct the streams received by clients.
• Overlap method—Different operating systems resolve overlapping segments using one of these methods. Choose the one that matches the systems being monitored.
• Reassembly error action—Discard and flush writes the reassembled stream for analysis, excluding the packet that caused the error. Insert and flush writes the reassembled stream, including the packet that caused the error. Insert no flush includes the error-causing packet and continues stream reassembly.
• Reassembled packet size threshold range—Some evasion strategies split the attack payload across multiple packets so that no single reassembled chunk contains the whole signature. Reassembling the stream in chunks of uniform size makes it easier for attackers to slip traffic past the rules, so forensic analysis reassembles the stream using random chunk sizes. Here you set the upper and lower limits on the size of these chunks.
• Reassembled packet size seed value—Changing the seed value causes forensic analysis to use a different pattern of chunk sizes for stream reassembly. Running the analysis again with a different seed value can catch signature matches that would otherwise escape detection.
• Port List—Enabling the Port List option limits analysis to (or excludes from analysis) the given port numbers.

HTTP URI Normalization
Many HTTP-based attacks attempt to evade detection by encoding URI strings in UTF-8 or in Microsoft %u notation for specifying Unicode characters. This preprocessor includes options to defeat the most common evasion techniques.
To match patterns against the normalized URIs rather than the raw strings captured from the wire, the VRT rules use the uricontent option, which depends on this preprocessor. Without normalization you would have to include signatures for the pattern in every possible encoding (using the content option) rather than one canonical version.

• Log preprocessor events—Checking this box causes forensic analysis to save any alerts generated by the HTTP preprocessor to the log, but not to the Forensic Summary window.
• Maximum directory segment size—Specifies the maximum length of a directory segment (i.e., the number of characters allowed between slashes). If a URI directory segment is longer than this, an alert is generated. 200 characters is a reasonable cutoff to start with; it should limit the alerts to IDS evasions.
• Unicode Code Page—Specify the appropriate country code page for the traffic being monitored.
• Normalize ASCII percent encodings—This option must be enabled for the rest of the options to work. The second check box lets you enable logging when such encoding is encountered during preprocessing. Because this encoding is standard, logging occurrences of it is not recommended.
• Normalize percent-U encodings—Convert Microsoft-style %u-encoded characters to standard format. The second check box lets you enable logging when such encoding is encountered during preprocessing. Because this encoding is non-standard (and a common attacker trick), logging occurrences of it is recommended.
• Normalize UTF-8 encodings—Convert UTF-8 encoded characters to standard format. The second check box lets you enable logging when such encoding is encountered during preprocessing.
Because Apache uses this standard, enable this option when monitoring Apache servers. Although you might be interested in logging UTF-8 encoded URIs, doing so can produce a lot of noise because this type of encoding is common.
• Lookup Unicode in code page—Enables Unicode codepoint mapping during preprocessing to handle the non-ASCII codepoints that the IIS server accepts.
• Normalize double encodings—This option mimics the IIS behavior of decoding a URI twice, which intruders can use to launch insertion attacks.
• Normalize bare binary non-ASCII encodings—This is an IIS feature that accepts non-ASCII bytes as valid values when decoding UTF-8. As this is non-standard, logging this type of encoding is recommended.
• Normalize directory traversal—Directory traversal attacks attempt to access unauthorized directories and commands on a web server or application by using the /./ and /../ syntax. This preprocessor removes directory traversals and self-referential directories. You may want to disable logging for occurrences of this, as many web pages and applications use directory traversals to reference content.
• Normalize multiple slashes to one—Another directory traversal strategy is to confuse the web server with runs of multiple slashes.
• Normalize Backslash—This option emulates IIS treatment of backslashes (i.e., converts them to forward slashes).

ARP Inspection
Ethernet uses the Address Resolution Protocol (ARP) to map IP addresses to particular machine (MAC) addresses. Rather than continuously broadcasting the map to all devices on the segment, each device maintains its own copy, called the ARP cache, which is updated whenever the device receives an ARP Reply. Attackers use cache poisoning to launch man-in-the-middle and denial of service (DoS) attacks.
The ARP inspection preprocessor examines ARP traffic for malicious forgeries (ARP spoofing) and for the traffic that results from these types of attacks.
• Log preprocessor events—Checking this box causes forensic analysis to save any alerts generated by the ARP Inspection preprocessor to the log, but not to the Forensic Summary window.
• Report non-broadcast requests—Non-broadcast ARP traffic can be evidence of malicious intent. One scenario is an attacker attempting to convince a target computer that the attacker's computer is a router, allowing the attacker to monitor all traffic from the target. However, some devices (such as printers) use non-broadcast ARP requests as part of normal operation. Start by checking the box to detect such traffic; disable the option only if analysis produces false positives.

Telnet Normalization
Attackers may attempt to evade detection by inserting control characters into Telnet and FTP commands aimed at a target. This preprocessor strips these codes, normalizing all such traffic before subsequent forensic rules are applied.
• Log preprocessor events—Checking this box causes forensic analysis to save any alerts generated by the Telnet Normalization preprocessor to the log, but not to the Forensic Summary window.
• Port List—Lets you specify a list of ports to include in or exclude from Telnet preprocessing. The default settings are appropriate for most networks.

Variable Name
A scrollable window located below the preprocessor settings lists the variables that were imported along with the Snort rules. Variables are referenced by the rules to specify local and remote network ranges, and common server IP addresses and ports. You can edit a variable definition by double-clicking on the variable you want to edit.
The VRT rule set variable settings (and those of most publicly distributed rule sets) will work on any network without modification, but you can dramatically improve performance by customizing these variables to match the network being monitored. For example, the VRT rules define HTTP servers as any, which results in much unnecessary processing at runtime. Address variables can reference another variable, or specify an IP address or network, or a list of either. Note that, unlike native Snort, Observer can process IPv6 addresses. Port variables can reference another variable, or specify a port or a range of ports. To change a variable, double-click its entry. The Edit Forensic Variable dialog shows a number of examples of each type of variable, which you can use as templates when changing the values of address and port variables.

Rules tab

The web site www.snort.org provides Snort rule documentation and downloadable rule sets. The rule sets available there are the Community Rules (available to anyone with a web browser) and three versions of the Vulnerability Response Team (VRT) Certified Rule Set. The most recent rule updates are available to paid subscribers only; registered non-paying users get access to the VRT rule set 30 days after subscribers, and unregistered users have access to the snapshots of the rule sets distributed with Snort releases. All of the rule sets are distributed as tar archives; download the desired rule set and extract the archive to a directory accessible to the Observer console. Although it is recommended that you eventually register for at least the Certified Rule Set, here are the steps for obtaining the Snort release snapshot distribution.
If you need archive software that can extract tar files, www.7-zip.org has a free, open source utility that handles most popular archive formats, including tar.

1 Go to www.snort.org. Click the Rules link on the left side banner. This displays the VRT rules main page.
2 Click the Download Rules link located on the right side banner.
3 Click the link to Sourcefire VRT Certified Rules (unregistered user release).
4 Click the Download button for the most recent unregistered user release. Save the file (which should have a name something like snortrules-pr-2.4.tar.gz).
5 Extract the rules directory from the archive you downloaded to a directory that is accessible to the GigaStor.

Chapter 7 Observer on the GigaStor

Using the Observer console locally on the GigaStor

Depending on how you want or need to use Observer, it can be either a graphical console to help you analyze your network data or a probe that captures data and to which other Observer consoles connect. Observer cannot be a console and a probe at the same time. In some situations you may want to run Observer locally on your GigaStor instead of on a separate system. This is not the default behavior for a GigaStor. This section describes how to stop the probe that runs as a Windows service and launch Observer.

On the local GigaStor system:

1 Right-click the Probe Service Configuration Applet in the system tray and choose Open Probe Configuration.

Figure 73 Probe Service Configuration Applet

2 The Probe Administration window opens. Click the Probe Options tab (Figure 74).

Figure 74 Probe Options

3 In the Service Settings section, clear the "Run Probe as a Windows Service" option and click OK.
This uninstalls the Network Instruments Expert Probe service from Windows.

4 Click Start → Programs → Observer → Observer. The Network Instruments Expert Probe window opens.

Figure 75 Expert Probe interface

5 Choose Options → Switch between Observer and Expert Probe Interface. The Choose Program Interface window opens.
6 Choose Observer and click OK. You must close Observer and restart it to switch into the console interface. Click OK on the message dialog.
7 Click Start → Programs → Observer → Observer to open the console interface.

TIP! SWITCHING EXPERT PROBE BACK TO
In Observer, choose View → Switch between Observer and Expert Probe Interface. After the Expert Probe interface is open, choose Options → Probe Options and select the Run Probe as Windows Service option. You must then start the Network Instruments Expert Probe service manually from the Windows Service Control Manager. It may take a moment before the service starts. You may need to restart the GigaStor for the setting changes to take full effect.

Chapter 8 Probe Instances

What is a probe instance?

TIP! For instructions on setting up a probe instance, see "Probe administration" on page 24.

Observer uses probes to capture network data. In some cases you may want or need more than one probe in a specific location. You can achieve that through probe instances. A probe instance lets you look at multiple network interfaces or publish to multiple Observer consoles. Observer has only one kind of probe instance: the passive probe instance. If you have a GigaStor, an additional probe instance type is available to you: the active probe instance. Table 9 compares the features of active and passive probe instances.
Table 9 Active probe instance compared to passive
Columns: GigaStor Active | GigaStor Passive | Observer (the per-column marks are not preserved)
Start packet capture
Stop packet capture
Start GigaStor packet capture
Schedule packet capture
Change directories where data is stored
Able to set permissions
Able to redirect to different console, etc.
Better suited for troubleshooting
Better suited for data capture

A passive probe instance captures packets to RAM and lets you do reactive analysis or look at real-time statistics for troubleshooting. The passive probe instance binds to whichever network adapter you want. You can change the adapter a passive probe instance is bound to without affecting any active probe instance.

CAUTION: PASSIVE PROBE INSTANCE AND THE GEN2 CARD. With a GigaStor you can choose which NIC to bind a passive probe instance to. Do not bind any passive probe instances to the Gen2 adapter if at all possible. A copy of every packet is sent from the adapter to each passive probe instance attached to it, so if several passive probe instances are attached to the Gen2 adapter, the Gen2's performance is significantly affected. Instead, attach the passive probe instances either to a 10/100/1000 adapter or to a non-existent one.

If a passive probe instance is connected to a GigaStor, it can mine data that has already been written to the RAID disk by an active probe instance. There should be one passive probe instance for each simultaneous Observer user on a GigaStor. By using a passive probe instance instead of an active probe instance, only one copy of the data is captured and written to disk, which reduces the processor load and the required storage space. For troubleshooting and most uses in Observer, passive probe instances are appropriate. By default a passive probe instance uses 12 MB of RAM. You can reserve more memory for passive probe instances if you wish.
An active probe instance on a GigaStor captures network traffic and writes it to the RAID array. An active probe instance should have as large a RAM buffer as possible to cushion between the network throughput rate and the array write rate. Like a passive probe instance, it can also be used to mine data from the hard disk; however, a passive instance is better suited to that task. An active probe instance cannot start a packet capture while the GigaStor Control Panel is running.

TIP! ACTIVE PROBE INSTANCE BEST PRACTICES
• Only one active probe instance per GigaStor.
• Set scheduling to Always for the active probe instance so that it is constantly capturing and writing data. Use a passive probe instance to mine the data.
• Do not pre-filter unless you know exactly what you want to capture. If something occurs outside the bounds of the filter, you will not have the data in the GigaStor.
• Do not allow remote users access to the active probe instance.

NOTE: By default there is one active probe instance per GigaStor. It binds to the network adapter and all of its ports. If you have a specific need to separate the adapter's ports and monitor them individually, you can do so through passive probe instances or by creating separate virtual adapters. See "Configuring virtual adapters on the Gen2 card" on page 116.

Figure 76 shows one active probe instance capturing and writing to the GigaStor RAID. Passive probe instances 1 and 2 mine data from the RAID array; as a best practice, they are bound to the slowest network adapter in the GigaStor. Passive probe instances 3 and 4 each capture packets separately from each other and from the active probe instance. However, because they are bound to the same adapter as the active probe instance, they capture the same data as the active probe instance.
Figure 76 GigaStor capture and packet capture through probe instances (diagram: Virtual Adapter 1 with DTE and DCE ports; Active Instance 1 writes the GigaStor capture to the RAID; Passive Instances 1 and 2 mine the RAID; Passive Instances 3 and 4 capture packets to RAM; the slowest adapter)

Chapter 9 Gen2 Capture Card

The Gen2 card is designed and manufactured by Network Instruments and is optimized for the GigaStor. The Gen2 card comes in two-, four-, or eight-port models. This section describes:

• "Swapping the Gen2 card's SFP or XFP interfaces" on page 116
• "Configuring virtual adapters on the Gen2 card" on page 116
• "Viewing the Gen2 card's properties and finding the board's ID" on page 120

Swapping the Gen2 card's SFP or XFP interfaces

To connect the probe to a monitoring interface (TAP or SPAN/mirror) different from the one shipped with the unit, obtain the SFP needed for your application, remove the installed SFPs, and insert the desired interface. The SFPs can be hot-swapped, but you should disconnect any cables before changing SFP modules. As with any electronic components, follow electrostatic discharge precautions (i.e., use a grounding strap or touch the chassis power supply before handling SFPs) to avoid damaging components. In addition, avoid exposure to laser radiation from optical components by keeping the dust plugs installed until you are ready to install cables.

Configuring virtual adapters on the Gen2 card

NOTE: Only GigaStors equipped for 10 Gigabit Ethernet, Gigabit Ethernet, and Fibre Channel use a Gen2 capture card.

By default Observer recognizes a Gen2 capture card as a single adapter, regardless of how many ports are present.
Sometimes this is desirable (as when monitoring a trunk that consists of multiple links), but for many applications it is more convenient for Observer to recognize a subset of Gen2 ports as a single adapter. For example, suppose you are deploying an 8-port Gen2 as follows: 116 Swapping the Gen2 card’s SFP or XFP interfaces Chapter 9 Gen2 Capture Card rev. 1 Q Q Ports 1-4 are monitoring a collection of trunked links The remaining ports are each connected to the SPAN (or mirror) port on a switch In this scenario, it makes sense for Observer to view Ports 1-4 as a single data stream and to separate each of the four remaining ports into separate data streams. Virtual adapters are a convenient way to accomplish this separation in real time, rather than depending on filters to sort through the traffic post-capture. A physical port cannot belong to more than one virtual adapter. To define a subset of Gen2 ports as a single virtual adapter, 1 Right-click the Gen2-equipped probe from Observer’s probe list and choose Probe or Device Properties from the menu.You can tell the probe is a GigaStor probe because (Gigabit) appears after the probe name (Figure 77). Figure 77 GigaStor probe 2 rev. 1 Click the Virtual Adapters tab and click Edit Adapter. By default all of the ports are assigned to the adapter. You must remove ports if you want to have multiple virtual adapters. See Figure 23 for a diagram of the physical ports assignments. Configuring virtual adapters on the Gen2 card 117 Chapter 9 Gen2 Capture Card Figure 78 Assign Port to Virtual Adapter: Default view 3 Select the ports to remove and click Remove. This places them in the Available Ports list. 4 Change the name of the adapter to something meaningful to you and click OK (Figure 79). Figure 79 Assign Ports to Virtual Adapter: Trunk 5 Click New Adapter. The Assign Ports to Virtual Adapter window opens. 6 Type a name in the Adapter Name box. 
7 Select the ports you want to assign to this virtual adapter from the Available Ports list and click OK. 8 Select the port and click Edit Port. Type a useful description and click OK. This description appears in the GigaStor Control Panel in Observer. 118 Configuring virtual adapters on the Gen2 card Chapter 9 Gen2 Capture Card rev. 1 Figure 80 Edit Port Description 9 Repeat step 5 through step 8 until you have created all of your virtual adapters and given descriptions to your ports. The adapters appear in the list of adapters presented when you create a probe instance. This allows you to bind the probe instance to a virtual adapter. Figure 81 shows the example of the trunk with four ports assigned to it and four more adapters each with its own port. Figure 81 Virtual Adapters tab For each virtual adapter you must create an active probe instance and bind the virtual adapter to that probe instance. By default, new virtual adapters are not bound to any probe instance, so no data is collected on those ports until assigned to a probe instance. rev. 1 Configuring virtual adapters on the Gen2 card 119 Chapter 9 Gen2 Capture Card 10 Right-click the GigaStor probe and choose Administer Selected Probe from the menu. Log in to the probe. 11 Click the GigaStor Instances tab along the bottom. 12 For each virtual adapter listed as a passive probe instance that you want to promote to an active probe instance, select it, right click and choose Make Instance Active. Figure 82 Make Instance Active 13 A message appears with information about the change. Click Yes to accept the changes. Your virtual adapters are now configured. Viewing the Gen2 card’s properties and finding the board’s ID To retrieve the board’s ID or view the Gen2 card’s properties: 1 On the GigaStor system, choose Start → All Programs → Accessories → Windows Explorer. Choose My Computer and right-click and choose Manage. The Computer Management window opens. 
120 Viewing the Gen2 card’s properties and finding the board’s ID Chapter 9 Gen2 Capture Card rev. 1 2 In the tree on the left, select Device Manager. 3 In the tree on the right, expand Network Instruments Capture Adapters (Figure 83). Figure 83 Computer Management window 4 Choose Network Instruments Gen2 Gigabit Capture Adapter, right-click and choose Properties. Click the Current State tab (Figure 84). Figure 84 Gen2 Card Properties – Current State tab rev. 1 Viewing the Gen2 card’s properties and finding the board’s ID 121 Chapter 9 Gen2 Capture Card This tab shows all active physical ports on the Gen2 card and the board’s ID. The “Interrupt enabled” and “DMA enabled” lights are light green when Observer is running and dark green when Observer is not running. CAUTION ADVANCED SETTINGS TAB Do not make any changes to the settings on the Advanced Settings tab unless directed by the Support department! The DMA buffer size and DMA copy size are optimized at the factory for your specific motherboard and Gen2 card. 122 Viewing the Gen2 card’s properties and finding the board’s ID Chapter 9 Gen2 Capture Card rev. 1 Appendix A TCP/IP ports, NAT, and VPN 123 rev. 1 Appendix A TCP/IP ports, NAT, and VPN This section discusses the TCP/IP ports, NAT, and VPN. TCP/IP ports Observer and all Network Instruments probes use ports 25901 and 25903 to communicate. These ports are registered ports to Network Instruments. All Network Instruments probes initiate connection with Observer using port 25901. Observer listens on port 25901. After a connection is established all communication between Observer and the probes occurs on port 25901, except probe redirection and administration, which uses port 25903. 
Figure 85 Port connections (diagram: any probe sends a connection request to the Observer console on port 25901; the console approves the request and the connection is established on port 25901; redirection requests from the console reach the probe on port 25903)

NAT

If you use network address translation (NAT) in your environment, you must make some configuration changes in Observer. Using the TCP/IP port information in “TCP/IP ports” on page 124, you should be able to set up the NAT properly.

If the probe is outside the network where Observer is running, you must forward port 25901 from the probe’s address to the system running Observer. When redirecting the probe, you must specify the NAT outside IP address instead of the address that Observer fills in automatically. By default, Observer tries to use its local IP address, which the probe will not be able to reach. Select “Redirect to a specified IP address” in the Redirecting Probe or Probe Instance dialog (Figure 86).

Figure 86 NAT

If Observer is outside the network where the probe is running, you must forward port 25903 from Observer’s address. You must use the NAT outside IP address as the probe’s IP address when trying to redirect and/or administer the probe from Observer.

VPN

Using a VPN is an easy way to get access to a probe on a remote LAN. The most common configuration change is needed when redirecting the probe: you must manually enter the Observer IP address. By default, Observer will use the LAN IP address configured for Observer. Select “Redirect to a specified IP address” in the Redirecting Probe or Probe Instance dialog (Figure 86) and type your VPN client’s IP address.
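The following added example (not from the GigaStor manual) applies the NAT rules above: given where Observer and the probe sit, it lists the forwards required for ports 25901 and 25903, the address to enter under “Redirect to a specified IP address”, and a check that catches the default Observer LAN address being used across NAT. The host names and addresses are constructed, the iptables DNAT lines are illustrative (the manual names no firewall), and the VPN case is not modelled.

```python
"""Added example (not from the GigaStor manual): work out, for a given
Observer/probe placement, which port forwards Appendix A requires and which
address to type into "Redirect to a specified IP address".

Assumptions (mine): a host behind NAT is described by its LAN address plus
its NAT gateway's outside address; a host with no NAT outside address is
reachable directly. The iptables lines are illustrative DNAT rules for a
Linux NAT gateway and restrict each forward to the single legitimate peer.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

OBSERVER_PORT = 25901      # probe -> Observer: connection and all normal traffic
PROBE_ADMIN_PORT = 25903   # Observer -> probe: redirection and administration


@dataclass(frozen=True)
class Host:
    name: str
    lan_ip: str
    network: str                          # LAN the host sits in, e.g. "10.1.0.0/16"
    nat_outside_ip: Optional[str] = None  # outside address of its NAT gateway

    def reachable_from_outside(self) -> str:
        """Address a peer on another network must use to reach this host."""
        return self.nat_outside_ip or self.lan_ip


@dataclass
class Plan:
    redirect_ip: str            # value for "Redirect to a specified IP address"
    admin_ip: str               # address Observer uses to redirect/administer the probe
    forwards: list = field(default_factory=list)


def same_lan(a: Host, b: Host) -> bool:
    return ip_network(a.network) == ip_network(b.network)


def dnat_rule(peer: str, port: int, target_lan_ip: str) -> str:
    # Source-restricted DNAT: only the known peer may use the forwarded port,
    # so the probe/Observer service is not exposed to every outside address.
    return (f"iptables -t nat -A PREROUTING -p tcp -s {peer} --dport {port} "
            f"-j DNAT --to-destination {target_lan_ip}:{port}")


def plan_nat(observer: Host, probe: Host) -> Plan:
    """Apply the Appendix A rules for NAT between Observer and a probe."""
    if same_lan(observer, probe):
        # Nothing is translated: Observer's default (its local address) works.
        return Plan(redirect_ip=observer.lan_ip, admin_ip=probe.lan_ip)

    plan = Plan(redirect_ip=observer.reachable_from_outside(),
                admin_ip=probe.reachable_from_outside())
    if observer.nat_outside_ip:
        # Probe is outside Observer's network: forward 25901 to Observer.
        plan.forwards.append(dnat_rule(probe.reachable_from_outside(),
                                       OBSERVER_PORT, observer.lan_ip))
    if probe.nat_outside_ip:
        # Observer is outside the probe's network: forward 25903 to the probe.
        plan.forwards.append(dnat_rule(observer.reachable_from_outside(),
                                       PROBE_ADMIN_PORT, probe.lan_ip))
    return plan


def redirect_target_is_reachable(observer: Host, probe: Host, typed_ip: str) -> bool:
    """Check the address typed into the redirection dialog.

    Catches the default mistake the manual warns about: Observer filling in
    its own LAN address, which a probe on another network cannot reach.
    """
    expected = observer.lan_ip if same_lan(observer, probe) else observer.reachable_from_outside()
    return ip_address(typed_ip) == ip_address(expected)


# Constructed addresses (documentation ranges, not a real deployment).
OBSERVER = Host("observer-console", "192.0.2.10", "192.0.2.0/24", "198.51.100.1")
REMOTE_PROBE = Host("branch-gigastor", "10.20.0.5", "10.20.0.0/16", "203.0.113.7")
LOCAL_PROBE = Host("hq-gigastor", "192.0.2.20", "192.0.2.0/24")

if __name__ == "__main__":
    plan = plan_nat(OBSERVER, REMOTE_PROBE)
    print("redirect to:", plan.redirect_ip, "| administer via:", plan.admin_ip)
    for rule in plan.forwards:
        print(rule)
```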
Appendix B GigaStor, GigaStor Expandable, and Expansion Unit Cases

GigaStor

Figure 87 shows the front of the GigaStor.

Figure 87 GigaStor (front view; callouts A–I: A Individual Drive Activity, B System Reset Button, C Alarm Mute Button, D Primary Drive Activity, E Power LED, F Warning Notice LED, G LAN1 LED, H LAN2 LED, I Motherboard Power Button)

Table 10 GigaStor LEDs and Buttons
LED/Button | Description
Individual Drive Activity | These LEDs blink whenever there is activity on the drive in the RAID array. The lights are red when there is a problem with the drive; otherwise they are green.
System Reset Button | When pushed, the system resets.
Alarm Mute Button | When an error or warning is detected, the LED blinks and an alarm sounds. Pushing this button silences the alarm. This button is used in conjunction with the Warning Notice LED.
Primary Drive Activity | This LED blinks whenever there is activity on the main drive. This drive is where the operating system is installed.
Power LED | This LED is lit whenever the unit and motherboard are powered on and running.
Warning Notice LED | When the unit detects a problem such as a fan failure or excessively high temperature, the alarm sounds and this LED blinks. Even if the alarm is silenced, this LED will blink until the alarm condition is resolved.
LAN1 LED | Not used.
LAN2 LED | Not used.
Motherboard Power Button | The motherboard button works only when the power button on the rear of the GigaStor is on. Press to turn on the GigaStor. If you press and hold this button for a few seconds, the unit will do a hard shut down.

GigaStor Expandable

Controller unit

Figure 88 GigaStor Expandable controller (callouts: Power Button, Reset Button, Power LED, Hard Drive Activity, Fan LED, Temperature LEDs, Fan/Temperature Alarm Reset)

Table 11 GigaStor Expandable LEDs and Buttons
LED/Button | Description
Power Button | The power button works only when the power switch on the rear of the unit is on. Press to turn on the GigaStor. If you press and hold this button for a few seconds, the unit will do a hard shut down.
Reset Button | When pressed, the unit will do a hard restart of the GigaStor Expandable.
Power LED | This LED is lit whenever the unit and motherboard are powered on and running.
Hard Drive Activity | This LED blinks whenever there is activity on the drive. This drive is where the operating system is installed.
Fan LED | When green, the fan is operating as expected. If it is red, there is a problem with the fan; the removable filter may need to be cleaned. Works in conjunction with the Alarm button. Even if the alarm is silenced, this LED will blink until the alarm condition is resolved.
Temperature LEDs | When lit green, the unit’s temperature is within normal operating conditions. If red, the unit is too hot. Works in conjunction with the Alarm button. Even if the alarm is silenced, this LED will blink until the alarm condition is resolved.
Fan/Temperature Alarm Button | When pressed, it silences the on-board alarm. Alarms may sound when the unit is too hot or the fan has a problem. Even if the alarm is silenced, the LED will blink until the alarm condition is resolved.

Figure 89 shows the back of the GigaStor Expandable.

Figure 89 GigaStor Expandable rear view (callouts: Serial ATA Disk Interfaces (3), only available on the GigaStor Expandable; Power Supply; Gen2 Capture Card; On/Off; Keyboard and Monitor; 10/100/1000 Ethernet)

Expansion unit

Figure 90 Expansion unit (front view; callouts A–G: A Individual Drive Activity, B Temperature Probe, C Fan LED, D Power LED, E Reset Button, F Alarm Button, G Motherboard Power Button)

Table 12 Expansion Unit LEDs and Buttons
LED/Button | Description
Individual Drive Activity | These LEDs blink whenever there is activity on the drive in the RAID array. The lights are red when there is a problem with the drive; otherwise they are green.
Temperature Probe | When lit green, the unit’s temperature is within normal operating conditions. If red, the unit is too hot. Works in conjunction with the Alarm button. Even if the alarm is silenced, this LED will blink until the alarm condition is resolved.
Fan LED | When green, the fan is operating as expected. If it is red, there is a problem with the fan; the removable filter may need to be cleaned. Works in conjunction with the Alarm button. Even if the alarm is silenced, this LED will blink until the alarm condition is resolved.
Power LED | This LED is lit whenever the unit and motherboard are powered on and running.
Reset Button | This button is flush with the case. When pressed, the unit will do a hard restart.
Alarm Button | This button is flush with the case. When pressed, it silences the on-board alarm. Alarms may sound when the unit is too hot or the fan has a problem. Even if the alarm is silenced, the LED will blink until the alarm condition is resolved.
Motherboard Power Button | The motherboard button works only when the power button on the rear of the GigaStor is on. Press to turn on the expansion unit. If you press and hold this button for a few seconds, the unit will do a hard shut down.

Figure 91 shows the back of the expansion unit.

Figure 91 Expansion unit rear view (callouts: Serial ATA Disk Interface; Power Supply; On/Off)

Appendix C GigaStor Portable

The portable GigaStor offers full-duplex packet capture and analysis at wire speed. Depending on which version you ordered, the system includes everything you need to perform continuous, in-depth analysis of one of the following topologies:
• Gigabit Ethernet
• 10 Gigabit Ethernet
• Fibre Channel
• Wide Area Networks (WAN), in any of a number of different encapsulations

The Portable Analysis Platform includes an internal probe that provides access to the network to which it is connected. The internal probe provides a point of visibility not only for the local Observer console, but also for remote Observer consoles that have been given administrative permission. In other words, the Portable Analysis Platform can double as a secure, remote probe, which can be indispensable for multi-site troubleshooting.

All Ethernet and Fibre Channel versions of the platform feature Small Form-factor Pluggable (SFP or XFP) technology, allowing you to hot-swap any SFP-compliant connectors into the system. This makes it possible to use the same system to monitor different types of links as needed without having to open the case to swap interface cards. For example, you can easily convert the capture card from optical to copper, allowing you to connect the system to different TAPs and Switch Port Analyzer (SPAN) interfaces.

Figure 92 Portable Analysis Platform System Tour (callouts: CD/DVD R/W combo drive and TAP bay; 10/100/1000 port; Link A/B and Analyzer A/B ports; turn thumbscrews to open the port access door; port layout varies by topology)

Your GigaStor includes a number of components. Take a moment after unpacking the system to ensure that you received all the parts.
• A ruggedized “portable” PC system with Observer Suite hardware interfaces and drivers for the relevant topology preinstalled (Figure 93).

Figure 93 Portable GigaStor

Gigabit and Fibre Channel systems have an appropriate copper or optical nTAP installed in the drive bay on the right side of the system. WAN system TAPs are shipped separately.

Running Observer passively

When analyzing a link using a TAP, Observer runs “passively.” Passive operation guarantees that analysis will not affect the link; however, it does have some implications when running Observer. Because there is no link over which the system can transmit packets or frames, the following features are unavailable:
• Traffic Generation
• Collision Test
• Replay Packet Capture

The Portable GigaStor includes a standard 10/100/1000 Ethernet interface in addition to the WAN, Gigabit, or Fibre Channel interface(s). The standard Ethernet interface allows you to use the system on non-gigabit networks by simply connecting it to an Ethernet hub or switch using a standard Ethernet cable. The TCP/IP driver has been set to obtain an IP address automatically through the Dynamic Host Configuration Protocol (DHCP). For most applications of Observer, you should assign an address to the analyzer rather than depending on the DHCP assignment.

Using the portable GigaStor as a probe

Although most administrators usually run the Observer console directly from the portable GigaStor, in some cases you may want to use the system as a distributed probe system. The probe software is included for this purpose.
1 Index Numerics 10 Gigabit Ethernet 14, 37, 116 Gen2 card 37 GigaStor Portable 134 tapping 19 10/100/1000 37 25901 124 25903 124 A alarms WAN 90 Analysis Type 62 ARP Inspection, network forensics preprocessor 105 Assign Port to Virtual Adapter 118ff Assign Ports to Virtual Adapter 118ff ATM 34–35 B Board ID 120 buffer overrun 26 buffer statistics 54, 65 buffer, see capture buffer and statistics buffer bugtraq 97, 99 C Cable diagram for the GigaStor Expandable 52ff capture buffer 26ff, 54 32-bit Windows 55 64-bit Windows 55 expert analysis 62 FIFO 66 forensic analysis 93 IP defragmentation 101 limitations 55 loading a 93 Max Buffer Size 55 overwriting 66 Legend: ff=Figure, t=Table rev. 1 packet loss 26 physical ports 66 probe instance 113 RAM limitations 55 size 55, 65 swapping to disk 26 TCP stream 102 unused 26, 29 capture card, see Gen2 card Channel Service Unit, see CSU CIR 80–81, 84, 86 coax cable 46 Collect GigaStor indexing information by 66 collision test 136 Committed Information Rate 80, 84, 86, 90 copper Ethernet capture card 15 converting 134 Gigabit 40 GigaStor Portable 136 tapping 19, 40–41ff copper nTAP 40 CRC-16 34 CRC-32 34 CSU encapsulation 34–35 HSSI 48 tapping 42–44, 46 WAN statistics 83 D data circuit-terminating equipment, see DCE Data Link Connection Identifier, see DLCI Data Service Unit, see DSU Data Terminal Equipment, see DTE DCE copper Ethernet 40 Fibre Channel 37 optical Ethernet 37 Numerics–D 139 Index T1/E1 42 WAN alarms 90 WAN statistics 80, 82–83 DCE BECN under CIR 84 DCE FECN under CIR 84 DCE Kbits/s Avg 84 DCE KBits/s Max 84 denial of service 105 DHCP 137 DLCI 80–87 DLCI CIR Setup 81 DMA buffer size 122 DMA copy size 122 DMA enabled 122 DS3 see also HSSI DLCI 83 fractionalized 34 monitoring 15 probe settings 34 tapping 46–47 DS3/E3 TAP 47ff DSU encapsulation 34–35 HSSI 48 tapping 42–44, 46 WAN statistics 83 DTE WAN alarms 90 WAN statistics 80, 82–83 DTE BECN under CIR 84 DTE FECN under CIR 84 DTE Kbits/s Avg 84 DTE KBits/s Max 84 
E E1 DLCI 83 monitoring 15 probe settings 35–36 tapping 42–45 WAN relay type 35–36 E3 see also HSSI DLCI 83 fractionalized 34 monitoring 15 140 E–G Index probe settings 34 tapping 46–47 Edit Port Description 119ff Edit Probe Instance Capture Buffer Memory 26ff Edit Probe Instance Configure Memory 28ff Edit Probe Instance Connect to Console 28ff Edit Probe Instance Name 27ff Edit Remote Probe Entry 23ff encapsulation 34–36, 80 Ethernet see also copper Ethernet 10 Gigabit 14, 116, 134 analysis 80 ARP inspection 105 cables 18, 41 Gigabit 14, 19, 116, 134 GigaStor Portable 134 hub 136 jumbo frame support 31 NIC 18, 136 TAP 18 tapping 37 Expert Probe interface 109ff F Fabric 37 Fibre Channel 14 Gen2 card 116 GigaStor Portable 134, 136 tapping 19, 37–38 fibre channel host bus adapter 14, 19 FIFO gauge 59 Forensic Analysis 62, 91 Forensics Settings 94 fractionalized 34–35 frame check sequence 34 G Gen2 card 18, 40, 115–116 10 Gigabit Ethernet 37 2-port 38 4-port 38 8-port 38 Advanced Settings 122 Board ID 120 cables 38 Legend: ff=Figure, t=Table rev. 1 daughter board 38 DMA enabled 122 Fibre Channel 37 filter ports 66 Gigabit 37 Gigabit copper 40 Interrupt enabled 122 mirror port 38 passive probe instance 113 performance 113 port assignments 38ff, 40ff ports 66 probe instance warning 112 properties 120 SFP 14, 116 SPAN port 38 statistics 66 swapping SFP or XFP 116 virtual adapters 116 XFP 14, 116 Gigabit 40–41, 136 defining probe as 117 Ethernet 116, 134 Fibre Channel 14 GigaStor Portable 134, 136 jumbo frame 31 Gigabit Ethernet 14, 19 Gigabit switch 37 Gigabit tab 31 gigabytes 55 GigaStor buttons 128ff buttons, meaning of 128, 131 case 127–128ff, 131ff copper TAP 41ff drive locations 51 expansion units 14, 19, 37, 50, 52 Expert Probe 110 LEDs 128ff LEDs, meaning of 128, 131 models 14ff Observer and 22 optical TAP 39ff Settings Schedule tab 30ff versions 14ff GigaStor Analysis Filter 62 GigaStor capture 114ff GigaStor Capture Analysis 29 Legend: ff=Figure, t=Table rev. 
1 GigaStor Control Panel 29ff, 54 GigaStor Expandable 14, 51–52 buttons, meaning of 129 case 130ff connecting expansion units 52 LEDs, meaning of 129 setting IP address 19 turning on 52 GigaStor Instances 27ff GigaStor Packet Sampling 66 GigaStor Portable 14, 133–137 as probe 137 collision test 136 Fibre Channel 134 traffic generation 136 WAN taps 136 GigaStor probe 117ff administration 24 redirecting 22 H HSSI 15, 34, 48–49 probe settings 34 HTTP URI Normalization 103 I installing 17, 19 Interrupt enabled 122 IP address DHCP 136 GigaStor 19, 23 GigaStor Portable 136 IPv6 105 NAT 124 setting 19–20 statistics 71 TCP/IP ports 124 VPN 125 IP Defragmentation 101 IP Flow 101 IP masquerading, see NAT IP Pairs 58 IP Stations 58 IPv6 92 H–I 141 Index L LAPB 34–35 load preprocess settings 101 preprocessor 113 M MAC address 105 DLCI instead of 80 excluding 65 statistics 71 Top Talkers 86 MAC address tab 86 MAC stations 58 Make Instance Active 120ff Max Buffer Size 55, 65 megabytes 113 memory management 55 Memory Management tab 25ff mirror port 38, 41, 116–117 see also SPAN port N NAT 124–125ff Network 1 probe instance 25 Network Forensics 91 Network Intrusion Detection 91–92 network load 65 packet loss 65 viewing 59 network masquerading, see NAT NIDS 92 O optical 15, 37, 39, 116, 134 Gigabit Ethernet 19 GigaStor Portable 136 P packet 101 analyzing 92 decoding 100 loss 26, 65 sampling 66 packet alert threshold 102 142 L–P Index packet buffer 62 packet capture 53, 114ff active instance vs. 
passive instance 112 active probe instance 113 buffer 29, 54 buffers for 26 decoding 54 dynamic sampling 59 entire packet 65 filtering 61, 87 GigaStor capture 70 GigaStor Portable 134, 136 high-volume 92 load time 62 marker frames 66 partial 59 partial packet 65 reassembling 103 sampling ratio 59 scheduling 70 WAN 87 packet filters 92 packet fragmentation 101 pass-through cable 41 Probe added to Remote Probe Administration and Redirection 23ff probe instance 114ff active 55, 112–114 active vs.passive 112t assigning memory to 28 assigning to adapter 119 best practices 113 definition of 112 memory requirements 26, 29 memory reserved for 26 memory tuning 55 naming 25 Network 1 25 packet capture 70 passive 112–114 passive to active 120 redirecting 24 reserving memory 55 virtual adapters 119 Probe Instance Redirection 24ff Probe Options 21ff, 109ff Probe Properties DS3/E3 Tab 34 Probe Properties Serial T1/E1 Tab 36 Legend: ff=Figure, t=Table rev. 1 Probe Properties T1/E1 Tab 35 Probe Service Configuration Applet 21ff, 108ff Q QLogic 19 Quality of Service 32 T R RAID 14, 113–114, 128, 131 RAM see also buffer active probe instance 26 buffer size 113 capture buffer size 65 formula 55 limitations 55 packet capture 55, 112 packet loss 26 probe instance 26, 59, 113 releasing 26 statistics 55 TCP stream reassembly 102 tuning 55 unused 29 Windows 55 Rate field 59 Redirecting Probe or Probe Instance 24ff, 125ff Remote Probe Administration 25ff Remote Probe Administration and Redirection 22ff rules profiles 92 S SAN 14, 19, 37, 40 Screen resolution 59 Select Forensic Analysis Profile 93 serial 36, 44–45, 48 settings profiles 92 SFP 14–15, 37, 40, 116, 134 Gen2 card 116 Snort 62, 92–93, 96–97, 99 IP flow 101 IPv6 92, 105 rules 106 variable name 105 SPAN 15, 38, 41, 116–117, 134 statistics buffer 26, 54 Legend: ff=Figure, t=Table rev. 
1 Statistics interval 59 straight-through cable 38 Subprotocol 34 switch 37 system load 66 T1 82 DLCI 83 monitoring 15 probe settings 35–36 tapping 42–45 WAN relay type 35–36 T1/E1 42 digital 42 digital tap 43ff serial 44 TAP 18–19, 37–38, 40–45, 48, 116, 136 10/100/1000 optical 37 10GbE optical 37 DS3 46–47ff DS3/E3 46 E3 46–47ff Fibre Channel 37 gigabit copper 40 HSSI 48 T1/E1 42 WAN 42 TCP 20, 60, 98, 101–103, 123–124, 136 TCP/IP 20, 123–124, 136 TCP/IP ports 124 TCP/IP settings 20ff Telnet Normalization 105 Terms of Service 32 Top Talkers 55, 86 Track statistics information per physical port 66 traffic generation 136 U UDP 60 Update Chart button 59, 66 Update Statistics button 59 Use physical port selections to filter statistics 66 V Variable Name 105 Q–V 143 Index virtual adapter 114ff probe instances 119–120 Virtual Adapters tab 119ff VPN 125 X X.25 80, 82, 84–85, 87 XFP 14–15, 116, 134 Gen2 card 116 W WAN alarms 80, 88 analysis 80 analyzing 33 bandwidth 80 CIR 80 congestion 84 DCE 82 DS3/E3 46 DTE 82 E1 42 filtering 87 full duplex 80 GigaStor 15 GigaStor Portable 134, 136 HSSI 49ff monitoring 15 Observer 33 probe 79 probes 87 serial 44 service provider 86 statistics 80 T1 42 TAP 18 tapping 42 triggers 80, 88 WAN alarms 90 WAN card 18 WAN load 80, 84–85 WAN Load by DLCI 84 WAN Serial T1/E1 TAP 45ff WAN switch 83 WAN Type 34–36 WAN Vital Signs 83 Windows 64-bit 18, 55 Remote Desktop 19 services 21, 108–110 wire speed 134 wireless 66 144 W–X Index Legend: ff=Figure, t=Table rev. 1 145 rev. 1 www.networkinstruments.com © 2008 Network Instruments, LLC. All rights reserved. Network Instruments, Observer, and all associated logos are registered trademarks of Network Instruments, LLC. 146 rev. 1