Network Instruments GigaStor Portable User Manual Download Page 67 | Manualshive

Page: 67 / 115

background image

Understanding how a Probe Uses RAM | 67

Chapter 13: Understanding

how a Probe Uses RAM

How a probe uses RAM

A Windows computer uses Random Access Memory (RAM) as a form of temporary data storage. Windows
separates all available memory into three sections: protected memory, user memory, and reserved memory. An
Observer probe, depending on how it is configured, uses these types of memory differently.

The

protected memory

is used to load critical operating system files, such as device drivers. If any of this RAM is

dedicated to a driver or some other critical file, it cannot be used by another program. However, after Windows
finishes loading its drivers, the memory is freed and any program may access the remaining protected memory.

User memory

is all available memory beyond the protected memory. It is available to any application at any time.

The probe uses this memory to temporarily store statistical information, such as Top Talkers data.

Reserved memory

is user memory that you have specifically set aside for use by the Observer probe. Only the

probe may use that portion of RAM. When the RAM is reserved for the probe not even the operating system may
access it—even when Observer is closed.

By having RAM reserved specifically for the Observer probe, you ensure that the probe has the memory
necessary to capture packets and store these packets for statistical processing. If Observer runs without any
reserved memory, it requests and uses the operating system’s protected memory for capturing packets. There is
no adverse effect of running an Observer probe without reserved memory, but it is not the most efficient way to
run the probe. By default, the probe uses no reserved memory. Our recommendation is that you reserve memory
for Observer so that the probe runs efficiently and leaves the protected memory for the operating system and
other programs to use.

Packet captures are always written sequentially from the first open byte of RAM in reserved memory or in
Windowsprotected memory. They are written until all available space is used. If you are using a circular buffer,
then the first packet is overwritten with the newest packet. This is first-in, first out (FIFO). With Windows
protected memory, your capture space is limited to about 50 to 80 MB, but with reserved memory you have
the potential to store many gigabytes in memory.

Figure 14 (page 68)

describes the two different ways that

Observer runs.

«
...
65
66
67
68
69
...
»

Summary of Contents for GigaStor Portable

Page 1: ...GigaStor User Guide...

Page 2: ...inks 23 Monitoring wireless traffic 24 Deciding where to place probes in your network 24 Ports used by Network Instruments products 26 Chapter 5 Packet Captures 27 Capturing packets with the GigaStor...

Page 3: ...l Firm 59 Using Observer in financial firms 59 Analyzing FIX transactions 60 Configuring a FIX profile 61 Chapter 12 GigaStor RAID Maintenance 63 Monitoring and maintaining the GigaStor RAID array 63...

Page 4: ...0 Troubleshooting your GigaStor configuration 91 GigaStor Control Panel option is grayed out 91 GigaStor is full or does not have the history you expect 91 TCP applications are not appearing in the Gi...

Page 5: ...5 GigaStor Upgradeable...

Page 6: ...in your network 2 The GigaStor uses probe instances and in particular a unique probe instance called an active instance Learn more about probe instances and why you want to use them in What is a probe...

Page 7: ...in Using the GigaStor Control Panel page 8 to fine tune your GigaStor 10 Optional If you want to track physical ports individually ensure you enable Track statistics information per physical port See...

Page 8: ...be configured as a local console for on site analysis Using the GigaStor Control Panel This section covers the GigaStor Control Panel its settings and its use when you choose Capture GigaStor Control...

Page 9: ...tatistics section Now you can more easily work with and view reports and statistics for your selected time frame You can filter or select a specific area of interest such as HTTP Press the Analyze but...

Page 10: ...Capture and analysis options What protocols are on your network Are they all standard protocols or do you have some custom or home grown protocols Other general GigaStor Control Panel options The Pack...

Page 11: ...t recent 1000 The maximum allowable IP Pairs is 100 000 the default is 10 000 Capture and Analysis Options Enable intelligent TCP protocol determination Displays only known applications while hiding d...

Page 12: ...ture and Analysis Options section on this tab Auto update GigaStor chart When selected causes the listed actions to have the same effect as clicking the Update Chart Statistics buttons Keep focus on G...

Page 13: ...data Data must be collected with this option enabled for GigaStor reports to present the data correctly using the update reports button By clearing this option you ensure you get all protocol informat...

Page 14: ...IP Stations tab you see your subnets and you can perform statistical analysis based on subnets When you analyze data from captures with index files without any subnets defined there will be no subnet...

Page 15: ...Max Buffer Size an error dialog will be displayed indicating the minimum and maximum buffer size for your Observer or probe buffer Generating NetFlow records from the GigaStor s NetFlow Agent The Gig...

Page 16: ...ch the buffer for the records that interest you Figure 3 shows how the Observer analyzer displays captured NetFlow records and what the NetFlow templates format is for that record See the Cisco docume...

Page 17: ...asily as local networks eliminate the time and expense of traveling to remote sites and speed troubleshooting A probe is a hardware device on your network running Network Instruments probe instance so...

Page 18: ...instance found on all non GigaStor probes Table 2 Active vs passive GigaStor instances and Observer probe GigaStor Active probe instance GigaStor Passive probe instance Observer Probe1 Better suited f...

Page 19: ...probe instance should have as large of a RAM buffer as possible to cushion between the network throughput rate and the array write rate Like a passive probe instance it can also be used to mine data...

Page 20: ...annot invest in dedicated hardware probes Network Instruments software probes provide a low cost monitoring option and are easy to install and configure Software probes support Ethernet Gigabit and wi...

Page 21: ...d party hardware Ethernet Single probe 3rd party hardware Installed software Expert Probe Multi Probe Single Probe Sends entire buffer1 X X Alarms X X X Trending X X X Triggers X X X Wireless X X X En...

Page 22: ...he probe is connected Most switches provide a function that mirrors all packets received or transmitted from either a single port of interest for instance a server or router or multiple ports of inter...

Page 23: ...alysis are performed by distributed agents called probes which in turn send the packets or the analysis results e g bandwidth utilization statistics most active stations etc to analyzers for further p...

Page 24: ...ed to connect to a standard NIC which allows them only one side of the full duplex link to transmit data A TAP however is designed to connect to a dual receive capture card By sending data on both sid...

Page 25: ...links that connect servers or server farms to core switches will give you complete visibility into all traffic between servers and their clients Connecting additional half duplex probe appliances to S...

Page 26: ...u open inbound and outbound TCP UDP 25901 through 25905 on your firewalls for its products This table lists more specifically what ports are used by your product Ports Functionality TCP 25901 Observer...

Page 27: ...d security credentials without duplicating data collection or storage You can view the sliding window as a time line chart Depending on what constraint are in effect and your display options determine...

Page 28: ...sult is a partial packet capture Some benefits of partial packet captures include Smaller capture sizes More overall storage space for packet captures Greatly increases the effective storage size of a...

Page 29: ...eral tab to a fixed sampling ratio of 1 100 or whatever you wish Using dynamic sampling allows the GigaStor to make decisions about how sampling for statistics should be accomplished The GigaStor make...

Page 30: ...he SYN SYN ACK ACK to ever index data For more details about indexing in the GigaStor continue reading the rest of this section Every 15 seconds the GigaStor writes indexed statistical data into a Gig...

Page 31: ...which options are enabled and disabled the GigaStor may completely ignore 10 0 0 1 on 8080 from being indexed Exporting GigaStor data for archiving You can export your GigaStor collected data on a sc...

Page 32: ...tely as it is seen by the capture card interface and then passed to the capture buffer This ensures the most accurate timestamp Table 3 GigaStor Analysis Options This option Allow you to do this Analy...

Page 33: ...ter before starting analysis Allows you to view the filter before Observer begins analyzing the packet capture For example you might choose this option if you have already used the filter and the outp...

Page 34: ...ly calculate metrics about the quality of the feed for the endpoints such as MDI by providing the Delay Factor and Media Loss Rate information 4G LTE analysis Analyzes the captured 4G LTE traffic from...

Page 35: ...jump to that time by right clicking the Detail Chart and choosing Go to Specific Time The FIFO sampling cpu gauge on the right side tracks how well GigaStor s disk hardware is keeping up with the cur...

Page 36: ...that is shown on the Detail Graph You can do so with the filters section of the GigaStor Control Panel You can filter data from MAC Stations tab IP Stations tab IP Pairs tab and more One example wher...

Page 37: ...ters from the GigaStor Control Panel 2 After you have a filtered chart click the Analyze button The GigaStor Analysis Options window opens 3 Because you are analyzing data with checked GigaStor entrie...

Page 38: ...or that instance is open and try again 5 Click Update Reports to start combining index data 6 After the process completes the currently open GigaStor Control Panel is showing a real time aggregate of...

Page 39: ...etail Chart and shows you all of the traffic from the address 4 You can further filter the chart and reports by selecting specific traffic types for example HTTP SMTP Telnet and so on 5 Analyze the da...

Page 40: ...ence calls and conference video where multiple endpoints are present And endpoint could be a person holding a handset wearing a headset or a line that is open for hold music or for recording To extrac...

Page 41: ...analyze 4G LTE traffic from your GigaStor You can isolate subscribers by IMSI or IMEI across eNodeB SGW or PWG using various communication paths such as S1 MME S1 U S11 S5 or X2 Prerequisite s You mu...

Page 42: ...each session including subscriber service area cell site network element handset type error codes and session status you will have excellent insight into your LTE network status Long Term Evolution LT...

Page 43: ...s of individual subscriber activities and session irregularities as well as bandwidth utilization for each interface Obtain metrics and visibility for all important interfaces within your LTE environm...

Page 44: ...ersion of Observer is a powerful tool for scanning high volume packet captures for intrusion signatures and other traffic patterns that can be specified using the familiar Snort rule syntax You can ob...

Page 45: ...ick menu lets you examine the rule that triggered the alert if applicable It also lets you jump to web based threat references such asbugtraq for further information about the alert These references m...

Page 46: ...lassification must both be enabled for that rule to be processed For example suppose you want to enable all policy violation rules simply right click on the rule list choose Enable all rules and then...

Page 47: ...essor to the log Maximum active TCP streams tracked If this value is set too high given the size of the buffer being analyzed performance can suffer because of memory consumption If this value is set...

Page 48: ...e characters This preprocessor includes options to circumvent the most common evasion techniques To match patterns against the normalized URIs rather than the unconverted strings captured from the wir...

Page 49: ...ce maintains its own copy called the ARP cache which is updated whenever the device receives an ARP Reply Hackers use cache poisoning to launch man in the middle and denial of service DoS attacks The...

Page 50: ...attacks During the same time frame and unknown to the IPS IDS a brute force attack occurred and was successful against the default Admin account on your VPN concentrator After they were beyond your pe...

Page 51: ...reates a filter 3 Click Update Chart This updates the Detail Chart and shows you all of the traffic from the address 4 You can further filter the chart and reports by selecting specific traffic types...

Page 52: ...or for a financial company as the primary audience but any network administrator interested in microbursts should find the information useful You might have microburst issues if your latency is creepi...

Page 53: ...you when microbursts occur Customize your triggers and actions and choose Microbursts from the Alarms list Using the Microburst Analysis tab is the easiest way to analyze large chunks of time for micr...

Page 54: ...charts the bars may not appear to change If you look closely you will notice that the numbers on the vertical axis change as does the title of the chart To enable microburst analysis and define what o...

Page 55: ...ort on the capture card is considered independently from all others The traffic is never combined between ports to meet a threshold If you have a 4 port 1 Gb capture card you have four independent 1 G...

Page 56: ...0005 000 0005 000 000 Bytes sec in Interval 309 672 12 338 304 61 688 484 617 826 617 826 617 826 617 826 617 826 617 826 Bytes sec in Interval with IFG 319 500 12 500 000 625 000 000 625 000 625 000...

Page 57: ...you want for the Detail Chart GigaStor Outline This tab lets you choose the appearance colors and scale of the Outline Chart The Outline chart is the bottom graph in the upper portion of the GigaStor...

Page 58: ...n pixels Graph Times allows you to set how the X axis will be displayed Clock time will show times using a 24 hour clock i e the current time Relative time will display times from the start of the act...

Page 59: ...markably accurate timing without concern for clock drift gain or loss Trading Multicast analytics Multicast is used in trading firms to deliver information on pricing volume and more Getting this info...

Page 60: ...the trading what the order ID is Observer has full decode support for FIX 4 2 4 4 along with support for all of the most significant FIX commands If you need extended capabilities for monitoring FIX b...

Page 61: ...performs in depth application analysis of each request or type of request by examining important information within the payload This information typically involves massive amounts of data often best...

Page 62: ...k If it is not you may increase or decrease it By increasing the amount of requests the amount of system resources needed to analyze the requests is also increased which means the analysis will take l...

Page 63: ...D array is failing Clean up disks to maintain performance Monitoring the RAID drives through e mail notifications The RAID array is built at the factory and then the drives are removed and packaged se...

Page 64: ...s web server 3 Type the user name and password The default user name is admin There is no default password Click OK to open the browser In the browser you can see the RAID set IDE channels Volume and...

Page 65: ...system level disk fragmentation utility you can automatically delete all of the data files that store probe instance data When disk writes begin again on a clean disk the files are written contiguous...

Page 66: ...Stor RAID array 1 Select the active probe instance and then choose Capture GigaStor Control Panel You cannot clean the array from a passive probe instance 2 Choose Tools Delete All Instance Capture Da...

Page 67: ...for the probe not even the operating system may access it even when Observer is closed By having RAM reserved specifically for the Observer probe you ensure that the probe has the memory necessary to...

Page 68: ...al information is passed to the statistical memory All packets in both the packet capture memory and the statistical queue buffer stay in memory until the buffer is full and the oldest packets are rep...

Page 69: ...layed indicating the minimum and maximum buffer size for your Observer or probe buffer For passive probe instances which are most often used for troubleshooting the default settings should be sufficie...

Page 70: ...Windows operating system Single Probes unlike Multi Probes and Expert Probes cannot use reserved memory because of their design 1 Click the Memory Management tab to display the list of probe instance...

Page 71: ...statistics queue Reserving memory allows Observer to allocate RAM for its exclusive use This ensures that Observer has the necessary memory to store packets for statistical analysis or for capturing l...

Page 72: ...memory 4 Click View to see the different types of networks and how the memory is allocated to the numerous statistics collected by Observer See Tweaking the statistics memory configuration for detail...

Page 73: ...er and the packet capture buffer passes the information to the RAID A few notes about how some buffers are used Packets received by the statistics queue buffer are processed and put in the collected s...

Page 74: ...Gen2 card The Gen2 card is only available in hardware products from Network Instruments There are additional requirements and considerations if you are using a GigaStor A GigaStor may have one of seve...

Page 75: ...he list You must increase the number of stations that may be allocated This increases the memory requirements though If you have 8 500 stations on your network you will need at least 8 500 entries whi...

Page 76: ...speeds The 40 Gb Gen2 card comes only in a two port model as seen in Figure 18 page 76 Figure 18 40 Gb Gen2 card two ports The Gen2 capture card is only available pre installed on probes from Network...

Page 77: ...oid damaging components In addition you should be careful to avoid exposure to laser radiation from optical components by keeping the dust plugs installed until you are ready to install cables Support...

Page 78: ...click Edit Port Type a useful description and click OK This description appears in the GigaStor Control Panel in Observer 9 Hardware acceleration for your virtual adapter is enabled by default General...

Page 79: ...e board s ID or view the Gen2 card s properties 1 On the GigaStor system choose Start All Programs Accessories Windows Explorer Choose My Computer and right click and choose Manage The Computer Manage...

Page 80: ...ically accurate to only within 30 milliseconds Even in the best cases NTP accuracy is only within 10 milliseconds Using the GPS Synchronization System once a second the device calibrates the oscillati...

Page 81: ...re card synchronizes with the GPS System every second Should the GPS System lose power if you have a secondary power supply or UPS it will failover and continue functioning if you do not have a second...

Page 82: ...82 GigaStor pub 25 Apr 2014 Figure 22 10 Gb Gen2 Advanced Properties...

Page 83: ...GPS 83 Chapter 15 GPS...

Page 84: ...ne where the problem is you can focus on that piece of the puzzle and you may be well on your way to solving the problem Second do not trust anyone or anything The only way to really know what your ha...

Page 85: ...g Settings General tab In the Collection Settings section change the sampling divider A probe is not connecting to the analyzer or vice versa If the probe is not connecting it could be one of several...

Page 86: ...onents to verify that the VMONI Protocol Analyzer is listed Then do one of the following If it is not installed skip to step 7 If the VMONI driver is listed remove it Select VMONI Protocol Analyzer an...

Page 87: ...ID that shows up in the VLANs column in VLAN Statistics You are not seeing all VLANs you have on the network Causes To display VLAN Statistics Observer checks each packet for a VLAN tag if no tag is p...

Page 88: ...gainst a Layer 3 Switch that uses VLANs you see only a limited number of MAC addresses which typically have multiple IP Addresses associated with them Causes Layer 3 Switches that have been configured...

Page 89: ...ylight Savings Time is controlled by the operating system When the clock rolls backwards or forwards Observer rolls with it with one exception packet capture decode Packet capture provides nanosecond...

Page 90: ...Console show interfaces gigabitethernet mod_mun port_num 3 To enable port negotiation should you remove the gigabit Observer product from the switch Console config interface gigabitethernet mod_mun po...

Page 91: ...e filtering your captures Although this will provide more space for your captures by definition you are excluding some traffic The traffic you exclude may be just the traffic you need to analyze at so...

Page 92: ...al we recommend that for every eight hard drives in your GigaStor probe that you have one replacement drive Unit Number of recommended spare drives Hours to rebuild array GigaStor 4T 8 drives 1 GigaSt...

Page 93: ...and import them into the other GigaStor probes Import Use this button to import FIX profiles that was created and exported from another Observer analyzer Export Use this button to export a FIX profile...

Page 94: ...should be completed on the GigaStor probe itself by having the software running in Observer analyzer mode rather than Expert Probe See This may require that you use Remote Desktop to access the syste...

Page 95: ...SNMP C Program Files Observer SNMP This contains any custom MIBs compiled MIBs request files and SNMP trending data Back up if you have made SNMP changes or have SNMP trending data Use Options Observ...

Page 96: ...r Restore USB drive having a matching serial number for that GigaStor For example if you have three GigaStor appliances to restore you must use three specific and separate GigaStor Restore USB drives...

Page 97: ...em restore is complete Both the GigaStor probe software and Window operating system are already licensed That information was included on the USB drive You can begin using the probe Type your login cr...

Page 98: ...r your probe Documentation and warranty information Keep this information in a safe accessible location Installing the GigaStor Upgradeable 5U Getting your probe installed is the first step to greater...

Page 99: ...ou are using a switch s SPAN mirror port no TAP is required Simply plug any straight through Ethernet cable into the SPAN mirror port on the switch into the ports on the Gen2 capture card and skip TAP...

Page 100: ...onent 2 U extension 2 8 32 flathead screws 8 10 32 panhead screws 4 1 Measure the length of your cabinet from front mounting post to rear mounting post 2 Remove the long rail component from the applia...

Page 101: ...a weight on a GigaStor while it is in the cabinet There are locking mechanisms along both sides of the appliance that prevent it from inadvertantly sliding out Pull the appliance towards you then pres...

Page 102: ...ion will result in poor read write performance until the RAID array volume is rebuilt Stickers on each drive identify which slot it should be installed in The drive labeled A1 must be installed in the...

Page 103: ...e Confirm that it clicks into place Tug each drive slightly to ensure that it is properly seated It should not move or come out Additionally you may want to visually inspect all of the drives from the...

Page 104: ...ful since most probes are in distant or physically secure locations At this point you have physically installed the hardware and connected all the cables Now you must turn on the probe and configure t...

Page 105: ...k OK Click OK again to close the Local Area Connection Properties dialog Close the Network Connections window 7 Right click the Probe Service Configuration Applet in the system tray and choose Open Pr...

Page 106: ...gardless of whether the probe is powered on If you want to use the Lights out Management features you must set the IP address for the LOM port in the probe s BIOS 1 Ensure the Lights out Management po...

Page 107: ...the media drives and system controls Two keys are provided Contact Network Instruments for additional keys which are available for a small charge Front panel LED Temperature alarms that warn you when...

Page 108: ...built at the factory and the drives are removed before being shipped to you The locations indicate where each drive should be installed Installing a drive in a location other than its preassigned slot...

Page 109: ...2 4 8 and 12 ports Additional Hardware Includes Network TAPs and media kit s Topology Support Gigabit Key Remote Capabilities Web based management Graceful power shutdown startup and reboot Pager and...

Page 110: ...media types Some products require an SFP module These are the supported media types 40 Gb QSFP Transceivers 40GBASE SR4 10 Gb Ethernet SFP Transceivers 10GBASE SR 10GBASE LR 10GBASE ER 1 Gb Ethernet S...

Page 111: ...fer size 15 18 buffer statistics 68 buffer see capture buffer and statistics buffer 68 buffers 18 20 20 20 71 72 bugtraq 45 45 C cable length 80 cables 98 capture buffer 32 bit Windows 68 64 bit Windo...

Page 112: ...abit 20 defining probe as 77 Gigabit copper 98 gigabytes 68 68 GigaStor 73 104 collision test 89 expansion units 98 104 getting started 6 hard drives installing 102 102 102 indexing 29 loss of data 63...

Page 113: ...rotocol 80 network traffic 24 network trending 20 85 Network Trending 94 network visibility 23 NIC 20 missing 86 with packet analyzers 23 NIDS 44 NIMS 20 not connecting 85 NTP 80 O Observer ports used...

Page 114: ...AM limitations 68 RAM needed for busy networks 73 Random Access Memory see also RAM 67 read performance 102 reassembling 45 recommendations 71 recovery 95 registry 94 Remote Desktop 104 reports 12 res...

Page 115: ...84 probe connection 85 slow probe system 85 VLAN Statistics tool 87 87 VLAN visibility 88 troubleshooting SPAN port 81 U UDP 25903 26 90 Update Chart button 10 USB 95 user memory 67 users 20 85 simult...

Reviews:

No comments

Related manuals for GigaStor Portable

Brand: E-line Pages: 164

Stage Piano MP8

Brand: Kawai Pages: 70

Brand: X-laser Pages: 17

Brand: Ansul Pages: 24

Brand: ENDA Pages: 2

Brand: Heinrichs Pages: 31

Brand: JBM Pages: 4

Brand: SIGRIST Pages: 84

Alyza IQ PO4-XYZ

Brand: Xylem Pages: 172

Brand: Hanna Instruments Pages: 11

Brand: Liquid Controls Pages: 16

Brand: Megasat Pages: 25

Brand: Thermocable Pages: 10

Brand: Oceanic Pages: 64

Brand: J-TECH Pages: 3

Brand: SV Pages: 88

Brand: PKP Pages: 7

Brand: GCI Pages: 44

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands