Suspected NAT or VPN issues | 89
Protocol Distribution, Size Distribution Statistics, Top Talkers –MAC (by hardware Address) will now show data by
Port.
Suspected NAT or VPN issues
If you use network address translation (NAT) in your environment, you must make some configuration changes
in Observer. Using the TCP/IP port information in
Ports used by Network Instruments products (page 26)
should be able to set up the NAT properly.
If the probe is outside the network where Observer is running, you must forward port 25901 from the probe’s
address to the system running Observer.
When redirecting the probe, you must specify the NAT outside IP address instead of the address that Observer
puts in automatically. By default, Observer tries to use its local IP address, which the probe will not be able to
find. Select “Redirect to a specified IP address” in the Redirecting Probe or Probe Instance dialog and type the
VPN client’s IP address.
Running Observer passively affects NetFlow
When analyzing a link using a TAP, which is common, Observer runs “passively.” Passive operation guarantees
that analysis will not affect the link; however, it does have some implications when running NetFlow. Because
there is no link over which the system can transmit packets or frames, the following features are unavailable:
Traffic Generation
Collision Test
Replay Packet Capture
Daylight Savings Time
Observer is not coded with a specific date in mind. Daylight Savings Time is controlled by the operating system.
When the clock rolls backwards or forwards Observer rolls with it, with one exception: packet capture/decode.
Packet capture provides nanosecond time resolution, which none of the rest of the product does. Because of
this, packet capture does not rely on the system clock to provide time stamps. It relies on the processor time
ticks. When Observer opens it requests the system time and the number of processor time ticks and uses those.
This allows Observer to know what date and time it is when a packet is seen.
Because the Observer only asks the operating system for the system time when Observer is started, packet
capture does not know that the time has jumped forward or backward. To get this to happen you need restart
Observer after the time change. It is that simple.
Configuring Cisco 6xxx switches using a SPAN port to a full-duplex Gigabit
Probe
When using a full-duplex Gigabit Probe to capture directly from a SPAN/mirror port, use a straight-through cable
from the Gigabit port on the switch to either port A or B on the Gigabit card in the probe. Do not use the Y-cable
or TAP (the TAP and Y-cable should only be used inline).
To use the Observer analyzer with the Cisco 6xxx switch, you must disable auto negotiation. With auto
negotiation enabled, the switch and probe may create a link when first starting the probe, but if the cable is
unplugged or if a configuration change to the SPAN/mirror port is applied, you will lose connectivity to the
switch. To turn auto negotiation off on the switch, follow the directions based on the OS you are using on your
switch.