Gebruiksaanwijzing /service van het product GigaStor 114ff van de fabrikant Network Instruments
Ga naar pagina of 146
1 rev. 1 GIGAST OR ™.
.
3 rev. 1 GigaS to r U ser Guide.
4 rev. 1 Trademark Notices ©2008 Netwo rk Instru ments,® L LC. All rig hts reserv ed. Network Instruments, Observer® Gen2,TM and all associated logo s are trademarks or registered trademarks of Network Instruments, LLC.
5 rev. 1 Limited Warranty—Software Network Instruments, LLC (“DEVELOPER”) warrants that for a pe riod of sixty (60 ) days from the date of shipment from DEVELOPER: (i) the media on which the SOF.
6 rev. 1 Ownership and Confidential ity END-USER ag rees that Networ k Instrument s, LLC owns all relevant copyr ights, tr ade secrets and al l intellectua l property related to the SOFTWARE. End User License Agreement (EULA) PLEASE READ THIS SOFTWARE LICENSE AGREEMENT CARE FULLY BEFORE DOWNLOADING OR USING THE SOFTWARE.
7 rev. 1 Technical Support Network Instrume nts provid es techn ical sup port by ph one (d epending on where you are l ocated): US & countries outside Eu rope at (952) 358-380 0 UK and Euro pe at .
8 rev. 1.
9 rev. 1 Co n t e n t s Chapter 1: About the GigaStor GigaStor ve rsions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Chapter 2: Installing Your GigaStor Unpacking and inspectin g the parts .
10 rev. 1 Tapping a WAN co nnection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 T1/E1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11 rev. 1 Chapter 7: Observer on the GigaStor Using the Observer co nsole loc ally on th e GigaStor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 0 8 Chapter 8: Probe Instances What is a p robe inst ance? . . . . . . .
12 rev. 1.
Chapter 1 About the GigaStor 13 rev. 1 C h a p t e r 1 A b out the GigaSt or.
GigaStor versions Chapter 1 About the GigaStor 14 rev. 1 GigaStor v ersions The GigaStor is an e nterprise-strength network prob e appliance . The GigaStor combines a multi-teraby te , high-performance Redundant Array of Independent Disks (RAID) with a dedicated, high-speed network cap ture card in a mo dular , easy-to-deplo y appliance .
GigaStor versions Chapter 1 About the GigaStor 15 rev. 1 possible to us e the same probe to monitor different ty pes of links as needed. For example , you can easily convert the capture c ard from optical to copper , allowi ng you to connect the GigaS tor to different test access points (T APs) or switch port analyzer (SP AN) or mirror interfaces .
GigaStor versions Chapter 1 About the GigaStor 16 rev. 1.
Chapter 2 Installing Your Giga Stor 17 rev. 1 C h a p t e r 2 Installing Y our GigaSt or.
Unpacking and inspecting the parts Chapter 2 Installing Your GigaStor 18 rev. 1 The gener al steps to in stall your GigaStor a re: F “Unpacking and inspecting the parts” on page 18 F “Installing.
Installing the GigaStor and connecting the cable s Chapter 2 Installing Your Giga Stor 19 rev. 1 Installing the GigaSt or and connec ting the cables 1 Install the GigaStor and any expans ion units in to your rack using the supplied r ails . Instructio ns for installing the r ail kits ar e provided in the r a il kit box.
Setting the GigaStor’s IP address Chapter 2 Installing Your GigaStor 20 rev. 1 4 Ensure that each drive’s power/activit y light is lit. If a drive’s light is not lit, it is likely that the dr ive is not seated properly . T urn off the GigaStor and reseat the driv es .
Setting the GigaStor’s IP address Chapter 2 Installing Your Giga Stor 21 rev. 1 F igure 3 Probe Ser vice Configuration Applet 10 The Probe Administration wi ndow opens . Click the P robe Options tab (Figure 4). Fi g u re 4 P ro b e O pt i o n s 11 Change the name of the probe to something meaningful to yo u.
Connecting Ob server to the Gi gaStor Chapter 2 Installing Your GigaStor 22 rev. 1 C onnec ting Obser ver to the GigaStor This section assumes you ha ve already installed Observer on your desktop or laptop . If not, install th e software . Y ou can d ownload fr om the Network Instrument s website .
Connecting Observer to the GigaStor Chapter 2 Installing Your Giga Stor 23 rev. 1 F igure 6 Edit Remote P robe Entr y 4 T ype the IP address that you assi gned to the GigaStor in step 7 in “Setting the GigaStor’s IP addres s” on page 19 and click OK.
Connecting Ob server to the Gi gaStor Chapter 2 Installing Your GigaStor 24 rev. 1 Fi g u re 8 P ro b e I n s t a n ce R e d i re c ti o n 6 Select the probe instance and clic k Redirect Selected Instance .
Connecting Observer to the GigaStor Chapter 2 Installing Your Giga Stor 25 rev. 1 1 Click Probe Admini stration (see Figure 7). The Probe Administr ation Login wind ow opens . F igure 10 Remote P robe A dministration 2 Ensure “Login using a user account configured for this Probe” is selected and click OK.
Connecting Ob server to the Gi gaStor Chapter 2 Installing Your GigaStor 26 rev. 1 By default all of the installed memory on th e GigaStor is dedicated for one probe instance . Y ou must first release the memory so that you can assign the freed memory to other probe instances .
Connecting Observer to the GigaStor Chapter 2 Installing Your Giga Stor 27 rev. 1 Fi g u re 13 G ig a S t o r I n s t a n ce s 7 Click New Instance . Figure 14 appears . F igure 14 Edit Pr obe I nstance: Name 8 Y ou are configuring a Gi gaStor probe to capture data and write it to the hard drive .
Connecting Ob server to the Gi gaStor Chapter 2 Installing Your GigaStor 28 rev. 1 Figure 1 5 Ed it Prob e I nst ance : Con fig ure M em or y 9 F rom the RA M that you released ea rlier , assign some of it to this probe instance and click Next.
Connecting Observer to the GigaStor Chapter 2 Installing Your Giga Stor 29 rev. 1 11 Repeat step 7 through st ep 10 unti l you have created all of your probe instances . Any unus ed memory should be reallocated to the packet capture buffer of the act ive probe instance or to the operating system.
Connecting Ob server to the Gi gaStor Chapter 2 Installing Your GigaStor 30 rev. 1 F igure 18 G igaStor Setting s Schedule tab 3 In the Sched ule GigaStor Captu re section, selec t Always . For more information about a packet cap ture vs . GigaStor capture , see “P acket Capture or GigaS tor Capture” o n page 53.
Configuring Observer for your Gigabit device Chapter 2 Installing Your Giga Stor 31 rev. 1 C onfiguring Obser v er for y our Gigabit devic e Depending o n your probe and your network, you may need to mak e some changes from th e factory defaults .
Configuring Observer for your Gi gabit device Chapter 2 Installing Your GigaStor 32 rev. 1 F igure 19 Gigabit tab C onfiguring T erms of Ser vice and Quality of Ser vic e settings The T oS/QoS settings are co nfigu red for each probe . 1 Select the gigabit prob e and right-click.
Configuring Observer for your WAN device Chapter 2 Installing Your Giga Stor 33 rev. 1 F igure 20 T oS/Q oS tab C onfiguring Obser v er for y our W AN devic e There are a number of se tup options and statistical displays u nique to W AN Observ er , which are d escribe d in the following sub sections .
Configuring Observer for your WAN device Chapter 2 Installing Your GigaStor 34 rev. 1 Digital DS3/E3/HSSI Probe Settings T o access the probe settings , select the probe , right-click and choose Probe or Device S ettings . Th en click the DS3/E3/HSSI ta b (Figure 21).
Configuring Observer for your WAN device Chapter 2 Installing Your Giga Stor 35 rev. 1 Digital T1/E1 Pr obe S ettings T o access the probe settings , select the probe , right-c lick and choose Probe or Device Settings . Then click the T1/E1 tab (Figure 22).
Configuring Observer for your WAN device Chapter 2 Installing Your GigaStor 36 rev. 1 Ser ial T1 /E1 P robe Setti ngs T able 3 describes fi elds fo r a serial T1/E1 connection. Table 3 Serial T1 /E1 probe settings Setting Explanation WAN/Frame Relay Type Choose T1 or E1 t o match the type of link you are analyzing.
Tapping an Ethernet or Fibre Channel connection Chapter 2 Installing Your Giga Stor 37 rev. 1 T apping an Ethernet or F ibre Channel c onnec tion This section describes how to connect the cables for t.
Tapping an Ethernet or Fibre Channel connection Chapter 2 Installing Your GigaStor 38 rev. 1 F igure 23 Gen2 car d por t assignments 6 Use the supplied Ethernet cable to connect the ne twork interfa ce card in the GigaStor to the network. N OTE : S TRAIGH T - THROUGH C ABLE If you are using a switch ’s SP AN/ mirror port, no n TA P i s required.
Tapping an Ethernet or Fibre Channel connection Chapter 2 Installing Your Giga Stor 39 rev. 1 F igure 24 GigaSto r with an optical n TA P TX RX Gigabit Switch (DCE) Server (DTE) 10/100/1000 NIC for TC.
Tapping an Ethernet or Fibre Channel connection Chapter 2 Installing Your GigaStor 40 rev. 1 Gigabit c opper The Gigabit copper kit includes: Q Copper n TA P Q 1, 2, or 4 standard Ethernet cables Q 2,.
Tapping an Ethernet or Fibre Channel connection Chapter 2 Installing Your Giga Stor 41 rev. 1 6 Use the supplied Ethernet cable to connect the ne twork interfa ce card in the GigaSto r to the network. N OTE : P ASS - THR OUGH C ABLE If you are using a switch ’ s SP AN/mirror port, no n TA P i s required.
Tapping a WAN connection Chapter 2 Installing Your GigaStor 42 rev. 1 T apping a W AN connec tion This section describes how to connect the cables for these environments: Q “T1/E1” on page 42 Q “DS3/E3” on page 46 T1/E1 See “Digital” on page 42 or “Serial” on page 44 de pending on y our needs .
Tapping a WAN connection Chapter 2 Installing Your Giga Stor 43 rev. 1 Now that you ha ve physically conn ected the cables fo r the GigaStor, you must now configu re its softw are .
Tapping a WAN connection Chapter 2 Installing Your GigaStor 44 rev. 1 Serial The serial T1/E1 kit includes: Q One se rial T1/E 1 W AN T AP Q One serial Y cable Q One serial T1 W AN cable 1 If you have a GigaSt o r Expand able , see “Con necting the GigaStor Expandable to th e expansion unit s” on page 52 for deta ils about connecting them.
Tapping a WAN connection Chapter 2 Installing Your Giga Stor 45 rev. 1 F igure 28 W AN Seria l T1/E1 T AP Router (DCE) CSU/DSU (DTE) 10/100/1000 NIC for TCP/IP GigaStor or GigaStor Expandable Serial T.
Tapping a WAN connection Chapter 2 Installing Your GigaStor 46 rev. 1 DS3/E3 See “Digital” on page 46 or “Seria l/HSSI” on page 48 depend ing on your needs .
Tapping a WAN connection Chapter 2 Installing Your Giga Stor 47 rev. 1 Fi g u re 29 D S3 / E 3 T A P POWER DTE E3 LOF LOS IN OUT DCE LOF LOS IN OUT OUT (TX) IN (RX) RX RX DS3 Line (DCE) CSU/DSU (DTE) .
Tapping a WAN connection Chapter 2 Installing Your GigaStor 48 rev. 1 Serial/HSSI The serial DS3 kit includes: Q One seri al DS3/E3 T A P Q One HSSI Y -cable Q One HSSI cable Q One Ethernet cable 1 If.
Tapping a WAN connection Chapter 2 Installing Your Giga Stor 49 rev. 1 F igure 30 W AN HSSI Router (DCE) CSU/DSU (DTE) 10/100/1000 NIC for TCP/IP GigaStor or GigaStor Expandable HSSI TAP Observer Cons.
Installin g the driv es in your GigaStor Chapter 2 Installing Your GigaStor 50 rev. 1 Installing the driv es in y our GigaStor C AUTI ON H ANDLING THE D RIVE S Be especially careful when handling and installing the hard drives . P roper handli ng is paramount to the longevity of the unit.
Installing the drives in your GigaStor Chapter 2 Installing Your Giga Stor 51 rev. 1 Figure 31 shows how the dr ive numbers correspond to slot locations .
Installin g the driv es in your GigaStor Chapter 2 Installing Your GigaStor 52 rev. 1 C onnec ting the GigaStor Expand able to the expansion units After you have installed the drives Use the supplied cables to connect the expansion units to the GigaStor Expandable .
Chapter 3 Packet Capture or GigaStor Capture 53 rev. 1 C h a p t e r 3 P ack et Captur e or GigaSt or Captur e.
Capturing Packets with the GigaStor Chapter 3 Packet Capture o r GigaStor Capture 54 rev. 1 C apturing Pa ckets with the GigaS tor A GigaStor can accumulate terabytes of stored network tr affic . T o manage the sheer volume of da ta, the GigaStor includes an alternative , spec ialized capture and analysis control pan el.
Packet capture buffer and statistics buffer Chapter 3 Packet Capture or GigaStor Capture 55 rev. 1 However , if you are pushing the li mits of the system on which the probe is installed by creating many probe instances , you may be able to a void some performance problems by fine-tuning the memory allocation for each probe instance .
Packet capture buffer and statistics buffer Chapter 3 Packet Capture o r GigaStor Capture 56 rev. 1.
Chapter 4 GigaStor Control Panel 57 rev. 1 C h a p t e r 4 GigaS tor C o n trol P anel.
Chapter 4 GigaStor Control Panel 58 rev. 1 Once the GigaS tor is up and running on the n etwork, you can run Expert Observer or Observer Su ite to connect to the GigaStor running as a probe to begin a.
Display Contr ols Chapter 4 GigaStor Control Panel 59 rev. 1 etc ., by clicking on the ap propri ate tab and selecting the items you want to see on the time li ne chart. Displa y C ontrols Charts and statistical tables are refreshed on ly when you click the Update Chart or Update Statistics b utton.
Right-click menus Chapter 4 GigaStor Control Panel 60 rev. 1 Right- click menus As with other Observer disp lays , th e charts and tables of the GigaStor control pan el offer many right-cl ick shortcuts .
Analyze button Chapter 4 GigaStor Control Panel 61 rev. 1 Analy ze but ton F igure 36 Giga Stor Contr ol P anel Analyze button When you click the Analyze button to view the results , you are prompted to select how to filter the packet captu re for display (Figure 37).
Analyze button Chapter 4 GigaStor Control Panel 62 rev. 1 F igure 37 Gig aStor Analysis Options wind ow T able 4 describes what the fields in the various sections control.
Configuring the GigaStor through the Control Panel Chapter 4 GigaStor Control Panel 63 rev. 1 C onfiguring the GigaS tor through the C ontrol P anel Ju st as with the standard Observer pac ket capture interface , you c an set the colors of the capture graph and schedule captures to be automatically launched (o r to run all the time).
Configuring the GigaStor through the Control Pane l Chapter 4 GigaStor Control Panel 64 rev. 1 GigaStor Options tab This tab lets you c onfigure many op tions for the GigaStor. Follow the instructions in “C onfiguring the GigaS tor through the Contro l P anel” on page 63 to open the G igaStor Options tab (Figure 39).
Configuring the GigaStor through the Control Panel Chapter 4 GigaStor Control Panel 65 rev. 1 Table 5 GigaStor Options tab Field Description Capture Buffer size Allows you to se t the amount of Windows memory that Observer will dedicate to th e capture buffe r cache for this instance.
Configuring the GigaStor through the Control Pane l Chapter 4 GigaStor Control Panel 66 rev. 1 Start/Stop Packet Capture marker frames When checked, saved pa cket capt ure buffers will include markers that timest amp when packet capt ures were started and stopped.
Configuring the GigaStor through the Control Panel Chapter 4 GigaStor Control Panel 67 rev. 1 GigaStor Char t tab This tab lets you c hoose the app earance , colors , and scale of the GigaStor Control P anel’s time line ch art.
Configuring the GigaStor through the Control Pane l Chapter 4 GigaStor Control Panel 68 rev. 1 F igure 41 GigaStor Outline.
Configuring the GigaStor through the Control Panel Chapter 4 GigaStor Control Panel 69 rev. 1 C apture Graph tab Click Settings and the tab for the ty pe of graph or chart for which you want to set the display properties .
Configuring the GigaStor through the Control Pane l Chapter 4 GigaStor Control Panel 70 rev. 1 GigaStor Schedule tab This tab lets you sch edule GigaSto r pa cket captures to occur at preset times and days of the week.
Configuring the GigaStor through the Control Panel Chapter 4 GigaStor Control Panel 71 rev. 1 Q Choose D aily at specified times or By day -of-week at specified times to automatical ly schedule packet captures during the s pecified time inte rv als (which you can add by clicking the Add bu tton at th e bottom of the dialog; see below).
Configuring the GigaStor through the Control Pane l Chapter 4 GigaStor Control Panel 72 rev. 1 F igure 44 Statistics Lists tab Subnet Y ou can specify subnet properties for the GigaStor. Follow the instructions in “C onfiguring the GigaS tor through the Contro l P anel” on page 63 to open the Su bnet tab (Figure 4 5).
Configuring the GigaStor through the Control Panel Chapter 4 GigaStor Control Panel 73 rev. 1 F igure 45 GigaSt or Subnet tab Figure 46 shows how the su bnet settings show up in the GigaStor Control P anel.
Configuring the GigaStor through the Control Pane l Chapter 4 GigaStor Control Panel 74 rev. 1 F igure 46 Subne t and IP Stations.
Configuring the GigaStor through the Control Panel Chapter 4 GigaStor Control Panel 75 rev. 1 Giga Stor r eports There are several default reports a vailable for you. 1 F ollo w the instructions in “Confi guring the GigaS tor through the Control P anel” on pag e 63 to open the GigaStor Reports tab (Figure 47).
Configuring the GigaStor through the Control Pane l Chapter 4 GigaStor Control Panel 76 rev. 1 F igure 48 R epor t Setup 3 Use the arrow butto ns to position graphs and tables on your report . 4 Double-click a section of the report to modify its caption, detail, and number format (Figure 48).
Configuring the GigaStor through the Control Panel Chapter 4 GigaStor Control Panel 77 rev. 1 Expor t Y ou can export your GigaS tor-collected data on a sc heduled basis . Use the Export tab to configure when an d to where your data is saved or to manually exp ort your data.
Configuring the GigaStor through the Control Pane l Chapter 4 GigaStor Control Panel 78 rev. 1.
Chapter 5 Using Observer with a WAN Probe 79 rev. 1 C h a p t e r 5 U sing Obser v er with a W AN Probe.
Discover Network Names Chapter 5 Using Observer with a WAN Probe 80 rev. 1 In general, the W AN analysis works much like Ethernet analysis . One difference is that, when appropriate , Observer identifies W AN link s by their Data Link Connection Identi fier (DLCI) r ather than by MAC address as is done with standard pr otocol analysis .
Discover Network Name s Chapter 5 Using Observer with a WAN Probe 81 rev. 1 T o set the CIR for a DLCI or group of DLCIs 1 Choose T ools → Discover Netw ork Names . The Discover Network Names p ane opens . 2 In the pane , click the edit DLCI CIR button on the Discover Network Names mode window (Figure 51).
WAN Bandwidth Utilization Chapter 5 Using Observer with a WAN Probe 82 rev. 1 5 Click OK when you are done . For encapsulations th at do not use DLCI (such as X.
WAN Vital Signs by DLCI Chapter 5 Using Observer with a WAN Probe 83 rev. 1 W AN V ital Signs by DL CI In Observer , the Network Vi tal Sign s display is replaced by the W AN V ital Signs by DLCI mode . This mode provides a summary of the errors occurring o n a W AN link (E1/T1/D S3/E3).
WAN Load by D LCI Chapter 5 Using Observer with a WAN Probe 84 rev. 1 WA N L o a d b y D LC I In a W A N installation, Observer’ s N etwork Activity Display is called W AN Load by DLCI. This mode show s critical W AN transfer r ate and congestion statistics in a n umber of formats .
WAN Load by DLCI Chapter 5 Using Observer with a WAN Probe 85 rev. 1 Fi g ur e 55 WAN L o a d b y D LCI The W AN Load by DLCI mode can be viewed as a dial, graph, or list display . Except f or list view , there are no setu p options for W AN Load by DLCI mod e .
WAN Top Talkers Chapter 5 Using Observer with a WAN Probe 86 rev. 1 F igure 57 W AN Load by DL CI Graph View The W AN Load display in graph view shows these same statistics (transfer r ate , CRC error rate , and FECN/BEC N frame r ates) as superimposed spike meters .
WAN Filtering Chapter 5 Using Observer with a WAN Probe 87 rev. 1 second, etc .) that apply to W AN is a subset of th ose a vailable for standard network analysis . F or encap sulations that do not use DLCI (such as X.25), the co rr ect address value is show n even though it is still labeled DLCI.
Triggers and Alarms Chapter 5 Using Observer with a WAN Probe 88 rev. 1 Fi g u re 59 A c ti v e Fi l t e r s T riggers and Alarms W AN Observ er adds W AN-relate d criteria to the standard T riggers and Alarms mode . 1 Click the A larm Settings button loc at ed in the lower left corner of Observer’ s main window .
Trigge rs and Alar ms Chapter 5 Using Observer with a WAN Probe 89 rev. 1 F igure 61 P robe Alarm Settings 4 Select the alarms you w ant set. 5 Click the T riggers tab to set the cr iteria by which the alarms will be triggered.
Triggers and Alarms Chapter 5 Using Observer with a WAN Probe 90 rev. 1 Most W A N alarms can be set on the DT E or DCE side or b oth. The Committed Informatio n Rate display ed is that which yo u set in Discover Network Names mode . See “Setting the Committed Information Rate (CIR) for a DLCI” on page 80.
Chapter 6 Forensic An alysis us ing Snort 91 rev. 1 C h a p t e r 6 F orensic A naly sis using Snor t.
Starting Forensic Analysis using Snort rules Chapter 6 Forensic Analysis using Snort 92 rev. 1 F orens ic Analysis , exclusive to the G igaStor version of Observer , is a powerful tool for s canning hig h-volume pa cket captur es for intru sion signatures and other traf fic patterns that can be specified using the familiar Snort ru le syntax.
Starting Forensic Analysis using Snort rules Chapter 6 Forensic An alysis us ing Snort 93 rev. 1 that of native Snort. When you import a set of Snort rul es that includes configuration settings , Obse rver imports rules classifications , but uses its ow n defaults fo r the preprocessor set tings .
Starting Forensic Analysis using Snort rules Chapter 6 Forensic Analysis using Snort 94 rev. 1 F igure 64 Gig aStor Analysis Opti ons - Forensic Analy sis section If you already have a forensic analys is profile , you choo se the profile from the Profile list (Figure 64) an d click OK.
Starting Forensic Analysis using Snort rules Chapter 6 Forensic An alysis us ing Snort 95 rev. 1 F igure 66 GigaStor Analysis Options 3 Select the profile that y ou want or click Edit. 4 Click the Se ttings Profile Edit bu tt on to view and define the fields as you need.
Starting Forensic Analysis using Snort rules Chapter 6 Forensic Analysis using Snort 96 rev. 1 If this is the first time forensic an alysis has been run, you must import some rules . 5 Click the Import Sn ort Files button to displ ay a file selection dialog .
Starting Forensic Analysis using Snort rules Chapter 6 Forensic An alysis us ing Snort 97 rev. 1 Fi g u re 69 R ul e s t a b 9 Select the boxes n ext to the rule s you want to enable . The right- click menu has options to enabl e/disable all rules , and to show the actual Snort rule that w as im ported.
Starting Forensic Analysis using Snort rules Chapter 6 Forensic Analysis using Snort 98 rev. 1 10 Click OK to close the Forensic Analysis Profile dialog . Click OK again to close the Forensic Settings dialog . Click OK to close the GigaStor Analysis Options dialog .
Starting Forensic Analysis using Snort rules Chapter 6 Forensic An alysis us ing Snort 99 rev. 1 results , you may want to adju st preprocess or settings t o eliminate these conditions . In truders often attempt to exceed the limitations of forensi c analysis to hide malic ious content.
Forensic Analysis Profile field descriptions Chapter 6 Forensic Analysis using Snort 100 rev. 1 right-click menu. Y ou can also jump to the Deco de display of the packet that triggered the alert. F orensic Analy sis Profile field descriptions This sectio n describes in detail the fields on the Settings and Rules tab .
Forensic Analysis Profile field descriptions Chapter 6 Forensic An alysis us ing Snort 101 rev. 1 Table 8 Forensic Analys is Profile Settings tab Field Description Settings Profile Settings Profiles provide a mechanism to save and load different preprocessor settings, and share them with other Observer consoles.
Forensic Analysis Profile field descriptions Chapter 6 Forensic Analysis using Snort 102 rev. 1 TCP Stream Reassembly (Continued) Q Log preprocessor events—Checking this box causes forensic analysis to display all activity generated by the TCP stream assembl y preprocessor to the log.
Forensic Analysis Profile field descriptions Chapter 6 Forensic An alysis us ing Snort 103 rev. 1 TCP Stream Reassembly (Continued) Q Reassembly error action—Discard and fl ush writes the reassembl ed stream for analysis, exclud ing the packet that caus ed the error.
Forensic Analysis Profile field descriptions Chapter 6 Forensic Analysis using Snort 104 rev. 1 HTTP URI Normalization (Continued) Q Normalize percent-U encodings—Con vert Micro soft-style %u-encoded characters to standard format. The se cond check box allows you to ena ble logging when such encoding is encountered during preprocessing.
Forensic Analysis Profile field descriptions Chapter 6 Forensic An alysis us ing Snort 105 rev. 1 ARP Inspection Ethernet uses Address R esolution Prot ocol (ARP) to map IP addresses to a particular machine (MAC) addresses.
Forensic Analysis Profile field descriptions Chapter 6 Forensic Analysis using Snort 106 rev. 1 Rules tab The web site www .snort.org provides S nort rule documentati on, and downloadable rule sets . There are three sets of rules av ailable at www .snort.
Chapter 7 Observer on the GigaStor 107 rev. 1 C h a p t e r 7 Obser v er on the G igaStor.
Using the Observer console locally on the GigaStor Chapter 7 Observer on the GigaStor 108 rev. 1 U sing the Obser ver c onsole locally on the GigaStor Depending on how you want or n eed to use Observe.
Using the Observer console locally on the GigaStor Chapter 7 Observer on the GigaStor 109 rev. 1 F igure 74 Probe Options 3 In the Service Settings section, cl ear the “Run Probe as a Windows Service” option a nd click OK. Thi s uninstalls the Network Instrumen ts Expert Probe serv ice from Windows .
Using the Observer console locally on the GigaStor Chapter 7 Observer on the GigaStor 110 rev. 1 5 Choose Options → Swit ch between Observ er and Expert Probe Interface . The Choose Program Interface window opens . 6 Choose Observer and click OK. Y ou must close Observe r and restart it to swi tch into the con sole interface .
Chapter 8 Probe Instances 111 rev. 1 C h a p t e r 8 Pr obe Instanc es.
What is a pr obe instance? Chapter 8 Probe Instances 112 rev. 1 Wha t is a probe instanc e? T IP ! F or instructions on settin g up a probe instance , see “Probe administration” on page 24. Observer uses probes to capture ne twork data. In some cases you may want or need more than one prob e in a specific location.
What is a probe instance? Chapter 8 Probe Instances 113 rev. 1 instances to the Gen2 adapter if at al l possible . A copy of all packets are sent from the ad apter to every passive probe instance attached to it. I f you have several passive probe instances attached to th e Gen2 adapter , the Gen2’ s performance is significantly affected.
What is a pr obe instance? Chapter 8 Probe Instances 114 rev. 1 N OTE : By default there is one active probe instance for GigaStor. It binds to the networ k adapter an d its ports .
Chapter 9 G en2 Capture Card 115 rev. 1 C h a p t e r 9 Gen2 Captur e C ard.
Swapping the Gen2 card’s SFP or XFP interfaces Chapter 9 Gen2 Capture Card 116 rev. 1 The Gen2 card is designed a nd manufactured by Network Instrume nts and i s optimi zed for the GigaStor. The Gen2 card comes in two , four , or eight port model s .
Configuring virtual adapters o n the Gen2 card Chapter 9 G en2 Capture Card 117 rev. 1 Q P orts 1-4 are monitoring a colle ction of trunked l inks Q The remaining ports are each connected to the SP AN.
Configuring virtual adap ters on the Gen2 card Chapter 9 Gen2 Capture Card 118 rev. 1 F igure 78 Assign P or t to Virtual Adapter: Default view 3 Select the ports to remove and cl ick Remov e . This places them in the A v ailable P orts list. 4 Change the name of the adapter to something mean ingful to y ou and click OK (Figure 79).
Configuring virtual adapters o n the Gen2 card Chapter 9 G en2 Capture Card 119 rev. 1 F igure 80 Edit Port Description 9 Repeat step 5 through st ep 8 until you have created all of your virtual adapters and given descript io ns to your port s . The adapters appear in the list of adapters presented when y ou create a probe instance .
Viewing the Gen2 card’s properties and finding the board’s ID Chapter 9 Gen2 Capture Card 120 rev. 1 10 Right-click the GigaStor probe and choose Administer Selected Probe from the menu. Log in to the probe . 11 Click the GigaStor Instance s tab along the bottom.
Viewing the Gen2 card’s properties and finding the board’s ID Chapter 9 G en2 Capture Card 121 rev. 1 2 In the tree on the left, select Device Ma nager .
Viewing the Gen2 card’s properties and finding the board’s ID Chapter 9 Gen2 Capture Card 122 rev. 1 This tab shows all active physical ports on the Gen2 card and the board’s ID . The “Interr upt enabled” and “DMA enabled” lights are light green when Observer is running and dark green when Observer is not running .
Appendix A TCP/IP ports, NAT, and VPN 123 rev. 1 A p p e n d i x A T CP/IP por ts , NA T , and VPN.
TCP/IP ports Appendix A TCP/IP ports, NAT, and VPN 124 rev. 1 This section discusses the TCP/ IP ports , NA T , and V PN . T CP/IP por ts Observer and all Network Ins truments probes use ports 25901 and 25903 to communicate . Th ese ports are register ed ports to Netw ork Instruments .
VPN Appendix A TCP/IP ports, NAT, and VPN 125 rev. 1 F igure 86 NA T If the Observer is outside the network where the probe is ru nning, you must forw ard port 25903 from the Observer’ s address . Y ou must use the NA T outside IP address as th e probe’s IP address when trying to redirect and/or administer the probe f rom Observer.
VPN Appendix A TCP/IP ports, NAT, and VPN 126 rev. 1.
Appendix B GigaStor, GigaStor Expandable, and Expansion Unit C ases 127 rev. 1 A p p e n d i x B GigaSt or, GigaStor Expandable , and Expansion Unit C ases.
GigaStor Appendix B GigaStor, GigaStor Expandable, and Expansion Unit Cases 128 rev. 1 GigaS tor Figure 87 shows the front of the GigaStor. F igure 87 GigaStor 13 9 5 1 14 10 6 2 15 11 7 3 16 12 8 4 1.
GigaStor Expandable Appendix B GigaStor, GigaStor Expandable, and Expansion Unit C ases 129 rev. 1 GigaStor Expandable C ontroller unit F igure 88 G igaStor Expandable controller P owe r Button Reset .
GigaStor Expandable Appendix B GigaStor, GigaStor Expandable, and Expansion Unit Cases 130 rev. 1 Figure 89 shows the back of the GigaStor Expandable .
GigaStor Expandable Appendix B GigaStor, GigaStor Expandable, and Expansion Unit C ases 131 rev. 1 Figure 91 shows the back of the e xpansion un it. F igure 91 Expansion unit r ear view Table 12 Expan.
GigaStor Expandable Appendix B GigaStor, GigaStor Expandable, and Expansion Unit Cases 132 rev. 1.
Appendix C GigaStor Portable 133 rev. 1 A p p e n d i x C GigaStor P or table.
Appendix C GigaStor Portable 134 rev. 1 The portable GigaStor offers full-d uplex packet captu re and analysis at wire speed. Depending on which version y ou ordered, th e system includes everything y.
Appendix C GigaStor Portable 135 rev. 1 F igure 92 P o rt able Analysis Platform System T our Y our GigaStor includes a number of components . T ake a moment after unpacking the system to ensu re that you received all the parts .
Running Observer passively Appendix C GigaStor Portable 136 rev. 1 F igure 93 P or table GigaStor Gigabit and Fibre C hannel systems ha ve an appropriate copper or optical n T AP installed in the drive bay on the right sid e of the system. W AN system T APs are shi pped separat ely .
Using the portable GigaStor as a probe Appendix C GigaStor Portable 137 rev. 1 Dynamic Host C ontrol Protocol (DHCP). For most applicati ons of Observer , you should assi gn an address to the analyzer rather than depending on the DHCP assignment.
Using the portable GigaStor as a probe Appendix C GigaStor Portable 138 rev. 1.
Numerics – D Index 139 rev. 1 Legend: ff=Figure, t=Table Inde x Numerics 10 Gigabit Ethernet 14, 37, 116 Gen2 card 37 GigaStor Portable 134 tapping 19 10/100/1000 37 25901 124 25903 124 A alarms WAN.
E–G Index 140 rev. 1 Legend: ff=Figure, t=Table T1/E1 42 WAN alarms 90 WAN statistics 80, 82–83 DCE BECN under CIR 84 DCE FECN under CIR 84 DCE Kbits/s Avg 84 DCE KBits /s Max 84 denial of service.
H–I Index 141 rev. 1 Legend: ff=Figure, t=Table daughter b oard 38 DMA enabled 122 Fibre Channel 37 filter ports 66 Gigabit 37 Gigabit copper 40 Interrupt enabled 122 mirror port 38 passive probe in.
L–P Index 142 rev. 1 Legend: ff=Figure, t=Table L LAPB 34–35 load preprocess settings 101 preprocessor 113 M MAC address 105 DLCI instead of 80 excluding 65 statistics 71 Top Talkers 86 MAC addres.
Q–V Index 143 rev. 1 Legend: ff=Figure, t=Table Probe Properties T1/E1 Tab 35 Probe Service Configuration Applet 21ff, 108ff Q QLogic 19 Quality of Service 32 R RAID 14, 113–114, 128, 131 RAM see .
W–X Index 144 rev. 1 Legend: ff=Figure, t=Table virtual adapter 114ff probe instances 119–120 Virtual Adapters tab 119ff VPN 125 W WAN alarms 80, 88 analysis 80 analyzing 33 bandwidth 80 CIR 80 co.
145 rev. 1.
146 rev. 1 ww w .networkinstruments.c om © 2008 Network Instruments, LL C. All rights r eser ved. Network Instruments , Obser ver , and all associated logos ar e regist ered trademarks of Network Instruments , LL C.
Een belangrijk punt na aankoop van elk apparaat Network Instruments GigaStor 114ff (of zelfs voordat je het koopt) is om de handleiding te lezen. Dit moeten wij doen vanwege een paar simpele redenen:
Als u nog geen Network Instruments GigaStor 114ff heb gekocht dan nu is een goed moment om kennis te maken met de basisgegevens van het product. Eerst kijk dan naar de eerste pagina\'s van de handleiding, die je hierboven vindt. Je moet daar de belangrijkste technische gegevens Network Instruments GigaStor 114ff vinden. Op dit manier kan je controleren of het apparaat aan jouw behoeften voldoet. Op de volgende pagina's van de handleiding Network Instruments GigaStor 114ff leer je over alle kenmerken van het product en krijg je informatie over de werking. De informatie die je over Network Instruments GigaStor 114ff krijgt, zal je zeker helpen om een besluit over de aankoop te nemen.
In een situatie waarin je al een beziter van Network Instruments GigaStor 114ff bent, maar toch heb je de instructies niet gelezen, moet je het doen voor de hierboven beschreven redenen. Je zult dan weten of je goed de alle beschikbare functies heb gebruikt, en of je fouten heb gemaakt die het leven van de Network Instruments GigaStor 114ff kunnen verkorten.
Maar de belangrijkste taak van de handleiding is om de gebruiker bij het oplossen van problemen te helpen met Network Instruments GigaStor 114ff . Bijna altijd, zal je daar het vinden Troubleshooting met de meest voorkomende storingen en defecten #MANUAl# samen met de instructies over hun opplosinge. Zelfs als je zelf niet kan om het probleem op te lossen, zal de instructie je de weg wijzen naar verdere andere procedure, bijv. door contact met de klantenservice of het dichtstbijzijnde servicecentrum.