Savvius Insight™ User Guide


Post on 19-Aug-2020


Insight_UG.book Page i Friday, July 8, 2016 12:19 PM


Copyright © 2016, Savvius, Inc. All rights reserved. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form, or by any means, electronic or mechanical, including photocopying, for any purpose, without the express written permission of Savvius, Inc.

AiroPeek SE, AiroPeek NX, AiroPeek VX, Compass Live, EtherPeek SE, EtherPeek NX, EtherPeek VX, Gigabit Analyzer Card, GigaPeek NX, iNetTools, NAX, NetDoppler, NetSense, Network Calculator, Omni³, Omni Capture Engine, Omni Desktop Engine, Omni DNX Engine, OmniAdapter, OmniAdapter 10G, OmniAdapter 10G MX, OmniEngine Desktop, OmniEngine Enterprise, OmniEngine Manager, OmniEngine Workgroup, Omni Management Console, Omni PacketGrabber, Omni Virtual Network Service, Omnipeek, Omnipeek Basic, Omnipeek Connect, Omnipeek Enterprise, Omnipeek Enterprise Connect, Omnipeek for Savvius Insight, Omnipeek Personal, Omnipeek Professional, Omnipeek Remote Assistant, Omnipeek Workgroup, Omnipeek Workgroup Pro, Omnipeek Personal, Omnipliance, Omnipliance Core, Omnipliance CX, Omnipliance Edge, Omnipliance MX, Omnipliance Portable, Omnipliance SuperCore, Omnipliance TL, Omnipliance WiFi, OmniStorage, OmniSpectrum, OmniVirtual, OmniWatch, PacketGrabber, Peek DNX, ProConvert, ProtoSpecs, RFGrabber, RMONGrabber, Savvius, Savvius Academy, Savvius Insight, Savvius Vigil, TimeLine, TimeLine Network Recorder, WAN Analyzer Card, WANPeek NX, WatchPoint, WildPackets, WildPackets Academy, WildPackets Compass, and WildPackets OmniAnalysis Platform are trademarks of Savvius, Inc. All other trademarks are the property of their respective holders.

Savvius, Inc. reserves the right to make changes in the product design without reservation and without notification to its users.

Contacting Savvius

Mailing Address: Savvius, Inc., 1340 Treat Blvd., Suite 500, Walnut Creek, CA 94597

Voice/Fax: 8 AM - 5 PM (PDT), (925) 937-3200, (800) 466-2447 (US only), Fax: (925) 937-3211

[email protected]

Web: https://www.savvius.com

Self-support portal for Savvius Insight: https://insight.savvius.com

Resources: See https://www.savvius.com/support/resources for white papers, tutorials, technical briefs and more.


Professional Services

Savvius offers a full spectrum of professional services, available onsite or remote, to help customers make the most of their network infrastructure investment. The Savvius Professional Services team stands ready to partner with you to maximize your network performance and to minimize your network downtime. Savvius technical instructors, network systems engineers, and custom software developers can help you design, build, manage, and secure a better network for your business.

See http://www.savvius.com/services for course catalog, current public course scheduling, web-delivered courses, OnDemand courses, and consulting services.

Savvius Academy (800) 466-2447 [email protected]

Developer Community

To join the Savvius Developer Network and gain access to product plug-ins, plug-in wizards, and API documentation, please visit http://mypeek.savvius.com.

Compliances

CE: This product has passed the CE test for environmental specifications. Test conditions for passing included the equipment being operated within an industrial enclosure. In order to protect the product from being damaged by ESD (Electrostatic Discharge) and EMI leakage, we strongly recommend the use of CE-compliant industrial enclosure products.

FCC Class B: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a residential environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a commercial area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.

VCCI: This is a Class B product based on the standard of the Voluntary Control Council for Interference from Information Technology Equipment (VCCI). If this is used near a radio or television receiver in a domestic environment, it may cause radio interference. Install and use the equipment according to the instruction manual.

About Savvius, Inc.

Savvius, Inc., a leader in packet-level network analytics and security forensics, enables network and security professionals to identify, understand, and respond to challenges in network performance and security. Savvius, formerly WildPackets, has sold products in more than 60 countries and all industrial sectors. Customers include Apple, Boeing, Cisco, Deutsche Telecom, Fidelity, Microsoft, Nationwide, and a high percentage of the Fortune 1000. Savvius is a Cisco Solution Partner. For more information, visit https://www.savvius.com.

20160708_IN_20a


Contents

About Savvius Insight (page 1)
    Customer use cases (page 1)
        Remote office networks (page 1)
        Managed Service Providers (MSP) (page 2)
        Small businesses (page 2)
What’s included (page 2)
    Hardware summary (page 3)
Savvius Insight workflow (page 3)
Installing Savvius Insight (page 4)
Connecting cables to the front and back panels (page 5)
    Front panel features (page 5)
    Back panel features (page 7)
Starting / shutting down Savvius Insight (page 8)
Initial configuration using the configuration utility (page 8)
Upgrading Savvius Insight software (page 15)
Savvius Insight actions (page 16)
Connecting to Savvius Insight through the serial port (page 17)
Using Savvius Insight for long-term reporting (page 18)
    Savvius Insight dashboards (page 19)
    Logging into the Savvius Insight dashboards (page 21)
    Remote server IP address and port in configuration utility (page 21)
    Use ‘BRIDGED’ ports for long-term reporting (page 22)
    Importing Savvius Insight dashboards to the remote server (page 22)
Using Savvius Insight and Splunk (page 23)
    Splunk server IP address in configuration utility (page 23)
    Use ‘BRIDGED’ ports for Splunk server (page 23)
Using Savvius Insight and Omnipeek for Savvius Insight (page 24)
    Main program window and Start page (page 25)
    How to start a capture on Savvius Insight (page 26)
    Capture window views (page 31)
    Limit capture-to-disk to preserve SSD (page 34)
Solving problems using Omnipeek for Savvius Insight (page 34)
    Where do I start? (page 34)
    Who’s using my network, and how? (page 36)
    How is my network performing? (page 38)
    How do I get a single view of who’s talking to whom? (page 41)
    How do I save a file to share with someone else? (page 43)
Self-support portal for Savvius Insight (page 44)
Technical specifications (page 45)


Savvius Insight

About Savvius Insight

Savvius Insight™ is a compact, quad-core, six-port, mini network appliance that has no fan or other moving parts, and fits easily into a wiring closet. It includes bridge ports for monitoring the location’s Internet connection, and three additional ports for monitoring internal networks. Savvius Insight provides built-in long-term reporting and web-based dashboards for analyzing and displaying network statistics over long periods. Savvius Insight can also be used for packet level network and application troubleshooting by connecting directly to it with Savvius Omnipeek. By installing Savvius Insight in each remote office, network administrators can easily and affordably gain insight into the performance and security of the network and applications at all locations under management. Savvius Insight makes enterprise-class network analytics available in areas that have been under-served until now.

Customer use cases

Remote office networks

In large corporate networks, Savvius Insight complements larger Savvius monitoring appliances in areas of the network with lower utilization, where you often don't have good visibility. In these situations, help desk team members can use Savvius Insight for 24x7 monitoring of the health of remote networks with powerful, customizable, and easy to use web-based dashboards. When problems are identified that require packet level troubleshooting, protocol analysts in the TAC team can use Savvius Omnipeek network analysis software to connect directly to the devices and perform packet capture and packet-level analysis. Savvius Insight can also be used to perform multi-segment analysis with larger Savvius appliances.


Managed Service Providers (MSP)

Savvius Insight is also perfect for managed IT service providers. Managed Service Providers manage networks and IT infrastructure for clients, typically with 5-50 employees per client. Savvius Insight lets managed service providers decrease Mean Time To Resolution (MTTR) for customers and increase their awareness of when problems are brewing, while at the same time reducing costs. To accomplish this, managed service providers install Savvius Insight at each customer location. Managed service providers can log into each of the systems at any time to see the current status of the client's networks. Managed service providers can also define alarms and alerts on key performance indicators (KPIs) and have notifications sent each time an alert is triggered. If a problem is detected or an alert is received, the IT service provider can connect quickly to see what the problem is.

Small businesses

Savvius Insight is well suited for small offices that outsource IT management, like accountants, insurance agents, and medical professionals. They have one shared IT manager who spends too much time going from office to office to address typical networking problems, like a slow network or users having trouble connecting. The IT manager needs remote visibility into each office, as well as historical data for comparisons when issues arise. With Savvius Insight installed at each office, the IT manager can track all offices from a single location, using Insight's built-in long-term network monitoring capabilities, and Savvius Omnipeek for Savvius Insight for network troubleshooting. By reviewing collected data, the IT manager can determine the source of most problems in near real-time, and perform quick daily audits to assure overall reliability and user satisfaction in each office.

This Savvius Insight User Guide explains how to install and begin using Savvius Insight. For additional information on using Savvius Insight, visit https://insight.savvius.com.

What’s included

Your standard Savvius Insight package includes:

• Savvius Insight appliance

• Savvius Capture Engine software pre-installed in Savvius Insight

• Savvius Insight Quick Start Guide

• AC power adapter and cord

• Rubber feet (4)

• Serial console cable (RJ45 to DB-9)


Hardware summary

Here is a summary of the hardware for the Savvius Insight:

• Quad-core 1700 MHz Intel Atom processor

• 128GB SSD

• 8GB RAM

• Two USB 2.0 ports

• Serial port (with RJ45 physical connection)

• Management port

• Three Ethernet ports

• Two bridge ports

• External power adapter

Savvius Insight workflow

Savvius Insight is simple and easy to use! Here are the steps to get you started:

1. Install Savvius Insight. See Installing Savvius Insight on page 4.

2. Connect cables to the front and back panels of Savvius Insight. See Connecting cables to the front and back panels on page 5.

3. Power on Savvius Insight. See Starting / shutting down Savvius Insight on page 8.

4. Configure the initial settings for Savvius Insight. See Initial configuration using the configuration utility on page 8.

• If you are using Savvius Insight to collect data for the built-in local reporting server, make sure Local is selected as the reporting option in the configuration utility. For more information on using Savvius Insight with a local reporting server, see Using Savvius Insight for long-term reporting on page 18.

• If you are using Savvius Insight to forward packet data to a remote Elasticsearch server, make sure Remote Elasticsearch is selected and configured as the reporting option in the configuration utility. For more information on using Savvius Insight with a remote Elasticsearch server, see Using Savvius Insight for long-term reporting on page 18.

• If you are using Savvius Insight to forward packet data to a Splunk server, make sure Remote Splunk is selected and configured as the reporting option in the configuration utility. For more information on using Savvius Insight with Splunk, see Using Savvius Insight and Splunk on page 23.

5. If you are using Omnipeek for Savvius Insight software to start packet captures, and to analyze the packet files that are captured and saved on Savvius Insight, install the optional Omnipeek for Savvius Insight software on a Windows computer. For more information on using Omnipeek for Savvius Insight, see Using Savvius Insight and Omnipeek for Savvius Insight on page 24.

Installing Savvius Insight

To install Savvius Insight:

1. Determine where to install Savvius Insight. Here are some guidelines for determining the location:

• The most common installation location is to install Savvius Insight somewhere between your cable modem (Internet connection) and the LAN. One of the bridge ports on Savvius Insight is connected to the cable modem, while the other bridge port is connected to the LAN.

• You will need to initially configure Savvius Insight via the ‘0 MGMT’ port using another computer. Make sure you have easy access to Savvius Insight so that you can connect the computer to the ‘0 MGMT’ port on Savvius Insight.

• It is also possible to connect Savvius Insight with a single Ethernet cable to a port on a router configured as a SPAN port, or to a TAP. Make sure you have easy access to these connections.

2. Place Savvius Insight on a flat surface.

CAUTION! Do not place anything on top of or directly next to Savvius Insight. Any obstructions to the heat sink located on top of Savvius Insight can cause the unit to overheat.

3. Attach the rubber feet to the bottom of Savvius Insight.

4. Attach the power adapter by screwing in the connector on the adapter to the power-in socket on the back panel.

5. Plug the other end of the power adapter to an AC outlet.


Connecting cables to the front and back panels

The cable connections for the front and back panels, as well as the LED states on Savvius Insight, are described below.

Front panel features

[Figure: Savvius Insight front panel, showing the SSD/Status/Power LEDs, ‘0 MGMT’ port, ports 1, 2 and 3, ‘4–5 BRIDGED’ ports, USB 2.0 ports, serial port, and port LEDs]

• Serial Port: The serial port lets you connect to another computer terminal for advanced diagnostics or recovery access using the RJ-45 to DB-9 serial console cable included with Savvius Insight. The RJ-45 connector on the console cable is connected to the serial port on Savvius Insight, and the DB-9 (male) connector on the console cable is connected to the DB-9 (female) serial port on the computer terminal. See Connecting to Savvius Insight through the serial port on page 17.

Note Many computers do not have a DB-9 serial port. Make sure the computer terminal you are using has one. If necessary, you can obtain and install a USB to COM adapter on the computer terminal.

• SSD/Status/Power LEDs:

    • SSD: If the LED blinks, it indicates data access activities; otherwise, it remains off.

    • Status: When Savvius Insight is first powered on, the LED momentarily blinks green, and then remains off.

    • Power: If the LED is on it indicates that the system is powered on. If it is off, it indicates that the system is powered off.

• USB 2.0 Ports: The USB ports are reserved for future expansion.

• ‘0 MGMT’ port: This Ethernet port is the management port that lets you initially configure Savvius Insight (see Initial configuration using the configuration utility on page 8). Once Savvius Insight is configured, the port can then be used for device management. Connect a standard Ethernet cable from your network to the ‘0 MGMT’ port.

• ‘1 – 3’ ports: These Ethernet ports are used for capturing packets from your network. Connect a standard Ethernet cable from your network to the desired port on Savvius Insight.

• ‘4 – 5 BRIDGED’ ports: These Ethernet ports are configured as a bridge and are used when you want to insert Savvius Insight in-line between two network devices. This configuration allows the capture of traffic flowing between the two network nodes without requiring a tap. In this implementation, packets enter Savvius Insight through one of the bridge ports, and then exit Savvius Insight through the remaining bridge port. Essentially, any traffic that gets to one bridge port is copied to the other bridge port. In cases where power is turned off or is lost to Savvius Insight, the two bridge ports are connected as if they are a wire (‘fail to wire’), so Internet connectivity is not lost. To establish the bridge, connect standard Ethernet cables so that Savvius Insight is between your cable modem (Internet connection) and the LAN. One of the bridge ports on Savvius Insight is connected to the cable modem, while the other bridge port is connected to the LAN. Both bridge ports must be connected in this fashion in order to properly establish the bridge.

CAUTION! Do not connect each of the bridge ports to the same IP routed network; otherwise, a routing loop is created, and can cause the network to be inoperable.

Note If you are using Savvius Insight to forward data to the local built-in server, or to a remote Elasticsearch or Splunk server, captures are automatically started on the bridge ports, and the data is forwarded to the server configured in the configuration utility. See Initial configuration using the configuration utility on page 8.

• Port LEDs: The two LEDs on the bottom of ports 0–5 light to indicate activity. A green and yellow LED light to indicate a connection has been established. A flashing yellow LED indicates data access activities.


Back panel features

• Reset Button: Insert a paper clip, and press and hold the reset button for three seconds to reset Savvius Insight to its factory settings. You will lose all saved settings and data on Savvius Insight when it is reset to its factory settings. Once Savvius Insight has reset, you will need to run the configuration utility again as described in Initial configuration using the configuration utility on page 8.

Note You can also perform a factory reset from the Actions dialog. See Savvius Insight actions on page 16.

• Power-on button with LED: Press to power-on or power-off Savvius Insight. When in Standby mode, the LED lights red; in Power-on mode, the LED lights green; when Off, the LED does not light.

Note You can also power off Savvius Insight from the Actions dialog. See Savvius Insight actions on page 16.

• Power-in Socket: Connects to the screw-on connector on the power adapter included with Savvius Insight.

Note Make sure the screw-on connector on the power adapter is connected to the Power-in Socket on Savvius Insight before the power adapter is plugged into an AC power source.

[Figure: Savvius Insight back panel, showing the reset button, power-on button with LED, and power-in socket]

Starting / shutting down Savvius Insight

To start Savvius Insight, do the following:

• Press the power-on button on the back panel of Savvius Insight.

To shut down Savvius Insight, do one of the following:

• Press the power-on button briefly on the back panel of Savvius Insight.

• Click the actions link at the top of the configuration utility to display the Actions dialog, and then select the Powering Off option.

CAUTION! When shutting down Savvius Insight, pressing the power-on button briefly performs a clean shutdown of Savvius Insight. Holding the button down for several seconds results in Savvius Insight doing an immediate shutdown, causing data loss. This operation is only to be used if Savvius Insight becomes unresponsive.

Initial configuration using the configuration utility

The configuration utility on Savvius Insight lets you configure device, network, time settings, and reporting options.

Important! Savvius Insight comes from the factory initially configured to an IP address of 192.168.1.21. To initially run the configuration utility, you must use an Ethernet cable connected directly between the ‘0 MGMT’ management port on Savvius Insight and your PC or laptop, and then use a browser window on the PC or laptop to open the configuration utility. The PC or laptop must be configured to be on the same IP subnet as Savvius Insight (see the Savvius Insight web page if you need instructions for configuring your computer to be on the same subnet as the appliance). Once you are using the configuration utility, you can configure Savvius Insight to a new IP address that is directly accessible via the network.

To initially configure Savvius Insight using the configuration utility:

1. Use a PC or laptop and configure it for an IP address compatible with the 192.168.1.0/24 network. This allows the PC or laptop to communicate with Savvius Insight, which has a default address of 192.168.1.21. (See the Savvius Insight web page if you need instructions for configuring your computer to be on the same subnet as Savvius Insight.)

2. Connect an Ethernet cable from the PC or laptop to the ‘0 MGMT’ port on Savvius Insight.


3. From a browser window on the PC or laptop, enter the default IP address for Savvius Insight of 192.168.1.21 in the URL box. The Savvius Insight Login screen appears.

• Username: Enter the default username for Savvius Insight. The default is root.

• Password: Enter the password for Savvius Insight. The default is savvius.

4. Since you are logging into Savvius Insight for the first time, you are prompted to change the default password before continuing.


• Current Password: Enter the current password for Savvius Insight. The default is savvius.

• New Password: Enter the new password for Savvius Insight.

• Confirm Password: Enter the new password again for Savvius Insight.

Note The Password that you enter here is used for both Savvius Insight and the Splunk forwarder that forwards data to the Splunk server. Make sure to note the Password that you configure. You can also change the Savvius Insight password at any time by clicking Change Password from the configuration utility.

5. Click Submit. The Savvius Insight Configuration Utility appears.

6. Configure Savvius Insight settings:

Important! Once you configure and apply the settings below, the default address for Savvius Insight of 192.168.1.21 is no longer used. To access the configuration utility again, you must enter the IP address of Savvius Insight as configured below, as well as the new password entered above.


Settings

• Savvius Insight Portal: Click the insight.savvius.com link to access documentation and support resources for Savvius Insight owners. It contains links to download Omnipeek for Savvius Insight network analysis software for Windows and the Savvius for Splunk app.

• Device Name: Enter a name for Savvius Insight. A unique device name allows for easy identification of data sources.

• IP Assignment: This setting lets you specify whether Savvius Insight uses DHCP or static settings. If DHCP is selected, then Savvius Insight is configured by the DHCP server. If Static is selected, then Address, Netmask, Gateway, and DNS settings can be configured for Savvius Insight.

Important! Savvius Insight can be configured to obtain an IP address automatically from a DHCP server; however, we strongly recommend the use of a static IP address for Savvius Insight. If DHCP is used, and if the address should change on a new DHCP lease, then the user must look up the new IP address assigned to Savvius Insight from the DHCP server. To help you look up the IP address, the MAC Address of Savvius Insight is displayed if you select DHCP.


Note If DHCP is selected, you have approximately two minutes to connect Savvius Insight to your network in order for the DHCP server to assign an IP address. Please make sure Savvius Insight is connected to your network within the two-minute time period from the time you click Apply. If you reboot Savvius Insight, the two-minute clock is also reset.

• Address: This setting lets you specify the IP address that you are assigning to Savvius Insight.

• Netmask: A Netmask, combined with the IP address, defines the network associated with Savvius Insight.

• Gateway: Also known as ‘Default Gateway.’ When Savvius Insight has no IP route for a destination, it sends the IP packet to this address because it cannot deliver the packet locally. Only a single default gateway can be defined.

• DNS: This is the Domain Name Server, which translates domain names (e.g., www.savvius.com) into IP addresses. Enter the address of the DNS server, and click Add Server. Multiple DNS name servers can be defined. You can also edit or delete any defined DNS servers.

Time Settings

• Timezone: The Timezone setting lets you specify the physical location of Savvius Insight. Select from the list the location closest to your Savvius Insight.

• NTP Server: The Network Time Protocol (NTP) is used to synchronize the clocks of computers over a network. To synchronize the Savvius Insight clock, you can specify the IP address of an NTP server located on either the local network or Internet. Enter the address of the NTP server, and click Add Server. Multiple NTP servers can be defined. You can also edit or delete any defined NTP servers.


Reporting Options

• None: Select this option if you are not automatically collecting statistics for one of the three reporting options below.

• Local: Select this option to configure the built-in local reporting server on Savvius Insight as the reporting option that Savvius Insight automatically forwards its network statistics to once the configuration settings are applied. See also Using Savvius Insight for long-term reporting on page 18:

  • Maximum Space: Enter the maximum amount of disk space (in Gigabytes) allocated on the reporting server before older data written on the hard disk is deleted to make room for newer data. Older data is deleted until the total disk space used on the reporting server is below the configured amount.

  Note When configuring Maximum Space, remember to leave enough disk space available for other Savvius Insight functions, including capture-to-disk captures.

  • Dashboard Login: Displays the username used to log into the local reporting server from a web browser. The default dashboard login username is insight. This username is different from the login username configured above for the configuration utility.


  • Dashboard Password: Enter a password used to log into the local reporting server from a web browser. The default dashboard password is savvius. This password is different from the login password configured above for the configuration utility.

• Remote Elasticsearch: Select this option to configure a remote Elasticsearch server as the reporting option that Savvius Insight automatically forwards its network statistics to once the configuration settings are applied. See also Using Savvius Insight for long-term reporting on page 18:

  • Server: Enter the IP address of the remote Elasticsearch server.

  • Port: Enter the port used to communicate to the Elasticsearch server.

  Note If Remote Elasticsearch is selected as the reporting option in the configuration utility, in order to view the Savvius Insight dashboards, you will first need to log into the remote Elasticsearch server and import the Savvius Insight dashboards file to the server. See Importing Savvius Insight dashboards to the remote server on page 22.

• Remote Splunk: Select this option to configure a remote Splunk server as the reporting option that Savvius Insight automatically forwards its network statistics to once the configuration settings are applied. See also Using Savvius Insight and Splunk on page 23:

  • Server: Enter the IP address of the Splunk server.

  • Port: Enter the port used to communicate to the Splunk server.

7. Click Apply to save and apply the configuration settings to Savvius Insight.

Note You will lose connection to Savvius Insight if you configured a new static Address in Settings above.

8. Disconnect the cable from the computer/laptop to the ‘0 MGMT’ port on Savvius Insight.

9. Connect the ‘0 MGMT’ to a router port on your network. You should now be able to reach the management port IP address from the network.

10. Restore your PC or laptop’s former network settings and reconnect it to your network.
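
A pre-flight check for the settings described above, as an added example (not Savvius code): it verifies that a static Address, Netmask and Gateway describe one consistent subnet and flags the default credentials this guide documents, before you click Apply and lose the direct connection. The dictionary keys and the sample values are assumptions made for this example; the configuration utility itself is operated through the browser.

```python
import ipaddress

# Default credentials documented in this guide.
DEFAULT_DASHBOARD_PASSWORD = "savvius"       # local reporting dashboard (user: insight)
DEFAULT_UTILITY_LOGIN = ("root", "savvius")  # configuration utility login


def _ip(value, label, findings):
    """Parse an IPv4 address; record an error finding if it is malformed."""
    try:
        return ipaddress.IPv4Address(str(value))
    except ValueError:
        findings.append(("error", f"{label}: {value!r} is not a valid IPv4 address"))
        return None


def _check_network(cfg, findings):
    """Static Address, Netmask and Gateway must describe one consistent subnet."""
    addr = _ip(cfg.get("address"), "Address", findings)
    gw = _ip(cfg.get("gateway"), "Gateway", findings)
    if addr is None:
        return
    try:
        net = ipaddress.IPv4Network(f"{addr}/{cfg.get('netmask')}", strict=False)
    except ValueError:
        findings.append(("error", f"Netmask: {cfg.get('netmask')!r} is not a valid netmask"))
        return
    if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
        findings.append(("error", f"Address: {addr} is the network or broadcast address of {net}"))
    if gw is not None:
        if gw == addr:
            findings.append(("error", "Gateway: same as the device Address"))
        elif gw not in net:
            findings.append(("error", f"Gateway: {gw} is not inside {net}"))


def lint_settings(cfg):
    """Return a list of (severity, message) findings for a planned configuration.

    The keys of cfg are hypothetical names chosen for this example; they mirror
    the field labels in the configuration utility.
    """
    findings = []

    if cfg.get("ip_assignment") == "dhcp":
        findings.append(("warning", "IP Assignment: DHCP selected; the guide strongly recommends a static address"))
    else:
        _check_network(cfg, findings)

    for label, key in (("DNS", "dns"), ("NTP Server", "ntp")):
        for server in cfg.get(key, []):
            _ip(server, label, findings)
    if not cfg.get("ntp"):
        findings.append(("warning", "NTP Server: none defined; the clock will not be synchronized"))

    reporting = cfg.get("reporting", "none")
    if reporting == "local":
        # An unset password means the documented default stays in effect.
        if cfg.get("dashboard_password", DEFAULT_DASHBOARD_PASSWORD) == DEFAULT_DASHBOARD_PASSWORD:
            findings.append(("error", "Dashboard Password: still the documented default"))
    elif reporting in ("remote_elasticsearch", "remote_splunk"):
        _ip(cfg.get("server"), "Server", findings)
        port = cfg.get("port")
        if not (isinstance(port, int) and 1 <= port <= 65535):
            findings.append(("error", f"Port: {port!r} is not a TCP port in 1-65535"))

    login = (cfg.get("login_username", "root"), cfg.get("login_password", "savvius"))
    if login == DEFAULT_UTILITY_LOGIN:
        findings.append(("error", "Login: configuration utility still uses the documented default"))
    return findings


# Constructed sample plan (documentation address ranges) with two deliberate
# mistakes: the gateway is outside the subnet and the dashboard password is
# left at its default.
PLANNED = {
    "ip_assignment": "static",
    "address": "192.0.2.50",
    "netmask": "255.255.255.0",
    "gateway": "198.51.100.1",
    "dns": ["192.0.2.1"],
    "ntp": [],
    "reporting": "local",
    "dashboard_password": "savvius",
    "login_username": "root",
    "login_password": "constructed-not-default",
}

if __name__ == "__main__":
    for severity, message in lint_settings(PLANNED):
        print(f"[{severity}] {message}")
```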


Upgrading Savvius Insight software

When a Savvius Insight software update becomes available, the configuration utility alerts you of the update, and displays a screen similar to the screen below. You will need to download a ZIP file containing the two upgrade files, and then install those files, as described below.

To upgrade the Savvius Insight software:

1. Start the Savvius Insight Configuration Utility from your web browser.

2. When software updates are available, click ‘here’ to download a ZIP file that contains the Image and Checksum files required to update the software.

3. Click ‘upgrade’ to install the Image and Checksum files from where the ZIP file is saved on your hard disk. The Upload Image screen appears.


4. Click Choose File to navigate to the ZIP file, and then click Upload.

5. Allow the upload to complete. Wait up to five minutes for Savvius Insight to reboot. You will lose connection to the configuration utility once Savvius Insight reboots.

Savvius Insight actions

The actions link at the top of the configuration utility displays the Actions dialog that includes options for powering off, rebooting, and resetting Savvius Insight to its factory defaults.


• Power Off: Select this option to turn off Savvius Insight.

• Reboot: Select this option to reboot Savvius Insight.

• Factory Reset: Select this option to reset Savvius Insight to its factory settings. You will lose all saved settings and data on Savvius Insight when it is reset to its factory settings. Once Savvius Insight has reset, you will need to run the configuration utility again as described in Initial configuration using the configuration utility on page 8.

Note You can also perform a factory reset using the Reset button, as described in Initial configuration using the configuration utility on page 8.

Connecting to Savvius Insight through the serial port

Using the included serial cable connected to the serial port on Savvius Insight, a PC/laptop, and a terminal program of your choice, you can log into Savvius Insight and access the command prompt (root@Insight). This is especially useful for advanced diagnostics or recovery access.

To connect to Savvius Insight through the serial port:

1. Connect the serial console cable included with Savvius Insight from the serial port (DB-9) on your laptop to the serial port (RJ-45) on the back panel of Savvius Insight.

2. Using any serial terminal program (e.g., HyperTerminal or PuTTY), establish a connection to Savvius Insight. Make sure the terminal settings match the Savvius Insight default settings below:

• Terminal Type: [VT100+]


• Bits per second: [115200]

• Data Bits: [8]

• Parity: [None]

• Stop Bits: [1]

• Flow Control: [None]

• VT-UTF8 Combo Key Support: [Enabled]

• Recorder Mode: [Disabled]

• Resolution 100x31: [Enabled]

3. Once a connection to Savvius Insight has been established, the Insight login prompt appears.

4. Log into Savvius Insight by entering the username and password you configured earlier using the configuration utility. If you did not configure a username and password earlier, the default is:

username: root

password: savvius

5. The Insight command prompt (root@Insight) appears once you are logged in.

Using Savvius Insight for long-term reporting

When you connect Savvius Insight to your network it immediately begins collecting network statistics for long-term reporting and trending. Searching for and analyzing data is extremely easy using the built-in dashboards. Customize these dashboards to analyze your data intelligently, perform mathematical transformations, and slice and dice your data as you see fit.


Because ELK is the technology behind the integrated long-term reporting capability included with Savvius Insight, it can be configured to send its data directly to a remote ELK server (such as the Remote Elasticsearch server). This allows for longer term reporting and centralized aggregation of data from multiple Savvius Insight appliances to monitor all of your remote networks that have Savvius Insight on them.

Savvius Insight dashboards

The Savvius Insight dashboards provide the user interface for viewing the long-term reporting of your network and the applications running on it. They are built on the ELK platform, which is an open source software stack consisting of Elasticsearch, Logstash, and Kibana (ELK). Kibana is the user interface displayed when viewing the Savvius Insight dashboards. For more detailed information about ELK, please refer to the documentation on the Elasticsearch website, and the many forums discussing it.


Each of the Savvius Insight dashboards displays different information about the network; however, they all have the common controls listed below:

• Menu bar: The menu bar at the top consists of the Discover, Visualize, Dashboard, and Settings menus.

  • Discover lets you look at the raw event data, and create searches.

  • Visualize lets you create visualizations (or panels).

  • Dashboard lets you create, manage, and navigate through the Savvius Insight dashboards.

  • Settings lets you perform a variety of administration tasks.

• Filter bar: The filter bar is used to filter the content of the panels in the dashboard. The type of filter to use is dependent on the data in the panels. The filter bar is a powerful feature in Savvius Insight. To learn more about using the Filter bar, refer to the documentation on the Elasticsearch website.


• Dashboards bar: The Dashboards bar contains links to all of the dashboards that ship with Savvius Insight. If new dashboards are created they will not be added to this bar automatically, but they can be added manually. You can view descriptions of each available Savvius Insight dashboard by clicking Descriptions from the Dashboards bar.

Logging into the Savvius Insight dashboards

You can display the login to the Savvius Insight dashboards as described below, depending on which reporting option is selected in the configuration utility:

If Local is the selected reporting option, do one of the following:

• Enter the following in the URL bar of a browser window: https://<IP Address>:8443 where <IP Address> is the IP address of Savvius Insight, and 8443 is the port used by Savvius Insight.

• Click View the Reporting dashboard below the Local option in the configuration utility. This is only available when the Local option has already been selected and applied from the configuration utility.

If Remote Elasticsearch is the selected reporting option, do the following:

• Enter the following in the URL bar of a browser window: https://<IP Address>:<Port> where <IP Address> is the IP address of the remote Elasticsearch server, and <Port> is the port used by the server.

Remote server IP address and port in configuration utility

To forward data from Savvius Insight to a remote Elasticsearch server, you must configure both the IP address of the server and the port used by the Elasticsearch server in the Savvius Insight configuration utility. Once the settings in the configuration utility are applied, data automatically begins to flow from Savvius Insight to the remote Elasticsearch server via the ‘MGMT’ ports on Savvius Insight. See Initial configuration using the configuration utility on page 8.


Use ‘BRIDGED’ ports for long-term reporting

When Local or Remote Elasticsearch is selected as the reporting option in the configuration utility, Savvius Insight automatically starts two captures on its ‘BRIDGED’ ports. Make sure the ‘BRIDGED’ ports on Savvius Insight are properly cabled. See Front panel features on page 5.

Note Do not delete either of the two captures. If either capture is deleted, you must recreate the captures by selecting None as the reporting option in the configuration utility, applying this selection, and then reselecting and applying either Local or Remote Elasticsearch as the reporting option. See Initial configuration using the configuration utility on page 8.

Importing Savvius Insight dashboards to the remote server

If Remote Elasticsearch is selected as the reporting option in the configuration utility, in order to view the Savvius Insight dashboards, you will first need to log into the remote Elasticsearch server and import the Savvius Insight dashboards file to the server.

To import the Savvius Insight dashboards:

1. Open a web browser and go to the Savvius Insight Portal on the web (https://insight.savvius.com) and download the dashboards.json file. You must be a registered user to download this file.

2. Log into the Savvius Insight dashboards on the remote Elasticsearch server. See Logging into the Savvius Insight dashboards on page 21.

3. On the Settings menu, select Objects.

4. Click Import.

5. Navigate to the dashboards.json file that was downloaded from the Savvius Insight Portal, and click Open.

6. If prompted to delete any existing dashboards, searches, and visualizations, delete only those that are no longer needed.


Using Savvius Insight and Splunk

Splunk is a powerful platform that lets you look closely at the data coming from Savvius Insight. Savvius Insight includes a Splunk Forwarder that can be enabled to send data to a remote Splunk Server. To view the Savvius Insight data in the Splunk Server, Savvius has developed dashboards for Splunk that can be downloaded from splunkbase.com. The dashboards are completely web-based and can be customized and extended in many ways.

Splunk server IP address in configuration utility

To forward data from Savvius Insight to Splunk, you must configure both the IP address of the Splunk server and the port used by the Splunk server in the Savvius Insight configuration utility. Once the settings in the configuration utility are applied, data automatically begins to flow from Savvius Insight to the Splunk Server via the ‘MGMT’ ports on Savvius Insight. See Initial configuration using the configuration utility on page 8.

Use ‘BRIDGED’ ports for Splunk server

When an IP address is configured for a Splunk server in the configuration utility, Savvius Insight automatically starts two captures on its ‘BRIDGED’ ports. Make sure the ‘BRIDGED’ ports on Savvius Insight are properly cabled. See Front panel features on page 5.

Note Do not delete either of the two captures. If either capture is deleted, you must recreate the captures by selecting None as the reporting option in the configuration utility, applying this selection, and then reselecting and applying Remote Splunk as the reporting option. See Initial configuration using the configuration utility on page 8.


Using Savvius Insight and Omnipeek for Savvius Insight

A version of Omnipeek software called ‘Omnipeek for Savvius Insight’ is available for download for users of Savvius Insight. You can use Omnipeek for Savvius Insight software to start packet captures, and to analyze the packet files that are captured and saved on Savvius Insight. Omnipeek for Savvius Insight software is installed on a Windows computer located on the same network as Savvius Insight. You can register your Savvius Insight and download the Omnipeek for Savvius Insight software by visiting https://insight.savvius.com/omnipeek.

Note If you have Omnipeek software (version 9.2 and above) already installed on a computer, you can use that version of Omnipeek to start captures, and to analyze packet files captured and saved on Savvius Insight.

Here are some of the strategic ways to get started with Omnipeek for Savvius Insight software:

• Start a capture: Starting a capture lets you capture and analyze data in real-time, and record data for post-capture analysis from one or more Savvius Insight appliances installed on the network. You can view a capture in real-time, or save it to disk (capture-to-disk) for later analysis. See How to start a capture on Savvius Insight on page 26.

Note We recommend limiting instances of capture-to-disk captures on Savvius Insight in order to extend the storage life of the SSD.

• View the Compass dashboard and other dashboards: The Compass dashboard is an interactive forensics dashboard that displays network utilization over time including protocol, node, flow, VLAN, and application statistics. You can view these statistics from a single supported capture file, or from multiple capture files (*.pkt, *.apc, *.pcap [Libpcap format only], *.wcap [Libpcap format only], *.cap [Libpcap format only], *.wpz, and *.pcapng) aggregated within the Compass workspace. Additionally, other dashboards such as the Timeline, Network, and Applications dashboards, are also available to display graphical data about your network summarized into several easy-to-read displays.

• View the Experts: The Expert views provide expert analysis of response time, throughput, and network applications in a flow-centered view of captured traffic. Expert views also provide a detailed view of every transaction, noting any events encountered in each individual conversation or flow. You can drill down to select the packets associated with a particular event or with any conversation in Expert views.

• View the Packets: Packets, the units of data carried on the network, are the basis for all higher level network analysis. When troubleshooting network problems, it is important to be able to drill down into the packets themselves by looking at their individual decodes as well as use the packets captured into the buffer as the foundation for expert and statistical analysis. The Packets view of a capture window is where you can view information about the individual packets transmitted on your network.

To learn about the above features and more, view the Omnipeek User Guide and online help.

Main program window and Start page

To start Omnipeek for Savvius Insight:

• On the Start menu, click Omnipeek for Savvius Insight.

The main program window and Start Page appear. The parts of the main program window are described below.

• Toolbar: Provides buttons for frequently-used tasks in Omnipeek. To display different toolbars or to customize toolbar options, on the View menu, click Toolbars.

• Start Page: Provides buttons for opening saved capture files and viewing the Capture Engines window. Additionally, the Start Page provides links to useful resources, both local and online.


• Status Bar: Shows brief context-sensitive messages on the left and the current monitor adapter on the right. To toggle the display of the status bar, on the View menu, click Status Bar.

How to start a capture on Savvius Insight

Savvius Insight captures allow you to capture and analyze network data in real-time, and optionally record data for post-capture analysis. You can start captures from each of the Ethernet ports, and from the bridge ports on Savvius Insight. Use of the Ethernet ports will require the use of a network tap. Bridge port captures should be configured as described in Front panel features on page 5.

To start a capture on Savvius Insight:

1. In Omnipeek for Savvius Insight, do one of the following to open the Capture Engines window:

• On the Start Page, click View Capture Engines

• On the View menu, click Capture Engines

The Capture Engines window appears.


2. From the Capture Engines window, click Insert Engine. The Insert Engine dialog appears.

3. Complete the dialog:

• Host: Enter the IP address of the Savvius Insight that you want to connect to.

• Port: Enter the TCP/IP Port used for communications. The default port for the Savvius WP Omni protocol is 6367.

• Authentication: Select Third Party to connect to Savvius Insight.

• Domain: Type the Domain for login to Savvius Insight. If Savvius Insight is not a member of any Domain, leave this field blank.

• Username: Type the Username for login to Savvius Insight.

• Password: Type the Password for login to Savvius Insight.

4. Click Connect. When the connection is established, the Home tab for Savvius Insight appears.


5. From the Home tab, click New Capture and select the type of capture window that you would like to create:

• New Capture…: This option lets you create a new Savvius Insight capture based on the capture settings that you define.

• New “Forensics Capture”: This option lets you create a new Savvius Insight capture based on a forensic capture template configured for post-capture forensic analysis.

• New “Monitoring Capture”: This option lets you create a new Savvius Insight capture based on a monitoring capture template configured to view higher level expert and statistical data in a continuous real-time capture.

• New “Reporting Capture”: This option lets you create a new Savvius Insight reporting capture based on a capture template configured to forward data to one of the Savvius Insight reporting options.

• New “Reporting Capture - Expert Events”: This option lets you recreate a Savvius Insight reporting capture based on a capture template optimized for Expert analysis and configured to forward data to one of the Savvius Insight reporting options. This is typically used along with the “Reporting Capture - Analysis” to create a high-performance capture for exporting data to one of the reporting options. Use this only to recreate the default reporting capture that was pre-configured on the device.

• New “Reporting Capture - Analysis”: This option lets you recreate a Savvius Insight reporting capture based on a capture template optimized for analysis and configured to forward data to one of the Savvius Insight reporting options. This is typically used along with the “Reporting Capture - Expert Events” to create a high-performance capture for exporting data to one of the reporting options. Use this only to recreate the default reporting capture that was pre-configured on the device.

• Edit Capture Templates: This option opens the Capture Templates dialog and allows you to create new capture templates, or edit existing ones.

Note You can also select the above options from the Insert drop-down list available from the Captures tab, and from the New Capture options available from the Adapters tab.

6. Configure the General options. Click Help on the dialog to help you configure the options.

7. Choose a Savvius Insight capture adapter in Adapter options. Each adapter corresponds to the Ethernet ports on Savvius Insight.


8. Click OK. A new Savvius Insight capture window appears.


Capture window views

The navigation pane of every capture window presents the views that display information about the capture data. A Savvius Insight capture window can have the views listed below. Here is an example of a capture-to-disk capture window from a Savvius Insight appliance.


• Dashboards: These dashboards display graphical data about your network summarized into several easy-to-read displays.

  • Timeline: This dashboard provides an overview of the top talkers, top protocols, and network utilization for the Capture Engine.

  • Network: This dashboard provides an overview of network statistics for the capture.

  • Applications: This dashboard displays key statistics for applications in the capture window.

  • Compass: This dashboard lets you view network utilization, and top statistics from a single supported capture file, or from multiple capture files.

• Capture: These views display information about packets captured into the capture buffer.

  • Packets: This view lists all of the packets placed in the buffer of a capture window (or capture file). The Decode and Hex panes show the contents of the selected packet decoded or in hexadecimal and ASCII.


• Log: This view collects messages generated by events relating to the particular capture window. These events include the results of notifications generated by the triggers or analysis modules selected for the capture window.

• Filters: This view lets you enable, disable, add, edit, and delete filters used for capturing packets into the capture window buffer.

• Alarms: This view lets you query a specified monitor statistics function once per second, testing for user-specified problem and resolution conditions. On matching any of these tests, the alarm function sends a notification of user-specified severity.

• Expert: These views provide expert analysis of delay, throughput, and a wide variety of network events in a conversation-centered view of traffic in a capture window.

• Clients/Servers: This view makes it easy to track events and to see them in the context of peer-to-peer or client-server traffic patterns.

• Flows: This view displays each flow independently in a flat view. This simplified view allows you to compare flows to one another, regardless of the node pair to which they belong.

• Application: This view allows you to categorize each flow by application. This view allows you to see who is using each application on your network and how each application is performing.

• Web: These views let you display web page requests and responses, allowing you to track client/server activity within a capture. The same web data is presented in four formats.

• Servers: This view lets you focus on which servers are being used.

• Clients: This view lets you focus on which clients are using which servers.

• Pages: This view displays a list of web pages with each individual request nested underneath.

• Requests: This view displays a flat list of individual HTTP requests.

• Visuals: These views graphically display network traffic and statistics.

• Peer Map: This view lets you visualize network traffic by displaying nodes and the traffic between the nodes. The lines indicate traffic between two nodes. The relative thickness of the lines indicates the volume of traffic occurring.

• Graphs: This view displays graphs of individual items from the other statistics views in real time. The data from these graphs can also be saved as tab-delimited or comma-delimited text, or as XML \ HTML. On a Capture Engine, this view must be enabled in the Graphs options of the Capture Options dialog.

• Statistics: These views display various statistical data about your network.

• Nodes: This view displays real-time data organized by network node. You can choose to display the nodes in a nested hierarchical view (logical addresses nested beneath their physical address), or in a variety of flat tabular views. Right-click the column header to add or remove various columns.

• Protocols: This view displays network traffic volume as a percentage of total bytes, broken down by protocol and subprotocol. You can choose to display the protocols in either a nested Clients/Servers view or a Flows view.

• Summary: This view lets you monitor key network statistics in real time and save those statistics for later comparison. Summary statistics are also extremely valuable in comparing the performance of two different networks or network segments.

• Applications: This view lets you view basic statistics about applications for a capture window.

• Countries: This view lets you view a geographical breakdown of traffic based on IP address for a capture window.

Limit capture-to-disk to preserve SSD

Savvius Insight uses an SSD with a duty cycle that is not rated for continuous capture-to-disk. We recommend limiting instances of capture-to-disk captures on Savvius Insight in order to extend the storage life of the SSD. Problems associated with continuous capture-to-disk use are not covered by warranty.

Solving problems using Omnipeek for Savvius Insight

Omnipeek for Savvius Insight can be used in many ways to solve problems on your network. This section describes five common network analysis tasks you can easily perform with Omnipeek for Savvius Insight.

Note The examples below are based on a capture-to-disk capture file saved from a Savvius Insight appliance.

Where do I start?

The Compass dashboard provides an intuitive yet detailed summary of all network activity. Use this dashboard as your “compass” to find which areas need more detailed analysis.

To use the Compass dashboard:

1. Click Compass in the navigation pane of the capture window to display the Compass dashboard.

2. In the example above, let’s learn more about the spike in network activity (graphing average Mbits).

3. Put your cursor just to the left of the spike, drag across the spike, and then let go. The entire Compass dashboard, the graph and the detailed panels below, all update automatically to reflect the time frame you selected around the spike.

4. Note the Protocols, Flows, and Nodes statistics chart windows below the graph. You can pin or unpin statistics chart windows for Channels, WLAN, VLAN, Data Rates, and Applications by clicking the desired tab or pin/unpin icon (push-pin) in the upper right of the statistics chart window.

5. You now have a complete view of your network traffic for just the spike in activity. Use each of the statistics chart windows to quickly see what caused the spike and determine if more detailed analysis is needed.

Who’s using my network, and how?

1. Click Nodes in the navigation pane of the capture window to display the Nodes view. The Nodes view provides a list of all nodes that have been active on the network since the capture started.

2. The total number of nodes is listed in the upper left-hand corner. Use the adjacent pull-down menu to choose the type of node data to display. “IP” is the most common view.

3. Click a column header to sort the data by that parameter. If you need to quickly see your top talkers, sort on the “Total Bytes” or “Total Bytes %” columns. Your top talkers will rise to the top of the list.

4. To see exactly what your top talkers are doing on the network, simply double-click the node to create a new tab that shows the overall application or protocol usage for that node. The view can be toggled between application and protocol using the drop-down box in the title bar.

5. You now know who is using your network, and how.

How is my network performing?

Omnipeek for Savvius Insight performs detailed network analysis (“Expert” analysis) in the background to find common and even not-so-common network problems. A list of these potential problems can be found in the Expert views.

To use the Expert views to perform network analysis:

1. Click Applications in the Expert views of the navigation pane of the capture window. The Applications view displays Expert analysis categorized by application.

2. Be sure the “Event Summary” tab is selected in the bottom window. The “Event Summary” tab shows all of the potential issues that have been identified during this capture.

3. To quickly find exactly which application and user have been affected by a non-responsive server, just click that event. The application data in the upper window is automatically expanded to show exactly which application, server, and client have been affected. In this case all three instances correspond to the same communication between 10.4.2.16 and server 159.180.64.109 over HTTP.

4. If you want to tune the settings for this analysis function, just right-click the event in the Event Summary, choose EventFinder Settings, and adjust the parameters in the dialog box that appears. You can also see a summary of the Event and change the Event severity.

5. With Expert events, Omnipeek for Savvius Insight watches your network for you. You can set up alerts based on Event severity so you never miss a problem.

How do I get a single view of who’s talking to whom?

Omnipeek for Savvius Insight includes a feature called the Peer Map that provides a visual representation of who is talking to whom on the network.

To use the Peer Map:

1. Click Peer Map in the navigation pane of the capture window to display the Peer Map view.

2. The Peer Map represents each network node with a dot.

a. The size of the dot scales to the relative traffic for that node.

b. The lines emanating from each node represent each of its connections to other network nodes.

c. The thickness of the line scales to the traffic between those two nodes in relation to all other nodes.

d. The color of the line depicts the underlying protocols in use – multiple colors mean multiple protocols in use between the network nodes.

3. To better isolate a node, simply drag it away from the others to get a clearer view. Any node repositioning will be retained the next time you open the packet file.

4. The panel on the right allows you to customize the view in the Peer Map. Key customization elements include:

a. Number of nodes

b. Type of nodes

c. Protocols in use

5. For example, if you want to isolate a particular protocol to quickly find only those conversations, click to disable all protocols in the “Protocols” panel, and then click the check box next to the protocol you wish to isolate—in this case, HTTPS.

6. In just a few clicks we have quickly identified the one conversation using HTTPS that connects to Savvius Insight.

How do I save a file to share with someone else?

There may be times when you want to share a packet file with someone else to get their opinion on a network issue. This is very easy to do with Omnipeek for Savvius Insight.

To create a packet file:

1. On the File menu, click Save All Packets …. This will create a file that includes all of the packets that are associated with the open capture window.

2. Omnipeek for Savvius Insight provides a wide range of formats for saving packets, depending on the intended use of the saved file. Some examples include:

a. Omnipeek format (.pkt, .wpz) – use this format if you are sharing files with another Omnipeek user.

b. Packet List (comma or tab delimited) – use this format if you want to export packet information into another program. The most common usage is to import data into Microsoft Excel for further analysis or graphing.

c. Libpcap or PcapNG – use one of these formats if you are sharing files with a Wireshark user.
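A recipient of a Libpcap export can rank top talkers without Omnipeek, in the spirit of sorting the Nodes view on “Total Bytes”. The script below is an added example, not part of the Savvius guide or product: it parses a classic libpcap file and charges each packet's length to both of its IPv4 endpoints, which is an assumption and may not match Omnipeek's own counters. The sample capture is constructed inline (10.4.2.20 is a made-up address), and `build_sample_pcap` and `top_talkers` are hypothetical names.

```python
import struct
from collections import Counter

def build_sample_pcap():
    """Constructed sample: little-endian libpcap file with three Ethernet/IPv4 frames."""
    def frame(src, dst, payload_len):
        eth = bytes(12) + b"\x08\x00"                 # zeroed MACs, EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                         bytes(src), bytes(dst))
        return eth + ip + bytes(payload_len)
    frames = [frame((10, 4, 2, 16), (159, 180, 64, 109), 100),
              frame((159, 180, 64, 109), (10, 4, 2, 16), 1000),
              frame((10, 4, 2, 20), (10, 4, 2, 16), 50)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f        # ts, ts_usec, incl, orig
    return out

def top_talkers(pcap_bytes):
    """Return [(ip, total_bytes, percent_of_capture)], highest total first."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (PcapNG is not handled here)")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    totals, seen, off = Counter(), 0, 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        pkt = pcap_bytes[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < incl_len:
            break                                     # truncated final record
        seen += orig_len
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":  # untagged IPv4 frames only
            for addr in (pkt[26:30], pkt[30:34]):         # source, then destination
                totals[".".join(map(str, addr))] += orig_len
    return [(ip, n, round(100 * n / seen, 1)) for ip, n in totals.most_common()]

if __name__ == "__main__":
    for ip, total, pct in top_talkers(build_sample_pcap()):
        print(f"{ip:<16} {total:>8} bytes  {pct:>5}%")
```

Because every packet is counted for both endpoints, the percentages express each node's share of the captured bytes and do not sum to 100.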

Self-support portal for Savvius Insight

Support for Savvius Insight is available only at the Savvius Insight Web portal located at https://insight.savvius.com.

In the portal you will be able to:

• Register your Savvius Insight

• View the Frequently Asked Questions

• Obtain configuration instructions for common use cases

• Share your Savvius Insight experiences and issues with other users in an interactive forum

• Learn new Tips and Tricks about Savvius Insight hardware and software

An RMA (Return Material Authorization) number must be obtained from Savvius in order to return hardware for any reason. Your Savvius Insight must also be registered to obtain warranty service.

Technical specifications

The technical specifications for Savvius Insight are listed below:

Basic system configuration

• Pre-loaded, tested, and fully integrated with Savvius Capture Engine software

• 8GB RAM

• 128GB HD/SSD SATA

• Quad-core 1700 MHz Intel Atom processor

Performance

• Network analysis up to 100Mbps

• Up to four simultaneous captures

Ethernet

• Six built-in 10/100/1000 Gigabit Ethernet ports

• RJ-45 Interface

I/O

• One reset button

• One RJ45 serial port

• Two type A USB ports

Certification

• EMC CE Class B

• FCC Class B

• VCCI

• RoHS

Environmental

• Operating temperature: 0° to 40° C (32° to 104° F)

• Storage temperature: -20° to 70° C (-4° to 158° F)

• Relative humidity: 5% to 90% (non condensing)

Power and system input requirements

• 36W external AC/DC power adapter

• AC input voltage: 100-240 VAC

• Rated input current: 100 (10A) - 240V (4A)

• Rated input frequency: 50-60 Hz

Dimensions and weight

• 44 h x 177 w x 145.5 d

• 2.6 lbs

Supported operating system

• Linux

Savvius Insight Warranty

• Available with one year warranty
