ExtraHop Web UI Users Guide

Version 4.1.4

 

About This Guide

The ExtraHop Web UI Users Guide provides a product overview and detailed information about the functional areas of the Web UI for the ExtraHop® platform. For related documentation, refer to the following links.

Audience

This guide is intended for ExtraHop users who are looking for a general introduction to the Web UI component of the ExtraHop platform.

Feedback

We are working hard to improve our product, and with your feedback we can better meet your needs. We appreciate all feedback that you, as a valued ExtraHop customer, can provide. Please email feedback to the following addresses:

Common Acronyms

The following common computing and networking protocol acronyms are used in this guide.

Acronym Full Name
AAA Authentication, authorization, and accounting
AMF Action Message Format
CIFS Common Internet File System
CLI Command Line Interface
DB Database
DNS Domain Name System
ERSPAN Encapsulated Remote Switched Port Analyzer
FIX Financial Information Exchange
FTP File Transfer Protocol
HTTP Hyper Text Transfer Protocol
IBMMQ IBM Message Oriented Middleware
ICA Independent Computing Architecture
IP Internet Protocol
IRL Index record log
iSCSI Internet Small Computer System Interface
L2 Layer 2
L3 Layer 3
L7 Layer 7
LDAP Lightweight Directory Access Protocol
NFS Network File System
RADIUS Remote Authentication Dial-In User Service
RPC Remote Procedure Call
RPCAP Remote Packet Capture
SMPP Short Message Peer-to-Peer Protocol
SMTP Simple Message Transport Protocol
SPAN Switched Port Analyzer
SSL Secure Socket Layer
TCP Transmission Control Protocol
UI User Interface
VLAN Virtual Local Area Network

ExtraHop System Overview

ExtraHop Networks is the leader in the operational intelligence market, delivering innovative solutions to ensure that business-critical transactions do not fail. The ExtraHop platform provides real-time analysis of applications to improve customer experience and quality of service while reducing IT costs.

Combining the capabilities of network performance managers with the superior application-level visibility of user experience monitors, the highly scalable ExtraHop platform provides the following benefits:

  • End-to-end visibility across networks, applications, databases, and storage arrays
  • Simultaneous real-time analysis of all transactions
  • Trend-based alerting and proactive early warning for potential problems

ExtraHop System Architecture

The ExtraHop system leverages recent gains in processing power and storage capacity to perform full-stream reassembly and full content analysis, processing tens of thousands of transactions simultaneously and in real time.

The ExtraHop system processes traffic at network speed both in terms of throughput and transactions per second. This level of analysis is delivered by a proprietary network micro-kernel and real-time dynamic datastore. The ExtraHop system also includes a rich web UI that provides workflows designed to facilitate the troubleshooting process.

Alerting Engine

The ExtraHop system also includes a built-in alerting engine that supports both simple threshold-based alerts and sophisticated trend-based alerts. Trend-based alerts use historical context to learn normal behavior and send notifications when anomalies are detected. Alerts can be configured for most metrics that the ExtraHop system records, including web server errors, database errors, payload length, and slow transactions. Trend-based alerts for web server and database errors are applied automatically to all discovered web servers and databases with no configuration.

Lightweight Deployment

You can deploy the ExtraHop system as a physical or virtual appliance. Using a network tap, SPAN port, VACL capture, packet forwarding (RPCAP), or ERSPAN technology, the ExtraHop system analyzes a copy of the production network traffic in real time, extracting the valuable performance information. Rather than sample a portion of network traffic, the ExtraHop system processes every packet at wire speed.

With the ExtraHop system’s full-stream reassembly approach, traffic flows are reconstructed to analyze the payload from L2 to L7. The ExtraHop system is designed for production enterprise environments, supporting real-world traffic patterns such as IP fragments, out-of-order segments, and microbursts. When packet loss occurs on the monitoring link, the ExtraHop system synchronizes and recovers.

ExtraHop Modules

The ExtraHop system provides metrics through the following types of modules:

  • L2-L3 Metrics: Multicast, IP, IPv6, ICMP, ICMPv6
  • L4 Metrics: TCP, UDP
  • Naming: DNS
  • Directory Services: LDAP
  • Web: HTTP/HTTPS, AMF, SSL
  • Middleware: MS-RPC, Memcache, IBMMQ
  • Database: IBM DB2, IBM Informix, Microsoft SQL Server, MongoDB, MySQL, Oracle, PostgreSQL, Sybase ASE, Sybase IQ
  • Storage: iSCSI, CIFS, NFS
  • File Transfer: FTP
  • Mail: SMTP
  • Citrix VDI: ICA, CGP
  • Industry-Specific Protocols: HL7, FIX, SMPP, RADIUS, Diameter
  • Decryption: Any protocol encrypted over an end-to-end SSL channel can be decrypted using the SSL decryption module.

For more information about ExtraHop modules, visit extrahop.com/products/modules.

Browser Compatibility

The following tested browsers are compatible with the ExtraHop platform:

Browser Features Supported
Internet Explorer 10 and 11 All features
Chrome 35 and 36 All features
Firefox 29 and 30 All features
Safari 7 All features

The ExtraHop Web UI is a web application that uses the features of an Internet browser. This section describes the general layout and focuses on navigating to the primary pages. It also describes the page-level toolbar controls as well as the controls for setting and selecting time intervals and for logging on and off. For information on navigating the Summary page, refer to Summary.

The following figure shows the main components of the ExtraHop Web UI.

For page-level navigation, the navigation bar contains buttons for the primary pages:

  • Summary: Provides a customizable dashboard page with links for adding and removing graphical widgets.
  • Alerts: Provides a list of all triggered alerts and includes configuration features to set up alert definitions.
  • Apps: Provides a list of all applications on the network.
  • Networks: Shows the network capture details and provides access to network and device-level metrics.
  • Devices: Shows the devices on the network and provides searching and filtering controls to locate and view metrics on specific devices.
  • Groups: Lists device groups based on types of network traffic and provides controls to fine-tune or define custom device groups.

The retractable page-navigation panel on each primary page uses a tree control to provide direct access to the sub-pages. For example, on the Networks page, the sub-pages appear in a tree control below the root node. The module nodes are expandable and can be clicked to show (or hide) the sub-pages for each associated network module.

The navigation bar also contains buttons to access the following functions:

  • Settings: Lets you create and modify alerts, triggers, custom pages, and other settings.
  • User account: Lets you log out, change your password, and create API keys.
  • Forum: Opens the ExtraHop Support Forum in a new window.
  • Help: Opens the online help in a new window.

If you navigated to the ExtraHop Web UI from an ExtraHop Central Manager (ECM), the navigation bar also contains a button to return to the ECM Nodes page of the Admin UI.

Time Interval

The Time Interval drop-down list provides options to specify a time period for the collection and presentation of network data. You can set a global time interval for metrics across all functional areas or a targeted time interval for the widgets in a particular region on the Summary dashboard.

When you configure a widget, it inherits the time interval of the region in which it is placed. You must set the time interval after you click Exit Layout Mode. Time intervals set in Layout mode revert back to the original time interval when you exit.

The Time Interval drop-down list includes the following options:

  • Last 30 minutes: Displays the last 30 minutes of data collected by the ExtraHop appliance with a 30-second resolution.
  • Last 6 hours: Displays the last six hours of data collected by the ExtraHop appliance with a five-minute resolution.
  • Last 24 hours: Displays the last 24 hours of data collected by the ExtraHop appliance with a 60-minute resolution.
  • Last 7 days: Displays the last seven days of data collected by the ExtraHop appliance with a 60-minute resolution.
  • Time window: Displays the data collected by the ExtraHop appliance within a fixed window of time. Refer to Defining a Time Window.
  • Date range: Displays the data collected by the ExtraHop appliance within a fixed historic date range. Refer to Defining a Date Range.

The ExtraHop system can store a combined total of up to five user-defined time windows and date ranges. They are saved across login sessions and remain in memory until the oldest of the five is replaced with a newly defined date range or time window.

To set a global time interval, click the Time Interval drop-down list at the top of one of the module pages and select an option. Navigation from one functional area to another does not affect the selected time interval.

To set a targeted time interval for a particular region on the Summary dashboard, click the upper right corner of the region and select an option; then click Save.

To view previous time intervals that were set for that region, click History.

Defining a Time Window

If you are troubleshooting an issue that occurred recently, you can use the Time window option to specify the number of minutes, hours, or days from the present time to gather data. When a time window is defined, the UI displays network activity data that occurred from the specified number of minutes, hours, or days to the present.

To define a global time window:

  1. Click the Time Interval drop-down list and select Time window.
  2. In the Time Window dialog box, click the drop-down list and select Minutes, Hours, or Days.
  3. In the Last field, type the number of units of time for which you want to gather data.

To define a targeted time window for a specific metric:

  1. Go to the Summary dashboard.
  2. Select the dashboard containing the metric.
  3. Click the time interval in the upper right corner of the region.
  4. Select the Last radio button and type the number of units of time for which you want to gather data.
  5. Click the drop-down list and select Minutes, Hours, Days, Weeks, or Months.

Defining a Date Range

If you are troubleshooting an issue that occurred during a specific time, you can use the Date range option to define a fixed date range. When a fixed date range is defined, the UI displays network activity data that occurred within the date range.

To define a global date range:

  1. Click the Time Interval drop-down list, and select Date range. The Date Range dialog box opens, displaying two separate calendars (and time fields) to define the date range.

  2. On the From calendar, click the day to specify the start date for the range.
    Note: Use the back and forward arrows to change the month displayed on the calendar. By default, the calendar opens to the current month and day.
  3. To set a value in the Time field:
    1. Select hours and enter the value (between 00 and 23) that you want to use as the starting hour.
    2. Select minutes and enter the value (between 00 and 59) that you want to use as the starting minute.
    3. Select seconds and enter the value (between 00 and 59) that you want to use as the starting second.
  4. On the Until calendar, repeat steps 2 and 3 to set the date and time values for the end of the range.
  5. Click OK to save the range. The defined date range takes effect immediately and appears in the Time Interval drop-down list.

To define a targeted date range for a specific metric:

  1. Go to the Summary dashboard.
  2. Select the dashboard containing the metric.
  3. Click the time interval in the upper right corner of the region.
  4. Select the Custom time range radio button and select the starting and ending dates and times.

Using a Delta Comparison

You can compare a metric on the Summary dashboard to the same metric from a different time period.

To perform a delta comparison:

  1. In the navigation panel, click Summary.
  2. Locate the region containing the metrics you want to compare.
  3. Click the currently selected time interval in the upper right corner of the region.

  4. Click the Compare button.

  5. In the Delta Comparison window, select the time interval to use in the comparison or enter your own custom ending time.

  6. Click Save.

    On the Summary dashboard, a new chart is overlaid onto the previous chart displaying the metrics for the new time interval.

Zooming in on a Fixed Time Period

You can use the time scales on charts to define and set a fixed time period in the Time Interval drop-down list. You can pinpoint a short time interval to view specific metrics like packet or byte counts per second based on the activity shown in the chart.

To set a fixed time period from a line chart:

  1. In the navigation bar, click a functional area that shows application, network, or device charts.
  2. Select an application, network, or device to view.
  3. In the page navigation panel, expand the tree control and click the sub-page that you want to view.
  4. To zoom in on a short time interval, drag across the chart to select a specific region.
  5. When you release the mouse button, the graph is redrawn, showing only the selected region.

    The scales on the chart’s axes update to reflect the range of values in the selected time interval. In addition, the value in the Time Interval drop-down list adjusts to reflect the fixed time range selected in the graph. The new fixed time interval becomes the global time interval for all functional areas.

Toolbar

Each functional area page includes a toolbar with links relevant to the elements on the current page. The following example is a toolbar on a device page.

The toolbar includes a wide range of links and controls that enable operations on the page content. Pages that display metrics, such as the Networks, Devices, and Groups pages, include some or all of the following items:

  • Open in Metric Explorer: Opens the Metric Explorer to display detailed metrics for a network, application, device, or group.
  • Activity Map: Generates an activity map to visualize all or logical parts of network and application activity.
  • Add to Report: Adds device information to a selected report.
  • PDF: Generates a PDF of the current interface page.
  • Pin to Summary: Adds the metric to the Summary dashboard page.

For information about creating these items, refer to Settings.

User Account

The ExtraHop Web UI requires a user name and a password to access the interface. Before logging in for the first time, contact your ExtraHop system administrator to obtain your log-in credentials.

To log in to the ExtraHop Web UI:

  1. In your browser, navigate to the ExtraHop Web UI at https://[IP address]/extrahop, where [IP address] is the IP address displayed on the LCD at the front of the ExtraHop appliance.
  2. On the Login page, in the Username field, enter your ExtraHop system user name.
  3. In the Password field, enter your ExtraHop system password.
  4. Click Log In.
Note: After deploying the ExtraHop system, to log in to the system for the first time, the default user name is admin and the password is admin. You can modify the default admin credentials using the ExtraHop web administration utility.
Note: The default password for Amazon Web Services (AWS) users is the string of numbers after the -i in the instance ID.

To change your ExtraHop system password:

  1. Click Change Password in either of the following locations:
    • Login page
    • Your user name on the navigation bar

  2. If the User field is present, type your ExtraHop system user name.
  3. In the Old password field, type your current ExtraHop system password.
  4. In the New password field, type a new password.
  5. In the Confirm password field, retype the new password.
  6. Click Save.

The new password takes effect immediately.

To view your unique user API keys in the ExtraHop Admin UI, click your user name on the navigation bar, and then click API Keys. The page redirects users with administrator privileges to the ExtraHop Admin UI where you can view and create API keys.

To end your current ExtraHop Web UI session, click your user name on the navigation bar, and then click Logout. The ExtraHop Web UI ends the current session and redirects the browser to the Login page.

Metric Display

Some pages that display metrics also allow you to do the following:

  • Export Data: Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.
  • Sort Metrics: Click the gear icon on the right side of the section to sort the metrics.
    • Sort by Key: Sorts the metrics in that section by the name of the metric.
    • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.
  • Toggle Chart Views: Click the Linear or Log radio button to view the chart with a linear vertical axis or a logarithmic vertical axis.

Drill-Down Functionality

The ExtraHop system's drill-down functionality allows you to trace warning and error information presented at the summary level back to the root causes at the network or device level. For example, an examination of metrics on the Summary page lets you quickly identify the types of traffic in the network capture. You can drill down to examine spikes in network traffic and to view unexpected patterns and distributions of protocols.

For information on customizing the Summary page, refer to Summary.

To drill down to find the top talkers for each protocol:

  1. In the navigation bar, click Summary.
  2. In the dashboard dock, select a dashboard with metrics that you want to view.
  3. To drill down to the network-level metrics, double-click a widget.
    OR
    Click the Go button on a widget.
    OR
    Click the Configuration button next to the Go button.

    When you double-click a widget, the ExtraHop Web UI redirects to its associated object. If there are multiple associated objects, a menu opens.

    When you click the Configuration button, a menu opens. Select the object with the detailed metrics you want to view. In this example, select Go to network..., and then select an option from the second drop-down list.

    In this example, these options drill down to the L7 Protocols page in the Networks functional area to show application traffic associated with the network capture.

  4. Click the protocol that is causing a spike in network traffic to see the list of associated devices.

    The Protocols table at the bottom of the page shows the list of applications associated with the SSL protocol. From this list of devices, you can see which device is causing the spike in network traffic.

  5. In the Device column of the table, click the name of the device that is causing the spike in network traffic.

    When you click the device name, the ExtraHop Web UI redirects you to the Devices functional area and opens the SSL metrics page for the specific device.

You can also drill down into metrics on individual ExtraHop Web UI pages. The following example explores top-talking protocols at the network level.

To drill down to find the top talkers for each protocol:

  1. In the navigation bar, click Networks.
  2. On the All Networks page, select a network and click L7 Protocols.
  3. Mouse over the graphs to view any metrics that appear outside the normal range.
  4. Click the legend on the graph to drill down to the network-level metrics. In this example, click SSL:443.

    The Protocols table at the bottom of the page shows the list of applications associated with the SSL protocol. From this list of devices, you can see which device is causing the spike in network traffic.

  5. In the Device column of the table, click the name of the device that is causing the spike in network traffic.

    When you click the device name, the ExtraHop Web UI redirects you to the Devices functional area and opens the SSL metrics page for the specific device.

Hot Keys

Global Hot Keys

The following global hot keys redirect to top-level pages in the ExtraHop Web UI and allow you to perform actions on them.

Key Action
? Show/hide this help menu
G then S Go to Summary
G then A Go to Alerts
G then P Go to Applications
G then N Go to Networks
G then D Go to Devices
G then G Go to Device Groups
O then M Open Metric Explorer
G then E Go to Settings
G then T Go to Trigger Editor
G then H Open Help
O then Q View system information
Ctrl+S Save widget configuration

Summary Page Hot Keys

The following hot keys allow you to perform actions on the Summary page.

Key Action
O then L Toggle edit layout mode
O then P Show dashboard properties
C then D Copy current dashboard
D then D Delete current dashboard
O then S Toggle descriptions
Ctrl+Shift+F Toggle presentation mode
N then D Create new dashboard
N then F Create new folder
O then D Toggle dock edit mode

Summary

The Summary page contains default and customizable dashboards that show information of interest to a particular user. Dashboards are stored separately for each client browser that accesses the ExtraHop system. You can share dashboards with other users or keep them for personal use.

Dashboards are configured primarily with widgets, which link to the full data pages that they represent. For more information on configuring and working with dashboards, refer to Dashboards.

The Configuration button in the upper right corner contains menu commands for configuring dashboards, specifying the display, and viewing metrics.

The Summary page contains a set of hot keys to perform common actions. For more information, refer to Hot Keys.

To drill down into metrics of interest from the Summary page, click the Go button on a widget or click the Configuration button next to the Go button. For more information, refer to Drill-Down Functionality. You can also double-click a widget to navigate to the application, device, or capture page containing the chart.

You can add flex grids and custom pages to the dashboard dock on the Summary page through the Settings section. For more information, refer to Flex Grids and Pages.

Summary Page Activities

Edit the Layout

Click the orange Configuration button in the upper right corner of the screen, and select Edit Layout to edit a custom dashboard. After making changes, click Exit Layout Mode.

Note: If an error message appears, another user may be making changes. It is best practice for each ExtraHop user to have his or her own account.

Change the Dashboard Properties

Click the orange Configuration button, and select Dashboard Properties to configure a new or existing custom dashboard. For more information, refer to Dashboards.

Copy a Dashboard

Click the orange Configuration button and select Copy. Select Keep sources if you want an exact copy of the current dashboard's metrics. Select Modify sources if you want the same regions as the current dashboard, but with different metric sources. The ExtraHop Web UI creates a copy of the dashboard.

Delete a Dashboard

Click the orange Configuration button, and select Delete to delete a custom dashboard. Click the Delete Dashboard button in the Are you sure? dialog box.

Show or Hide Descriptions

Click the orange Configuration button and select Show Descriptions to display metric totals and descriptions when hovering the mouse over a graph. Select Hide Descriptions to hide them.

You can also view descriptions in charts that display traffic from individual ports. Descriptions are provided for protocols that the ExtraHop system parses. The ExtraHop system parses the protocols listed in ExtraHop Modules.

View in Presentation Mode

Click the orange Configuration button and select Presentation Mode to enter a full-screen display of the metrics on the currently selected dashboard. Move your mouse to the left side of the screen to view the dashboard dock in presentation mode. Click the Exit Presentation Mode button to return to the previous display.

To open a dashboard in presentation mode directly, add /presentation to the URL. For example:

https://<extrahop_ip>/extrahop/#/Summary/dashboard/437/presentation

View in Widget Slideshow

Click the orange Configuration button, select Widget Slideshow, and select a time increment to view a slideshow of widgets within the current window. Click the X in the upper right corner of the screen to return to the previous display.

Configure a Widget in the Metric Explorer

You can use the Metric Explorer to configure widgets to add to a dashboard. As you configure a widget, you can refer to a complete list of built-in and custom metrics.

To configure a widget:

  1. On the Summary page, click the orange Configuration button in the upper right corner and select Metric Explorer.
  2. (Optional) Click Unconfigured Widget in the upper left corner and enter a title.

  3. Click the Add metric source button and enter all or part of a protocol or metric of interest. Click the Type drop-down list and select a category to further refine your search. The search field uses JavaScript regular expressions.

  4. Select a metric from the list.
  5. Select a specific metric from the list, or search for one in the field below.

    A preview chart appears on the right.

  6. Click Add Metric to search for a specific metric.
  7. (Optional) Click Drilldown to search for detailed metrics such as by host or by URI.

  8. In the search field, enter all or part of the search string. The search field uses JavaScript regular expressions.

  9. (Optional) Continue to add metric sources and metrics to display on the chart.
  10. In the upper left corner, click Options to change the units, show the metric as a rate, change the suffix notation, or change the labels.

  11. In the upper right corner, select the time interval to display the metric. For more information, refer to Time Interval.
  12. Select a chart type at the bottom to change the appearance of the chart.

  13. When you are ready to add your widget, click Add to Dashboard. Select a dashboard from the list.
    OR
    If no dashboards are configured, click New Dashboard.

  14. Configure the dashboard properties. For more information, refer to Dashboards.
  15. Save the dashboard and click Exit Layout Mode in the upper right corner to view the dashboard on the Summary page.
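
Steps 3 and 8 state that the search field uses JavaScript regular expressions; the following shows what that means for drill-down keys such as hosts and URIs, where ".", "?" and "(" are metacharacters. This is an added example, not ExtraHop code: the key list is constructed, the function names are hypothetical, and because this guide does not say whether the search field applies flags or anchors, none are assumed.

```javascript
// Added example (not ExtraHop code): how a JavaScript regular expression
// treats text typed into a search field.
// SAMPLE_KEYS is constructed drill-down data (hosts and URIs), not real output.
const SAMPLE_KEYS = [
  "10.1.1.5",
  "10.1.1.50",
  "10.1.115",
  "web01.example.com",
  "/index.php?id=7",
  "/login (admin)",
];

// Escape every regex metacharacter so the text is matched literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Evaluate `input` against `keys` the way an unanchored, flag-less
// JavaScript regular expression would.
//   literal: escape metacharacters first (search for the text as typed)
//   exact:   anchor the pattern so only whole-key matches are returned
// An invalid pattern is reported instead of thrown.
function searchKeys(keys, input, { literal = false, exact = false } = {}) {
  let source = literal ? escapeRegExp(input) : input;
  if (exact) {
    source = `^(?:${source})$`;
  }
  let pattern;
  try {
    pattern = new RegExp(source);
  } catch (err) {
    if (err instanceof SyntaxError) {
      return { ok: false, error: err.message, matches: [] };
    }
    throw err;
  }
  return { ok: true, error: null, matches: keys.filter((k) => pattern.test(k)) };
}

// Keys that the raw pattern matches even though they do not contain the
// typed text, i.e. hits caused only by metacharacters such as ".".
function overMatches(keys, input) {
  return searchKeys(keys, input).matches.filter((k) => !k.includes(input));
}

// Demo: compare each input evaluated as a regex and as escaped literal text.
for (const input of ["10.1.1.5", "/index.php?id", "/login ("]) {
  const raw = searchKeys(SAMPLE_KEYS, input);
  const lit = searchKeys(SAMPLE_KEYS, input, { literal: true });
  console.log(
    JSON.stringify(input),
    "as regex:",
    raw.ok ? raw.matches : `rejected (${raw.error})`
  );
  console.log(JSON.stringify(input), "escaped: ", lit.matches);
}
```

When looking up a single host or URI, escaping the metacharacters (and anchoring with ^ and $ for a whole-key match) keeps neighbouring keys out of the result.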

Select a Chart Type

Chart types include the following:

  • Area displays the metrics in an area chart showing the count over time.
  • Bar shows the count of the metrics as horizontal bars.
  • Column displays the count of the metrics in columnar form over time.
  • Candlestick uses a dataset or sampleset metric (for example, HTTP server processing time). Viewing options include Summary and Percentile. Drill-downs for Client IP, URI, and Server IP are also available.

  • Line plots the metric count over time.
  • Line and Column lets you display two or more metrics. To add a new metric below the chart, select the Display as Columns checkbox for the metric.

  • List displays the metrics in a list.
  • Single Value is configured to display one metric only. Set up additional widgets side by side to create multiple tiles.

  • Status displays status widgets. For more information, refer to the next topic.

View Status Widgets

Status widgets, or service availability widgets in ExtraHop version 3.x, are based on alerts. The service status is displayed in a bar graph with red, orange, yellow, or green bars based on the severity and type of configured alerts.

A user-defined, detailed alert can be associated with a device, device group, or application widget. When you configure an alert for a specific metric, any alert of the same metric type will appear on the widget. For example, if you configure an alert to fire on HTTP responses, but you configured alerts for HTTP errors and response times as well, all three metrics will appear on the widget. When an alert fires, the bar on the widget associated with that alert is colored based on the severity level set in the alert. If multiple alerts fire on the same location, the color of the bar reflects the most severe alert. For more information about how to set the severity level, refer to Notifications.

To display the service status, click the gear icon and select Show Availability.

To display a list of alerts that comprise the data on the widget, click Show Related Alerts.

Copy Widgets

To copy a widget to another dashboard, right-click any table, chart, or tile on the widget, select Copy to, and select the dashboard to place the widget. The widget appears in the next available slot on the target dashboard.

Print Widgets

To print a widget:

  1. Right-click any table, chart, or tile on the widget and select Print. The print preview appears in a new window.
  2. Click the Theme drop-down list and select a theme.
  3. Click Print Widget.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Dashboards

The dashboard dock in the ExtraHop UI allows you to view and create dashboards. You can create shared team dashboards as well as user-specific dashboards according to functional tier. The dashboard dock contains the following types of dashboards:

  • My Dashboards: Custom, user-defined dashboards viewable only to the user who created them.
  • Built-In Dashboards: System dashboards defined by ExtraHop.
  • Shared Dashboards: Custom, user-defined dashboards that the creator has shared with other users.

The built-in activity dashboard contains an overview of network traffic and a group of charts for active protocols. The ECM activity dashboard contains a list of nodes ordered by device count. The ECM active protocol charts measure activity for the top seven nodes for each licensed protocol.

Note: (Upgrade only) Pinned custom pages, flex grids, and Summary page dashboards with up to 50 widgets created in version 3.10 and earlier will migrate to version 4.0 as pinned dashboards. The system migrates all widget types except the geomap list widget.

To create a custom dashboard under My Dashboards:

  1. At the bottom of the dashboard dock, click New Dashboard.
  2. Click the Configuration button in the top right corner and select New Dashboard.
  3. In the Dashboard Properties pop-up window, enter the following:
    • Title: A name for the dashboard.
    • Author: Your name.
    • Description: A brief description of the dashboard.

  4. If you want to change the five-character unique identifier in the permalink, click the link and enter a meaningful name.
    Note: The name can have up to 100 characters using letters, numbers, and the following symbols: ._-+)[]. The name cannot contain spaces.
  5. If you want other users to see the dashboard, select Allow others to view this dashboard.
  6. For Theme, select a radio button to specify a style for the dashboard.
  7. Click Save.
  8. Click the orange Configuration button in the upper right corner of the screen and select Edit Layout.
  9. Drag at least one region onto the dashboard.
  10. Click Region in the upper left corner of the region, enter a new name in the Title field, and click Save.
    OR
    Click the Region Configuration button in the right corner of the blue title bar and select Rename.

    Now you can begin adding widgets to the empty region.

You can expand the region lengthwise to include a maximum of 20 charts that are of minimum height. You can expand the region crosswise to include a maximum of six charts that are of minimum width.

Dashboard Activities

Add Widgets

To create a widget and add it to the Summary dashboard from the Summary page:

  1. In the dashboard dock, select the dashboard where you want to place the widget.
  2. In the upper right corner of the screen, click the Configuration button and select Edit Layout.

  3. Click the Region icon and drag it onto the dashboard. You can resize the region by dragging the lower right corner.

  4. Click a widget icon and drag it onto the region. You can resize the widget by dragging the lower right corner.
  5. Click the Configuration button on the top right corner of the widget and select Edit. Do one of the following depending on the widget type.
    • Widget: This widget is user-defined. For information about editing and configuring custom widgets, refer to the Configure a Widget in the Metric Explorer section of Summary.
    • Alert History: This widget shows the alert history information about the objects in the list. Click Add metric source to customize the alert history.

    • Activity Groups: This widget shows a list of all activity during the selected time interval and cannot be configured.

    • Text Box: This widget provides a space for user-defined text and images. Click the Parsed in Markdown link above the Editor text box for examples of how you can change the display.

      You can add images by linking or converting them. Linked images must be on the network and accessible to the ExtraHop system.

  6. Click Save. The widget appears in the region.
    Note: If an error message appears, another user may be making changes. It is best practice for each ExtraHop user to have his or her own account.
  7. Click the Exit Layout Mode button in the upper right corner of the dashboard to return to the Summary screen.

Remove Widgets

Some widgets on the dashboard might be useful only to solve a specific problem. After the problem is resolved, you can remove these widgets from the dashboard.

To remove widgets from the Summary dashboard:

  1. Click the Configuration button in the upper right corner of the dashboard and select Edit Layout.
  2. Click the Configuration button in the upper right corner of the widget and select Remove.

  3. Click Delete Widget.

  4. Click the Exit Layout Mode button in the upper right corner of the dashboard to return to the Summary screen.

Remove Regions

To remove a region and all of its widgets from the Summary dashboard:

  1. Click the orange Configuration button in the upper right corner of the dashboard and select Edit Layout.
  2. Click the Region Configuration button in the upper right corner of the region and select Remove.
  3. Click Delete Region.
  4. Click the Exit Layout Mode button in the upper right corner of the dashboard to return to the Summary screen.

Modify Sources in Regions

To modify a region's metric sources:

  1. Click the orange Configuration button in the upper right corner of the dashboard and select Edit Layout.
  2. Click the Region Configuration button in the upper right corner of the region and select Modify Sources.
  3. In the Modify Sources window, select the object that you want to change from the list on the right and choose a new metric source. You can also change the title of the region by clicking the region name on the right.
  4. Click Save Region.
  5. Click the Exit Layout Mode button in the upper right corner of the dashboard to return to the Summary screen.

Add Dashboards

The ExtraHop Web UI provides a page-level toolbar icon on metrics pages that creates a dashboard from the current interface page and adds it automatically to the Summary page. The Pin to Summary tool provides a quick way to add a dashboard while you are in a troubleshooting workflow.

To add a widget to the Summary page from a metrics page:

  1. Browse to the metrics page that contains the data you want to add to the dashboard.
  2. Click Pin to Summary.
  3. Click OK to confirm.

The ExtraHop system creates a new dashboard to display the page and adds it to My Dashboards.

Organize Dashboards

To organize your dashboards in folders:

  1. At the bottom of the dashboard dock, click the configuration button to the right of New Dashboard.

  2. Select New Folder.
  3. Enter a name for the folder and click Save.
  4. Add dashboards to the empty folder by entering Edit mode. In Edit mode, you can organize, edit, and create new dashboards.
    1. Click the configuration button to the right of New Dashboard and select Edit Dock.
    2. Drag and drop any of the dashboards you created into the new folder.

    3. Click the right-most button in the panel to save and exit Layout mode.

Alert History

The Alert History page contains a list of triggered alerts for a specified time interval. This page provides an overview of the most recent application, device, and network alerts that have fired during the capture period.

To use the Alert History page, you must first create alerts. Click the Configure Alerts button, and the Alerts page opens in the System Settings pop-up window. For more information about configuring alerts, refer to Alert Configuration.

The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information.

The Alert History table provides the following information about the alerts:

  • Source Type: The type of object that triggered the alert, either an application or a device.
  • Source: The name of the application or device that is the source of the alert.
  • Node: The ECM node on which the alert exists.
  • Alert: The name of the alert.
  • Most Recent: The time of the most recently fired alert.

To view alerts:

  1. On the navigation bar, click Alerts.

  2. Click the Time Interval drop-down list and select a time interval to view all fired alerts in that period.

  3. To sort the table by the Source Type, Source, Alert, or Most Recent column, click the column heading, and then click the arrow in the right corner of the column to sort the entries in ascending or descending order.

To view alerts on the ECM:

  1. On the navigation bar, click Alerts.

  2. Click the Time Interval drop-down list and select a time interval to view all fired alerts in that period.

  3. To sort the table by the Source Type, Source, Node, Alert, or Most Recent column, click the column heading, and then click the arrow in the right corner of the column to sort the entries in ascending or descending order.

To view Source column details:

  1. Sort the Source column to find the alert instance that you want to view.
  2. Click the name in the Source column. The ExtraHop Web UI redirects to the type of metrics that triggered the alert.
  3. Click the Alert History sub-page for the device, network, or application to show all the alerts that fired during that time interval. Click the name of the alert in the list to see the alert details and the value that triggered it.

To view Alert column details:

  1. Sort the Alert column to find the alert that you want to view.
  2. Click the name in the Alert column.

    The Alert Details pop-up window displays information about the alert.

    • Name: The name of the alert.
    • Expression: The metric, time interval, operator, and sensitivity that were defined when the alert was created.
    • Value: The value of the metric at the time the alert fired. This is used for comparison against the alert expression.
    • Description: The optional user-defined description of the alert.

    For trend alerts, the Trend Alert Details pop-up window includes the following:

    • Name: The name of the alert.
    • Alert Conditions: The type of alert, time interval, operator, and/or percentage of the trend that were defined when the alert was created.
    • View at Time of Alert: The alert graph from when the alert was fired.
    • View Current State: The alert graph of the current trend state of the alert.

    When you click the View at Time of Alert and View Current State buttons, the UI redirects to the Alert History page of the object on which the alert fired. For more information, refer to the following:

Toolbar and Metric Display

Configure Alerts

To configure alerts, refer to Alert Configuration.

PDF

Click the PDF button to generate a PDF of the current interface page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Applications

ExtraHop provides a set of default applications based on all traffic. You can modify the default application template to suit the needs of your organization, and you can add your own applications. You can define custom applications using Application Inspection Triggers. For more information, refer to Triggers.

The All Applications page includes a table that lists all devices discovered on your networks. The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information. The counter at the bottom of the table identifies the number of applications currently displayed in the table. The table can show up to 100 applications per page.

The All Applications page contains the following information:

  • Name: Specifies the name of the application.
  • Capture: Specifies the capture point for which the application was defined.
  • Description: Provides a space for an optional, user-defined description.

Activities for the All Applications Page

To view applications metrics:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click an application in the list to view the application details.

    Note: If there are no user-defined applications, the browser directs you to the default All Activity overview page.
  3. The application's Overview page appears.

  4. Click the name of the application in the left panel to manage the application's assignments.

More All Applications Page Activities

Assign Alerts

To assign an alert to an application:

  1. On the All Applications page, select the checkbox next to the application(s) to which you want to assign the alert(s).
  2. Click the Assign Alerts button.
  3. In the Assign Alerts dialog box, select the alerts that you want to assign to the application(s).

  4. In the Filter text box, provide an optional filter string to filter the list of alerts by name.
  5. Click OK.

Remove Alerts

To remove an alert assignment:

  1. Go to the Settings page and click the Alerts icon.
  2. Click the name of the alert that you want to remove, click the Assignments tab, and then click the delete icon to the left of the name of the application.

Assign Pages

To assign custom pages to an application:

  1. On the Application page, select the checkbox next to the application(s) to which you want to assign the custom page(s).
  2. Click the Assign Page button.
  3. In the Assign Pages dialog box, select the custom pages that you want to assign to the application.

  4. In the Filter text box, provide an optional filter string to filter the list of pages by name.
  5. Click OK.

Remove Pages

To remove pages from the application:

  1. On the Application page, click the Pages tab to see the pages assigned to this application.
  2. Click the delete icon to the left of the page that you want to delete.

Assign to Flex Grid

To assign the application to a flexible grid:

  1. On the All Applications page, select the checkbox next to the application(s) that you want to assign to a flex grid.
  2. Click the Assign to Flex Grid button.
  3. In the Assign to Flex Grids dialog box, select the flex grids on which you want the application(s) to appear.

  4. In the Filter text box, provide an optional filter string to filter the list of pages by name.
  5. Click OK.

Remove from Flex Grid

To remove an application from a flex grid:

  1. On the Application page, click the Flex Grids tab to see the flex grids associated with the application.
  2. Click the delete icon to the left of the flex grid that you want to delete.

Define Applications

Applications do not always adhere to device boundaries. Some applications use multiple devices, and some devices host multiple applications. You can use Application Inspection Triggers to define application boundaries based on criteria other than a list of devices (for example, URIs or database table names). Defining an application allows you to report on an application based on the subset of network traffic that comprises it, regardless of the devices associated with it. For information about using triggers to define applications, refer to Triggers.

More Application Page Activities

Edit the Name

To edit the application name:

  1. On the Application page, click the edit icon to the right of the Name field.
  2. In the text area, enter a new name for the application.
  3. Click OK.

Add a Description

To add an optional description for the network capture:

  1. On the Application page, click the edit icon to the right of the Description field.
  2. In the text area, enter a description for the application.
  3. Click OK.

Assign an Alert

To assign an alert:

  1. Go to the Application page and click the Alerts tab.
  2. Click the + icon next to Alerts and select the checkbox next to the alert(s) you want to associate with the application.
  3. Click OK.

Remove an Alert

To remove an alert:

  1. Go to the Application page and click the Alerts tab.
  2. Click the delete icon to the left of the alert that you want to delete.

Assign a Page

To assign a custom page:

  1. Go to the Application page and click the Pages tab.
  2. Click the + icon next to Pages and select the checkbox next to the page(s) you want to associate with the application.
  3. Click OK.

Remove a Page

To remove a custom page:

  1. Go to the Application page and click the Pages tab.
  2. Click the delete icon to the left of the page to remove it from the list.

Assign to Flex Grid

To assign the application to a flex grid:

  1. Go to the Application page and click the Flex Grids tab.
  2. Click the + icon next to Flex Grids and select the checkbox next to the grid(s) where you want the application to appear.
  3. Click OK.

Remove from Flex Grid

To remove an application from a flex grid:

  1. Go to the Application page and click the Flex Grids tab.
  2. Click the delete icon to the left of the flex grid to remove the application from it.

Assign a Geomap

To assign a geomap:

  1. Go to the Application page and click the Geomaps tab.
  2. Click the + icon next to Geomaps and select the checkbox next to the geomap(s) you want to associate with the application.
  3. Click OK.

Remove a Geomap

To remove a geomap:

  1. Go to the Application page and click the Geomaps tab.
  2. Click the delete icon to the left of the geomap that you want to delete.

View All Assignments

Click the All tab to view all assignments to the application.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Overview

The Applications Overview sub-page includes interactive charts that provide an overview of a selected application.

To view the Overview sub-page:

  1. In the navigation bar, click Apps.
  2. Click an application in the list.
  3. On the page navigation panel, click Overview.

Each chart shows an overview of activity for all active protocols. You can also view details for only certain protocols as well as a summary of a specific time or date.

To show overall details for only certain protocols, select those protocols in the chart legend.

To show a summary of activity for a specific time or date, mouse over the time period of interest.

  • For statistical charts, a pop-up dialog showing a five-number summary appears, including the minimum, lower quartile, median, upper quartile, and maximum values.
  • For area charts, a pop-up dialog showing total count and time appears.

Note: Because area charts are stacked, the total count represented by the number on the left side of the chart is a sum of the count for each individual protocol.

To show a particular region of the chart, click and drag across that region.

To show only a specific protocol in the chart, mouse over the protocol in the chart legend.

To view details for a specific protocol, click it in the chart. The protocol's application page appears.

For more information about working with the charts, refer to Drill-Down Functionality. For information about a specific protocol, refer to that protocol's application topic.

Transactions: Shows the total number of transactions (requests and their responses) for the active protocols excluding SSL and ICA, which are not transactional protocols.

Errors: Shows the total number of errors for the active protocols excluding SSL and ICA.

Processing Time: Shows the total server processing time for the active protocols.

L2 Bytes: Shows the total count of request bytes and response bytes transferred for the active protocols.

Packets: Shows the total count of request packets and response packets transferred for the active protocols.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Custom Page

If a custom page has been assigned to an application, the name of the custom page appears in the left panel.

To view a custom page for an application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the name of the custom page to view the page.

Toolbar and Metric Display

Edit Page

Click the Edit Page button to perform one of the following actions.

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Alert History

The Alert History sub-page provides an alert summary for application-level alerts. The ExtraHop system can be configured to generate both threshold and trend-based alerts for any metric in the system. Alerts can be configured to send email notifications or SNMP traps as proactive early warnings for potential performance problems.

The application Alert History page displays all alerts, including alerts that have been acknowledged previously, and the corresponding time for each alert for the current application. The Alert History page also includes additional information about trend alerts that have fired.

To use the Alert History page, you must first create alerts. For more information, refer to Alert Configuration.

To check the application alert history:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the Alert History node to view the alert history details.
  4. Find a specific alert in the table.
    • To sort the table by time, click the Time column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.
    • To sort the table by alert entry, click the Alerts column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.
  5. Click the alert to view more information.

For threshold-based alerts, the Alert Information pop-up window includes the following:

  • Name: The name of the alert.
  • Expression: The metric, time interval, operator, and sensitivity that were defined when the alert was created.
  • Value: The value of the metric at the time the alert fired. This is used for comparison against the alert expression.
  • Description: The optional user-defined description of the alert.

For trend alerts, the Trend Alert Details pop-up window includes the following:

  • Name: The name of the alert.
  • Alert Conditions: The type of alert, time interval, operator, and/or percentage of the trend that were defined when the alert was created.
  • View at Time of Alert: The alert graph from when the alert was fired.
  • View Current State: The alert graph of the current trend state of the alert.

To view trend alerts:

  1. On the Alert History page, click the Current Trend State tab to view a list of trend-based alerts assigned to the application.
  2. Find a specific trend in the table.

    (ECM Only) Click the Show drop-down list and select one of the following options:

    • All Alerts: Displays alerts created on the ECM and the node.
    • ECM Alerts: Displays alerts created on the ECM only.
    • Local Alerts: Displays alerts created on the node only.

    To sort the table by trend, click the Trend column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

    To sort the table by metric, click the Stat column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

  3. Click the trend name to view more information about the trend alert.
  4. Click the Alert Graphs tab to view the trend alert over time and whether or not it has fired.
    • Alert Condition Nominal: Indicates the metrics being gathered have not reached an alert state.

    • Alert Firing: Indicates the metrics being gathered have met the alert criteria.

  5. Click the Alert Rules tab to view the rules of the trend alert and whether or not it has fired.
    • Alert Condition Nominal: Displays the alert rules in green.

    • Alert Firing: Displays the alert rules in red.

  6. Click Back to Trend Alerts to return to the Current Trend State table.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Geomaps

The Geomaps sub-page lists the geomaps associated with the application. Geomaps display worldwide activity based on the metrics defined in that geomap. For more information about geomap settings, refer to Geomaps.

To view a list of geomaps:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Application functional area, click the Geomaps node to view the geomap details.

To sort the table alphabetically by geomap, click the Geomap column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

To sort the table alphabetically by metric, click the Metric column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

For more information about the geomap interface, refer to Geomap Interface.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

L4

The L4 sub-page provides TCP information about an application.

To view L4 information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the L4 node to view the L4 details.

The L4 application toolbar includes the following controls:

  • Clients: The chart shows the total round-trip time. Mouse over the points to view a five-number summary of round-trip time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, and the round-trip time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total round-trip time. Mouse over the points to view a five-number summary of round-trip time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, and the round-trip time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Connections: Displays the TCP connection metrics for the selected time interval.

  • Accepted: Specifies the number of connections accepted by the current device. Click to display the peer devices from which the connections originated and the associated round-trip time.
  • Connected: Specifies the number of connections initiated by the current device. Click to display the peer devices to which the connections were established and the associated round-trip time.
  • Closed: Specifies the number of connections closed to or from the current device. Closed connections are explicitly shut down by at least one of the endpoints. Click to display the peer devices for which the connections were closed.
  • Aborted: Specifies the number of connections aborted by the current device. Aborted connections are reset explicitly by one of the endpoints. In some cases, this indicates that an error occurred. Click to display the peer devices to which the current device aborted the connections.
  • Expired: Specifies the number of connections to or from the current device no longer tracked due to inactivity. Click to display the peer devices with which the connections were associated.
  • Established: Number of connections currently open to or from the current application. Click to display the server IP addresses, hosts, and devices with which connections have been established.
  • Established Max: Maximum number of established connections observed at any point within the selected time interval.

Request Metrics: Displays the request metrics for the selected time interval.

  • L2 Bytes: Displays request bytes for the application within the selected time interval.
  • Packets: Displays request packets for the application within the selected time interval.
  • RTOs: Displays request RTOs for the application as a function of time within the selected time interval. Request RTOs are transmitted out of the client and into the server.
  • Nagle Delays: Indicates connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs. In some cases, disabling Nagle's Algorithm can mitigate the problem. On the BIG-IP Application Delivery Controller, the Nagle setting in the TCP profile should be disabled and ack_on_push should be enabled.
  • Rcv Wnd Throttles: Number of times the advertised receive window limits the throughput of the connection. In some cases, the read socket buffer size can be increased or receive window scaling can be enabled on the current device to resolve this problem.
  • Zero Window: Number of zero window advertisements sent by the current device. A zero window indicates that the connection has stalled and the current device is unable to keep up with the rate of data sent. In some cases, the read socket buffer size can be increased on the current device to resolve this problem. On the BIG-IP Application Delivery Controller, the proxy_buffer_high setting in the TCP profile should be increased.

Response Metrics: Displays the response metrics for the specified time interval.

  • L2 Bytes: Displays response bytes for the application within the selected time interval.
  • Packets: Displays response packets for the application within the selected time interval.
  • RTOs: Displays response RTOs for the application as a function of time within the selected time interval. Response RTOs are transmitted out of the server and into the client.
  • Nagle Delays: Indicates connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs. In some cases, disabling Nagle's Algorithm can mitigate the problem. On the BIG-IP Application Delivery Controller, the Nagle setting in the TCP profile should be disabled and ack_on_push should be enabled.
  • Rcv Wnd Throttles: Number of times the advertised receive window limits the throughput of the connection. In some cases, the read socket buffer size can be increased or receive window scaling can be enabled on the current device to resolve this problem.
  • Zero Window: Number of zero window advertisements sent by the current device. A zero window indicates that the connection has stalled and the current device is unable to keep up with the rate of data sent. In some cases, the read socket buffer size can be increased on the current device to resolve this problem. On the BIG-IP Application Delivery Controller, the proxy_buffer_high setting in the TCP profile should be increased.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Web

The Web sub-page provides HTTP information about an application.

To view web information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the Web node to view the web details.

The Web application toolbar includes the following controls:

  • Errors: The chart shows the number of HTTP errors (5xx level responses). Mouse over the points to view a summary of a specific time or date. The table lists HTTP URIs in error and the number of times an error occurred.

  • URIs: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists HTTP URIs, number of responses, total time (ms), and processing time (ms) associated with each URI. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Referers: The chart shows the number of HTTP referer URIs identified. Mouse over the points to view a summary of a specific time or date. The table lists the HTTP referer URIs and the count associated with each referer.

  • Clients: The chart shows the total number of client responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses by each client, and total processing time. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of server responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By URI: Displays application metrics by URI.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with HTTP requests.
  • Response L2 Bytes: The number of L2 bytes associated with HTTP responses.
  • Request Packets: The number of packets associated with HTTP requests.
  • Response Packets: The number of packets associated with HTTP responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending HTTP requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending HTTP responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by HTTP clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving HTTP requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

HTTP Metrics: Contains the following metrics:

  • Requests: The number of HTTP requests.
  • Requests Aborted: The number of HTTP requests that began transmission but were not sent completely.
  • Responses: The number of HTTP responses.
  • Responses Aborted: The number of HTTP responses that began transmission but were not sent completely.
  • Response Errors: The number of HTTP response errors.

Status Codes: The status code section displays the HTTP status codes for the selected time interval. Click the number next to each status code to display a list of URIs associated with each status code.

Methods: Displays the HTTP request methods for the selected time interval. The HTTP request methods include GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, and OPTIONS, as well as dynamic method names. Click to display additional per-URI, per-client IP, or per-server IP details.

  • GET: Requests data from the specified resource.
  • HEAD: Retrieves meta-information written in the response headers. Response body information is not transmitted.
  • POST: Submits data to be processed (from an HTML form) to the identified resource.
  • PUT: Uploads a representation of the specified resource.
  • DELETE: Deletes the specified resource.
  • TRACE: Echoes back the received request, so that a client can see what (if any) changes or additions have been made by intermediate servers.
  • CONNECT: Converts the request connection to a transparent TCP/IP tunnel, usually to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy.
  • OPTIONS: Returns the HTTP methods that the server supports for the specified URL.

Transaction Metrics: Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

  • ReqXfer: The time between the ExtraHop system processing the first packet and last packet of HTTP requests. A high value may indicate a large request or network delay.
  • Process: The time between the ExtraHop system processing the last packet of HTTP requests and the first packet of their corresponding responses.
  • RspXfer: The time between the ExtraHop system processing the first packet and last packet of HTTP responses. A high value may indicate a large response or network delay.
  • RTT: The time between when an HTTP client or server sent a packet requiring immediate acknowledgment and when the acknowledgment was received.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see device, per-server, or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

Response Time Breakdown: Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

SSL

The SSL sub-page provides SSL information about an application.

To view SSL information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the SSL node to view the SSL details.

The SSL application toolbar includes the following controls:

  • Certificates: The chart shows the total number of certificates assigned compared with the request and response bytes. Mouse over points to view a summary of a specific time or date.

  • Clients: The chart shows round-trip time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of launches by each client, and round-trip time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows round-trip time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of launches by each server, and round-trip time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Certificate: Displays application metrics by certificate.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with SSL requests.
  • Response L2 Bytes: The number of L2 bytes associated with SSL responses.
  • Request Packets: The number of packets associated with SSL requests.
  • Response Packets: The number of packets associated with SSL responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending SSL requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending SSL responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by SSL clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving SSL requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

Session Metrics: Contains the following metrics:

  • Connected: The number of times an SSL handshake was successfully completed.
  • Resumed: The number of times an SSL session was resumed successfully by reusing a session ID or session ticket.
  • Decrypted: The number of SSL sessions decrypted.
  • Aborted: The number of SSL sessions that did not proceed past the SSL handshake.
  • Compressed: The number of SSL sessions using compression.
  • SSLv2 Compatible Hello: The number of SSL sessions for which the private key was available, enabling their decryption.

Sessions by Version: The number of times a session used a particular SSL version:

  • SSLv3
  • TLSv1
  • TLSv1.1
  • TLSv1.2

Cipher Suites: Displays the number of times various cryptographic cipher suites for SSL data transfer have been negotiated by the application.

For example, TLS_RSA_WITH_AES_256_CBC_SHA indicates:

  • TLS (Transport Layer Security) is used as the cryptographic encapsulation transport
  • RSA (the Rivest-Shamir-Adleman public-key method) is used for the asymmetric cryptographic session setup
  • AES (Advanced Encryption Standard, formerly Rijndael) block cipher is used in 256-bit blocks
  • CBC (Cipher Block Chaining) is used between subsequent AES-256 blocks
  • SHA (Secure Hash Algorithm) is used in the HMAC (Hash-based Message Authentication Code) to ensure SSL record integrity

For each cipher suite, click the counter to break it down by group members in the table below.
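The name breakdown above can be automated when reviewing which suites an application negotiates. The following is an added example, not ExtraHop code: it parses pre-TLS 1.3 suite names of the `KX_WITH_CIPHER` form and totals constructed sample counters by weakness. The function names, the finding labels, and the sample counts are assumptions made for illustration.

```python
import re

HASHES = {"MD5", "SHA", "SHA256", "SHA384"}
AEAD_MODES = {"GCM", "CCM", "POLY1305"}
MODES = AEAD_MODES | {"CBC"}
# Key exchanges that reuse a long-term key, so recorded traffic can be
# decrypted later if that key is disclosed.
STATIC_KX = {"RSA", "DH", "ECDH", "PSK"}
BROKEN_CIPHERS = {"NULL", "RC4", "RC2", "DES", "DES40", "3DES"}

# Constructed sample: suite name -> number of sessions that negotiated it.
SAMPLE_COUNTERS = {
    "TLS_RSA_WITH_AES_256_CBC_SHA": 300,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 600,
    "TLS_RSA_WITH_RC4_128_SHA": 60,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": 40,
}


def parse_cipher_suite(name):
    """Split a pre-TLS 1.3 IANA cipher suite name into labelled components."""
    match = re.fullmatch(r"(TLS|SSL)_(.+)_WITH_(.+)", name)
    if match is None:
        raise ValueError(f"not a KX_WITH_CIPHER style suite name: {name!r}")
    protocol, kx_auth, bulk = match.groups()

    kx_tokens = kx_auth.split("_")
    export = "EXPORT" in kx_tokens
    kx_tokens = [t for t in kx_tokens if t != "EXPORT"]
    key_exchange = kx_tokens[0]
    # A single token such as RSA covers both key exchange and authentication.
    authentication = kx_tokens[1] if len(kx_tokens) > 1 else kx_tokens[0]

    tokens = bulk.split("_")
    hash_name = tokens.pop() if tokens[-1] in HASHES else None
    if not tokens:
        raise ValueError(f"no bulk cipher in suite name: {name!r}")
    mode = next((t for t in tokens if t in MODES), None)
    aead = mode in AEAD_MODES
    return {
        "protocol": protocol,
        "key_exchange": key_exchange,
        "authentication": authentication,
        "export_grade": export,
        "cipher": tokens[0],
        # Key length in bits when the name carries one (e.g. AES_256).
        "key_bits": next((int(t) for t in tokens if t.isdigit()), None),
        "mode": mode,
        "aead": aead,
        # For AEAD suites the trailing hash names the PRF, not a record MAC.
        "record_mac": None if aead else hash_name,
        "prf_hash": hash_name if aead else None,
    }


def review(name):
    """Return the weaknesses a defender would note for one suite name."""
    s = parse_cipher_suite(name)
    findings = []
    if s["export_grade"]:
        findings.append("export-grade key sizes")
    if s["authentication"] == "anon":
        findings.append("no server authentication")
    if s["key_exchange"] in STATIC_KX and s["authentication"] != "anon":
        findings.append("no forward secrecy")
    if s["cipher"] in BROKEN_CIPHERS:
        findings.append(f"weak or null cipher {s['cipher']}")
    if s["mode"] == "CBC":
        findings.append("CBC with separate HMAC, not AEAD")
    if s["record_mac"] == "MD5":
        findings.append("MD5-based record MAC")
    return findings


def summarize(counters):
    """Percentage of sessions affected by each finding."""
    total = sum(counters.values())
    affected = {}
    for name, count in counters.items():
        for finding in review(name):
            affected[finding] = affected.get(finding, 0) + count
    return {f: round(100.0 * n / total, 1) for f, n in affected.items()}


if __name__ == "__main__":
    for finding, pct in summarize(SAMPLE_COUNTERS).items():
        print(f"{pct:5.1f}%  {finding}")
```

TLS 1.3 suite names have no `_WITH_` part and are rejected with `ValueError`.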

Alerts: Displays the breakdown of alert types sent or received by the current application during the SSL connection. This section displays unencrypted alerts gathered during the SSL handshake and any alerts that were decrypted by the ExtraHop system. Alert messages can be exchanged during other stages of the SSL connection. The handshake metrics display the number of times alerts were exchanged during the SSL handshake. The Warning-Close Notify metric displays the number of times various alert types were sent or received by the application.

SSL Metrics: The SSL Metrics line chart displays the rate of new and resumed SSL connections as a function of time over the selected time interval. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

Database

The Database sub-page provides database information about an application.

To view database information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Application functional area, click the Database node to view the database details.

Toolbar controls

The Database application toolbar includes the following controls:

  • Errors: The chart shows the total count for DB errors. Mouse over the points to view a summary of a specific time or date. The table lists DB error messages and the number of occurrences.
  • Methods: The chart shows responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists methods, number of responses, total time, and processing time (ms) associated with each method. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Users: The chart shows the number of responses and errors for all users. Mouse over the chart to view a summary of a specific time or date. The table displays the list of users, and the number of responses and errors associated with each user.
  • Clients: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details

Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Method: Displays application metrics by method.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics

Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with database requests.
  • Response L2 Bytes: The number of L2 bytes associated with database responses.
  • Request Packets: The number of packets associated with database requests.
  • Response Packets: The number of packets associated with database responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending database requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending database responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by database clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving database requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

DB Metrics

Contains the following metrics:

  • Requests: The number of database requests.
  • Responses: The number of database responses.
  • Response Errors: The number of database response errors.

Transaction Metrics

Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

  • ReqXfer: Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
  • Process: Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
  • RspXfer: Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
  • RTT: TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.
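The ReqXfer, Process, and RspXfer components described here and on the Web sub-page can be reproduced from packet timestamps seen at a capture point. The following is an added example, not ExtraHop's implementation: the packet list is constructed, the function names are hypothetical, and it assumes one connection carrying non-pipelined request/response exchanges. RTT is left out because it requires matching acknowledgments to the packets they acknowledge.

```python
from statistics import quantiles

# Constructed capture: (timestamp in ms, direction) for one connection.
PACKETS = [
    (0, "req"), (2, "req"), (12, "rsp"), (14, "rsp"), (15, "rsp"),
    (100, "req"), (108, "rsp"), (110, "rsp"),
    (200, "req"), (201, "req"), (241, "rsp"), (245, "rsp"),
    (300, "req"), (312, "rsp"), (372, "rsp"),
    (400, "req"), (403, "req"), (409, "rsp"), (410, "rsp"),
]


def split_transactions(packets):
    """Group packets into (request times, response times) exchanges."""
    transactions, req, rsp = [], [], []
    for time_ms, direction in packets:
        if direction == "req":
            if rsp:
                # A request after a response closes the previous exchange.
                transactions.append((req, rsp))
                req, rsp = [], []
            req.append(time_ms)
        elif req:
            # Response packets with no request seen (capture started
            # mid-exchange) are skipped.
            rsp.append(time_ms)
    if req and rsp:
        # A trailing request that never got a response is dropped.
        transactions.append((req, rsp))
    return transactions


def timing(req, rsp):
    """Timing components of one exchange, in milliseconds."""
    return {
        "ReqXfer": req[-1] - req[0],   # first to last request packet
        "Process": rsp[0] - req[-1],   # last request to first response packet
        "RspXfer": rsp[-1] - rsp[0],   # first to last response packet
    }


def five_number(values):
    """Minimum, lower quartile, median, upper quartile, maximum."""
    q1, median, q3 = quantiles(values, n=4, method="inclusive")
    return (min(values), q1, median, q3, max(values))


def dominant_delay(t):
    """Label an exchange by where most of its time was spent.

    Transfer time can also reflect a large payload, so "network" here
    means transfer-dominated rather than a confirmed network fault.
    """
    transfer = t["ReqXfer"] + t["RspXfer"]
    return "application" if t["Process"] >= transfer else "network"


def summarize(packets):
    """Five-number summary per component across all exchanges."""
    timings = [timing(req, rsp) for req, rsp in split_transactions(packets)]
    return {name: five_number([t[name] for t in timings])
            for name in ("ReqXfer", "Process", "RspXfer")}


if __name__ == "__main__":
    for name, summary in summarize(PACKETS).items():
        print(name, summary)
```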

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see device, per-server, or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

Response Time Breakdown: Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.
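The goodput and RTO paragraph that appears on each sub-page makes two points: wide chart intervals smooth out a dip, and healthy flows can mask an affected one in the aggregate. The following is an added example that demonstrates both with constructed per-minute samples, not ExtraHop code or data. The flow names and values are assumptions, and the two healthy flows are constructed to carry more traffic in the minutes where flow A stalls.

```python
from math import sqrt

# Constructed per-minute samples for three flows on one server.
# goodput is in kbps; only flow "A" experiences RTOs.
FLOWS = {
    "A":  {"goodput": [800, 800, 200, 800, 800, 100, 800, 800],
           "rtos":    [0, 0, 3, 0, 0, 4, 0, 0]},
    "H1": {"goodput": [600, 700, 1100, 650, 600, 1200, 700, 650],
           "rtos":    [0] * 8},
    "H2": {"goodput": [900, 850, 1000, 900, 950, 1050, 900, 850],
           "rtos":    [0] * 8},
}


def pearson(xs, ys):
    """Pearson correlation, or None when either series never varies."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return None
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sqrt(sxx * syy)


def aggregate(flows):
    """Sum goodput and RTOs across flows, as a per-server chart would."""
    goodput = [sum(c) for c in zip(*(f["goodput"] for f in flows.values()))]
    rtos = [sum(c) for c in zip(*(f["rtos"] for f in flows.values()))]
    return goodput, rtos


def per_flow_correlation(flows):
    """RTO-to-goodput correlation for each flow on its own."""
    return {name: pearson(f["rtos"], f["goodput"])
            for name, f in flows.items()}


def rollup(series, width):
    """Average consecutive samples, mimicking a wider chart interval."""
    chunks = [series[i:i + width] for i in range(0, len(series), width)]
    return [sum(chunk) / len(chunk) for chunk in chunks]


def dip_depth(series):
    """Lowest sample as a fraction of the highest; small = visible dip."""
    return min(series) / max(series)


if __name__ == "__main__":
    goodput, rtos = aggregate(FLOWS)
    print("aggregate r:", round(pearson(rtos, goodput), 3))
    for name, r in per_flow_correlation(FLOWS).items():
        print(f"flow {name} r:", None if r is None else round(r, 3))
    fine = FLOWS["A"]["goodput"]
    print("dip at 1-minute samples:", dip_depth(fine))
    print("dip at 4-minute roll-up:", round(dip_depth(rollup(fine, 4)), 3))
```

In this sample, flow A alone shows a near-perfect inverse relationship between RTOs and goodput, while the server-wide aggregate shows almost none.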

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

LDAP

The LDAP sub-page provides LDAP information about an application.

To view LDAP information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Application functional area, click the LDAP node to view the LDAP details.

The LDAP application toolbar includes the following controls:

  • Errors: The chart shows the number of LDAP errors. Mouse over the chart to view a summary of a specific time or date. The table lists LDAP error messages and the number of times each occurred.
  • DNs: The chart shows the number of DN messages transferred. The table displays the list of DN messages and the count associated with each DN message.
  • Users: The chart shows the number of requests from all users. Mouse over the chart to view a summary of a specific time or date. The table lists users and the request count associated with each user.
  • Clients: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with LDAP requests.
  • Response L2 Bytes: The number of L2 bytes associated with LDAP responses.
  • Request Packets: The number of packets associated with LDAP requests.
  • Response Packets: The number of packets associated with LDAP responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending LDAP requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending LDAP responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by LDAP clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving LDAP requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

LDAP Metrics: Contains the following metrics:

  • Requests: The number of LDAP requests.
  • Responses: The number of LDAP responses.
  • Errors: The number of LDAP errors for the selected time interval.
  • Plain: The number of plain-text LDAP messages exchanged.
  • SASL: The number of encrypted LDAP messages exchanged.
  • Messages: Displays the LDAP messages for the selected time interval, such as BindRequest, BindResponse, UnbindRequest, SearchRequest, SearchResultDone and others. In the LDAP Server view, click the message counter to display clients that issued these messages. In the LDAP Client view, click the message counter to display servers that returned these messages.
    • BindRequest: LDAP authentication request.
    • BindResponse: LDAP authentication response.
    • SearchRequest: Used to identify entries in the directory server that match a given set of criteria.
    • SearchResultDone: Signifies the completion of a search. Only one “done” will be sent.
    • SearchResultEntry: Results of the search request. Multiple result entries may be sent in a result.
    • SearchResultReference: A response from a search that indicates an alternate source for the information.
    • UnbindRequest: Used to destroy the authenticated session. No response is sent to this request.
    • Other: Any other messages recognized in the traffic.
    • ModifyRequest: Request to modify an existing entry in the directory server.
    • ModifyResponse: The response to a modify. Contains a code indicating success or failure or other information about the request.
    • AddRequests: Used to create an entry in the directory server.
    • AddResponse: The response to an add. Contains a code indicating success or failure or other information about the request.
    • DelRequest: Used to remove directory entries.
    • DelResponse: The response to a delete. Contains codes indicating success or failure or other information about the request.
  • Error Codes: Displays the LDAP errors for each LDAP error code within the selected time interval, such as invalidCredentials for LDAP error 49. Click the error counter to display devices that experienced these errors. For detailed error information, click Errors.
    • Total: Specifies the total number of errors in the time period.
    • authMethodNotSupported: Specifies that an unrecognized simple authentication security method was used.
    • insufficientAccessRights: Specifies that credentials were required but were not supplied in the request.
    • invalidCredentials: Specifies that the wrong password was entered.
    • noSuchObject: Specifies that the search did not find any matching entries.
    • operationsError: Specifies an internal server error.
    • saslBindInProgress: Specifies that the server requires the client to send a new bind request, with the same SASL mechanism, to continue the authentication process.
    • protocolError: Specifies that the LDAP version requested by the client is not supported by the server.
    • unwillingToPerform: Specifies that the server holding the target entry does not support the given operation.
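The Plain/SASL counters and the Error Codes above lend themselves to a per-client triage once the data is exported. The following is an added example, not ExtraHop code: the CSV column names, the sample rows, and the thresholds are all constructed assumptions for illustration.

```python
import csv
import io
from typing import List, NamedTuple

# Constructed sample: one row per LDAP client for a single time interval.
# The column names are assumptions for this example, not an ExtraHop export schema.
SAMPLE_EXPORT = """\
client_ip,responses,plain,sasl,invalidCredentials,insufficientAccessRights
10.0.0.11,420,0,840,2,0
10.0.0.27,608,1218,0,590,0
10.0.0.35,95,190,0,1,0
10.0.0.48,300,0,600,4,41
10.0.0.52,12,24,0,12,0
10.0.0.60,n/a,0,0,0,0
"""


class Finding(NamedTuple):
    client_ip: str
    rule: str
    detail: str


def _count(row: dict, column: str) -> int:
    """Read a counter cell; a missing or empty cell counts as zero."""
    value = (row.get(column) or "0").strip().replace(",", "")
    return int(value)  # raises ValueError on non-numeric cells


def triage(export_text: str,
           min_responses: int = 50,
           failed_bind_ratio: float = 0.20,
           denied_ratio: float = 0.10,
           plain_share: float = 0.50) -> List[Finding]:
    """Flag clients whose LDAP counters deserve a closer look."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(export_text)):
        client = (row.get("client_ip") or "").strip()
        try:
            responses = _count(row, "responses")
            plain = _count(row, "plain")
            sasl = _count(row, "sasl")
            bad_creds = _count(row, "invalidCredentials")
            denied = _count(row, "insufficientAccessRights")
        except ValueError:
            findings.append(Finding(client, "unparseable-row", "non-numeric counter"))
            continue

        # Ratio rules are noisy for low-volume clients, so gate them on volume.
        if responses >= min_responses:
            if bad_creds / responses >= failed_bind_ratio:
                findings.append(Finding(
                    client, "failed-binds",
                    f"{bad_creds}/{responses} responses were invalidCredentials"))
            if denied / responses >= denied_ratio:
                findings.append(Finding(
                    client, "access-denied",
                    f"{denied}/{responses} responses were insufficientAccessRights"))

        # Plain-text LDAP is worth reporting at any volume.
        messages = plain + sasl
        if messages and plain / messages >= plain_share:
            findings.append(Finding(
                client, "plain-text",
                f"{plain}/{messages} messages were plain-text"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(f"{finding.client_ip:<12} {finding.rule:<16} {finding.detail}")
```

A client that trips both failed-binds and plain-text is the first one to open in the Errors and Clients views.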

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see device, per-server, or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

Transaction Metrics: Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

  • ReqXfer: Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
  • Process: Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
  • RspXfer: Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
  • RTT: TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

DNS

The DNS sub-page provides DNS information about an application.

To view DNS information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the DNS node to view the DNS details.

The DNS application toolbar includes the following controls:

  • Errors: The chart shows the number of DNS query errors (5xx level responses). Mouse over the points to view a summary of a specific time or date. The table lists hosts and the number of query errors associated with each host.
  • Host Queries: The chart shows the total number of host queries compared to processing time during the selected time interval. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists DNS hosts, number of host queries, and the processing time.

  • Clients: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Host Query: Displays application metrics by host query.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with DNS requests.
  • Response L2 Bytes: The number of L2 bytes associated with DNS responses.
  • Request Packets: The number of packets associated with DNS requests.
  • Response Packets: The number of packets associated with DNS responses.

DNS Metrics: Contains the following metrics:

  • Requests: The number of DNS requests.
  • Request Timeouts: The number of DNS request timeouts. A request timeout occurs when there is a repeated request without a response to the first request.
  • Truncated Requests: The number of DNS requests that were sent but were truncated in transit. A truncated request is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.
  • Responses: The number of DNS responses.
  • Response Errors: The number of DNS response errors.
  • Truncated Responses: The number of DNS responses that were sent but were truncated in transit. A truncated response is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.

Requests by Opcode: Displays all request opcode types sent or received by the current application. For each field, click to display the devices to or from which these requests were sent or received.

  • Query: Number of DNS QUERY Opcodes sent or received by the current application. DNS Queries are the most-frequently encountered DNS Opcode type.
  • Notify: Number of DNS NOTIFY Opcodes sent or received by the current application. DNS Notify is used as a synchronization method between DNS servers.
  • Update: Number of DNS UPDATE Opcodes sent or received by the current application. DNS Update is used as a synchronization method between DNS servers.
  • Other: Number of other miscellaneous DNS Opcodes sent or received by the current application.

Responses by Response Code: Displays all response codes broken down by request opcode and request record type sent (if server) or received (if client) by the current device. The format of the entry is ERROR/REQUEST_OPCODE:REQUEST_RECORD. For each field, click to display the devices to or from which these requests were sent or received.

The response code bar categories include the following:

  • NOERROR: Successful transaction; no error.
  • FORMERROR: Format Error.
  • SERVFAIL: DNS Server Failed.
  • NXDOMAIN: No such domain.
  • NOTIMPL: No handler implemented for this query type.
  • REFUSED: Query administratively refused.
  • UPDATEERR: Error in handling UPDATE request.
  • TSIGERR: Error in handling TSIG request.
  • OTHER: All other response code types.
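The ERROR/REQUEST_OPCODE:REQUEST_RECORD entries described above can be parsed and rolled up outside the UI. The following is an added example, not ExtraHop code: the sample entries and counts are constructed, and the assumption that labels use the upper-case opcode names QUERY, NOTIFY, and UPDATE is this example's own.

```python
from collections import Counter
from typing import Dict, Iterable, Tuple

# Response code categories and opcode types as listed in this guide.
RESPONSE_CODES = {"NOERROR", "FORMERROR", "SERVFAIL", "NXDOMAIN", "NOTIMPL",
                  "REFUSED", "UPDATEERR", "TSIGERR", "OTHER"}
OPCODES = {"QUERY", "NOTIFY", "UPDATE", "OTHER"}

# Constructed sample: (entry label, count) pairs for one time interval.
SAMPLE_ENTRIES = [
    ("NOERROR/QUERY:A", 9120),
    ("NOERROR/QUERY:AAAA", 3010),
    ("NXDOMAIN/QUERY:A", 2875),
    ("NXDOMAIN/QUERY:TXT", 40),
    ("SERVFAIL/QUERY:MX", 12),
    ("REFUSED/UPDATE:SOA", 7),
    ("noerror/query:ptr", 300),   # mixed case is normalised
    ("YXDOMAIN/UPDATE:A", 3),     # not a listed category, counted as OTHER
    ("garbage", 5),               # malformed label, reported as skipped
]


def parse_entry(label: str) -> Tuple[str, str, str]:
    """Split 'ERROR/REQUEST_OPCODE:REQUEST_RECORD' into its three fields."""
    rcode, slash, rest = label.strip().partition("/")
    opcode, colon, record = rest.partition(":")
    if not (slash and colon and rcode and opcode and record):
        raise ValueError(f"not in ERROR/OPCODE:RECORD form: {label!r}")
    rcode, opcode, record = rcode.upper(), opcode.upper(), record.upper()
    # Values outside the listed categories are folded into OTHER.
    if rcode not in RESPONSE_CODES:
        rcode = "OTHER"
    if opcode not in OPCODES:
        opcode = "OTHER"
    return rcode, opcode, record


def summarize(entries: Iterable[Tuple[str, int]]) -> Dict[str, object]:
    """Aggregate counts per response code and rank the failing combinations."""
    by_rcode: Counter = Counter()
    by_error: Counter = Counter()
    skipped = []
    for label, count in entries:
        try:
            rcode, opcode, record = parse_entry(label)
        except ValueError:
            skipped.append(label)
            continue
        by_rcode[rcode] += count
        if rcode != "NOERROR":
            by_error[(rcode, opcode, record)] += count
    total = sum(by_rcode.values())
    errors = total - by_rcode["NOERROR"]
    return {
        "total": total,
        "by_rcode": dict(by_rcode),
        "error_ratio": errors / total if total else 0.0,
        "top_errors": by_error.most_common(3),
        "skipped": skipped,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_ENTRIES)
    print(f"responses: {summary['total']}, error ratio: {summary['error_ratio']:.1%}")
    for (rcode, opcode, record), count in summary["top_errors"]:
        print(f"  {rcode}/{opcode}:{record}  {count}")
    print("skipped:", summary["skipped"])
```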

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see device, per-server, or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

Processing Time: Displays the mean processing time in milliseconds as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the processing time metrics. Click and drag across the chart to select a particular region.

Click the graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

ICA

The ICA sub-page provides ICA information about an application.

To view ICA information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the ICA node to view the ICA details.

The ICA application toolbar includes the following controls:

  • Users: The chart shows the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists users, the number of launches by each user, and the login time, load time, network latency, and round-trip time for each user. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Applications: The chart shows the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists applications, the number of launches by each application, and the login time, load time, network latency, and round-trip time for each application. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Clients: The chart shows the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of launches by each client, and the login time, load time, network latency, and round-trip time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of launches by each server, and the login time, load time, network latency, and round-trip time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Auth. Domains: The chart shows the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists domains, the number of launches by each domain, and the login time, load time, network latency, and round-trip time for each domain. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By User: Displays application metrics by user.
  • By Application: Displays application metrics by application. When a Citrix flow is opaque to analysis, whether because of lost segments or RC5 encryption, the reported application name is ICA or CGP.

For example, Client Bytes is a top-level metric showing how many client bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Client Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Client L2 Bytes: The number of L2 bytes transmitted by the Citrix ICA client.
  • Server L2 Bytes: The number of L2 bytes transmitted by the Citrix ICA server.
  • Client Packets: The number of packets transmitted by Citrix ICA clients.
  • Server Packets: The number of packets transmitted by the Citrix ICA server.
  • Client RTOs: The number of retransmission timeouts caused by congestion when clients were sending Citrix ICA messages. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Server RTOs: The number of retransmission timeouts caused by congestion when servers were sending Citrix ICA messages. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.

ICA Metrics: Contains the following metrics:

  • Client Messages: The number of Citrix ICA client messages transmitted.
  • Server Messages: The number of Citrix ICA server messages transmitted.
  • Client CGP Messages: The number of CGP messages sent by the Citrix ICA client. The Client Gateway Protocol (CGP) encapsulates Citrix ICA traffic in support of Session Reliability.
  • Server CGP Messages: The number of CGP messages sent by the Citrix ICA server. The Client Gateway Protocol (CGP) encapsulates Citrix ICA traffic in support of Session Reliability.
  • Launches: The number of Citrix ICA sessions that were launched. This count includes encrypted sessions.
  • Aborts: The number of Citrix ICA sessions that were initiated but closed before a Citrix application finished loading.
  • Encrypted: The number of Citrix ICA sessions that used an encryption method other than Basic. Certain metrics are not available for these sessions.

Screen Updates Per Second: Displays the number of screen updates per second as a function of time over the selected time interval.

Load Time (ms): The amount of time from the beginning of the flow until the ExtraHop system detects traffic on one of the following virtual channels: Clipboard, Citrix Windows Multimedia Redirection, Citrix Control Virtual Channel, or Zero Latency Font and Keyboard. Subsequent application data launched over the same session is recorded as a launch but does not factor into the load time. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the load time metrics. Click the chart to display a statistical distribution of load time per application for the selected time interval.

Network Latency (ms): Displays the detected network latency between the ICA client and server as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the network latency metrics. Click the chart to display a statistical distribution of client latency per application for the selected time interval.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Application Launches: Displays the number of ICA launches as a function of time over the selected time interval. The chart is annotated with red data points to indicate aborts. The volume of aborts is denoted by the height of red bars under the chart. Click the red dot to see per-server or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

App Client Bytes: Click the chart to display the total bytes per application transmitted within the selected time interval. Click the legend next to the application name to filter the information by application in the Bytes by Virtual Channel table below.

App Server Bytes: Click the chart to display the total bytes per application transmitted within the selected time interval. Click the legend next to the application name to filter the information by application in the Bytes by Virtual Channel table below.

Bytes by Virtual Channel: Displays the breakdown of ICA throughput by virtual channel. If a specific application is selected in the App Client Bytes and App Server Bytes charts above, virtual channel information is displayed specific to the selected application.

  • Name: Name of the application.
  • Client Bytes: Represents the client byte count for the currently selected application in the above chart.
  • Server Bytes: Represents the server byte count for the currently selected application in the above chart.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Storage - NAS

The Storage - NAS sub-page provides storage information about an application.

To view storage information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the Storage - NAS node to view the storage details.

The NAS application toolbar includes the following controls:

  • Errors: The chart shows the number of Storage - NAS errors. Mouse over the points to view a summary of a specific time or date.

    The table lists Storage - NAS error messages and the number of times each occurred.

  • Files: The chart shows responses compared with access time. Mouse over the points to view a five-number summary of access time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists files, number of responses, and the access time (ms) associated with each file.

  • Users: The chart shows responses compared with request and response bytes. Mouse over the chart to see summaries of a specific date or time. The table lists users and the number of responses, request bytes, response bytes, and access time associated with each user.

  • Clients: The chart shows access time. Mouse over the points to view a five-number summary of access time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, and access time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows access time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, and access time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By File: Displays application metrics by file name.
  • By User: Displays application metrics by user.

For example, Client Bytes is a top-level metric showing how many client bytes were transmitted in and out of the application within the selected time interval. Selecting By Client IP in the drop-down list while mousing over the Client Bytes counter shows which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with NAS requests.
  • Response L2 Bytes: The number of L2 bytes associated with NAS responses.
  • Request Packets: The number of packets associated with NAS requests.
  • Response Packets: The number of packets associated with NAS responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending NAS requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending NAS responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by NAS clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving NAS requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

Storage - NAS Metrics: Contains the following metrics:

  • Responses: The number of NAS responses.
  • Response Errors: The number of NAS response errors.
  • Reads: The number of NAS read operation requests.
  • Writes: The number of NAS write operation requests.
  • FS Info: The number of NAS file system metadata queries.
  • Locks: The number of NAS lock operation requests.

Access Time (ms): The time to access a file on a CIFS or NFS partition. For CIFS, the access time is measured by timing the first READ or WRITE on every flow. For NFS, the access time is measured by timing non-pipelined commands for every READ and WRITE.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see device, per-server, or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

Read, Write, and FSInfo Bytes: Displays the total bytes per application transmitted within the selected time interval. Mouse over the graph to see the byte count for each metric at a specific moment in time.

You can click and drag across the chart to zoom in on a particular region. When you zoom in this way, the value in the Time Interval control adjusts automatically to reflect the selected interval. For more information about zooming in, see Zooming in on a Fixed Time Period.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Memcache

The Memcache sub-page provides Memcache information about an application.

To view Memcache information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the Memcache node to view the details.

The Memcache application toolbar includes the following controls:

  • Errors: The chart shows the number of Memcache errors. Mouse over the chart to view a summary of a specific time or date. The table lists Memcache error messages and the number of times each occurred.
  • Hits: The chart shows the total count for Memcache hits (values returned from the server to the client in response to "get" requests). Mouse over the chart to view a summary of a specific time or date. The table lists Memcache keys and the total count associated with each.
  • Misses: The chart shows the total count for Memcache misses ("get" requests for which the specified key was not found). Mouse over the chart to view a summary of a specific time or date. The table lists Memcache keys and the total count associated with each.
  • Clients: The chart shows round-trip time. Mouse over the points to view a five-number summary of round-trip time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, and round-trip time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows round-trip time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, and round-trip time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with Memcache requests.
  • Response L2 Bytes: The number of L2 bytes associated with Memcache responses.
  • Request Packets: The number of packets associated with Memcache requests.
  • Response Packets: The number of packets associated with Memcache responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending Memcache requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending Memcache responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by Memcache clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving Memcache requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

Memcache Metrics: Contains the following metrics:

  • Requests: The number of Memcache requests.
  • No-Replies: The number of Memcache requests for which a response was not necessarily expected, and none was received.
  • Responses: The number of Memcache responses.
  • Hits: The number of items matched and returned in response to Memcache GET requests.
  • Misses: The number of items requested but not received in response to Memcache GET requests. Misses are counted even if the server did not explicitly inform the client of the miss (for example, if the GET was a quiet request).
  • Errors: The number of errors sent by the Memcache server in response to client requests. Some responses other than the default response are not considered errors because they are usually expected to occur during normal operation. For example, the NOT_FOUND status code is not considered an error. In the Memcache text protocol analysis, only ERROR, CLIENT_ERROR, and SERVER_ERROR responses are considered errors.
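The counting rules in the Memcache Metrics list above can be reproduced over a captured text-protocol exchange. The following Python sketch is an added example, not ExtraHop code; the function names, counter names, and sample transactions are constructed for illustration and assume each request is already paired with its response.

```python
from collections import Counter

# Only these text-protocol replies count as errors; NOT_FOUND, NOT_STORED,
# EXISTS and similar replies are expected during normal operation.
ERROR_PREFIXES = ("ERROR", "CLIENT_ERROR", "SERVER_ERROR")
RETRIEVAL = {"get", "gets"}


def returned_keys(response):
    """Walk a text-protocol response and return (keys in VALUE blocks, last status line).

    Data blocks are skipped by their declared length, so payload bytes that
    happen to look like a status line are never misread as one.
    """
    keys, status, pos = [], None, 0
    while pos < len(response):
        eol = response.find(b"\r\n", pos)
        if eol < 0:
            break  # truncated capture: stop at the last complete line
        line = response[pos:eol].decode("ascii", "replace")
        pos = eol + 2
        parts = line.split()
        # VALUE <key> <flags> <bytes> [<cas unique>]
        if len(parts) >= 4 and parts[0] == "VALUE" and parts[3].isdigit():
            keys.append(parts[1])
            pos += int(parts[3]) + 2  # skip the data block and its CRLF
        else:
            status = line
    return keys, status


def tally(transactions):
    """Count requests, responses, no-replies, hits, misses and errors."""
    counts = Counter()
    for request, response in transactions:
        words = request.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
        if not words:
            continue
        command = words[0].lower()
        counts["requests"] += 1
        if not response:
            # No response seen; expected when the client sent "noreply".
            if words[-1] == "noreply" and command not in RETRIEVAL:
                counts["no_replies"] += 1
            continue
        counts["responses"] += 1
        keys, status = returned_keys(response)
        if command in RETRIEVAL and status == "END":
            # The server never names a missing key: a miss is a requested
            # key with no VALUE block in the reply.
            got = set(keys)
            hits = sum(1 for key in words[1:] if key in got)
            counts["hits"] += hits
            counts["misses"] += len(words[1:]) - hits
        if status and status.split(" ", 1)[0] in ERROR_PREFIXES:
            counts["errors"] += 1
    return counts


# Constructed sample exchange (request bytes, response bytes).
SAMPLE = [
    (b"get user:1 user:2\r\n", b"VALUE user:1 0 5\r\nalice\r\nEND\r\n"),
    (b"delete session:9\r\n", b"NOT_FOUND\r\n"),
    (b"incr user:1 1\r\n",
     b"CLIENT_ERROR cannot increment or decrement non-numeric value\r\n"),
    (b"set cfg 0 0 2 noreply\r\nok\r\n", b""),
    (b"flushh\r\n", b"ERROR\r\n"),
    # The stored value is the literal text "ERROR"; it must count as a hit.
    (b"get data\r\n", b"VALUE data 0 5\r\nERROR\r\nEND\r\n"),
]

if __name__ == "__main__":
    for name, value in sorted(tally(SAMPLE).items()):
        print(f"{name}: {value}")
```
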

Methods: Displays the Memcache methods for the selected time interval.

Status Codes: The status code section displays the HTTP status codes for the selected time interval. Click the number next to each status code to display a list of URIs associated with each status code.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see device, per-server, or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

Cache Hits and Misses: Displays the number of hits and misses as a function of time over the selected time interval.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

AAA

The AAA sub-page provides AAA information about an application.

To view AAA information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the AAA node to view the AAA details.

The AAA application toolbar includes the following controls:

  • Errors: The chart shows the number of AAA errors. Mouse over the points to view a summary of a specific time or date. The table lists the AAA error messages and number of occurrences.
  • Clients: The chart shows processing time for all clients. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client as well as total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows processing time for all servers. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, as well as total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with AAA requests.
  • Response L2 Bytes: The number of L2 bytes associated with AAA responses.
  • Request Packets: The number of packets associated with AAA requests.
  • Response Packets: The number of packets associated with AAA responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending AAA requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending AAA responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by AAA clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving AAA requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

AAA Metrics: Contains the following metrics:

  • Requests: The number of AAA requests.
  • Responses: The number of AAA responses.
  • Errors: The number of AAA errors for the selected time interval.
  • Aborts: The number of aborted AAA sessions.
  • RADIUS Requests: The number of RADIUS requests.
  • Diameter Requests: The number of Diameter requests.
  • Methods: Displays the selected method types for the AAA client or server.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see device, per-server, or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

Response Time Breakdown: Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

MongoDB

The MongoDB sub-page provides MongoDB database information about an application.

To view MongoDB information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the MongoDB node to view the protocol details.

The MongoDB application toolbar includes the following controls:

  • Errors: The chart shows the number of MongoDB errors. Mouse over the chart to view a summary of a specific time or date. The table lists MongoDB error messages and the number of times each occurred.
  • Methods: The chart shows the total count compared to the mean time (ms). Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists methods, count, total time, and mean time (ms) associated with each method. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Users: The chart shows the number of responses and errors from all users. Mouse over the chart to view a summary of a specific time or date. The table lists users and the number of responses and errors associated with each user.
  • Clients: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Database: Displays application metrics by database.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted from the application within the selected time interval. Selecting By Client IP in the drop-down list while mousing over the Request Bytes counter shows which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with MongoDB requests.
  • Response L2 Bytes: The number of L2 bytes associated with MongoDB responses.
  • Request Packets: The number of packets associated with MongoDB requests.
  • Response Packets: The number of packets associated with MongoDB responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending MongoDB requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending MongoDB responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by MongoDB clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving MongoDB requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

MongoDB Metrics: Contains the following metrics:

  • Requests: The number of MongoDB requests.
  • Responses: The number of MongoDB responses.
  • Errors: The number of errors sent or received within the selected time interval.

Methods: Displays the methods MongoDB uses to authenticate clients. Click the counter to display additional per-client or per-server IP address details. Methods include OP_DELETE, OP_INSERT, OP_QUERY, and OP_UPDATE.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see device, per-server, or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

IBMMQ

The IBMMQ sub-page provides information about the IBM WebSphere MQ protocol in an application.

To view IBMMQ information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the IBMMQ node to view the IBMMQ details.

The IBMMQ application toolbar includes the following controls:

  • Errors: The chart shows the number of IBMMQ errors. Mouse over the chart to view a summary of a specific time or date. The table lists IBMMQ error messages and the number of times each occurred.
  • Warnings: The chart shows the IBMMQ warnings (4xx error messages) transferred. The table lists IBMMQ warning messages and the number of times each occurred.
  • PUT/GET Ratio: The chart shows the total PUT and GET counts for all server IPs. Mouse over the chart to view a summary of a specific time or date. The table lists server IP addresses, the host and device associated with each server, and the PUT and GET counts for each server.
  • Clients: The chart shows round-trip time for all clients. Mouse over the points to view a five-number summary of round-trip time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, and round-trip time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows round-trip time for all servers. Mouse over the points to view a five-number summary of round-trip time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, and round-trip time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Queue: Displays application metrics by queue name.
  • By Channel: Displays application metrics by channel.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with IBMMQ requests.
  • Response L2 Bytes: The number of L2 bytes associated with IBMMQ responses.
  • Request Packets: The number of packets associated with IBMMQ requests.
  • Response Packets: The number of packets associated with IBMMQ responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending IBMMQ requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending IBMMQ responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by IBMMQ clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving IBMMQ requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

IBMMQ Metrics: Contains the following metrics:

  • Requests: The number of IBMMQ requests.
  • Responses: The number of IBMMQ responses.
  • Client Messages: The number of IBMMQ client messages sent or received.
  • Server Messages: The number of IBMMQ server messages transferred.
  • Errors: Number of IBMMQ errors for the selected time interval.
  • Warnings: Number of IBMMQ warnings for the selected time interval.
  • Server to Server: The number of IBMMQ server-to-server message types transferred.
  • Client to Server: The number of IBMMQ client-to-server message types transferred.

Methods: Displays the IBMMQ methods for the selected time interval.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see device, per-server, or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

MQGET and MQPUT: Displays the GET and PUT count for the current device over the selected time interval.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Note: When the system detects only server-to-server traffic, metrics that are gathered only for client-to-server transactions are zero or blank.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

SMTP

The SMTP sub-page provides SMTP information about an application.

To view SMTP information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the SMTP node to view the SMTP details.

The SMTP application toolbar includes the following controls:

  • Senders: The chart shows bytes transferred compared with message size. Mouse over points to view a summary of message size. The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists sender domains (HELO or EHLO command argument), bytes transferred, and mean message sizes.

  • Recipients: The chart shows bytes transferred compared with message size. Mouse over points to view a summary of message size. The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists recipient email addresses (RCPT TO command argument), bytes received, and mean message sizes.

  • Sender Domains: The chart shows bytes transferred. Mouse over the points to view a summary of a specific time or date. The table lists sender domains and the bytes transferred for each.
  • Errors: The chart shows the number of SMTP errors that occurred. Mouse over the points to view a summary of a specific time or date. The table lists SMTP error messages and the number of times each occurred.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with SMTP requests.
  • Response L2 Bytes: The number of L2 bytes associated with SMTP responses.
  • Request Packets: The number of packets associated with SMTP requests.
  • Response Packets: The number of packets associated with SMTP responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending SMTP requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending SMTP responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by SMTP clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving SMTP requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

SMTP Metrics: Contains the following metrics:

  • Requests: The number of SMTP requests.
  • Responses: The number of SMTP responses.
  • Errors: The number of responses by error for the application.
  • Sessions: The number of SMTP sessions.
  • Encrypted Sessions: The number of encrypted SMTP sessions.

Methods: Contains metrics for the following SMTP commands:

  • data: Data. Appends the mail data from this command to the mail data buffer.
  • ehlo: Extended Hello. Identifies the client to the server.
  • helo: Hello. Identifies the client to the server.
  • mail: Mail. Initiates a mail transaction in which the mail data is delivered to one or more mailboxes.
  • quit: Quit. Specifies that the receiver must send an OK reply, and then close the transmission channel.
  • rcpt: Recipient. Identifies an individual recipient of the mail data. Multiple recipients are specified by multiple use of this command.
  • rset: Reset. Specifies that the current mail transaction be aborted.
  • starttls: An extension of SMTP. After the client gives the STARTTLS command, the server responds that it is ready to start TLS, that there was a syntax error, or that TLS is not available.
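The Methods and Encrypted Sessions counters above can be reproduced from a cleartext capture. The Python sketch below is an added example, not ExtraHop code: it tallies the commands in the list above per session, marks a session encrypted only when the server answers STARTTLS with 220, and reports sessions that reached the mail command without TLS. The event layout, session names, and sample lines are constructed, and it assumes a passive observer with no decryption keys.

```python
from collections import Counter

# Command names as the Methods list above spells them.
METHODS = {"data", "ehlo", "helo", "mail", "quit", "rcpt", "rset", "starttls"}


def analyze_session(events):
    """Walk one session; events is a list of (direction, line), "C" or "S"."""
    methods = Counter()
    offered = encrypted = cleartext_mail = in_body = False
    last_cmd = None
    for direction, raw in events:
        if encrypted:
            break  # after the TLS handshake only ciphertext is visible
        line = raw.rstrip("\r\n")
        if direction == "C":
            if in_body:
                # Message content, not commands; a lone "." ends the body.
                in_body = line != "."
                continue
            verb = line.split(" ", 1)[0].lower()
            last_cmd = verb
            methods[verb if verb in METHODS else "other"] += 1
            if verb == "mail":
                cleartext_mail = True  # mail transaction started without TLS
        else:
            code, rest = line[:3], line[4:]
            if last_cmd == "ehlo" and code == "250" and rest.upper().startswith("STARTTLS"):
                offered = True  # server advertised the extension
            elif last_cmd == "starttls" and code == "220":
                encrypted = True  # syntax-error or not-available replies stay cleartext
            elif last_cmd == "data" and code == "354":
                in_body = True
    return {"methods": methods, "starttls_offered": offered,
            "encrypted": encrypted, "cleartext_mail": cleartext_mail}


def summarize(sessions):
    """Aggregate per-session results into session counts and findings."""
    totals, encrypted, findings = Counter(), 0, []
    for sid, events in sessions.items():
        r = analyze_session(events)
        totals.update(r["methods"])
        encrypted += r["encrypted"]
        if r["cleartext_mail"]:
            reason = ("STARTTLS offered but not used" if r["starttls_offered"]
                      else "STARTTLS not offered")
            findings.append((sid, reason))
    return {"sessions": len(sessions), "encrypted_sessions": encrypted,
            "methods": totals, "findings": findings}


# Constructed sample sessions (hypothetical hosts and addresses).
SAMPLE_SESSIONS = {
    "s1": [("S", "220 mx.example ESMTP"), ("C", "EHLO client.example"),
           ("S", "250-mx.example"), ("S", "250-STARTTLS"), ("S", "250 SIZE 10240000"),
           ("C", "STARTTLS"), ("S", "220 Ready to start TLS"),
           ("C", "<opaque TLS record>")],
    "s2": [("S", "220 mx.example ESMTP"), ("C", "EHLO client.example"),
           ("S", "250-mx.example"), ("S", "250-STARTTLS"), ("S", "250 OK"),
           ("C", "MAIL FROM:<a@client.example>"), ("S", "250 OK"),
           ("C", "RCPT TO:<b@mx.example>"), ("S", "250 OK"),
           ("C", "DATA"), ("S", "354 End data with <CR><LF>.<CR><LF>"),
           ("C", "Subject: test"), ("C", "RSET is just text here"), ("C", "."),
           ("S", "250 queued"), ("C", "QUIT"), ("S", "221 Bye")],
    "s3": [("S", "220 mx.example SMTP"), ("C", "HELO legacy.example"),
           ("S", "250 mx.example"), ("C", "MAIL FROM:<c@legacy.example>"),
           ("S", "250 OK"), ("C", "RSET"), ("S", "250 OK"),
           ("C", "QUIT"), ("S", "221 Bye")],
}

if __name__ == "__main__":
    report = summarize(SAMPLE_SESSIONS)
    print(report["sessions"], "sessions,", report["encrypted_sessions"], "encrypted")
    print(dict(report["methods"]))
    for sid, reason in report["findings"]:
        print(sid, "->", reason)
```

The body line in s2 that begins with RSET is not counted as a method because the walker is between the 354 reply and the terminating dot.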

Transaction Metrics: Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

  • ReqXfer: Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
  • Process: Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
  • RspXfer: Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
  • RTT: TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see device, per-server, or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

FTP

The FTP sub-page provides FTP information about an application.

To view FTP information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the FTP node to view the FTP details.

The FTP application toolbar includes the following controls:

  • Errors: The chart shows the number of FTP errors. Mouse over the points to view a summary of a specific time or date. The table lists FTP error messages and the number of times each occurred.
  • Warnings: The chart shows the FTP warnings (4xx error messages) transferred. The table lists the FTP warning messages and the number of times each occurred.
  • Users: The chart shows the number of responses and errors for all users. Mouse over the chart to view a summary of a specific time or date. The table lists users and the number of responses and errors associated with each user.
  • Clients: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Certificate: Displays application metrics by certificate.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with FTP requests.
  • Response L2 Bytes: The number of L2 bytes associated with FTP responses.
  • Request Packets: The number of packets associated with FTP requests.
  • Response Packets: The number of packets associated with FTP responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending FTP requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending FTP responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by FTP clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving FTP requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

FTP Metrics: Contains the following metrics:

  • Requests: The number of FTP requests.
  • Responses: The number of FTP responses.
  • Response Warnings: The number of responses with an FTP status code of 4xx.
  • Response Errors: The number of FTP response errors.

Methods: Displays the FTP commands for the selected time interval. Click the counter to display additional per-client or per-server IP address details.

Examples of FTP commands:

  • CWD: Allows the user to work with a different directory or dataset for file storage or retrieval without altering their login or accounting information.
  • DELE: Causes the file specified in the path name to be deleted at the server site.
  • EPSV: Puts connection into extended passive mode.
  • LIST: Gets information for a specific working directory, if explicitly specified, or the current one if none is specified.
  • MDTM: Gets last-modified time of a file.
  • MLSD: Gets the contents of a directory.
  • PASS: Is a Telnet string specifying the user's password. This command must be immediately preceded by the user name command.
  • PASV: Requests the server-DTP to "listen" on a data port (which is not its default data port) and to wait for a connection rather than initiate one on receipt of a transfer command.
  • PORT: Is a HOST-PORT specification for the data port to be used in the data connection.
  • PWD: Causes the name of the current working directory to be returned in the reply.
  • QUIT: Terminates a USER, and if file transfer is not in progress, the server closes the control connection. If file transfer is in progress, the connection will remain open for the result response, and the server will then close it.
  • RETR: Causes the server-DTP to transfer a copy of the file, specified in the path name, to the server.
  • SIZE: Gets the size of a file.
  • STOR: Causes the server-DTP to accept the data transferred via the data connection, and to store the data as a file at the server site.
  • SYST: Used to find out the type of operating system at the server.
  • TYPE: Puts the transfer mode into ASCII or Binary mode.

Status Codes: Displays the FTP reply codes for the selected time interval. Click the counter to display additional per-client or per-server IP address details.

Examples of FTP reply codes:

  • 1xx: Positive Preliminary reply
  • 2xx: Positive Completion reply
  • 3xx: Positive Intermediate reply
  • 4xx: Transient Negative Completion reply
  • 5xx: Permanent Negative Completion reply
  • 6xx: Protected reply

Examples of specific reply codes:

  • 200: OK
  • 221: Service closing control connection
  • 225: Data connection open
  • 226: Closing data connection
  • 227: Entering passive mode
  • 230: User logged in – proceed
  • 250: Requested file action okay
  • 500: Syntax error, command unrecognized. This may include errors such as command line too long.
  • 501: Syntax error in parameters or arguments
  • 502: Command not implemented
  • 503: Bad sequence of commands
  • 504: Command not implemented for that parameter
  • 530: Not logged in
  • 550: Requested action not taken – file not available
  • 553: Requested action not taken – filename not allowed
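As an added example (not ExtraHop code or output), the Python sketch below sorts FTP server replies into the reply classes listed above, counts 4xx warnings, and lists clients with repeated 530 replies. The input layout, the threshold of three, the treatment of 5xx as Response Errors, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Reply classes as listed above, keyed by the first digit of the code.
REPLY_CLASSES = {
    "1": "Positive Preliminary",
    "2": "Positive Completion",
    "3": "Positive Intermediate",
    "4": "Transient Negative Completion",
    "5": "Permanent Negative Completion",
    "6": "Protected",
}

_REPLY_START = re.compile(r"^(\d{3})([ -])")


def parse_replies(lines):
    """Yield (code, text) for each complete reply on one control connection.

    A reply that opens with "NNN-" runs until a line starting with the same
    "NNN " (code plus space); lines in between are text even if they begin
    with another three-digit number. An unterminated reply is dropped.
    """
    pending, buf = None, []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if pending is not None:
            buf.append(line)
            if line.startswith(pending + " "):
                yield pending, "\n".join(buf)
                pending, buf = None, []
            continue
        m = _REPLY_START.match(line)
        if m is None:
            continue  # not a reply line
        if m.group(2) == "-":
            pending, buf = m.group(1), [line]
        else:
            yield m.group(1), line


def summarize(conns, failed_login_threshold=3):
    """conns maps client IP -> server reply lines seen on its connection."""
    by_code, by_class, failed = Counter(), Counter(), Counter()
    for client, lines in conns.items():
        for code, _text in parse_replies(lines):
            by_code[code] += 1
            by_class[code[0] + "xx" if code[0] in REPLY_CLASSES else "other"] += 1
            if code == "530":  # Not logged in
                failed[client] += 1
    return {
        "responses": sum(by_code.values()),
        "by_code": by_code,
        "by_class": by_class,
        "warnings": by_class["4xx"],
        "errors": by_class["5xx"],  # assumption: errors are the 5xx class
        "suspect_clients": sorted(
            c for c, n in failed.items() if n >= failed_login_threshold),
    }


# Constructed sample replies (documentation-range addresses).
SAMPLE = {
    "192.0.2.10": [
        "220 FTP ready", "331 Password required",
        "230-Welcome", "226 files indexed today", "230 User logged in",
        "227 Entering passive mode (192,0,2,1,195,80)",
        "150 Opening data connection", "226 Closing data connection",
        "550 Requested action not taken", "221 Service closing control connection",
    ],
    "192.0.2.66": [
        "220 FTP ready",
        "331 Password required", "530 Not logged in",
        "331 Password required", "530 Not logged in",
        "331 Password required", "530 Not logged in",
        "421 Service not available",
    ],
}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for key in sorted(report["by_class"]):
        print(key, REPLY_CLASSES.get(key[0], "Unknown"), report["by_class"][key])
    print("warnings:", report["warnings"], "errors:", report["errors"])
    print("repeated 530 replies:", report["suspect_clients"])
```

The second line of the multi-line 230 reply begins with 226 but is not counted as a 226 reply, which keeps the per-code counts from being inflated by banner text.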

The Transaction Metrics graph displays the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Move the mouse pointer over each component to display a five-number statistical summary.

  • ReqXfer: Specifies the request transfer time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
  • Process: Specifies the server processing time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
  • RspXfer: Specifies the response transfer time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
  • RTT: Specifies TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

On the charts below, you can click and drag across the chart to zoom in on a particular region. When you zoom in this way, the value in the Time Interval control adjusts automatically to reflect the selected interval. For more information about zooming in, see Zooming in on a Fixed Time Period.

The Transactions Per Second graph displays the number of FTP protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region.

Response Time Breakdown: Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

FIX

The FIX sub-page provides FIX information about an application.

To view FIX information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the FIX node to view the FIX details.

The FIX application toolbar includes the following controls:

  • Errors: The chart shows the number of FIX errors. Mouse over the points to view a summary of a specific time or date. The table lists FIX error messages and the number of times each occurred.
  • Senders: The chart shows the number of FIX senders. Mouse over the points to view a summary of a specific time or date. The table lists senders and the count associated with each sender.
  • Targets: The chart shows the number of FIX targets. Mouse over the points to view a summary of a specific time or date. The table lists targets and the count associated with each target.
  • Clients: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: Displays request bytes for the application as a function of time over the selected time interval.
  • Response L2 Bytes: Displays response bytes for the application as a function of time over the selected time interval.
  • Request Packets: Displays request packets for the application as a function of time over the selected time interval.
  • Response Packets: Displays response packets for the application as a function of time over the selected time interval.
  • Request RTOs: Specifies the number of times the client delayed TCP retransmissions and missed server acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: Specifies the number of times the server delayed TCP retransmissions and missed client acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: Specifies the number of client-side zero window advertisements. A zero window indicates the connection has stalled because the client cannot handle the rate of data the server is sending.
  • Response Zero Window: Specifies the number of server-side zero window advertisements. A zero window indicates the connection has stalled because the server cannot handle the rate of data the client is sending.

FIX Metrics: Contains the following metrics:

  • Requests: Specifies the number of requests for the application.
  • Responses: Specifies the number of responses for the application.
  • Response Errors: Specifies the number of responses by error for the application.

Methods: Methods exchanged by device over the selected time interval. Click the counter to display additional per-client or per-server IP address details.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

VoIP

The VoIP sub-page provides VoIP information about an application.

To view VoIP information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the VoIP node to view the VoIP details.

The VoIP application toolbar includes the following controls:

  • Errors: The chart shows the number of VoIP errors (5xx level responses). Mouse over the points to view a summary of a specific time or date. The table lists hosts and the number of query errors associated with each host.
  • Clients: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

SIP Invites: Displays the number of SIP invites as a function of time over the selected time interval.

RTP Messages by Codec: Displays the number of RTP messages by codec as a function of time over the selected time interval. Click the chart to view a table with the total number of messages broken down by codec.

VoIP Throughput: Displays the number of VoIP packets transmitted as a function of time over the selected time interval.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

SIP

The SIP sub-page provides SIP information about an application.

To view SIP information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the VoIP node, and then click SIP to view the details.

The SIP application toolbar includes the following controls:

  • Errors: The chart shows the number of SIP errors. Mouse over the points to view a summary of a specific time or date. The table lists the URIs in error and the number of times an error occurred.
  • Initiators: Displays the list of initiators establishing connections to or from devices in the current device group over the selected time interval.
  • URIs: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists the URIs, number of responses, total time (ms), and processing time (ms) associated with each URI. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Methods: The chart shows the total count compared to the processing time (ms). Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists methods, total time (ms), and processing time (ms) associated with each method. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Clients: The chart shows the total number of client responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses by each client, and total processing time. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of server responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Initiator: Displays application metrics by initiator.
  • By URI: Displays application metrics by URI.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with SIP requests.
  • Response L2 Bytes: The number of L2 bytes associated with SIP responses.
  • Request Packets: The number of packets associated with SIP requests.
  • Response Packets: The number of packets associated with SIP responses.

SIP Metrics: Contains the following metrics:

  • Requests: The number of SIP requests.
  • Responses: The number of SIP responses.
  • Errors: The number of SIP errors for the selected time interval.

Methods: Displays the SIP methods for the selected time interval.

Status Codes: The status code section displays the HTTP status codes for the selected time interval. Click the number next to each status code to display a list of IP addresses associated with each status code.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see device, per-server, or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

Server Processing Time: Displays the median server processing time in milliseconds as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the processing time metrics. Click and drag across the chart to select a particular region.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

RTP

The RTP sub-page provides RTP information about an application.

To view RTP information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the VoIP node, and then click RTP to view the details.

Application Details: Specifies the type of additional application information displayed. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Sender IP: Displays application metrics by the sender IP addresses.
  • By Receiver IP: Displays application metrics by the receiver IP addresses.
  • By Codec: Displays application metrics by codec.

L2-L4 Metrics: Contains the following metrics:

  • L2 Bytes: The number of L2 bytes associated with RTP transactions.
  • Packets: The number of packets associated with RTP transactions.

RTP Metrics: Contains the following metrics:

  • Messages: The number of messages associated with RTP transmissions.
  • Drops: The number of packets associated with RTP transmissions which were lost in transit.
  • Duplicates: The number of duplicate messages associated with RTP transmissions.
  • Out of Order: The number of packets associated with RTP transmissions where the sequence number did not match the sequence number that the ExtraHop system was expecting. The reordering may have been introduced at the point of origin or an intermediary. This may result in decreased call quality.

RTP Messages by Codec: The number of RTP messages broken down by codec.

Throughput: The throughput (in bits per second) over the selected time interval.

Message Metrics: The number of drops, duplicates, and out-of-order messages associated with RTP transmissions over the selected time interval.

Jitter: An estimate of the statistical variance of the RTP packets' interarrival time, measured in timestamp units and expressed as an unsigned integer.

MOS: The mean opinion score calculated for packets associated with RTP transmissions.
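The RTP Metrics counters and the Jitter definition above, worked through as an added example that is not ExtraHop code: a per-stream tracker that classifies each packet by sequence number and updates the interarrival jitter with the RFC 3550 running estimator. The classification rules (a late arrival that fills a gap counts as out of order, a gap that is never filled counts as a drop), the class and function names, and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RtpPacket:
    seq: int         # 16-bit RTP sequence number from the header
    rtp_ts: int      # RTP timestamp, in media clock units
    arrival_us: int  # capture time in microseconds (constructed sample data)


@dataclass
class RtpStreamStats:
    clock_rate: int  # media clock in Hz, e.g. 8000 for G.711
    messages: int = 0
    duplicates: int = 0
    out_of_order: int = 0
    jitter: float = 0.0
    _highest: Optional[int] = None           # highest unwrapped sequence seen
    _seen: set = field(default_factory=set)  # unbounded here; bound it in production
    _missing: set = field(default_factory=set)
    _prev_transit: Optional[int] = None

    def _extend(self, seq: int) -> int:
        """Unwrap a 16-bit sequence number relative to the highest one seen."""
        if self._highest is None:
            return seq
        # Signed 16-bit distance, so 65535 -> 0 reads as +1 and not -65535.
        delta = (seq - (self._highest & 0xFFFF) + 0x8000) % 0x10000 - 0x8000
        return self._highest + delta

    def update(self, pkt: RtpPacket) -> None:
        self.messages += 1
        ext = self._extend(pkt.seq)
        if ext in self._seen:
            self.duplicates += 1  # same sequence number twice: no jitter update
            return
        self._seen.add(ext)
        if self._highest is None or ext > self._highest:
            if self._highest is not None:
                # Every skipped number is presumed lost until it shows up.
                self._missing.update(range(self._highest + 1, ext))
            self._highest = ext
        else:
            # Arrived behind a newer packet: reordered, so not a drop after all.
            self.out_of_order += 1
            self._missing.discard(ext)

        # RFC 3550 estimator: D is the change in transit time between
        # consecutive arrivals, in timestamp units; J += (|D| - J) / 16.
        # (32-bit RTP timestamp wraparound is not handled in this sketch.)
        arrival_ts = pkt.arrival_us * self.clock_rate // 1_000_000
        transit = arrival_ts - pkt.rtp_ts
        if self._prev_transit is not None:
            d = abs(transit - self._prev_transit)
            self.jitter += (d - self.jitter) / 16
        self._prev_transit = transit

    @property
    def drops(self) -> int:
        return len(self._missing)

    def summary(self) -> dict:
        return {
            "messages": self.messages,
            "drops": self.drops,
            "duplicates": self.duplicates,
            "out_of_order": self.out_of_order,
            "jitter": int(self.jitter),  # reported as an unsigned integer
        }


def analyze(packets, clock_rate: int) -> dict:
    stats = RtpStreamStats(clock_rate=clock_rate)
    for pkt in packets:
        stats.update(pkt)
    return stats.summary()


# Constructed stream: 20 ms packets on an 8000 Hz clock (160 units per packet).
SAMPLE = [
    RtpPacket(100, 0, 0),
    RtpPacket(101, 160, 20_000),
    RtpPacket(103, 480, 60_000),   # 102 skipped for now
    RtpPacket(102, 320, 61_000),   # late arrival: out of order
    RtpPacket(103, 480, 62_000),   # duplicate
    RtpPacket(105, 800, 105_000),  # 104 never arrives: drop
    RtpPacket(106, 960, 120_000),
]

if __name__ == "__main__":
    print(analyze(SAMPLE, clock_rate=8000))
```

A single reordered packet moves the jitter estimate sharply because its transit time differs from its neighbours by a whole packet interval, which is why a jitter spike and the Out of Order counter tend to rise together.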

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

RTCP

The RTCP sub-page provides RTCP information about an application.

To view RTCP information for the application:

  1. In the navigation bar, click Apps.
  2. On the All Applications page, click the application you want to view.
  3. In the page navigation panel within the Applications functional area, click the VoIP node, and then click RTCP to view the details.

Application Details: Specifies the type of additional application information displayed. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Sender IP: Displays application metrics by the sender IP addresses.
  • By Receiver IP: Displays application metrics by the receiver IP addresses.
  • By Canonical Name: Displays device metrics by canonical name.

L2-L4 Metrics: Contains the following metrics:

  • L2 Bytes: The number of L2 bytes associated with RTCP transactions.
  • Packets: The number of packets associated with RTCP transactions.

RTCP Messages: Contains the following metrics:

  • Sender Report Messages: The number of packets transmitted by the sender from the beginning of the transmission to the time this sender report packet was generated.
  • Sender Report Drops: The number of packets that were lost by the sender since the beginning of reception.
  • Receiver Report Messages: The number of packets transmitted by the receiver from the beginning of the transmission to the time this receiver report packet was generated.
  • Receiver Report Drops: The number of packets that were lost by the receiver since the beginning of reception.

Message Types: The number of RTCP records broken down by message type.

Packets Lost: The number of packets lost broken down by sender and receiver.

Sender Report Jitter: An estimate of the statistical variance of the RTP packets' interarrival time, measured in timestamp units and expressed as an unsigned integer.

Receiver Report Jitter: An estimate of the statistical variance of the RTP packets' interarrival time, measured in timestamp units and expressed as an unsigned integer.

The table at the bottom of the page lists the devices associated with this device group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

Select Action

Click the checkbox next to one or more devices in the table and then click the Select Action drop-down list to do the following:

  • Open in Metric Explorer: Opens the Metric Explorer to display detailed metrics for a network, application, device, or group.
  • Assign Tag: Applies a user-defined tag to a device. This tag is shown in the Tags section of the device top-level page.
  • Add to Group: Adds a device to a device group. In the Add to Group dialog box, click the drop-down list and select the group to add the device to, or enter a new name to create a device group.
  • Assign Alert: Applies a selected alert to a set of devices. In the Assign Alerts dialog box, you can filter by alert name and select one or more alerts to assign.
  • Assign Trigger: Applies a selected trigger to a set of devices. In the Assign Triggers dialog box, you can filter by trigger name and select one or more triggers to assign.
  • Assign Page: Applies a selected custom page to a set of devices. In the Assign Pages dialog box, you can filter by page name and select one or more pages to assign.
  • Assign to Flex Grid: Adds a selected device or set of devices to a flexible grid. In the Assign to Flex Grids dialog box, you can filter by flex grid name and add the device(s) to one or more flex grids.
  • Assign Geomap: Applies a selected geomap to a set of devices. In the Assign Geomaps dialog box, you can filter by geomap name and select one or more geomaps to assign.

Filter

The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Sort Metrics

Click the gear icon on the right side of the section to sort the metrics.

  • Sort by Key: Sorts the metrics in that section by the name of the metric.
  • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.

Networks

This section describes the network capture attributes, network alerts, and network traffic details. The Network page is the entry point into the network capture. The metrics that are collected and displayed here provide a summary of all network activity retrieved in the capture.

Note: When using the Network page as the starting point for data analysis, remember that the information collected on network devices is determined by the port mirror configuration. The device is only aware of the traffic passed to it.

In addition, if your organization uses the ExtraHop Central Manager (ECM) to manage multiple network capture points, the All Networks page displays a table of all capture points for your entire networking environment. You can click a specific network listed in the table to open the detailed Network page with metrics for that network. Otherwise, clicking the Networks button leads directly to the capture point on the local system.

The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information.

The network capture provides the following information about the capture itself as well as the ExtraHop appliance that initiated the capture:

  • Name: The name of the network capture. The name attribute includes an icon that opens a text box to edit the name of the network capture. This text area can be used to provide a more user-friendly name for the capture.
  • IP Address: The IP address of the ExtraHop appliance responsible for the network capture.
  • MAC Address: The MAC address of the ExtraHop appliance responsible for the network capture.
  • Description: An optional detailed description of the network. This attribute includes an icon that opens a text box for a user-entered description of the network capture. This text area can be used to provide additional information about this particular network capture.
  • Alerts: A list of alerts assigned to the network. This list includes controls to add or remove network-level alerts from the network capture.
  • Pages: A list of all custom pages assigned to the network. This list includes controls to add or remove network-level custom pages from the network capture.

The Network page is the starting point to review the capture-level metrics collected by the ExtraHop appliance.

To view the capture-level metrics:

  1. In the navigation bar, click Networks.
  2. On the All Networks page, click a capture node in the list to view the capture details.

The network capture details page appears.

More Network Page Activities
Edit the Name

To edit the network capture name:

  1. On the Network page, click the edit icon to the right of the Name field.

  2. In the Name text box, enter a new name for the network capture.

  3. Click OK.

Add a Description

To add an optional description for the network capture:

  1. On the Network page, click the edit icon to the right of the Description field.
  2. In the Description text box, enter a description for the network capture.
  3. Click OK.

Assign Alerts

To assign alerts to the list of active network alerts:

  1. On the Network page, click the add icon to the left of the Alerts field.

  2. In the Assign Alerts dialog box, select the network-level alerts that you want to show in the network capture.

  3. In the Filter text box, enter an optional filter string to filter the list of alerts by name.
  4. Click OK.

Remove Alerts

To remove alerts from the list of active network alerts:

  1. Go to the Network page and click the Alerts tab.
  2. Click the delete icon to the left of the alert that you want to delete.

To remove an alert assignment:

  1. On the navigation bar, click Settings and then click the Alerts icon.
  2. Click the name of the alert that you want to remove, click the Assignments tab, and then click the delete icon to the left of the name of the network.

Assign Custom Pages

To assign custom pages to a network:

  1. On the Network page, click the Pages tab to see the pages assigned to this capture point.
  2. Click the add icon to the left of the Pages field to assign previously defined pages that you want to show in the network capture.
  3. In the Assign Pages dialog box, select the network-level custom pages that you want to show in the network capture.

  4. In the Filter text box, enter an optional filter string to filter the list of pages by name.
  5. Click OK.

Remove Custom Pages

To remove pages from the list of active network custom pages:

  1. On the Network page, click the Pages tab to see the pages assigned to this capture point.
  2. Click the delete icon to the left of the page that you want to remove from the list.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Custom Page

If a custom page has been assigned to a network, the name of the custom page appears in the left panel.

To view a custom page for a network:

  1. In the navigation bar, click Apps.

  2. In the page navigation panel within the Networks functional area, click the name of the custom page.

Toolbar and Metric Display
Edit Page

Click the Edit Page button to perform one of the following actions.

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Alert History

The Alert History sub-page provides an alert summary for network-level alerts. The ExtraHop system can be configured to generate both threshold and trend-based alerts for any metric in the system. Alerts can be configured to send email notifications or SNMP traps as proactive early warnings for potential performance problems.

The network capture Alert History page displays all alerts, including alerts that have been acknowledged previously, and the corresponding time for each alert for the current network capture. The Alert History page also includes additional information about trend alerts that have fired.

To use the Alert History page, you must first create alerts. For more information, refer to Alert Configuration.

To check the network capture alert history:

  1. In the navigation bar, click Networks.

  2. In the page navigation panel within the Networks functional area, click the Alert History node to view the alert history details.

  3. Find a specific alert in the table.

    To sort the table by time, click the Time column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

    To sort the table by alert entry, click the Alerts column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

  4. Click the alert to view more information. The Alert Details pop-up window includes the following:

    • Name: The name of the alert.
    • Expression: The metric, time interval, operator, and sensitivity that were defined when the alert was created.
    • Value: The value of the metric at the time the alert fired. This is used for comparison against the alert expression.
    • Description: The optional user-defined description of the alert.

    For trend alerts, the Trend Alert Details pop-up window includes the following:

    • Name: The name of the alert.
    • Alert Conditions: The type of alert, time interval, operator, and/or percentage of the trend that were defined when the alert was created.
    • View at Time of Alert: The alert graph from when the alert was fired.
    • View Current State: The alert graph of the current trend state of the alert.

To view trend alerts:

  1. On the Alert History page, click the Current Trend State tab to view a list of trend-based alerts assigned to the network.

  2. Find a specific trend in the table.

    (ECM Only) Click the Show drop-down list and select one of the following options:

    • All Alerts: Displays alerts created on the ECM and the node.
    • ECM Alerts: Displays alerts created on the ECM only.
    • Local Alerts: Displays alerts created on the node only.

      To sort the table by trend, click the Trend column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

      To sort the table by metric, click the Stat column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

  3. Click the trend name to view more information about the trend alert.

  4. Click the Alert Graphs tab to view the trend alert over time and whether or not it has fired.

    • Alert Condition Nominal: Indicates the metrics being gathered have not reached an alert state.

    • Alert Firing: Indicates the metrics being gathered have met the alert criteria.

  5. Click the Alert Rules tab to view the rules of the trend alert and whether or not it has fired.

    • Alert Condition Nominal: Displays the alert rules in green.

    • Alert Firing: Displays the alert rules in red.

  6. Click Back to Trend Alerts to return to the Current Trend State table.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

VLANs

The VLANs sub-page displays metrics for top VLANs in packets and bytes. The VLANs table lists the following information for each device in the network capture:

  • Packets In/Out
  • Bytes In/Out

The toolbar for the VLANs page provides tools to add the metrics to the Summary dashboard, add the data on the current page to an existing report, and generate a PDF document from the data on the current page.

To view the VLANs page:

  1. In the navigation bar, click Networks.

  2. Under the Capture node, click VLANs.

Top VLANs (Packets)

The Top VLANs (Packets) area chart displays how VLANs contribute to the total packet count for the network.

Click a VLAN in the legend to view an isolated graph of its activity over time.

The table below lists the devices sending or receiving the traffic on the VLAN.

Top VLANs (Bytes)

The Top VLANs (Bytes) area chart displays how VLANs contribute to the total byte count for the network.

Click a VLAN in the legend to view an isolated graph of its activity over time.

The table at the bottom of the page lists the devices sending or receiving the traffic on the VLAN. You can filter the list of devices and manage the assignments for a device or group of devices.

Select Action

Click the checkbox next to one or more devices in the table and then click the Select Action drop-down list to do the following:

  • Open in Metric Explorer: Opens the Metric Explorer to display detailed metrics for a network, application, device, or group.
  • Assign Tag: Applies a user-defined tag to a device. This tag is shown in the Tags section of the device top-level page.
  • Add to Group: Adds a device to a device group. In the Add to Group dialog box, click the drop-down list and select the group to add the device to, or enter a new name to create a device group.
  • Assign Alert: Applies a selected alert to a set of devices. In the Assign Alerts dialog box, you can filter by alert name and select one or more alerts to assign.
  • Assign Trigger: Applies a selected trigger to a set of devices. In the Assign Triggers dialog box, you can filter by trigger name and select one or more triggers to assign.
  • Assign Page: Applies a selected custom page to a set of devices. In the Assign Pages dialog box, you can filter by page name and select one or more pages to assign.
  • Assign to Flex Grid: Adds a selected device or set of devices to a flexible grid. In the Assign to Flex Grids dialog box, you can filter by flex grid name and add the device(s) to one or more flex grids.
  • Assign Geomap: Applies a selected geomap to a set of devices. In the Assign Geomaps dialog box, you can filter by geomap name and select one or more geomaps to assign.

Filter

The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Details

Click a VLAN listed in the table to list the devices sending or receiving the traffic for that VLAN. The VLAN groups appear in a table with the following headings:

  • Group: Provides a link to a list of devices in the corresponding VLAN group.

  • Packets: Represents the total packet count for the currently selected VLAN group.

  • Bytes: Represents the total byte count for the currently selected VLAN group.

When you click a VLAN group, the VLAN device metrics appear in a table with the following headings:

  • Device: Provides a link to the corresponding device. For local devices, the link leads to that device. For remote devices, the link leads to the gateway device through which the requests were routed.

  • Packets In: Represents the incoming packet rate for the currently selected VLAN in the area chart.

  • Packets Out: Represents the outgoing packet rate for the currently selected VLAN in the area chart.

  • Bytes In: Represents the incoming byte count for the currently selected VLAN in the area chart.

  • Bytes Out: Represents the outgoing byte count for the currently selected VLAN in the area chart.

You can filter the list of devices and manage the assignments for a device or group of devices.

Select Action

Click the checkbox next to one or more devices in the table and then click the Select Action drop-down list to do the following:

  • Open in Metric Explorer: Opens the Metric Explorer to display detailed metrics for a network, application, device, or group.
  • Assign Tag: Applies a user-defined tag to a device. This tag is shown in the Tags section of the device top-level page.
  • Add to Group: Adds a device to a device group. In the Add to Group dialog box, click the drop-down list and select the group to add the device to, or enter a new name to create a device group.
  • Assign Alert: Applies a selected alert to a set of devices. In the Assign Alerts dialog box, you can filter by alert name and select one or more alerts to assign.
  • Assign Trigger: Applies a selected trigger to a set of devices. In the Assign Triggers dialog box, you can filter by trigger name and select one or more triggers to assign.
  • Assign Page: Applies a selected custom page to a set of devices. In the Assign Pages dialog box, you can filter by page name and select one or more pages to assign.
  • Assign to Flex Grid: Adds a selected device or set of devices to a flexible grid. In the Assign to Flex Grids dialog box, you can filter by flex grid name and add the device(s) to one or more flex grids.
  • Assign Geomap: Applies a selected geomap to a set of devices. In the Assign Geomaps dialog box, you can filter by geomap name and select one or more geomaps to assign.

Filter

The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Devices

The Devices sub-page within the Networks functional area lists the devices discovered on the network in the current network capture.

The toolbar for the Devices page provides tools to add the metrics to the Summary dashboard, add the data on the current page to an existing report, and generate a PDF document from the data on the current page.

To view the Devices page:

  1. In the navigation bar, click Networks.
  2. Under the Capture node, click Devices.

The table contains the following columns:

  • Name: The primary name the device uses to communicate on the network. Names are discovered by passively monitoring a variety of naming protocols, including DNS, DHCP, NETBIOS, and Cisco Discovery Protocol. If a device name is not discovered, a NIC manufacturer-based identifier is assigned to the device by looking at the MAC address. If the MAC address range is not registered, or if it belongs to a private MAC address space, the name includes the last six characters of the MAC address (for example, Device 00000c0789b1).

    The device-type icon to the left of the device name identifies the activity primarily associated with this device. Hovering the mouse pointer over the device name displays a tool tip that describes the device type, for example:

    • Web server
    • DB server
    • File server
    • Load balancer
    • Gateway
    • Custom device

    The device name and type can be edited by clicking on the name and using the edit tool on the Device page.

  • MAC Address: The MAC address is a unique identifier of the device network interface. For physical devices that have multiple interfaces, one entry per interface is maintained. The vendor icon displays to the left of MAC Address as determined by the MAC OID lookup.
  • IP Address: The primary IP address the device uses to communicate on the network. By default, Address Resolution Protocol (ARP) traffic is used to determine the mapping from MAC addresses to IP addresses. In the absence of such traffic, IP packet header information is used. If there is no ARP traffic, the IP address 0.0.0.0 is assigned to routing devices, such as gateways, firewalls, and load balancers, to indicate that the device handles packets from many sources.
  • Discovery Time: The time when the device was first discovered. The day of the week, the calendar date, and time are displayed in the following format: Wed Aug 06 09:01.
  • Description: A user-defined description of the device. To edit the device description, click the device name and use the edit tool on the Device page.
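The IP Address rule above (ARP first, IP headers as a fallback, 0.0.0.0 for routing devices seen without ARP) can be sketched as follows. This is an added example, not ExtraHop code: the observation tuples, the function name, and the threshold used to decide that a MAC "handles packets from many sources" are assumptions made for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumption for this sketch: a MAC with no ARP traffic that sources IP
# packets for more than this many distinct addresses is a routing device.
ROUTER_SOURCE_THRESHOLD = 3


def resolve_primary_ips(observations, router_threshold=ROUTER_SOURCE_THRESHOLD):
    """Derive one primary IP per MAC from passively observed frames.

    observations: iterable of (kind, src_mac, src_ip) where kind is
    "arp" (sender address in an ARP frame) or "ip" (IP header source).
    """
    arp_claims = defaultdict(Counter)   # MAC -> IPs it announced via ARP
    header_ips = defaultdict(Counter)   # MAC -> source IPs seen in IP headers
    for kind, mac, ip in observations:
        mac = mac.lower()
        ip = str(ipaddress.ip_address(ip))  # rejects malformed addresses
        if kind == "arp":
            arp_claims[mac][ip] += 1
        elif kind == "ip":
            header_ips[mac][ip] += 1
        else:
            raise ValueError(f"unknown observation kind: {kind!r}")

    devices = {}
    for mac in sorted(set(arp_claims) | set(header_ips)):
        distinct_sources = len(header_ips.get(mac, ()))
        if mac in arp_claims:
            # ARP is authoritative when present, even for a busy gateway.
            ip, source = arp_claims[mac].most_common(1)[0][0], "arp"
        elif distinct_sources > router_threshold:
            # No ARP and many source addresses behind one MAC.
            ip, source = "0.0.0.0", "routing-device"
        else:
            ip, source = header_ips[mac].most_common(1)[0][0], "ip-header"
        devices[mac] = {"ip": ip, "source": source,
                        "distinct_sources": distinct_sources}
    return devices


def constructed_observations():
    """Constructed sample traffic (documentation address ranges)."""
    obs = [
        ("arp", "AA:00:00:00:00:01", "10.0.0.5"),
        ("arp", "aa:00:00:00:00:01", "10.0.0.5"),
        ("ip", "aa:00:00:00:00:01", "10.0.0.5"),
        # Host that never ARPs inside the capture window.
        ("ip", "aa:00:00:00:00:02", "10.0.0.9"),
        ("ip", "aa:00:00:00:00:02", "10.0.0.9"),
        # Gateway that ARPs: keeps its own address despite relayed sources.
        ("arp", "aa:00:00:00:00:fd", "10.0.0.1"),
    ]
    relayed = ["203.0.113.10", "198.51.100.7", "192.0.2.33",
               "203.0.113.99", "198.51.100.200"]
    for ip in relayed:
        obs.append(("ip", "aa:00:00:00:00:fd", ip))
        # Gateway with no ARP in the capture: only relayed sources are seen.
        obs.append(("ip", "aa:00:00:00:00:fe", ip))
    return obs


if __name__ == "__main__":
    for mac, info in resolve_primary_ips(constructed_observations()).items():
        print(mac, info)
```

A device listed as 0.0.0.0 in an inventory export is therefore expected for gateways, firewalls, and load balancers, and is not by itself a sign of a missing address.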

To view the detailed information about devices discovered in the network capture:

  1. In the navigation bar, click Networks.
  2. Under the Capture node, click Devices.
  3. If the network capture discovers hundreds of devices, use the Find feature to filter the list of devices displayed in the table.
  4. For more information about using the search feature to filter the device list, refer to Device Search.
  5. To sort the table by column, click the column heading, and then click the arrow in the right corner of the column to sort the entries in ascending or descending order.
  6. To view the network capture details for a specific device, click the device name.

The ExtraHop Web UI is directed to the Devices functional area and opens the device page for the specific device selected.

More Devices Page Activities

Select Action

Click the checkbox next to one or more devices in the table and then click the Select Action drop-down list to do the following:

  • Open in Metric Explorer: Opens the Metric Explorer to display detailed metrics for a network, application, device, or group.
  • Assign Tag: Applies a user-defined tag to a device. This tag is shown in the Tags section of the device top-level page.
  • Add to Group: Adds a device to a device group. In the Add to Group dialog box, click the drop-down list and select the group to add the device to, or enter a new name to create a device group.
  • Assign Alert: Applies a selected alert to a set of devices. In the Assign Alerts dialog box, you can filter by alert name and select one or more alerts to assign.
  • Assign Trigger: Applies a selected trigger to a set of devices. In the Assign Triggers dialog box, you can filter by trigger name and select one or more triggers to assign.
  • Assign Page: Applies a selected custom page to a set of devices. In the Assign Pages dialog box, you can filter by page name and select one or more pages to assign.
  • Assign to Flex Grid: Adds a selected device or set of devices to a flexible grid. In the Assign to Flex Grids dialog box, you can filter by flex grid name and add the device(s) to one or more flex grids.
  • Assign Geomap: Applies a selected geomap to a set of devices. In the Assign Geomaps dialog box, you can filter by geomap name and select one or more geomaps to assign.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Multicast

The Multicast sub-page displays metrics for multicast and broadcast traffic on the network. Well-known multicast groups include:

  • IEEE Spanning Tree (STP)
  • Address Resolution Protocol (ARP)
  • IPv6 Neighbor Discovery Protocol (NDP)
  • Cisco Discovery Protocol (CDP)
  • Cisco Shared Spanning Tree Protocol (CSSTP)
  • Alternate Spanning Multicast (ALTSM)
  • Routing Information Protocol (RIP)
  • Network Time Protocol (NTP)
  • Open Shortest Path First (OSPF)
  • Multiprotocol Label Switching (MPLS)
  • Inter Switch Link (ISL)
  • Cisco VLAN Bridge (CVB)
  • Dynamic Host Configuration Protocol (DHCP) client
  • Dynamic Host Configuration Protocol (DHCP) server
  • NETBIOS Name Service
  • NETBIOS Datagram Service
  • Multicast DNS (MDNS)
  • Uncategorized L2 broadcast (L2BCAST)

Other multicast groups are represented using the numeric form of the group address, protocol, and L4 port.

The page-level toolbar for the Multicast page provides tools to add the metrics to the Summary dashboard, add the data on the current page to an existing report, and generate a PDF document from the data on the current page.

To view the Multicast traffic page:

  1. In the navigation bar, click Networks.

  2. Under the Capture node, click Multicast.

The Packet Count by Group bar chart displays the packet count for each of the top-ten multicast groups. The Byte Count by Group bar chart displays the byte count for each of the top-ten multicast groups.

To view multicast traffic details:

  1. In the navigation bar, click Networks, select a network, and then click Multicast.
  2. In a bar graph, mouse over each bar to view details on the specific group’s count.

  3. Click the bar to show the device, packet count, and byte count for the currently selected multicast group.

    Note: If no multicast group is selected, the packet count and byte count are the sums of all multicast group frame counts for the device.
  4. To filter the list of devices associated with the multicast group, enter a search string in the Filter text box. The list filters automatically as search string characters are entered.
  5. To sort the table by column, click the column heading, and then click the arrow in the right corner of the column to sort the entries in ascending or descending order.
  6. To view the multicast details for a specific device, click the device name.

The ExtraHop Web UI is directed to the Devices functional area and opens the multicast page for the device selected.

Multicast Table Actions

Select Action

Click the checkbox next to one or more devices in the table and then click the Select Action drop-down list to do the following:

  • Open in Metric Explorer: Opens the Metric Explorer to display detailed metrics for a network, application, device, or group.
  • Assign Tag: Applies a user-defined tag to a device. This tag is shown in the Tags section of the device top-level page.
  • Add to Group: Adds a device to a device group. In the Add to Group dialog box, click the drop-down list and select the group to add the device to, or enter a new name to create a device group.
  • Assign Alert: Applies a selected alert to a set of devices. In the Assign Alerts dialog box, you can filter by alert name and select one or more alerts to assign.
  • Assign Trigger: Applies a selected trigger to a set of devices. In the Assign Triggers dialog box, you can filter by trigger name and select one or more triggers to assign.
  • Assign Page: Applies a selected custom page to a set of devices. In the Assign Pages dialog box, you can filter by page name and select one or more pages to assign.
  • Assign to Flex Grid: Adds a selected device or set of devices to a flexible grid. In the Assign to Flex Grids dialog box, you can filter by flex grid name and add the device(s) to one or more flex grids.
  • Assign Geomap: Applies a selected geomap to a set of devices. In the Assign Geomaps dialog box, you can filter by geomap name and select one or more geomaps to assign.

Filter

The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Top Groups

To view multicast top groups:

  1. In the navigation bar, click Networks, click Multicast, and then click Top Groups.

    The Top Groups (Packets) area chart displays how multicast groups contribute to the total packet count on the network. Click a multicast group listed in the legend to list the devices sending or receiving the traffic for that protocol in the Multicast table below.

    The Top Groups (Bytes) area chart displays how multicast groups contribute to the total byte count on the network. Click a multicast group listed in the legend to list the devices sending or receiving the traffic for that protocol in the Multicast table below.

  2. To sort the table by column, click the column heading, and then click the arrow in the right corner of the column to sort the entries in ascending or descending order. Click a multicast group to list the devices sending or receiving the traffic for that multicast group.
  3. To view the multicast details for a specific device, click the device name.

    The ExtraHop Web UI is directed to the Devices functional area and opens the multicast page for the specific device selected.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Details

To view multicast group details:

  1. In the navigation bar, click Networks, click Multicast, and then click Details. The Multicast table lists all multicast groups detected on the network and associated packet and byte counts.
  2. To sort the table by column, click the column heading, and then click the arrow in the right corner of the column to sort the entries in ascending or descending order.
  3. Click a multicast group to list the devices sending or receiving the traffic for that multicast group.

  4. To view the multicast details for a specific device, click the device name.

The ExtraHop Web UI is directed to the Devices functional area and opens the multicast page for the specific device selected.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

L2

The L2 network traffic sub-page displays metrics for OSI Layer 2 traffic by packet rate (packets per second) and throughput (in bits per second). It also provides metrics on frame count by L2 Ethertype and by frame size. The L2 network traffic sub-page includes the following sub-pages to present detailed metrics on packets, throughput, and frame count:

  • Packets: Displays the L2 packet rate data as a line chart.
  • Throughput: Displays the L2 throughput data as a line chart in bits per second.
  • Frame Details: Displays L2 frame count statistics as bar charts.

The page-level toolbar for each of these sub-pages provides tools to add the metrics to the Summary dashboard, add the data on the current page to an existing report, and generate a PDF document from the data on the current page.

To view the L2 network traffic sub-page:

  1. In the navigation bar, click Networks.
  2. Under the Capture node, click L2.

  3. To access detailed metrics on the Packets, Throughput, or Frame Count charts:
    • Click the graphic image on the L2 network traffic sub-page.

    OR

    • Expand the L2 node in the tree, and click the Packets, Throughput, or Frame Details nodes.

The Frame Count by Distribution bar chart displays a logarithmic-scale histogram of the distribution of frames by L2 type (Unicast, Multicast, and Broadcast).

To view the frame distribution by L2 type:

  1. In the navigation bar, click Networks.
  2. Under the Capture node, expand the L2 node, and then click Frame Details.
  3. Mouse over the Frame Count by Distribution histogram bars to view the distribution of frame counts for each L2 type.

  4. Click the histogram bars to display the list of devices and the frame count in and out for the specified L2 type.
  5. To filter the list of devices, enter a search string in the Filter text box. The list filters automatically as search string characters are entered.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Packets

The Packets line chart displays the packet rate (in packets per second) for the selected time interval. On the line chart, Current and Max identify the current and maximum packet rates for the given time period. Total identifies the total number of packets for the selected time interval. The gray bands represent the 5th to 95th percentile of the packet rate historically observed for the specific time of day and day of the week.

To view detailed metrics on the Packets line chart:

  1. In the navigation bar, click Networks.

  2. Under the Capture node, expand the L2 node and then click Packets.

  3. To view specific statistics for each data point, move the mouse pointer across the chart to see the packets per second value for each unit on the x-axis of the graph.

  4. To zoom in on a short time interval, drag across the chart to select a particular region.

    When you release the mouse button, the graph is redrawn, showing only the selected region.

    Note: The scales on the chart’s axes change to reflect the range of values in the selected time interval. In addition, the value in the Time Interval tool is adjusted to reflect the fixed time range selected in the graph.

Toolbar and Metric Display

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Throughput

The Throughput line chart displays the throughput (in bits per second) over the selected time interval. In the chart, Current and Max identify the current and maximum throughputs. Total identifies the total number of bytes transferred over the selected time interval. The gray bands represent the 5th to 95th percentile of the throughput historically observed for this time of day and day of the week.
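The gray band described for both the Packets and Throughput charts (5th to 95th percentile for the same time of day and day of week) can be reproduced from exported data to check whether a reading is unusual for its time slot. This is an added example, not ExtraHop code: bucketing by (weekday, hour), linear interpolation between samples, and the minimum-sample cutoff are assumptions, and the history is constructed.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta


def percentile(sorted_values, p):
    """Linear-interpolated p-th percentile (0-100) of a pre-sorted list."""
    if not sorted_values:
        raise ValueError("no samples")
    k = (len(sorted_values) - 1) * p / 100
    lo = math.floor(k)
    hi = min(lo + 1, len(sorted_values) - 1)
    return sorted_values[lo] + (sorted_values[hi] - sorted_values[lo]) * (k - lo)


def build_bands(history, low_p=5, high_p=95, min_samples=10):
    """Return {(weekday, hour): (low, high)} from (timestamp, value) pairs.

    Buckets with fewer than min_samples readings get no band, so a new
    time slot is reported as lacking a baseline rather than as an anomaly.
    """
    buckets = defaultdict(list)
    for ts, value in history:
        buckets[(ts.weekday(), ts.hour)].append(value)
    bands = {}
    for key, values in buckets.items():
        if len(values) < min_samples:
            continue
        values.sort()
        bands[key] = (percentile(values, low_p), percentile(values, high_p))
    return bands


def classify(bands, ts, value):
    """Place a reading relative to the band for its weekday and hour."""
    band = bands.get((ts.weekday(), ts.hour))
    if band is None:
        return "no-baseline"
    low, high = band
    if value < low:
        return "below"
    if value > high:
        return "above"
    return "within"


def constructed_history():
    """Constructed packet-rate history: 21 weeks for two time slots."""
    monday_9 = datetime(2024, 1, 1, 9, 0)   # a Monday, business hours
    sunday_3 = datetime(2024, 1, 7, 3, 0)   # a Sunday, overnight
    history = []
    for week in range(21):
        offset = timedelta(weeks=week)
        history.append((monday_9 + offset, 1000 + 10 * week))  # 1000..1200 pps
        history.append((sunday_3 + offset, 100 + week))        # 100..120 pps
    # A slot with too little history to form a band.
    history.append((datetime(2024, 1, 3, 14, 0), 500))
    return history


if __name__ == "__main__":
    bands = build_bands(constructed_history())
    for when in (datetime(2024, 6, 3, 9, 30), datetime(2024, 6, 2, 3, 15)):
        print(when, classify(bands, when, 1150))
```

The same 1150 packets per second falls inside the Monday 09:00 band but far above the Sunday 03:00 band, which is why a time-of-week baseline catches off-hours activity that a single fixed threshold would miss.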

To view detailed metrics on the Throughput line chart:

  1. In the navigation bar, click Networks.

  2. Under the Capture node, expand the L2 node and then click Throughput.

  3. To view specific statistics for each data point, move the mouse pointer across the chart to see the throughput in megabits per second for each unit on the x-axis of the graph.

  4. To zoom in on a short time interval, drag across the chart to select a particular region.

    When you release the mouse button, the graph is redrawn, showing only the selected region.

    Note: The scales on the chart’s axes change to reflect the range of values in the selected time interval. In addition, the value in the Time Interval tool is adjusted to reflect the fixed time range selected in the graph.
Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Frame Details

The Frame Details page provides bar charts that show the frame count by size and by type. The Frame Count by Size bar chart displays a logarithmic-scale histogram of the distribution of Ethernet frame sizes. The values on the x-axis (64, 128, 256, 512, 1024, 1513, 1518, and Jumbo) indicate the maximum size of the frame for the category. For example, 256 represents a frame size between 129 and 256 bytes, inclusive.

To view the frame count by frame size:

  1. In the navigation bar, click Networks.

  2. Under the Capture node, expand the L2 node and then click Frame Details.

  3. Mouse over the Frame Count by Size histogram bars to view the exact frame count for each specified frame size.

  4. Click the histogram bars to display the list of devices and the frame count in and out for the specified frame size.

  5. To filter the list of devices, enter a search string in the Filter text box.

    The list filters automatically as search string characters are entered.

The Frame Count by Type bar chart displays a logarithmic-scale histogram of the distribution of frames by L2 Ethertype (IPv4, IPv6, ARP, IPX, MPLS, LACP, STP, 802.1X, and other).

To view the frame count by frame type:

  1. In the navigation bar, click Networks.

  2. Under the Capture node, expand the L2 node and then click Frame Details.

  3. Mouse over the Frame Count by Type histogram bars to view the exact frame count for each specified frame type.

  4. Click the histogram bars to display the list of devices and the frame count in and out for the specified frame type.

  5. To filter the list of devices, enter a search string in the Filter text box.

    The list filters automatically as search string characters are entered.
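The two Frame Details histograms can be reproduced offline from captured frames. The following is an added example, not ExtraHop code: it bins raw Ethernet frames into the size categories and frame types listed above. The EtherType constants come from the IEEE registry, and the handling of VLAN tags, the frame-length convention, the bar rendering, and the constructed sample frames are assumptions of this example.

```python
import math
import struct
from collections import Counter

# Upper bounds of the size categories named on the page; larger frames are "Jumbo".
SIZE_BOUNDS = (64, 128, 256, 512, 1024, 1513, 1518)

# EtherType values from the IEEE registry (assumption: the product's own
# mapping is not documented on the page).
ETHERTYPES = {
    0x0800: "IPv4",
    0x86DD: "IPv6",
    0x0806: "ARP",
    0x8137: "IPX",
    0x8847: "MPLS",    # MPLS unicast
    0x8848: "MPLS",    # MPLS multicast
    0x888E: "802.1X",
}
VLAN_TPIDS = (0x8100, 0x88A8)   # 802.1Q and 802.1ad tag identifiers
SLOW_PROTOCOLS = 0x8809         # LACP is subtype 1 of this EtherType
LACP_SUBTYPE = 0x01
STP_LLC_SAP = 0x42              # STP BPDUs use LLC DSAP/SSAP 0x42


def size_bucket(length):
    """Return the x-axis category for a frame length in bytes."""
    for bound in SIZE_BOUNDS:
        if length <= bound:
            return str(bound)
    return "Jumbo"


def frame_type(frame):
    """Classify one Ethernet frame into the chart's frame-type categories."""
    if len(frame) < 14:
        return "other"
    offset = 12
    (etype,) = struct.unpack_from("!H", frame, offset)
    # Skip VLAN tags so the inner EtherType decides the category.
    while etype in VLAN_TPIDS and len(frame) >= offset + 6:
        offset += 4
        (etype,) = struct.unpack_from("!H", frame, offset)
    body = frame[offset + 2:]
    if etype <= 1500:
        # 802.3 length field: the payload starts with an LLC header.
        if body[:2] == bytes([STP_LLC_SAP, STP_LLC_SAP]):
            return "STP"
        return "other"
    if etype == SLOW_PROTOCOLS:
        return "LACP" if body[:1] == bytes([LACP_SUBTYPE]) else "other"
    return ETHERTYPES.get(etype, "other")


def histograms(frames):
    """Return (count by size category, count by frame type)."""
    sizes, types = Counter(), Counter()
    for frame in frames:
        sizes[size_bucket(len(frame))] += 1
        types[frame_type(frame)] += 1
    return sizes, types


def log_bar(count, chars_per_decade=10):
    """Text bar whose length grows with log10(count), as on a log-scale axis."""
    if count <= 0:
        return ""
    return "#" * (1 + int(chars_per_decade * math.log10(count)))


def build_frame(ethertype, total_len, body=b"", vlan_id=None):
    """Build a constructed frame (zeroed MAC addresses) padded to total_len."""
    header = bytes(12)
    if vlan_id is not None:
        header += struct.pack("!HH", 0x8100, vlan_id)
    frame = header + struct.pack("!H", ethertype) + body
    return frame + bytes(max(0, total_len - len(frame)))


# Constructed sample frames, not taken from a real capture.
SAMPLE_FRAMES = [
    build_frame(0x0800, 64),
    build_frame(0x0806, 64),
    build_frame(0x86DD, 129),
    build_frame(0x0800, 1518, vlan_id=10),
    build_frame(0x0026, 64, body=b"\x42\x42\x03"),   # 802.3 length + LLC (STP)
    build_frame(0x8809, 128, body=b"\x01"),          # Slow Protocols, LACP
    build_frame(0x888E, 64),
    build_frame(0x0800, 9000),
    build_frame(0x88CC, 200),                        # LLDP, not a listed type
    build_frame(0x8847, 1513),
]

if __name__ == "__main__":
    by_size, by_type = histograms(SAMPLE_FRAMES)
    for label in [str(b) for b in SIZE_BOUNDS] + ["Jumbo"]:
        print(f"{label:>6} {by_size[label]:>3} {log_bar(by_size[label])}")
    for label, count in by_type.most_common():
        print(f"{label:>6} {count:>3} {log_bar(count)}")
```
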

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

L3

The L3 network traffic sub-page displays metrics for OSI Layer 3 traffic by packet count per L3 network protocol and byte count per protocol. It also provides metrics on IP fragments identified in the network capture. The L3 Protocols table lists the following information for each device in the network capture:

  • Packets In/Out
  • Bytes In/Out
  • IP Fragments In/Out

The page-level toolbar for the L3 network traffic sub-page provides tools to add the metrics to the Summary dashboard, add the data on the current page to an existing report, and generate a PDF document from the data on the current page.

To view the L3 network traffic sub-page:

  1. In the navigation bar, click Networks.
  2. Under the Capture node, click L3.

Packet Count by Protocol

The Packet Count by Protocol bar chart displays the packet count for each L3 protocol type. The values on the x-axis (ICMP6, TCP, UDP, and Other) identify the common L3 protocol types.

To view the packet count by protocol:

  1. In the navigation bar, click Networks.
  2. Under the Capture node, click L3.
  3. Mouse over the Packet Count by Protocol histogram bars to view the exact packet count for each specified protocol.

  4. Click the histogram bars to display the list of devices and the packets in and out (and bytes in and out) for the specified protocol for each device.

  5. To filter the list of devices, enter a search string in the Filter text box.

The list filters automatically as search string characters are entered.

Byte Count by Protocol

The Byte Count by Protocol bar chart displays the byte count for each L3 protocol type. The values on the x-axis (ICMP6, TCP, UDP, and Other) identify the common L3 protocol types.

To view the byte count by protocol:

  1. In the navigation bar, click Networks.
  2. Under the Capture node, click L3.
  3. Mouse over the Byte Count by Protocol histogram bars to view the exact packet count for each specified protocol.

  4. Click the histogram bars to display the list of devices and the bytes in and out (and packets in and out) for the specified protocol for each device.

The table at the bottom of the page lists the peer devices sending or receiving traffic. You can filter the list of devices and manage the assignments for a device or group of devices.

Select Action

Click the checkbox next to one or more devices in the table and then click the Select Action drop-down list to do the following:

  • Open in Metric Explorer: Opens the Metric Explorer to display detailed metrics for a network, application, device, or group.
  • Assign Tag: Applies a user-defined tag to a device. This tag is shown in the Tags section of the device top-level page.
  • Add to Group: Adds a device to a device group. In the Add to Group dialog box, click the drop-down list and select the group to add the device to, or enter a new name to create a device group.
  • Assign Alert: Applies a selected alert to a set of devices. In the Assign Alerts dialog box, you can filter by alert name and select one or more alerts to assign.
  • Assign Trigger: Applies a selected trigger to a set of devices. In the Assign Triggers dialog box, you can filter by trigger name and select one or more triggers to assign.
  • Assign Page: Applies a selected custom page to a set of devices. In the Assign Pages dialog box, you can filter by page name and select one or more pages to assign.
  • Assign to Flex Grid: Adds a selected device or set of devices to a flexible grid. In the Assign to Flex Grids dialog box, you can filter by flex grid name and add the device(s) to one or more flex grids.
  • Assign Geomap: Applies a selected geomap to a set of devices. In the Assign Geomaps dialog box, you can filter by geomap name and select one or more geomaps to assign.
Filter

The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information.

Devices

The Devices table displays the device name, packet in/out count, byte in/out count, and IP fragment in/out count for the currently selected L3 protocol. If no L3 protocol is selected, the packet count and byte count are the sums of all L3 protocol counts for the device. Click the device name to navigate to the device details page.

You can filter the list of devices and manage the assignments for a device or group of devices.

Select Action

Click the checkbox next to one or more devices in the table and then click the Select Action drop-down list to do the following:

  • Open in Metric Explorer: Opens the Metric Explorer to display detailed metrics for a network, application, device, or group.
  • Assign Tag: Applies a user-defined tag to a device. This tag is shown in the Tags section of the device top-level page.
  • Add to Group: Adds a device to a device group. In the Add to Group dialog box, click the drop-down list and select the group to add the device to, or enter a new name to create a device group.
  • Assign Alert: Applies a selected alert to a set of devices. In the Assign Alerts dialog box, you can filter by alert name and select one or more alerts to assign.
  • Assign Trigger: Applies a selected trigger to a set of devices. In the Assign Triggers dialog box, you can filter by trigger name and select one or more triggers to assign.
  • Assign Page: Applies a selected custom page to a set of devices. In the Assign Pages dialog box, you can filter by page name and select one or more pages to assign.
  • Assign to Flex Grid: Adds a selected device or set of devices to a flexible grid. In the Assign to Flex Grids dialog box, you can filter by flex grid name and add the device(s) to one or more flex grids.
  • Assign Geomap: Applies a selected geomap to a set of devices. In the Assign Geomaps dialog box, you can filter by geomap name and select one or more geomaps to assign.
Filter

The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

DSCP

The DSCP sub-page displays the number of packets containing differentiated services code point (DSCP) values.

Packets by DSCP: The Packets by DSCP area chart displays the number of packets containing DSCP values on the network within the selected time interval. The legend lists the DSCP values with the highest count.

Bytes by DSCP: The Bytes by DSCP area chart displays the number of bytes containing DSCP values on the network within the selected time interval. The legend lists the DSCP values with the highest count.
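The counts behind the two DSCP charts can be reproduced from raw IP packets. The following is an added example, not ExtraHop code: it reads the DSCP value from IPv4 and IPv6 headers, tallies packets and bytes per value, and ranks the values the way a chart legend would. The code point names follow RFC 2474, RFC 2597, and RFC 3246. The function names, the use of the full packet length as the byte count, and the constructed sample packets are assumptions of this example.

```python
import struct
from collections import defaultdict


def dscp_of(packet):
    """Return the 6-bit DSCP of an IPv4 or IPv6 packet, or None if unparsable."""
    if len(packet) < 2:
        return None
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        # IPv4: byte 1 is the DS field (DSCP in the upper 6 bits, ECN in the lower 2).
        return packet[1] >> 2
    if version == 6 and len(packet) >= 40:
        # IPv6: the traffic class straddles the low nibble of byte 0
        # and the high nibble of byte 1.
        traffic_class = ((packet[0] & 0x0F) << 4) | (packet[1] >> 4)
        return traffic_class >> 2
    return None


def dscp_name(dscp):
    """Map a DSCP value to its standard name where one exists."""
    if dscp == 46:
        return "EF"
    if dscp & 0b111 == 0:
        return f"CS{dscp >> 3}"
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    if dscp & 1 == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    return f"DSCP {dscp}"


def tally(packets):
    """Return {dscp: [packet count, byte count]} for all parsable packets."""
    totals = defaultdict(lambda: [0, 0])
    for packet in packets:
        dscp = dscp_of(packet)
        if dscp is None:
            continue
        totals[dscp][0] += 1
        totals[dscp][1] += len(packet)
    return dict(totals)


def top_dscp(packets, n, by="packets"):
    """Rank DSCP values by packet or byte count, highest first."""
    index = 0 if by == "packets" else 1
    ranked = sorted(tally(packets).items(),
                    key=lambda item: (-item[1][index], item[0]))
    return [(dscp_name(d), c[0], c[1]) for d, c in ranked[:n]]


def ipv4_packet(dscp, total_len, ecn=0):
    """Constructed IPv4 packet (zeroed addresses and checksum) of total_len bytes."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, total_len,
                         0, 0, 64, 17, 0, bytes(4), bytes(4))
    return header + bytes(total_len - 20)


def ipv6_packet(dscp, payload_len, ecn=0):
    """Constructed IPv6 packet (zeroed addresses) with payload_len payload bytes."""
    traffic_class = (dscp << 2) | ecn
    header = struct.pack("!IHBB", (6 << 28) | (traffic_class << 20),
                         payload_len, 17, 64) + bytes(32)
    return header + bytes(payload_len)


# Constructed sample packets, not taken from a real capture.
SAMPLE_PACKETS = [
    ipv4_packet(46, 200),
    ipv4_packet(46, 200),
    ipv4_packet(46, 200, ecn=3),   # ECN bits do not change the DSCP value
    ipv4_packet(0, 60),
    ipv4_packet(0, 60),
    ipv6_packet(26, 100),          # 40-byte header + 100-byte payload
    b"\x70",                       # too short to parse, ignored
    b"",
]

if __name__ == "__main__":
    for name, pkts, nbytes in top_dscp(SAMPLE_PACKETS, 3):
        print(f"{name:>6}  packets={pkts}  bytes={nbytes}")
```

Ranking by bytes instead of packets can change the order, which is why the legends of the two charts do not always list the same values.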

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

L7 Protocols

The L7 Protocols sub-page displays metrics for OSI Layer 7 traffic by packet count and throughput (total bytes). It also provides metrics on the top devices sending or receiving network traffic. L7 Protocols includes the following sub-pages to present detailed metrics on packets, throughput, and send/receive data:

  • Packets: Displays the L7 packet count data as a line chart.
  • Throughput: Displays the L7 throughput data as a line chart in total bytes per application.
  • Details: Displays the devices sending and receiving traffic for the specified application.

The toolbar for each of these sub-pages provides tools to add the metrics to the Summary dashboard, add the data on the current page to an existing report, and generate a PDF document from the data on the current page.

To view the L7 Protocols sub-page:

  1. In the navigation bar, click Networks.
  2. Under the Capture node, click L7 Protocols.

The Packets by Protocol and Bytes by Protocol charts display activity for the top 10 protocols. To view information about other protocols, click the Details node in the page navigation panel.

To isolate a single protocol, mouse over the protocol in the legend or click the protocol to select it. When you select a protocol, the table displays a list of devices with activity from that protocol. Click a device in the table to view detailed L7 protocol metrics for that device.

To deselect the protocol and view all the top protocols in the chart again, click the selection in the legend again or click the table title below the charts.

To access detailed metrics on the Packets by Protocol or Bytes by Protocol chart:

  • Click the graphic image on the L7 Protocols sub-page.
    OR
  • Expand the L7 Protocols node in the tree and click the Packets or Throughput nodes.

The table at the bottom of the page lists the devices sending or receiving L7 protocol traffic. You can filter the list of devices and manage the assignments for a device or group of devices.

Select Action

Click the checkbox next to one or more devices in the table and then click the Select Action drop-down list to do the following:

  • Open in Metric Explorer: Opens the Metric Explorer to display detailed metrics for a network, application, device, or group.
  • Assign Tag: Applies a user-defined tag to a device. This tag is shown in the Tags section of the device top-level page.
  • Add to Group: Adds a device to a device group. In the Add to Group dialog box, click the drop-down list and select the group to add the device to, or enter a new name to create a device group.
  • Assign Alert: Applies a selected alert to a set of devices. In the Assign Alerts dialog box, you can filter by alert name and select one or more alerts to assign.
  • Assign Trigger: Applies a selected trigger to a set of devices. In the Assign Triggers dialog box, you can filter by trigger name and select one or more triggers to assign.
  • Assign Page: Applies a selected custom page to a set of devices. In the Assign Pages dialog box, you can filter by page name and select one or more pages to assign.
  • Assign to Flex Grid: Adds a selected device or set of devices to a flexible grid. In the Assign to Flex Grids dialog box, you can filter by flex grid name and add the device(s) to one or more flex grids.
  • Assign Geomap: Applies a selected geomap to a set of devices. In the Assign Geomaps dialog box, you can filter by geomap name and select one or more geomaps to assign.
Filter

The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Packets

The Packets area chart displays how applications contribute to the total packet count on the network. In the chart, Date identifies the date and time for the data point on the graph that is currently being viewed. Packets displays the packet rate for the protocol at the given data point on the area chart, and the color block identifies the associated protocol name.

To view detailed metrics on the Packets area chart:

  1. In the navigation bar, click Networks.

  2. Under the Capture node, expand the L7 Protocols node and then click Packets.

  3. To view specific statistics for each data point, move the mouse pointer across the chart to see the packets by application value for each time unit on the x-axis of the graph.

  4. To zoom in on a short time interval, drag across the chart to select a particular region.

    When you release the mouse button, the graph is redrawn, showing only the selected region.

    Note: The scales on the chart’s axes change to reflect the range of values in the selected time interval. In addition, the value in the Time Interval tool is adjusted to reflect the fixed time range selected in the graph.

    In addition, the area covered by each application protocol is amplified, making it easier to access the metrics for each application in the time interval.
Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Throughput

The Bytes by Application area chart displays how applications contribute to the total byte count on the network. In the chart, Date identifies the date and time for the data point on the graph that is currently being viewed. Bytes identifies the throughput for the data point that is currently being viewed in the area chart, and the color block identifies the associated protocol name.

To view detailed metrics on the Bytes by Application area chart:

  1. In the navigation bar, click Networks.
  2. Under the Capture node, expand the L7 Protocols node and then click Throughput.
  3. To view specific statistics for each data point, move the mouse pointer across the chart to see the throughput in megabytes for each unit on the x-axis of the graph.

  4. To zoom in on a shorter time interval, drag across the chart to select a particular region. When you release the mouse button, the graph is redrawn, showing only the selected region.
    Note: The scales on the chart's axes change to reflect the range of values in the selected time interval. In addition, the value in the Time Interval tool is adjusted to reflect the fixed time range selected in the graph.

    In addition, the area covered by each application protocol is amplified, making it easier to access the regions associated with each application in the time interval.
Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Details

The L7 Protocols Details page provides a complete list of protocols, and the packet and byte count for each.

To view application details:

  1. In the navigation bar, click Networks.
  2. Under the Capture node, expand the L7 Protocols node and then click Details.
  3. The L7 Protocols table lists all networking applications detected on the network and displays the associated packet and byte counts.

  4. To sort the table by column, click the column heading, and then click the arrow in the right corner of the column to sort the entries in ascending or descending order.
  5. Click an application type to list the devices sending or receiving traffic for that application type.

  6. To view the packets in/out and bytes in/out for a specific device per application, click the device name.

The ExtraHop Web UI is directed to the Devices functional area and opens the L7 Protocols page for the specific device selected.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Devices

This section provides information about viewing device metrics to troubleshoot network issues at the device level.

The All Devices page includes a table that lists all devices discovered on your networks. The Devices counter at the bottom of the table identifies the number of devices currently displayed in the table. The table can show up to 1000 devices per page.

The All Devices table contains the following columns:

  • Name: The primary name the device uses to communicate on the network. Names are discovered by passively monitoring a variety of naming protocols, including DNS, DHCP, NETBIOS, and Cisco Discovery Protocol. If no name is discovered, a NIC manufacturer-based identifier is assigned by looking at the MAC address. If the MAC address range is not registered or belongs to a private MAC address space, the name echoes the MAC address (for example, Device 00000c0789b1). To the left of the device name, a device type icon identifies activity primarily associated with this device. Mousing over the device name shows a description of the device type, such as:
    • Web server
    • Database server
    • File server
    • Load balancer
    • Gateway
    • Custom device
  • MAC Address: The MAC address is a unique identifier of the device network interface. For physical devices that have multiple interfaces, one entry per interface is maintained. The vendor icon, as determined by the MAC OUI lookup, is displayed to the left of the MAC address.
  • VLAN: The Virtual Local Area Network (VLAN) of the device. VLAN information is extracted from VLAN tags, if the traffic mirroring process preserves them on the mirror port.
  • IP Address: The last IP address the device used to communicate on the network. By default, ARP traffic is used to determine the mapping from MAC addresses to IP addresses. In the absence of such traffic, IP packet header information is used. If there is no ARP traffic, the IP address field is left blank.
  • Discovery Time: The time when the device was first discovered. The day of the week, the calendar date, and the time are displayed in the following format: Wed Feb 23 09:01.
  • Description: Provides a space for an optional, user-defined description.

The All Devices page also includes a search feature that uses plain text or regular expressions to locate the metrics for specific devices on the network. For more information, refer to Device Search.

To view information about a specific device:

  1. In the navigation bar, click Devices.
  2. On the All Devices page, click a device to view its details.

    The device L2 page appears.

  3. Click the name of the device in the left panel to manage the device's assignments.

If a device is licensed for limited analysis, the device details page displays a yellow bar that denotes which metrics may be incomplete or unavailable. For more information about controlling which devices receive limited analysis, refer to Device Limits.

More All Devices Page Activities
Select Action

Click the checkbox next to one or more devices in the table and then click the Select Action drop-down list to do the following:

  • Open in Metric Explorer: Opens the Metric Explorer to display detailed metrics for a network, application, device, or group.
  • Assign Tag: Applies a user-defined tag to a device. This tag is shown in the Tags section of the device top-level page.
  • Add to Group: Adds a device to a device group. In the Add to Group dialog box, click the drop-down list and select the group to add the device to, or enter a new name to create a device group.
  • Assign Alert: Applies a selected alert to a set of devices. In the Assign Alerts dialog box, you can filter by alert name and select one or more alerts to assign.
  • Assign Trigger: Applies a selected trigger to a set of devices. In the Assign Triggers dialog box, you can filter by trigger name and select one or more triggers to assign.
  • Assign Page: Applies a selected custom page to a set of devices. In the Assign Pages dialog box, you can filter by page name and select one or more pages to assign.
  • Assign to Flex Grid: Adds a selected device or set of devices to a flexible grid. In the Assign to Flex Grids dialog box, you can filter by flex grid name and add the device(s) to one or more flex grids.
  • Assign Geomap: Applies a selected geomap to a set of devices. In the Assign Geomaps dialog box, you can filter by geomap name and select one or more geomaps to assign.
Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

More Device Page Activities
Edit the Name

To edit the device name:

  1. On the Device page, click the edit icon to the right of the Name field.

  2. In the Name text box, enter a new name for the device.

  3. Click OK.
Edit the Vendor

To edit the device vendor:

  1. On the Device page, click the icon to the right of the Vendor field.
  2. In the Edit Device Vendor dialog box, click a vendor icon.
    OR
    Click Custom and enter a new name in the Vendor text box.

  3. Click OK.
Add a Description

To add an optional description for the device:

  1. On the Device page, click the edit icon to the right of the Description field.
  2. In the Description text box, enter a description for the device.
  3. Click OK.
Assign Alerts

To assign alert types to the list of active device alerts:

  1. On the Device page, click the add icon to the left of the Alerts field.

  2. In the Assign Alerts dialog box, select the device alerts that you want to show in the network capture.

  3. In the Filter text box, provide an optional filter string to filter the list of alerts by name.
  4. Click OK.
Remove Alerts

To remove alerts from the list of active device alerts:

  1. Go to the Device page and click the Alerts tab.
  2. Click the delete icon to the left of the alert that you want to delete.

To remove an alert assignment:

  1. On the navigation bar, click Settings and then click the Alerts icon.
  2. Click the name of the alert that you want to remove, click the Assignments tab, and then click the delete icon to the left of the name of the device.

Assign a Tag

To assign a tag to a device:

  1. Go to the Device page and click the Tags tab.
  2. Click the + icon next to Tags and enter a name in the text box.
  3. Click OK.

Remove a Tag

To remove a tag:

  1. Go to the Device page and click the Tags tab.
  2. Click the delete icon to the left of the tag that you want to remove.

Assign a Device to a Group

To assign a device to a device group:

  1. Go to the Device page and click the Groups tab.
  2. Click the + icon next to Groups.
  3. Click the drop-down list to select a device group, or enter a different name to create a new device group.
  4. Click OK.

Remove a Device from a Group

To remove a device from a device group:

  1. Go to the Device page and click the Groups tab.
  2. Click the delete icon to the left of the group.

Assign a Trigger

To assign a trigger to a device:

  1. Go to the Device page and click the Triggers tab.
  2. Click the + icon next to Triggers and select the checkbox next to each trigger you want to associate with the device.
  3. Click OK.

Remove a Trigger

To remove a trigger:

  1. Go to the Device page and click the Triggers tab.
  2. Click the delete icon to the left of the trigger that you want to remove.

Assign Custom Pages

To assign custom pages to a device:

  1. On the Device page, click the Pages tab to see the pages assigned to the device.
  2. Click the add icon to the left of the Pages field to assign previously defined pages that you want to show in the device.
  3. In the Assign Pages dialog box, select the device custom page(s) that you want to show in the network capture.

  4. In the Filter text box, provide an optional filter string to filter the list of pages by name.
  5. Click OK.

Remove Custom Pages

To remove pages from the list of active device custom pages:

  1. On the Device page, click the Pages tab to see the pages assigned to the device.
  2. Click the delete icon to the left of the page to remove it from the list.

Assign a Device to a Flex Grid

To assign the device to a flex grid:

  1. Go to the Device page and click the Flex Grids tab.
  2. Click the + icon next to Flex Grids and select the checkbox next to the grid(s) where you want the device to appear.
  3. Click OK.

Remove a Device from a Flex Grid

To remove the device from a flex grid:

  1. Go to the Device page and click the Flex Grids tab.
  2. Click the delete icon to the left of the flex grid.

Assign a Geomap

To assign a geomap:

  1. Go to the Device page and click the Geomaps tab.
  2. Click the + icon next to Geomaps and select the checkbox next to each geomap you want to associate with the device.
  3. Click OK.

Remove a Geomap

To remove a geomap:

  1. Go to the Device page and click the Geomaps tab.
  2. Click the delete icon to the left of the geomap.

View All Assignments

Click the All tab to view all assignments to the device.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

A network capture collects data on numerous network entities. The ExtraHop system can automatically discover devices, virtual machines, applications, and device containers. The ExtraHop auto-discovery feature includes the following methods for discovering devices:

  • By-IP device discovery that allows for better device management in environments that make heavy use of IP aliasing

  • Layer-2 device discovery that discovers devices by MAC address (default)

  • Layer-3 device discovery that simplifies deployment by allowing users to specify a range of IP addresses behind routers to be discovered as devices

  • Layer-3 device container discovery that allows the definition of devices consisting of one or more IP addresses behind routers

You can filter searches to find specific devices or network entities. The Find controls are located below the page-level toolbar in the functional areas that display lists of devices and device data. For example, in the Devices functional area, the All Devices page includes Find controls to help you locate specific devices in the network capture.

By default, the search feature performs a substring search on the value entered in the Find text box. In other words, if you initiate a name search, and the search string is the letter z, then the list of devices returned by the search includes all devices that have a letter z in the name, regardless of position.

If the search string value starts and ends with a forward slash (/), the portion of the input between the slashes is interpreted as a regular expression. The regular expression must use PostgreSQL syntax. Refer to PostgreSQL documentation for more information.

Searches can also be filtered based on any of the following device attributes:

  • any: Matches a substring in any device element.
  • ip address: Matches a substring in the device IP address. The IP address criteria can include CIDR notation in IP address/subnet prefix length format. For example, 10.10.0.0/16 for IPv4 networks or 2001:db8::/32 for IPv6 networks.
  • name: Matches a substring in the device name. The name criteria can include the DHCP name, NETBIOS name, or DNS name.
  • mac address: Matches a substring in the device MAC address.
  • tag: Matches a substring in the user-defined device tag.
  • type: Matches a substring in the device type. Searches by device attributes, including the following:
    • Activity: Includes the metric types that were active in the selected time interval. For example, a search for "http_server" returns devices with HTTP server metrics and any other device with the custom type set to http_server.
    • Device type: Includes server, gateway, http_server, db_server, firewall, load_balancer, and file_server.
    • Class: Includes custom, node, pseudo, and remote.
  • vendor: Matches a substring in the device vendor name as determined by the MAC OID lookup.
  • vlan: Matches a substring in the device Virtual Local Area Network (VLAN) tag. VLAN information is extracted from VLAN tags, if the traffic mirroring process preserves them on the mirror port.

To use the Find controls to create a filtered search:

  1. Browse to a functional area that includes a device list, such as Networks, Devices, or Device Groups.

  2. In the Find text box, enter the characters that you want to use as the search string.

     Note: When entering the search string characters, keep in mind that the string you enter can be fine-tuned to apply to a particular device attribute, like the device name or the MAC address. By default, the device attribute filter is set to any, which applies the search string to all device attributes.

  3. In the by drop-down list, select the device attribute that you want to use in the search.

  4. Click Search.

    The device list is populated with the devices that match the search criteria.
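The Find rules described above (substring by default, `/.../` as a regular expression, CIDR notation for the ip address attribute), as an added Python sketch that is not ExtraHop code. The device inventory is constructed, Python's `re` module stands in for PostgreSQL regular-expression syntax, and case-sensitive matching and honoring CIDR only under the ip address attribute are assumptions the guide does not state.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    ip: str
    mac: str
    vendor: str
    vlan: str
    type: str
    tag: str


# Constructed inventory for illustration; not data from the guide.
DEVICES = [
    Device("web-01.example.test", "10.10.4.21", "00:00:0c:07:89:b1", "Cisco", "110", "http_server", "dmz"),
    Device("web-02.example.test", "10.10.4.22", "00:00:0c:07:89:b2", "Cisco", "110", "http_server", "dmz"),
    Device("db-01", "10.20.0.5", "00:50:56:aa:10:05", "VMware", "120", "db_server", "pci"),
    Device("fs-nz-01", "172.16.10.1", "00:50:56:aa:20:01", "VMware", "130", "file_server", "branch"),
    Device("zebra-printer", "192.168.7.40", "00:07:4d:11:22:33", "Zebra", "140", "node", "branch"),
    Device("gw-v6", "2001:db8::1", "00:00:0c:aa:bb:01", "Cisco", "1", "gateway", "core"),
]

# Attribute names as they appear in the "by" drop-down list ("any" is handled separately).
ATTRIBUTES = {
    "ip address": lambda d: [d.ip],
    "name": lambda d: [d.name],
    "mac address": lambda d: [d.mac],
    "tag": lambda d: [d.tag],
    "type": lambda d: [d.type],
    "vendor": lambda d: [d.vendor],
    "vlan": lambda d: [d.vlan],
}


def values(device, by):
    """Return the strings a search is applied to for the chosen attribute."""
    if by == "any":
        return [v for getter in ATTRIBUTES.values() for v in getter(device)]
    if by not in ATTRIBUTES:
        raise ValueError(f"unknown device attribute: {by!r}")
    return ATTRIBUTES[by](device)


def build_matcher(text, by="any"):
    """Classify a Find string and return (mode, predicate)."""
    # A string that starts and ends with "/" is a regular expression.
    if len(text) >= 2 and text.startswith("/") and text.endswith("/"):
        try:
            pattern = re.compile(text[1:-1])
        except re.error as exc:
            raise ValueError(f"invalid regular expression: {exc}") from exc
        return "regex", lambda value: pattern.search(value) is not None

    # The ip address attribute accepts address/prefix-length notation.
    if by == "ip address" and "/" in text:
        try:
            network = ipaddress.ip_network(text, strict=False)
        except ValueError:
            network = None  # not valid CIDR: fall through to substring
        if network is not None:
            def in_network(value):
                try:
                    addr = ipaddress.ip_address(value)
                except ValueError:
                    return False
                return addr.version == network.version and addr in network
            return "cidr", in_network

    # Default: substring match, regardless of position.
    return "substring", lambda value: text in value


def find(devices, text, by="any"):
    """Return the names of devices that match the Find string."""
    _mode, matches = build_matcher(text, by)
    return [d.name for d in devices if any(matches(v) for v in values(d, by))]


if __name__ == "__main__":
    for query, attr in [("z", "name"), ("/^web-[0-9]+/", "name"),
                        ("10.1", "ip address"), ("10.10.0.0/16", "ip address"),
                        ("2001:db8::/32", "ip address"), ("http_server", "any")]:
        print(f"{query!r} by {attr}: {find(DEVICES, query, attr)}")
```

The substring `10.1` also matches `172.16.10.1`, while the CIDR form `10.10.0.0/16` returns only the hosts inside that subnet, which is the safer way to scope an inventory query to one network.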

Overview

The Devices Overview sub-page includes interactive charts that provide an overview of a selected device.

To view the Overview sub-page:

  1. In the navigation bar, click Devices.
  2. Click an application in the list.
  3. On the page navigation panel, click Overview.

Each chart shows an overview of activity for all active protocols. You can also view details for only certain protocols as well as a summary of a specific time or date.

To show overall details for only certain protocols, select those protocols in the chart legend.

To show a summary of activity for a specific time or date, mouse over the time period of interest.

  • For statistical charts, a pop-up dialog showing a five-number summary appears, including the minimum, lower quartile, median, upper quartile, and maximum values.
  • For area charts, a pop-up dialog showing total count and time appears.

Note: Because area charts are stacked, the total count represented by the number on the left side of the chart is a sum of the count for each individual protocol.

To show a particular region of the chart, click and drag across that region.

To show only a specific protocol in the chart, mouse over the protocol in the chart legend.

To view details for a specific protocol, click it in the chart. The protocol's application page appears.

For more information about working with the charts, refer to Drill-Down Functionality. For information about a specific protocol, refer to that protocol's application topic.

Transactions: Shows the total number of transactions (requests and their responses) for the active protocols excluding SSL and ICA, which are not transactional protocols.

Errors: Shows the total number of errors for the active protocols excluding SSL and ICA.

Transaction Time: Shows the total server processing time for the active protocols.

Total Time: Shows the total time, which includes request transfer time, server processing time, and response transfer time.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Custom Page

If a custom page has been assigned to a device, the name of the custom page appears in the left panel.

To view a custom page for a device:

  1. In the navigation bar, click Devices.
  2. In the All Devices table, click a device.
  3. In the page navigation panel within the Device functional area, click the name of the custom page to view the page.

Toolbar and Metric Display
Edit Page

Click the Edit Page button to perform one of the following actions.

Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Alert History

The Alert History sub-page provides an alert summary for network-level alerts. The ExtraHop system can be configured to generate both threshold and trend-based alerts for any metric in the system. Alerts can be configured to send email notifications or SNMP traps as proactive early warnings for potential performance problems.

The device Alert History page displays all alerts, including alerts that have been acknowledged previously, and the corresponding time for each alert for the current device. The Alert History page also includes additional information about trend alerts that have fired.

To use the Alert History page, you must first create alerts. For more information, refer to Alert Configuration.

To view the alert history for a device:

  1. In the navigation bar, click Devices.

  2. In the All Devices table, click a device.

  3. In the page navigation panel within the Device functional area, click Alert History.

  4. Find a specific alert in the table.

    (ECM Only) Click the Show drop-down list and select one of the following options:

    • All Alerts: Displays alerts created on the ECM and the node.
    • ECM Alerts: Displays alerts created on the ECM only.
    • Local Alerts: Displays alerts created on the node only.

    To sort the table by time, click the Time column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

    To sort the table by alert entry, click the Alerts column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

  5. Click the alert to view more information. The Alert Details pop-up window includes the following:

    • Name: The name of the alert.
    • Expression: The metric, time interval, operator, and sensitivity that were defined when the alert was created.
    • Value: The value of the metric at the time the alert fired. This is used for comparison against the alert expression.
    • Description: The optional user-defined description of the alert.

    For trend alerts, the Trend Alert Details pop-up window includes the following:

    • Name: The name of the alert.
    • Alert Conditions: The type of alert, time interval, operator, and/or percentage of the trend that were defined when the alert was created.
    • View at Time of Alert: The alert graph from when the alert was fired.
    • View Current State: The alert graph of the current trend state of the alert.

To view trend alerts:

  1. On the Alert History page, click the Current Trend State tab to view a list of trend-based alerts assigned to the device.

  2. Find a specific trend in the table.

    To sort the table by trend, click the Trend column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

    To sort the table by metric, click the Stat column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

  3. Click the trend name to view more information about the trend alert.

  4. Click the Alert Graphs tab to view the trend alert over time and whether or not it has fired.

    • Alert Condition Nominal: Indicates the metrics being gathered have not reached an alert state.

    • Alert Firing: Indicates that the metrics being gathered have met the alert criteria.

  5. Click the Alert Rules tab to view the rules of the trend alert and whether or not it has fired.

    • Alert Condition Nominal: Displays the alert rules in green.

    • Alert Firing: Displays the alert rules in red.

  6. Click Back to Trend Alerts to return to the Current Trend State table.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

L3 Devices

The L3 Devices sub-page lists the L3 devices associated with the device.

To view L3 devices:

  1. In the navigation bar, click Devices.
  2. In the All Devices table, click a device.
  3. In the page navigation panel within the Device functional area, click L3 Devices.

  4. To search for a device in the table, enter a search string in the Find text box. For more information about searching for a device, refer to Device Search.

The table contains the following columns:

  • Name: The primary name the device uses to communicate on the network. Names are discovered by passively monitoring a variety of naming protocols, including DNS, DHCP, NETBIOS, and Cisco Discovery Protocol. If a device name is not discovered, a NIC manufacturer-based identifier is assigned to the device by looking at the MAC address. If the MAC address range is not registered, or if it belongs to a private MAC address space, the name includes the last six characters of the MAC address (for example, Device 00000c0789b1).

    The device-type icon to the left of the device name identifies the activity primarily associated with this device. Mousing over the device name displays a tool tip that describes the device type, for example:

    • Web Server
    • DB Server
    • File Server
    • Load Balancer
    • Gateway

    The device name and type can be edited by clicking on the name and using the edit tools on the Device page.

  • MAC Address: The MAC address is a unique identifier of the device network interface. For physical devices that have multiple interfaces, one entry per interface is maintained. The vendor icon displays to the left of MAC Address as determined by the MAC OID lookup.
  • VLAN: The VLAN tag of the device.
  • IP Address: The primary IP address the device uses to communicate on the network. By default, Address Resolution Protocol (ARP) traffic is used to determine the mapping from MAC addresses to IP addresses. In the absence of such traffic, IP packet header information is used. If there is no ARP traffic, the IP address 0.0.0.0 is assigned to routing devices, such as gateways, firewalls, and load balancers, to indicate that they handle packets from many sources.
  • Discovery Time: The time when the device was first discovered. The day of the week, the calendar date, and time are displayed in the following format: Wed Feb 23 09:01.
  • Description: A user-defined description of the device. To edit the device description, click the device name and use the edit tools on the Device page.

Toolbar and Metric Display
Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Geomaps

The Geomaps sub-page lists the geomaps associated with the device. Geomaps display worldwide activity based on the metrics defined in that geomap. For more information about geomap settings, refer to Geomaps.

To view a list of geomaps:

  1. In the navigation bar, click Devices.
  2. In the All Devices table, click a device.
  3. In the page navigation panel within the Device functional area, click the Geomaps node to view the geomap details.

To sort the table alphabetically by geomap, click the Geomap column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

To sort the table alphabetically by metric, click the Metric column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

For more information about the geomap interface, refer to Geomap Interface.

Toolbar and Metric Display
Pin to Summary

Click the Add to Summary button to add this page view to the Summary page. Click OK and go to the Summary page to view the change.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Multicast

The Multicast sub-page for a device displays metrics for multicast and broadcast traffic on the network.

To view multicast traffic:

  1. In the navigation bar, click Devices.
  2. In the All Devices table, click a device.
  3. In the page navigation panel within the Device functional area, click Multicast.

Well-known multicast groups include:

  • IEEE Spanning Tree (STP)
  • Address Resolution Protocol (ARP)
  • IPv6 Neighbor Discovery Protocol (NDP)
  • Cisco Discovery Protocol (CDP)
  • Cisco Shared Spanning Tree Protocol (CSSTP)
  • Alternate Spanning Multicast (ALTSM)
  • Routing Information Protocol (RIP)
  • Network Time Protocol (NTP)
  • OSPF
  • MPLS
  • Inter Switch Link (ISL)
  • Cisco VLAN Bridge (CVB)
  • DHCP client (DHCP_CLIENT)
  • DHCP server (DHCP_SERVER)
  • NETBIOS Name Service (NETBIOS_NS)
  • NETBIOS Datagram Service (NETBIOS_DGM)
  • Multicast DNS (MDNS)
  • Hot Standby Router Protocol (HSRP)
  • Uncategorized L2 broadcast (L2BCAST)

Other multicast groups are represented using the numeric form of the group address, protocol, and L4 port.

  • Packet Count by Group: The Packet Count by Group bar chart displays the packet count for each of the top-ten multicast groups in which the selected device participates.
  • Byte Count by Group: The Byte Count by Group bar chart displays the byte count for each of the top-ten multicast groups in which the selected device participates.
  • Multicast Groups: The Multicast Groups table displays the multicast group, packet group, and byte count for the selected device.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

L2

To view the L2 device-level metrics:

  1. In the navigation bar, click Devices.
  2. In the All Devices table, click a device.
  3. Under the device node, click L2.
  4. To access detailed metrics on the Packets or Throughput page, click the graphic image on the L2 summary page or expand the L2 node in the tree and click the Packets or Throughput node.

For device and device group metrics, the L2 page includes the following data:

  • VLAN Tagged: The number of frames containing VLAN tags observed over the selected time interval. In reflects the number of VLAN-tagged frames received by the device. Out reflects the number of VLAN-tagged frames sent by the device.

  • Packets: The Packets line chart displays the incoming and outgoing packet rate (packets per second) over the selected time interval.

  • Throughput: The Throughput line chart displays the incoming and outgoing throughput (bits per second) over the selected time interval.

  • Frame Count by Size: The Frame Count by Size bar chart displays a logarithmic-scale histogram of the distribution of incoming and outgoing Ethernet frame size.

  • Frame Count by Type: The Frame Count by Type bar chart displays a logarithmic-scale histogram of the distribution of frames by L2 Ethertype (ipv4, ipv6, arp, ipx, mpls, lacp, stp, 802.1X, and other).

  • Frame Count by Distribution: The Frame Count by Distribution bar chart displays a logarithmic-scale histogram of the distribution of frames by L2 type (unicast, multicast, and broadcast).

Toolbar and Metric Display
Pin to Summary

Click the Add to Summary button to add this page view to the Summary page. Click OK and go to the Summary page to view the change.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Packets

The Packets In and Packets Out line charts display the packet rate (in packets per second) for the selected device over the given time interval. On the line chart in the L2 page summary, Current and Max identify the current and maximum packet rates for the given time period, respectively. Total identifies the total number of packets for the selected time interval. To view specific statistics for each data point, move the mouse pointer across the chart to see the packets per second value for each unit on the x-axis of the graph.

You can click and drag across the chart to zoom in on a particular region. When you zoom in this way, the value in the Time Interval control adjusts automatically to reflect the selected interval. For more information about zooming in, see Zooming in on a Fixed Time Period.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Throughput

The Throughput In and Throughput Out line charts display the throughput (in bits per second) over the selected time interval. On the line chart in the L2 page summary, Current and Max identify the current and maximum throughputs. Total identifies the total number of bytes transferred over the selected time interval. To view specific statistics for each data point, move the mouse pointer across the chart to see the throughput in megabits per second for each unit on the x-axis of the graph.

You can click and drag across the chart to zoom in on a particular region. When you zoom in this way, the value in the Time Interval control adjusts automatically to reflect the selected interval. For more information about zooming in, see Zooming in on a Fixed Time Period.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

L3

To view the L3 device-level metrics:

  1. In the navigation bar, click Devices.
  2. In the All Devices table, click a device.
  3. Under the device node, click L3.

For device and device group metrics, the L3 page includes the following data:

  • IP Fragments: Displays the IP fragments in and out for the device.
  • Packet Count by Protocol: The Packet Count by Protocol bar chart displays the incoming and outgoing packet count for each L3 protocol type. Click a bar in the chart to display the table of devices transmitting or receiving the selected L3 protocol.
  • Byte Count by Protocol: The Byte Count by Protocol bar chart displays the incoming and outgoing byte count for each L3 protocol type. Click a bar in the chart to display the table of devices transmitting or receiving the selected L3 protocol. IP types include TCP, UDP, ICMP, SCTP, IPSEC, GRE, ICMP6, VRRP, and OTHER.
  • Devices: The Devices table displays the IP addresses and host names with which the device or group of devices communicates, along with the packet in/out count and byte in/out count for the currently selected L3 protocol. If no L3 protocol is selected, the packet count and byte count are the sums of all L3 protocol counts for the device. Click the device name to navigate to the device.

The table at the bottom of the page lists the devices associated with this device. You can filter the list of devices and manage the assignments for a device or group of devices.

Select Action

Click the checkbox next to one or more devices in the table and then click the Select Action drop-down list to do the following:

  • Open in Metric Explorer: Opens the Metric Explorer to display detailed metrics for a network, application, device, or group.
  • Assign Tag: Applies a user-defined tag to a device. This tag is shown in the Tags section of the device top-level page.
  • Add to Group: Adds a device to a device group. In the Add to Group dialog box, click the drop-down list and select the group to add the device to, or enter a new name to create a device group.
  • Assign Alert: Applies a selected alert to a set of devices. In the Assign Alerts dialog box, you can filter by alert name and select one or more alerts to assign.
  • Assign Trigger: Applies a selected trigger to a set of devices. In the Assign Triggers dialog box, you can filter by trigger name and select one or more triggers to assign.
  • Assign Page: Applies a selected custom page to a set of devices. In the Assign Pages dialog box, you can filter by page name and select one or more pages to assign.
  • Assign to Flex Grid: Adds a selected device or set of devices to a flexible grid. In the Assign to Flex Grids dialog box, you can filter by flex grid name and add the device(s) to one or more flex grids.
  • Assign Geomap: Applies a selected geomap to a set of devices. In the Assign Geomaps dialog box, you can filter by geomap name and select one or more geomaps to assign.

Filter

The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

ICMP Details

The ICMP Details page includes the following data:

  • ICMP Packets In: Displays a list of ICMP response types and associated packet counts received by the current device in the selected time interval.
  • ICMP Packets Out: Displays a list of ICMP response types and associated packet counts sent by the current device in the selected time interval.
  • ICMPv6 Packets In: Displays a list of ICMPv6 response types and associated packet counts received by the current device in the selected time interval.
  • ICMPv6 Packets Out: Displays a list of ICMPv6 response types and associated packet counts sent by the current device in the selected time interval.

The following is a list of ICMP types and codes recognized by the ExtraHop system:

  • Destination Unreachable:
    • Dest Unreach - Network
    • Dest Unreach - Host
    • Dest Unreach - Protocol
    • Dest Unreach - Port
    • Dest Unreach - Fragmentation Needed
    • Dest Unreach - Source Route
  • Time Exceeded:
    • Time Exceeded - Transit
    • Time Exceeded - Fragment Reassembly
  • Redirection:
    • Redirect - Network
    • Redirect - Host
    • Redirect - ToS Network
    • Redirect - ToS Host
  • Miscellaneous:
    • Bad Param
    • Source Quench
    • Echo
    • Echo Reply
    • Timestamp
    • Timestamp Reply
    • Info Request
    • Info Reply
  • ICMPv6 Destination Unreachable:
    • Dest Unreach - No route
    • Dest Unreach - Prohibited
    • Dest Unreach - Bad scope
    • Dest Unreach - Host
    • Dest Unreach - Port
  • ICMPv6 Time Exceeded:
    • Time Exceeded - Transit
    • Time Exceeded - Fragment Reassembly
  • ICMPv6 Parameter Problem:
    • Bad Param - Header Error
    • Bad Param - Unknown Next Header
    • Bad Param - Unknown Option
  • ICMPv6 Miscellaneous:
    • Packet Too Big
    • Echo
    • Echo Reply
    • MLD Query
    • MLD Report
    • MLD Done
    • ND Router Solicit
    • ND Router Advert
    • ND Neighbor Solicit
    • ND Neighbor Advert
    • ND Redirect
    • Router renumber
    • FQDN Query
    • FQDN Reply
    • MLDv2 Listener Report
    • MLD Mtrace Rsp
    • MLD Mtrace

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

DSCP

The DSCP sub-page displays the number of packets containing differentiated services code point (DSCP) values.

Packets In by DSCP: The Packets In by DSCP area chart displays the number of incoming packets containing DSCP values on the network within the selected time interval. The legend lists the DSCP values with the highest count.

Packets Out by DSCP: The Packets Out by DSCP area chart displays the number of outgoing packets containing DSCP values on the network within the selected time interval. The legend lists the DSCP values with the highest count.

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

L4 TCP

To view the TCP device-level metrics:

  1. In the navigation bar, click Devices.
  2. In the All Devices table, click a device.
  3. Under the device node, click TCP.

The TCP device toolbar includes the following controls:

The TCP Details drop-down list specifies what type of additional TCP information is displayed when a counter is clicked next to each top-level metric. The user can choose between the following options: By IP for IP addresses and By L7 Protocol. For example, the top-level metric, TCP Closed connections, shows how many connections were closed by the current device during the selected time frame. Selecting By IP and clicking on the closed counter will show which IP addresses originated these connections. Selecting By L7 Protocol and clicking on the closed counter will show which applications were accessed by the requestor.

For device metrics, the TCP page includes the following data:

Connections: The TCP connection metrics for the specified time interval.

  • Accepted: Number of inbound connections accepted by the device. Click to display the peer devices from which the connections originated and the associated round-trip time.

  • Connected: Number of outbound connections initiated by the device. Click to display the peer devices to which the connections were established and the associated round-trip time.

  • Closed: Number of connections explicitly shut down by the device or its peer. Closed connections are explicitly shut down by at least one of the endpoints. Click to display the peer devices for which the connections were closed.

  • Aborted: Number of connections aborted by the current device. Aborted connections are reset explicitly by one of the endpoints. In some cases, this indicates that an error occurred. Click to display the peer devices to which the current device aborted the connections.

  • Expired: Number of connections involving the device for which tracking was stopped due to inactivity. Click to display the peer devices with which the connections were associated.

  • Established: For a given time interval, the number of open connections involving the device at the end of the interval. Click to display the peer devices with which connections have been established.

  • Established Max: Maximum number of established connections observed at any point within the selected time interval.

  • Desync: Number of times synchronization was lost when processing TCP connections for the device. Large numbers might indicate dropped packets on the monitoring interface, SPAN, or network tap.

The Connections Chart displays the number of accepted, connected, closed, and aborted connections as a function of time over the selected time interval.

Click the chart to display a larger version. Date represents the date and time for the currently moused-over point on the graph. Connects, Accepts, Closes, and Aborts represent the number of outgoing, incoming, closed, and aborted connections respectively for the currently moused-over point in the graph. Click and drag across the chart to select a particular region.

The Round-Trip Time line chart displays the median round-trip time in milliseconds from the current device to all peer devices as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

The Retransmission Timeouts bar chart represents retransmission timeouts in and out of the current device as a function of time over the selected time interval. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

The Throttling In: Receive Windows and Zero Windows line chart represents the incoming receive and zero windows of the current device as a function of time over the selected time interval. Click and drag across the chart to select a particular region.

The Throttling Out: Receive Windows and Zero Windows line chart represents the outgoing receive and zero windows of the current device as a function of time over the selected time interval. Click and drag across the chart to select a particular region.

More Information about L4 TCP
How TCP Works

TCP divides data into segments and does the following:

  1. Routes segments through the network.
  2. Reassembles segments at the destination.
  3. Verifies accuracy and correct assembly order.
  4. Streams data to the application.

TCP segments include a header section that contains the destination IP address and a data section that includes message data.

TCP flow control works as follows:

  1. The client tells the server the number of bytes it is willing to receive at one time.
  2. The client's receive window becomes the server's send window.
  3. Likewise, the server tells the client how many bytes of data it is willing to take.
  4. The server's receive window becomes the client's send window.

How Throttling Works

The following process describes a receive window throttle condition:

  1. The ExtraHop system sees the receive window from the receiver come in at 16 KB.
  2. The ExtraHop system sees the sender drop 16 KB on the wire and then stop sending data.
  3. A few milliseconds later, the ExtraHop system sees another ACK come in from the receiver, advancing the window another 16 KB.
  4. The ExtraHop system sees the sender drop another 16 KB on the wire.
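
The following Python is an added example, not part of the ExtraHop product or the original guide. It detects the receive window throttle condition described above in a trace of one flow and reports how long the sender sat blocked each time. The event format, the function names, and both sample traces are constructed assumptions; sequence numbers are relative to the start of the flow.

```python
from dataclasses import dataclass


@dataclass
class Stall:
    filled_at_us: int    # sender's data reached the right edge of the window
    reopened_at_us: int  # receiver's ACK moved the right edge forward
    window_bytes: int    # advertised receive window that was used up

    @property
    def duration_us(self):
        return self.reopened_at_us - self.filled_at_us


def find_receive_window_stalls(trace):
    """Return the stalls in a time-ordered trace of one flow.

    Assumed event format: receiver events carry type "ack", t_us, ack, win;
    sender events carry type "data", t_us, seq, len. Sequence numbers are
    relative to the start of the flow, so wraparound is not handled.
    """
    right_edge = None  # highest byte the receiver currently allows: ack + win
    window = 0
    next_seq = 0       # one past the highest byte the sender has transmitted
    filled_at = None   # set while the sender is blocked on a full window
    stalls = []
    for ev in trace:
        if ev["type"] == "ack":
            new_edge = ev["ack"] + ev["win"]
            if filled_at is not None and new_edge > right_edge:
                stalls.append(Stall(filled_at, ev["t_us"], window))
                filled_at = None
            # A well-behaved receiver never moves the right edge backwards.
            right_edge = new_edge if right_edge is None else max(right_edge, new_edge)
            window = ev["win"]
        elif ev["type"] == "data":
            # Retransmissions do not advance next_seq.
            next_seq = max(next_seq, ev["seq"] + ev["len"])
            if filled_at is None and right_edge is not None and next_seq >= right_edge:
                filled_at = ev["t_us"]
    return stalls


def throttled_fraction(trace):
    """Share of the trace's time span the sender spent blocked on the window."""
    span = trace[-1]["t_us"] - trace[0]["t_us"]
    stalled = sum(s.duration_us for s in find_receive_window_stalls(trace))
    return stalled / span if span else 0.0


def ack(t_us, ack_no, win):
    return {"type": "ack", "t_us": t_us, "ack": ack_no, "win": win}


def burst(start_us, first_seq, count=16, seg_len=1024, gap_us=50):
    """Constructed helper: `count` back-to-back data segments from the sender."""
    return [{"type": "data", "t_us": start_us + i * gap_us,
             "seq": first_seq + i * seg_len, "len": seg_len} for i in range(count)]


WIN = 16 * 1024  # the 16 KB receive window from the steps above

# Constructed trace: the sender fills 16 KB, then waits about 4 ms for each ACK.
THROTTLED = ([ack(0, 0, WIN)] + burst(100, 0) + [ack(4850, WIN, WIN)]
             + burst(4950, WIN) + [ack(9700, 2 * WIN, WIN)])

# Constructed trace: same data, but a 64 KB window is never exhausted.
UNTHROTTLED = ([ack(0, 0, 4 * WIN)] + burst(100, 0) + [ack(900, WIN, 4 * WIN)]
               + burst(1000, WIN) + [ack(1800, 2 * WIN, 4 * WIN)])

if __name__ == "__main__":
    for s in find_receive_window_stalls(THROTTLED):
        print(f"window of {s.window_bytes} bytes full for {s.duration_us} us")
    print(f"throttled {throttled_fraction(THROTTLED):.0%} of the trace")
```
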

Toolbar and Metric Display
Open in Metric Explorer

Click the Open in Metric Explorer button to add these metrics to a widget in the Metric Explorer.

Activity Map

Click the Activity Map button. In the Activity Map window, you can specify the output format, select an activity filter, label connections by activity type, and hide inactive devices, if applicable.

On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Add to Report

Click the Add to Report button to add information to a selected report. Click the Add to Report drop-down list, select an existing report, and click OK.

To create a new report, click the Add to Report button. Click the Add to Report drop-down list and select New Report. In the Report Configuration window, enter a report name and click OK. The new name appears in the Add to Report drop-down list. Select the name and click OK.

PDF

Click the PDF button to generate a PDF of the current interface page.

Pin to Summary

Click the Pin to Summary button to add this page view to the list of Summary dashboards. Click OK and the ExtraHop Web UI redirects to the Summary page.

Export Data

Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.

Details

Specifies what type of additional TCP information is displayed when a counter is clicked next to each top-level metric. You can choose between the following options: By IP for IP addresses and By L7 Protocol. For example, TCP Closed connections is a top-level metric showing how many connections were closed by the current device during the selected time frame. Selecting By IP and clicking on the closed counter will show which IP addresses originated these connections. Selecting By L7 Protocol and clicking on the closed counter will show which applications were accessed by the requestor.

The L4 TCP Details page includes the following data:

  • Connections: The TCP connection metrics for the current device.

    • Accepted: Number of inbound connections accepted by the device. Click to display the peer devices from which the connections originated and the associated round-trip time.

    • Connected: Number of outbound connections initiated by the device. Click to display the peer devices to which the connections were established and the associated round-trip time.

    • Closed: Number of connections explicitly shut down by the device or its peer. Closed connections are explicitly shut down by at least one of the endpoints. Click to display the peer devices for which the connections were closed.

    • Expired: Number of connections involving the device for which tracking was stopped due to inactivity. Click to display the peer devices with which the connections were associated.

    • Established: For a given time interval, the number of open connections involving the device at the end of the interval. Click to display the peer devices with which connections have been established.

    • Established Max: Maximum number of established connections observed at any point within the selected time interval.

    • Desync: Number of times synchronization was lost when processing TCP connections for the device. Large numbers might indicate dropped packets on the monitoring interface, port mirror, or network tap.