Web UI Guide

About this guide

This guide provides information about the web-based user interface (Web UI) for the ExtraHop Discover and Command appliances.

The purpose of this guide is to help users understand the ExtraHop system architecture and functionality as well as learn how to operate the controls, fields, and options available throughout the Web UI.

Administrator features and functions are explained in the ExtraHop Admin UI Guide.

Introduction to the ExtraHop system

Discover, observe, and analyze data with the ExtraHop system to get insights about what is happening on your network—from packets to payloads—in real time.

The ExtraHop system helps you to monitor network activity and all your applications. For example, you can learn how well applications are using network resources, how systems and devices are communicating with each other, and how to identify transactions that are flowing across the data link layer (L2) up to application layer (L7) in your network.

Overall, the ExtraHop platform works in the following ways:
  • Passively collecting flow data and transactions from wire data
  • Collecting NetFlow and IPFIX traffic from remote flow networks
  • Automatically discovering and classifying devices that are communicating on the network
  • Providing you with over 3,400 built-in metrics for dozens of protocols
  • Enabling you to create custom metrics, alerts, and reports

ExtraHop platform architecture

The ExtraHop platform comprises a suite of appliances that are designed to passively monitor the network traffic in your environment in real time. The ExtraHop system provides you with top-level and detailed metrics about the devices on your network, which you can analyze to determine where problems in your network might be developing.

ExtraHop Discover Appliance

The ExtraHop Discover appliance (EDA) provides the ability to analyze and visualize all of your network, application, client, infrastructure, and business data. The EDA passively collects unstructured wire data—all of the transactions on your network—and transforms this data into structured wire data.

Deploy a single EDA, either physical or virtual, anywhere in your network environment.

ExtraHop Explore Appliance

The ExtraHop Explore appliance (EXA) integrates with the ExtraHop Discover appliance to store transaction and flow records sent from the EDA. You can see, save, and search the structured flow and transaction information about events on your network with a simple, unified UI, with no modifications to your existing applications or infrastructure. Deploy a cluster of three or more EXA nodes to take advantage of data redundancy and performance improvements.

ExtraHop Command Appliance

The ExtraHop Command appliance (ECA) provides centralized management and reporting across multiple ExtraHop Discover appliances that are distributed across datacenters, branch offices, and the public cloud.

With an Explore appliance or cluster, you can pair the Explore appliance to multiple Discover appliances, and then query the records stored on each Discover node from the Command appliance.

For most large ExtraHop deployments, a dedicated ECA is the most efficient way to manage all of your remote appliances.

Metrics in the ExtraHop system

ExtraHop enables you to collect and analyze both wire and machine data. Wire data is observed in real time, which provides information about what’s happening on your network. Flow data, a type of machine data, can also be collected from a network device and sent to the ExtraHop system for analysis or storage. Flow data is an alternative if wire data cannot be collected from a remote network.

Wire data

With wire data, the ExtraHop system passively collects a copy of unstructured packets through a port mirror or tap and stores the data in the appliance datastore. The copied data goes through real-time stream processing, which transforms the packets into structured wire data through the following stages:
  1. TCP state machines are recreated to perform full-stream reassembly.
  2. Packets are constructed into flows.
  3. The structured data is analyzed, which leads to the following results:
    1. Transactions are identified.
    2. Devices are automatically discovered by MAC and IP address detection and then classified by their activity.
    3. Metrics are generated and associated with protocols and sources, and the metric data is then aggregated into metric cycles. For more information, see the Sources section.
      Note: Aggregation rollups, also referred to as metric cycles, help determine the granularity of metric data in time series analyses. For more information, see the Time interval section.

Flow data

With flow data, network devices (also referred to as flow exporters) are configured to cache and send network flow reports to a remote device, such as an ExtraHop Discover appliance. The ExtraHop system receives and analyzes these reports in the appliance datastore through the following process.

  1. Flow exporters detect and format traffic, caching information about the flow, including source and destination IP addresses, port, IP protocol, and number of bytes and packets.
  2. The flow exporter sends the cached information from the flow network to the Discover appliance, which acts as a collector and analyzer for the flow data.
  3. The flow network traffic is analyzed and processed as follows:
    1. Flows are identified.
    2. Metrics are aggregated for the total number of bytes and total number of packets in each flow.
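
The collector side of this process can be sketched as follows. This is an added example, not ExtraHop code: it assumes the exporter sends NetFlow version 5 datagrams (the page does not name a version), and the function names and sample flows are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout: 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_V5_RECORDS = 30


def parse_v5(datagram):
    """Return [(flow_key, packets, octets)] for one NetFlow v5 datagram.

    flow_key is (src_ip, dst_ip, src_port, dst_port, ip_protocol).
    Raises ValueError for anything that is not a well-formed v5 export.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if count > MAX_V5_RECORDS:
        raise ValueError("record count exceeds the v5 maximum")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        key = (socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[9], f[10], f[13])
        flows.append((key, f[5], f[6]))  # f[5] = packets, f[6] = octets
    return flows


def aggregate(datagrams):
    """Sum bytes and packets per flow; count datagrams that fail validation."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0})
    rejected = 0
    for datagram in datagrams:
        try:
            flows = parse_v5(datagram)
        except ValueError:
            rejected += 1  # a collector should count and drop, never guess
            continue
        for key, packets, octets in flows:
            totals[key]["bytes"] += octets
            totals[key]["packets"] += packets
    return dict(totals), rejected


def build_v5(records):
    """Helper that constructs a v5 datagram for the sample data below."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                       0, 0, packets, octets, 0, 0, sport, dport,
                       0, 0, proto, 0, 0, 0, 0, 0, 0)
        for (src, dst, sport, dport, proto, packets, octets) in records
    )
    return header + body


# Constructed sample exports: one HTTPS flow reported in two datagrams,
# one DNS flow, a truncated datagram and a datagram with the wrong version.
HTTPS = ("10.10.0.10", "10.10.0.20", 49152, 443, 6)
DNS = ("10.10.0.11", "10.10.0.53", 53000, 53, 17)
FIRST = build_v5([HTTPS + (10, 4000), DNS + (1, 80)])
SECOND = build_v5([HTTPS + (5, 1500)])
TRUNCATED = SECOND[:-8]
WRONG_VERSION = struct.pack("!HH", 9, 0) + bytes(20)
SAMPLE_DATAGRAMS = [FIRST, SECOND, TRUNCATED, WRONG_VERSION]

if __name__ == "__main__":
    totals, rejected = aggregate(SAMPLE_DATAGRAMS)
    for key, counters in totals.items():
        print(key, counters)
    print("rejected datagrams:", rejected)
```

A flow that the exporter reports more than once is summed under a single key, and datagrams whose length does not match the declared record count are rejected rather than partially parsed.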

Device discovery

The ExtraHop system automatically discovers devices based on what is happening on the network. ExtraHop has two device discovery modes: layer 2 (L2) discovery and layer 3 (L3) discovery.

L2 discovery
Detects an L2 address (MAC address).
L3 discovery
Detects an L3 address (IP address). This mode is the default and most commonly deployed discovery mode. The ExtraHop system discovers the IP address for a device by monitoring ARP (Address Resolution Protocol) responses, and then matching the MAC address in the response to a parent L2 device. The ExtraHop system maintains the linkage between L2 “parent” and L3 “child” devices.

After a device is discovered, the ExtraHop system tracks all of the wire data traffic associated with the device. Based on the type of traffic, the ExtraHop system assigns a device type to the device, such as a gateway, file server, database, or load balancer.

A device can be identified by multiple names, which are all searchable. The ExtraHop system discovers device names by passively monitoring naming protocols, including DNS, DHCP, NetBIOS, and Cisco Discovery Protocol (CDP). If a name is not discovered through a naming protocol, the default name is derived from the device attributes (MAC address for L2 devices and IP address for L3 devices). You can also create a custom name for a device on the Devices page.
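
The L2 parent and L3 child linkage described above can be modeled with a short passive parser. This is an added example, not ExtraHop code: the function names are hypothetical, the frames are constructed sample data, and it assumes untagged Ethernet frames carrying IPv4 ARP.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_raw(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return op, mac_text(frame[22:28]), socket.inet_ntoa(frame[28:32])


def discover(frames):
    """Build {parent MAC: [child IPs]} from passively observed frames."""
    devices = {}
    for frame in frames:
        if len(frame) < 14:
            continue  # too short to carry an Ethernet header
        # L2 discovery: every source MAC seen on the wire is a device.
        devices.setdefault(mac_text(frame[6:12]), set())
        # L3 discovery: only ARP responses link an IP address to its parent.
        arp = parse_arp(frame)
        if arp and arp[0] == ARP_REPLY:
            _, mac, ip = arp
            devices.setdefault(mac, set()).add(ip)
    return {mac: sorted(ips, key=socket.inet_aton) for mac, ips in devices.items()}


def eth_frame(dst, src, ethertype, payload):
    """Helper that constructs an Ethernet frame for the sample data."""
    return mac_raw(dst) + mac_raw(src) + struct.pack("!H", ethertype) + payload


def arp_body(op, sender_mac, sender_ip, target_mac, target_ip):
    """Helper that constructs an IPv4-over-Ethernet ARP body."""
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)
            + mac_raw(sender_mac) + socket.inet_aton(sender_ip)
            + mac_raw(target_mac) + socket.inet_aton(target_ip))


# Constructed sample capture (locally administered MAC addresses).
HOST_A = "02:00:00:00:00:0a"
HOST_B = "02:00:00:00:00:0b"
HOST_C = "02:00:00:00:00:0c"
BROADCAST = "ff:ff:ff:ff:ff:ff"
UNKNOWN = "00:00:00:00:00:00"

SAMPLE_FRAMES = [
    # A asks who has 10.10.0.20: a request, so A gains no L3 child here.
    eth_frame(BROADCAST, HOST_A, ETHERTYPE_ARP,
              arp_body(ARP_REQUEST, HOST_A, "10.10.0.10", UNKNOWN, "10.10.0.20")),
    # B answers for two addresses: both become children of the same parent.
    eth_frame(HOST_A, HOST_B, ETHERTYPE_ARP,
              arp_body(ARP_REPLY, HOST_B, "10.10.0.21", HOST_A, "10.10.0.10")),
    eth_frame(HOST_A, HOST_B, ETHERTYPE_ARP,
              arp_body(ARP_REPLY, HOST_B, "10.10.0.20", HOST_A, "10.10.0.10")),
    # C sends ordinary IPv4 traffic and is discovered at L2 only.
    eth_frame(HOST_B, HOST_C, ETHERTYPE_IPV4, bytes(20)),
    # A truncated frame is ignored.
    b"\x02\x00",
]

if __name__ == "__main__":
    for mac, ips in discover(SAMPLE_FRAMES).items():
        print(mac, ips)
```

In this model a device that has only sent requests or non-ARP traffic has no child addresses, so its only default name is its MAC address.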

By default, all IP addresses that are observed outside of locally-monitored broadcast domains are aggregated at one of the incoming routers in your network. To identify and learn about individual devices outside of these routers, which are beyond your local network, you can create custom devices and enable reporting on these devices. For more information, see the Custom devices section. You can also create a remote network that defines a range of IP addresses that are not on the local network. The ExtraHop system will then discover remote devices by their IP address.

Search for a device

You can filter searches on the Devices page with Find controls, which are located below the toolbar, to help you locate specific devices in the network capture.

By default, the search feature performs a substring search on the value entered in the Find text box. For example, if you submit the letter z for a name search, then the list of devices returned by the search includes all devices that have a letter z in the name, regardless of position.

Searches can be filtered by the following device attributes:

any
Matches a substring in any device element.
ip address
Matches a substring in the device IP address. The IP address criteria can include CIDR notation in IP address/subnet prefix length format. For example, 10.10.0.0/16 for IPv4 networks or 2001:db8::/32 for IPv6 networks.
name
Matches a substring in the device name.
node
(Command appliance only) Matches a substring in the node name.
mac address
Matches a substring in the device MAC address.
tag
Matches a substring in the user-defined device tag.
type
Matches a substring to a specified device attribute type. When you select type, the Find text box becomes a drop-down list. In the Find drop-down list, select from the following:
Activity
Includes the metric types that were active in the selected time interval. For example, selecting HTTP Server returns devices with HTTP server metrics, and any other device with the custom type set to HTTP Server.
Device type
Includes Gateway, Firewall, Load Balancer, File Server, and Custom Device.
Class
Includes Node, Remote, Custom, and Pseudo.
vendor
Matches a substring in the device vendor name as determined by the Organizationally Unique Identifier (OUI) lookup.
vlan
Matches a substring in the device Virtual Local Area Network (VLAN) tag. VLAN information is extracted from VLAN tags, if the traffic mirroring process preserves them on the mirror port.
  1. Navigate to a page that includes a device list, such as Networks, Devices, or Groups.
  2. In the Find field, type search string characters.
    The device attribute filter is set to any by default, which applies the search string to all device attributes. You can adjust the search string to apply to a particular device attribute, such as the device name or the MAC address.
  3. In the by drop-down list, select the device attribute that you want to search for.
    If you select the type attribute in your search, the Find field becomes a drop-down list that is populated with attributes to choose from.
  4. Click Search.
    The device list is populated with the devices that match the search criteria.

Where to start in the ExtraHop system

Log into the ExtraHop Web UI and explore your network environment. The ExtraHop system supports two primary workflows for learning more about your environment:

Top-down
Start with high-level charts and device groups that display all of the activity on your network. When you see something interesting, you can drill down to specific devices and transaction details.
Bottom-up
Search for a particular device, URI, or database. You can then explore real-time metrics and activity associated with that device, and pivot to different devices and protocols to learn more.

Explore your environment from the top-down

Review system dashboards
When you log into the ExtraHop system, you will see the Activity dashboard. This dashboard is a good starting point because it shows you everything happening on your network. For more information about this dashboard, and how to build your own, see the Get started with dashboards section.
Drill down on interesting data
When you see a spike in traffic or other interesting data, you can drill down to see which devices are associated with that data. For more information, see the Drill-down functionality section.
Explore activity groups
Another way to get a top-down view of specific activity is to explore activity groups. For more information, see the Activity groups page section.

Explore your environment from the bottom-up

Search for a device
ExtraHop automatically discovers devices that communicate on the network. You can search for devices by IP address, URI, or other attributes. For more information, see the Search for a device section.
Create a group
After you have found devices that are important to you, you can build a device group of devices and track their activity. For more information, see the Device groups section.
Build a dashboard
You can create a custom dashboard view of your devices to see real-time information that is most relevant to you. For more information, see the Dashboard walkthrough: View web application performance topic.

Customize your ExtraHop system

As you become familiar with the ExtraHop system, you can create customizations to support your workflows, identify specific issues, and collect custom metrics.

Set up alerts
Configure threshold and trend-based alerts that notify you when there is a potential issue with a network device. For more information, see the Alerts section.
Create reports
Generate reports on network metrics for a particular time interval, and export the information as a PDF file or as CSV data. For more information, see the Reports section.
Build a geomap
Geomaps display metrics across a global map, which indicates where metrics activity has occurred. For more information, see the Geomaps section.
Apply a bundle
Bundles are system objects saved as a JSON file. A bundle contains information about a selected ExtraHop system configuration, such as triggers, dashboards, applications, or alerts. Apply a bundle to your ExtraHop system, or create a bundle to share with others. For more information, see the Bundles section.
Build a trigger
Create a custom metric with a trigger. Triggers are custom scripts that perform an action upon a pre-defined event. Triggers require planning to make sure a trigger doesn’t negatively impact system performance. For more information, see the Triggers section.

Introduction to the ExtraHop Web UI

The ExtraHop Discover and Command appliances provide access to your network, application, client, and infrastructure data through a dynamic and highly customizable Web UI.

After you log into the ExtraHop appliance with a browser over HTTPS, you can immediately view your network activity through built-in system dashboards. If your environment includes a Command appliance, you can monitor all of the activity on your distributed Discover appliances from a single, centralized Command appliance.

The Web UI also enables you to:

  • Create custom dashboard views of your network traffic in real time for the information that is most relevant to you. For more information, see Dashboards.
  • Configure threshold and trend-based alerts that notify you when there is a potential issue with a network device. For more information, see Alerts.
  • View and drill down into real-time metrics about protocol activity discovered through your network tap or through flow reports sent from remote network devices. For more information, see Metrics and Drill-down functionality.
  • Generate reports on network metrics during a particular time interval, and export the information to PDFs or as CSV data. For more information, see Reports.
  • Create custom applications and custom metrics, and track metrics for proprietary traffic. For more information, see Customizing ExtraHop appliances.
  • Collect and analyze flow data, a type of machine data, from your network devices. For more information, see Flow networks.

In addition, if your ExtraHop Discover appliance is paired to an ExtraHop Explore appliance, you can directly access stored transaction records through the Discover Web UI. Or, if you are monitoring multiple Discover appliances through a Command appliance, you can retrieve record information by node through the Command Web UI.

Discover and Command appliance administration tasks are available through the ExtraHop Admin UI for users with full administrator permissions. For more information, see the ExtraHop Admin UI Guide.

Explore appliance administration tasks are available through the ExtraHop Explore Admin UI. For more information, see the ExtraHop Explore Admin UI Guide.

See the complete ExtraHop documentation set: https://docs.extrahop.com.

The ExtraHop Web UI provides a framework of elements that remain static as you move around the system. The information and options in the left and content panes of the Web UI change based on your selections in the top menu.

The following figure identifies both global navigation elements and the areas of the Web UI that will change based on your selection.

Top menu

The following elements are located across the top of the Web UI.

Dashboards
Provides built-in system dashboards that give you an instant view of the activity on your network. You can also create and share dashboards with other users.
Metrics
Provides access to system metrics sources, group metrics, and record queries.
Alerts
Provides access to the Alerts pages where you can configure new alerts and view the alert history for your appliance.
Global Search field
Enables you to type any object or search criteria and find a match on your Discover appliance. If you have an ExtraHop Explore appliance configured, you can also search for saved records.
Community Icon
Launches a new tab in your web browser to the ExtraHop forums and to other external resources.
Help icon
Launches documentation for the page that you are currently viewing.
System Settings
Provides access to system configuration options.
User Icon
Enables you to log in and log out of your Discover appliance or Command appliance, change your password, and access API options.

The following elements are located across the top of the Web UI, below the top menu.

Pane toggle
Enables you to collapse or expand the left pane.
Global Time Selector
Enables you to determine the global time interval that is applied to all system metrics.
Recent Pages
Enables you to see the most recent pages you visited. Repeated pages are deduplicated and condensed to save space.
Navigation Path
Displays where you are in the system and provides available pivot points so you can search for the same metrics across multiple protocols, devices, or other swappable criteria.
Command menu drop-down
Appears throughout the Web UI and contains context-sensitive commands for the area you are in. For example, when you click the Dashboards top menu, the command menu at the end of the navigation bar provides options to view dashboard properties and to create a new dashboard.

The left pane and content pane change based on your selections. See the following sections to learn more about each feature.

Time Selector

The Time Selector enables you to specify a time interval for the collection and presentation of network data. There are two types of Time Selectors: a Global Time Selector for specifying global time intervals, and a Region Time Selector for specifying region time intervals.

The Global Time Selector is located at the top-left of the navigation bar. Access the Region Time Selector by clicking the command menu next to the region name and selecting Use Region Time Selector.

A global time interval is applied across the Discover appliance. Navigating from one area to another will not change the time interval for the metrics you are viewing. This means that the same time interval applies whether you are viewing different metrics across the Web UI or drilling down to view detailed metrics.

Note: Logging out of the Discover appliance will reset the global time interval to the Last 30 minutes. However, global time interval information is included at the end of the URL. To maintain a specific global time interval after logging out, copy or bookmark the URL. Make sure that the entire URL is copied to maintain the specified global time interval.

A region time interval is applied by dashboard region and you can set different time intervals per-region. When you add a widget to an existing region, the widget inherits the time interval for that region.

You can apply either a global time interval or a region time interval to a dashboard region. To toggle between time intervals, start by clicking the command menu in the region header. To apply a region time interval, select Use Region Time Selector. To apply a global time interval, select Use Global Time Selector. When the Region Time Selector disappears from the region header, this indicates that the global time interval is applied to the region.

To specify a global or region time interval:

  1. Click the Global Time Selector or the Region Time Selector.
  2. From the Time Interval tab, select one of the following options:
    Last 30 minutes
    Displays the last 30 minutes of data collected.
    Last 6 hours
    Displays the last six hours of data collected.
    Last day
    Displays the last 24 hours of data collected.
    Last week
    Displays the last seven days of data collected.
    Last
    Displays the data collected within a custom time window. For more information, see the Specify a time window section.
    Custom time range
    Displays the data collected within a fixed time range. For more information, see the Specify a custom time range section.
  3. Click Save.

You can view metrics with different levels of granularity based on the time interval that you specify. For more information, see the Time interval section.

Time intervals are preserved across a login session. The five most recent unique time intervals are also saved in the History tab.

To select a previous time interval:

  1. Click the Global Time Selector or Region Time Selector.
  2. Click History.
  3. Select a time interval. Your selection will be applied to the options on the Time Interval tab.
  4. Click Save.

Displaying running time and snapshot time intervals

For dashboards and top-level metrics pages—where metrics are polled automatically—you will see the running time for the global time interval displayed in the Global Time Selector.

For a detailed metric page or a records query results page—where metrics are not polled automatically—you will see the snapshot of the global time interval, which includes a blue refresh icon and gray text that indicates when the metric or record query was last polled. To reload the metrics or query for the specified time interval, click the refresh icon in the Global Time Selector display.

Specify a time window

To view metrics that occurred at a specific time, you can modify the settings in the custom time window option in the Time Selector to specify the number of minutes, hours, days, or years from the present.

To specify a custom time window for a global or region time interval:

  1. Click the Global or Region Time Selector and select the Last radio button in the Time Interval tab.
  2. Type the number of units of time.
  3. Click the drop-down list and select microseconds, milliseconds, minutes, hours, days, weeks, months, or years.
  4. Click Save.

Specify a custom time range

To view metrics that occurred during a specific time, you can specify a custom time range or you can zoom in on a chart.

To specify a custom time range:

  1. Click the Global Time Selector or Region Time Selector.
  2. From the Time Interval tab, select Custom Time Range.
    The drop-down field will display a default time range.
  3. Click the drop-down field. A calendar dialog box opens.
  4. Click a day to specify the start date for the range. One click will specify a single day. Clicking another day will specify the end date for the range.
    Note: Use the back and forward arrows on the calendar to change the month displayed on the calendar.
  5. Click Save.

Zoom in on a time range

You can click-and-drag across a region in a line chart to zoom in and specify a custom time range in the Time Selector. For example, if you observe a spike in a chart, you can click-and-drag across the spike to zoom in on the activity that occurred in that time range.

Note: This option is only available for time-series charts. It is not available for bar charts, text widgets, or tables.

If you are zooming in on a chart within a dashboard region that has a region time interval applied to it, this time range will become the region time interval for every widget in that region (unless you have applied a global time interval to that dashboard region). The ability to zoom in on a time range is useful for observing other metric activity that occurred in that same time range. For more information, see the Time Selector section.

If the specified time range is valid, it appears green. If the specified time range is less than one minute, the range is invalid and appears red.

Note: Data might not be available for the zoomed time range.

  1. Click and drag your mouse across the chart to select a time range.
  2. Release the mouse button. The graph is redrawn to the specified time range.

The scales on the chart’s axes update to reflect the range of values in the zoomed time range. In addition, the Custom Time Range value in the Time Selector adjusts to reflect the time range in the chart.

If you want to revert from the zoomed time range back to your original time interval, click the undo icon—a magnifying glass with a minus sign—in the Time Selector. For example, if you originally specified Last 30 minutes as your time interval, and then perform a series of zoom operations on a chart, you can revert back to your original 30-minute time interval with one click on the undo icon.

Get started with ExtraHop

The Get started series introduces new users to the basic concepts, features, and functionality of the ExtraHop system.

The following sections will introduce you to terminology and show you how to navigate ExtraHop features in the Web UI. After you have read these sections, you can find comprehensive procedures for each feature in their respective sections.

Get started with dashboards

The ExtraHop Discover appliance provides expansive and granular metrics about the traffic on your network. The possibilities are endless, but the initial view can be overwhelming.

A dashboard is a customizable HTML page that displays different views of your network through widgets such as charts. Dashboards are a powerful feature that can help showcase the data that is most relevant to your daily operations in real-time and manage the signal to noise ratio of your network activity.

Comprehensive concepts and procedures are available in the Dashboards section, but the information in the following sections will help you get started.

When you log into the ExtraHop appliance for the first time, a built-in system dashboard displays a high-level overview of all the activity happening on your network.

All ExtraHop users with active accounts can view the two system dashboards, which are the Activity dashboard and the Network dashboard. For more information, see the System dashboards section.

The following figure shows how you can modify global navigation options and control your view of dashboard metrics.

When you select Dashboards from the top menu, the left pane displays the dashboard dock. The dock has a set of folders that contains the system dashboards and any custom dashboards that you create or share. You can create additional folders in the dock as needed. When you select a dashboard from the left pane, the dashboard displays in the center pane.

The following fields and controls are available in the dashboard dock.

  • Type to filter field: Enables you to limit the displayed list of items.
  • Dashboard sort buttons: Enables you to switch between ascending, descending, and custom sort views.
  • Dashboard Inbox: Displays a list of dashboards that have been shared with you by other users. To share your dashboard with others, see the Share a dashboard section.
  • My Dashboards: Displays a list of dashboards that you created. You can keep these dashboards private or share them with other users. To create your own dashboard, see the Create a dashboard and Configure a dashboard sections. Editing access to your dashboard can be granted on a per-user basis. For more information, see the Share a dashboard section.
  • System Dashboards: Displays the default built-in dashboards that provide you with a high-level overview of everything happening on your network in real-time. The two system dashboards, which are the Activity dashboard and the Network dashboard, cannot be deleted, modified, or shared. For more information, see the System dashboards section.
  • New Dashboard: Enables you to create a new dashboard.
  • Command menu button: Enables you to edit the dock and create a new, empty folder.

In addition, when you select Dashboards from the top menu, a command menu appears on the far right of the navigation bar. The following fields and controls are available in the Dashboards command menu.

  • Edit Layout: Customize your dashboards.
  • Dashboard Properties: Edit your dashboard name and access rights.
  • Share: Share your dashboard with another user.
  • Print: Send the dashboard you are viewing to a printer.
  • Modify Sources: Modify the metric sources used in the dashboard.
  • Copy: Save a duplicate of your dashboard.
  • Delete: Remove a dashboard from the system.
  • New Dashboard: Create a new dashboard.
  • Show Descriptions: Display tooltips where available.
  • Presentation Mode: Display a full-screen view of the metrics on the currently selected dashboard.
  • Widget Slideshow: Display a slideshow of widgets within the current window.
  • Metric Explorer: Configure and add widgets to a dashboard.

Plan a dashboard

Building a custom dashboard is one of the most effective ways to monitor high-priority network traffic and troubleshoot an issue.

There are four basic steps to building a custom dashboard from the Dashboard page:

  1. Identify the devices or traffic that you want to monitor. For example, there are three categories of metrics you might want to start with:
    • Availability metrics: These metrics track client requests and server responses and help answer the question, is my server offline or unavailable?
    • Reliability metrics: These metrics track error rates for server responses and help answer the question, is my server functioning properly?
    • Performance metrics: These metrics track server performance by measuring server processing times for sending response to requests and help answer the question, is my server properly resourced?
  2. Create a dashboard, which will provide an empty region containing an empty chart and empty text box widget.
  3. Add data to the empty chart with the Metric Explorer, which provides options for configuring metric sets and chart types.
    • Select a metric source, which might be an important server (such as web server, database, or LDAP server) or a group of devices generating specific traffic (such as all HTTP clients).
    • Select metrics, which might be about availability (such as HTTP request and response rates), reliability (such as database errors over time), or performance (such as server processing times).
    • Select a chart type.
  4. Configure a dashboard, by adding more widgets and regions.
    Tip: Consider adding multiple chart types for a single metric to create multiple views of that data.
Note: You can also build a dashboard from a protocol page. This method enables you to quickly add charts to a new or existing dashboard around an application, device, network, or group that you are exploring in the Web UI. For more information, see the Create a chart section.
Note: Learn more by taking the Build Your First Dashboard training.

Dashboard components

Dashboards are composed of customizable regions and widgets. Regions are spaces that hold and compartmentalize widgets. Widgets are objects contained within regions. A widget is a chart, text box, alert history list, activity group list, or network list. Understanding how these components work and the type of information each widget displays can help you build your dashboard.

Region

A region is a compartment that contains widgets.

You can modify regions in the following ways:
  • Apply a specific time range to all of the widgets within a region.
  • Rename the title of your region.
  • Modify the metric source for all of the widgets within a region.
  • Delete a region, which will also delete all of the widgets within that region.
  • Resize a region by clicking and dragging from the lower right corner of the region, which makes room for additional widgets.
Note:See the Time Selector section to learn about the differences between the global time interval and region time interval.
Widget

Widgets are configurable dashboard components that can be added to a region for different functions. Drag-and-drop different types of widgets into a region, or drag-and-drop a new region onto your dashboard.

The following widget types are available:

Chart widget
A chart contains metrics. When you configure a chart for the first time, you need to select which chart type is best for visualizing the data. For example, a candlestick chart is effective for seeing outliers easily. For more information, see the Edit a chart section.
Text box widget
A text box contains text that you write and format in Markdown. Text boxes are useful for adding descriptive information about charts and regions. For more information, see the Edit a text box widget section.
Alert History widget
Displays details about active alerts for metric sources on your network. For example, with this widget, you can quickly identify emergency alerts that have fired, and then navigate to the source of the alert.
Activity Groups widget
Displays the number of devices in activity groups. The Discover appliance automatically generates activity groups, which are groups of devices based on the type of network traffic they generate. A device might appear in more than one activity group if it has multiple types of traffic. For example, with this widget, you can see how many CIFS clients are actively generating requests on your network.
Networks widget (Command appliance only)
Displays the details about network captures that the Command appliance is configured to monitor. You can see how many devices and applications are active on each network.

Metric Explorer

The Metric Explorer is a tool for creating and editing dashboard charts. In the Metric Explorer, you can add metrics to a chart and immediately view how metric data will appear in a preview pane. The preview pane dynamically updates as you make metric and chart type selections, which enables you to explore and change how your data is visualized in a dashboard.

The Metric Explorer provides the following components for configuring a chart.

Metrics tab
Add metric sets to your chart. A metric set consists of a single type of source and one or more metrics.
Note:You can add multiple metric sets to display in a single chart. For example, one metric set can contain a mix of device sources (such as servers) and another metric set can contain application sources.
Source
In the Source section, add a metric source, such as an application, device, group, or network capture.
Metric
In the Metric section, search for and select compatible metrics for the source. Depending on the type of metric you select, data calculation options are listed underneath the metric name. For example, when you select a count metric type (such as HTTP Requests or Network Bytes), you can select to display a rate or count. When you select a dataset metric type (such as Server Processing Time), you can choose to display a summary of percentile values or a specific percentile value.
Detail
Optionally, in the Detail section, drill down to display detail metrics for the entire metric set in your chart.
Time interval
Specify a time interval to preview how network data is presented in your chart. You can change the time interval, but your changes will not be saved with other chart configurations. You must change the time interval with the Time Selector in your dashboard.
Analysis tab
Add a static threshold line and a dynamic baseline to your chart.
Options tab
Select configuration options, such as changing a chart title, units, and labels.
Preview section
Preview how metric data will display in your chart. The chart dynamically updates as you add and remove metrics from the Metrics tab.
Chart section
Select a chart type to display data. Toggle between different time-series and non time-series chart types to determine which chart is the best choice for visualizing the data you are interested in.
Note:Some charts have specific metric requirements.

The following figure displays a configured line chart. The chart is displaying data for one metric set, Application Metrics, the average rate data calculation for the HTTP Responses metric, and detail metric keys for client IP addresses.

Dashboard walkthrough: monitoring website performance

When website performance slows down, knowing whether the issue is occurring at the application or network-level can save you troubleshooting time. In the ExtraHop system, a dashboard is an effective tool for monitoring real-time data, and for identifying and troubleshooting issues.

In this walkthrough, you will build a dashboard to help answer the following questions about website performance in your network environment:
  • How many requests are clients sending to my web servers?
  • Are my web servers working properly?
  • Is network availability affecting web applications?
  • Is my network unusually slow?
Prerequisites
  • Familiarize yourself with the concepts in this walkthrough by reading the Get started with dashboards section.
  • You must have access to an ExtraHop Discover appliance with a user account that has limited or full write permissions.
  • Your ExtraHop appliance must also have network data with web server traffic. If you do not have access to web server data, you can perform this walkthrough in the ExtraHop demo.
Create a dashboard
When you create a new dashboard, the workspace opens in an editable layout mode with a single region and two empty widgets: a chart and a text box.
  1. Log in to the ExtraHop Web UI.
  2. On the Dashboard page, click the command menu in the upper right corner, and select New Dashboard to create an empty dashboard.
  3. Type a name for your dashboard title in the Title field. For this walkthrough, type Website performance.
  4. Click Create.
Configure your first chart

Your new dashboard contains an empty chart, which you will configure to display the total number of HTTP requests that were sent to your web servers. This step will help you understand how web transactions might affect website performance.

You will add more charts later, but these initial steps will show you how to add data to a chart by first selecting a metric source and then adding a metric in the Metric Explorer.

  1. Click the empty chart widget in your newly created dashboard to launch the Metric Explorer.
  2. Click Add Source and type All Activity. The All Activity application is a metric source that is available by default to all users and contains metrics about all of the devices discovered on your network.
    Tip:If there is a specific web server that you want to monitor, type the name of the server into the search field instead of All Activity, and select that server as your source.
  3. Select All Activity from the list. After you make your selection, a field appears for you to select a metric that is associated with this source.
  4. Begin typing HTTP requests to filter this metric from all of the available metrics, and then select HTTP Requests.
  5. Select the Value chart type from the bottom of the Metric Explorer. The preview pane immediately displays the number of HTTP requests sent to web servers on your network that have occurred during the last 30 minutes.
  6. Click Save to return to your dashboard.
The following figure displays the chart configuration settings.

Because dashboards are often shared with members of a network team, you can add explanatory text boxes next to your charts. For this walkthrough, however, we will not be adding text, and you can delete the text box by completing the following steps:
  1. Click the command menu in the upper right corner of the text box widget and select Delete.
  2. Click Delete Widget.
Customize the dashboard layout
One of the powers of dashboards lies in compiling multiple charts into a single page, giving you many views of your network traffic. In this section, you’ll learn how to customize the layout of your dashboard by adding and arranging more charts.

When the dashboard is in layout mode, all dashboard components (regions and widgets) are available for you to drag and drop from the bottom of the dashboard page.

  1. Drag the corner of the dashboard workspace to make room for additional charts.
  2. Drag a chart widget from the bottom of the dashboard to the empty area of the top region where the text box previously was.
    Note:If there is overlap, dashboard components are outlined in red, and you must click and drag the sides of the widgets and regions to make room.
  3. Drag a new region to the dashboard.
  4. Drag two more chart widgets into the new region.
  5. In each region header, click Rename to type a unique name for each region. For this walkthrough, rename the top region to Web and the bottom region to Network.
Add more HTTP metrics to your dashboard

Repeat the instructions provided earlier to configure the new empty charts. Continue to set your source to All Activity. This source ensures that all of the metrics you are observing are related to the same set of web servers.

The tables below outline the selections you should make for the metrics and chart types in each chart.

Charts in the Web region

Chart 1: Already displays the total number of client HTTP requests sent to your web servers.

Chart 2: Correlate web transactions (HTTP responses) to critical server errors (HTTP Errors) in the line & column chart, as displayed in the following figure:

What to Configure What to Select
Source All Activity
Metrics
  1. HTTP Responses
  2. HTTP Errors
Chart type
  1. Line & column
  2. Select Display as columns on the HTTP Errors metric.
Charts in the Network region

Chart 1: Observe how long it takes for data to cross the network (HTTP Round Trip Time) in a line chart. You’ll want to see the median (50th percentile) and 95th percentile values for this metric, which requires adding the metric twice, as displayed in the following figure:

What to Configure What to Select
Source All Activity
Metrics
  1. Add HTTP Round Trip Time twice
  2. Add a 95th percentile line:
    1. Click Median underneath one of the metric names.
    2. Select Percentile from the drop-down list.
    3. Type 95 and click Save.
Chart type Line

Chart 2: Correlate network retransmission timeouts to website performance in an area chart, as displayed in the following figure:

What to Configure What to Select
Source All Activity
Metrics
  1. HTTP Request RTOs
  2. HTTP Response RTOs
Chart type Area
Monitor your website performance

After you have completed configuring all of the charts, click Exit Layout Mode. Your dashboard should look similar to the following figure. However, data in your dashboard charts will look different because they are reflecting activity occurring on your network.

Now you can monitor and assess your website performance on a regular basis. Refer to the following charts for hints about what to look for.
Question What to look for in your dashboard
How many requests are clients sending to my web servers? The Value chart lets you glance at the total value for a metric. Monitoring the total number of requests daily can give you a sense of the amount of website transactions that are being received by your servers.
Are my web servers working properly? The Line & column chart shows you the relationship of 500-level status codes (server unavailability errors) to web transactions over time. An increase in errors that correlates with a drop in transactions might indicate that a server issue is affecting website performance.
Is network availability affecting web applications? The median line in the line chart gives a sense of how long it typically takes for packets, or data, to transfer between clients and servers across the network over time. The 95th percentile line displays the longest data transfer times. Spikes and trends that are correlated to a drop in web transactions might indicate that a network issue is affecting website performance.
Is my network unusually slow? The retransmission timeout (RTO) metric helps to identify packet loss and to locate the congested links. Because the combination of request and response RTOs can contribute to a slow website, if you see a large area in the chart that correlates to a drop in web transactions, this might indicate that a network issue is affecting website performance.
Share your dashboard

Share this dashboard with other teams to help you keep an eye on website performance and identify issues that are potentially occurring in an application or on the network.

  1. In the upper right corner of the dashboard, in the navigation bar, click the command menu.
  2. Click Share.
  3. Select All users can view; only specified users can edit to provide all ExtraHop users at your organization with dashboard viewing privileges.
    Note:You can restrict dashboard access to specific users. For more information, see the Share a dashboard section.
  4. Click Save.

Get started with metrics

The ExtraHop system provides you with over 3,400 built-in metrics for over a dozen protocols. A metric is a measurement of observed network behavior. Because the ExtraHop system provides so many L2 through L7 protocol metrics to view, it can be challenging to know where to find the metrics that are most important to you.

You can view metrics and records by their source, such as a device, application, network capture, or flow network. In the Discover and Command appliances, you can search for metrics by source or protocol pages and you can view metrics in dashboard widgets.

To find metrics in protocol pages, click Metrics from the top menu. The left pane displays sources, device groups, and record queries. As you select options from the sources and groups in the left pane, the center pane displays the protocol pages associated with your selection. Protocol pages display metrics in tables, lists, and charts.

The following fields and controls are available in the left pane:

Type to filter field
Enables you to limit the displayed list of items.
Sources
Enables you to select metrics for applications, devices, and networks.
Groups
Enables you to select metrics for activity groups or to create a custom group and view metrics associated with those groups.
Records
Enables you to query records and save queries for future use.
Tip:When looking for important metrics that are relevant to you, start with a device you are already familiar with. Search for a device, and then click on the device name. On the device protocol page, you can pivot across protocols in the left pane and view top-level metrics and charts in the center pane to see all of the network activity associated with your device.
Note:If there are no results for a metric, or if a protocol appears to be missing, the ExtraHop system did not detect any related activity or traffic for that source. To learn more about how the ExtraHop system collects metrics, see the Metrics in the ExtraHop system section.

Dashboards are another way to explore the metrics that are most relevant to you. For example, you can plan and build a custom dashboard with charts that highlight your top devices and most critical network traffic. For more information, see the Get started with dashboards section.

If your Discover appliance is paired with an Explore appliance, you can search for flow and transaction information about metric sources through record queries. For more information about records and record queries, see the Records section.

Sources

In the ExtraHop system, a metric is a measurement of observed network behavior. Metrics are generated from network traffic, and then each metric is associated with a source. Each source provides access to a different collection of metrics.

Select from the following sources as you configure dashboard widgets or navigate across protocol pages:

Applications
Applications are user-defined containers for metrics that are associated with multiple devices and protocols. These containers can represent distributed applications on your network environment. In the ExtraHop system, applications are defined by triggers, which are custom scripts. Triggers can collect metrics across multiple types of network traffic to capture information with cross-tier impact. For example, if you want a unified view of all the network traffic associated with a website—from web transactions to DNS requests and responses to database transactions—you can write a trigger to create a custom application that contains all of these website-related metrics. The default All Activity application contains metrics for every device on your network. For more information, see the Applications section.
Devices
Devices are objects on your network that have a MAC address and IP address and that have been automatically discovered and classified by the ExtraHop system. Metrics are available for every discovered device on your network. For more information, see the Devices page and the Search for a device sections.
Networks
A network is the entry point for the network capture and flow networks. These metrics provide a summary of all network activity retrieved in the capture or sent from a flow network. For more information, see the Networks section.
VLANs
A Virtual Local Area Network (VLAN) is a logical grouping of traffic or devices on the network. VLAN information is extracted from VLAN tags, if the traffic mirroring process preserves the tags on the mirror port. To locate a VLAN, click Metrics, and then click Networks.
Device groups
Device groups, also known as custom groups, can be either static or dynamic. You must manually identify and assign individual devices to a static group. Alternatively, you can configure rules to automatically assign devices to a dynamic group. For example, you can create a dynamic group and then configure a rule to add all devices within a certain IP address range to that group automatically. For more information, see the Device groups section.
Activity groups
Activity groups contain devices that are automatically grouped together based on their network traffic. A device with multiple types of traffic might appear in more than one activity group. For more information, see the Activity groups page section.
Top-level metrics and detail metrics

Top-level metrics and detail metrics provide different views about network activity. Top-level metrics provide you with a big-picture value to help identify what is happening on your network. You can then drill down on a top-level metric to view detail metrics. Detail metrics provide you with a value for a specific key (such as a client or server IP address), which gives you insight into how a specific device, method, or resource is affecting the network.

On the Dashboard page, you can configure charts to display either top-level or detail metrics. On protocol pages, you can view top-level metrics and then drill down to view detail metrics.

A top-level, or base, metric gives you a sum of data for a specified time period. The ExtraHop system provides you with real-time updates about top-level metrics. For example, you can view the total number of HTTP requests sent by a device for the last 30 minutes.

In the following figure, a Bar chart displays the top-level metric for the total number of HTTP requests that were sent to a web server during a specific time period.

Detail metrics provide you with a metric value for a specific key, such as a client IP address, server IP address, URI, hostname, referrer, certificate, or method. For example, you can drill down on the total number of HTTP requests to break out the number of requests sent per client. When you drill down, the ExtraHop system provides you with a topnset of detail metrics. A topnset is the top 1,000 key-value pairs calculated for the time interval you specify in the Time Selector. A topnset is not a complete data set because a topnset only represents the key-values that are recorded for a specific aggregation roll up (based on a specified time interval), and is limited to up to 1,000 keys per topnset.

In the following figure, a Bar chart displays detail metric values by client (which is a key) after drilling down on the top-level metric for HTTP requests. Specifically, the chart displays eight clients that sent the most requests to the web server during a specific time period. You can configure charts to show you either a specific key or a specific number of keys from a topnset.

Note:When drilling down to detail metrics from protocol pages, you might encounter a chart that includes more than 1,000 keys. Some charts in the ExtraHop system combine topnsets for multiple detail metrics into one table. You can then sort keys by detail metrics. For example, when you drill down on the responses metric by URI from the Metrics > Applications > All Activity > Web page, the chart displays both a topnset of URIs for HTTP Responses and a topnset of URIs for Server Processing Time.
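The following added example (not ExtraHop code) shows why detail metrics built from topnsets can add up to less than the top-level metric. It assumes a simplified model in which each roll-up cycle keeps only its largest keys; the function names, the sample client addresses, and the limit of 3 (standing in for 1,000) are constructed for illustration.

```javascript
// Added illustration, not ExtraHop code. Simplified model (an assumption): each
// roll-up cycle counts requests per key and keeps only its `limit` largest keys.
// The page's limit is 1,000; a limit of 3 keeps the sample readable.

// Constructed sample: HTTP requests per client IP in three consecutive cycles.
const CYCLES = [
  { "192.0.2.10": 50, "192.0.2.11": 40, "192.0.2.12": 30, "192.0.2.13": 20 },
  { "192.0.2.10": 45, "192.0.2.11": 10, "192.0.2.12": 35, "192.0.2.13": 20, "192.0.2.14": 60 },
  { "192.0.2.10": 55, "192.0.2.11": 30, "192.0.2.12": 25, "192.0.2.13": 20 },
];

// Keep the `limit` largest key-value pairs of one cycle (ties broken by key).
function topnset(counts, limit) {
  return Object.entries(counts)
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .slice(0, limit);
}

// Add a list of [key, value] pairs into a running total per key.
function accumulate(totals, pairs) {
  for (const [key, value] of pairs) {
    totals[key] = (totals[key] || 0) + value;
  }
  return totals;
}

function sumValues(totals) {
  return Object.values(totals).reduce((a, b) => a + b, 0);
}

// Compare complete per-key totals with what survives per-cycle truncation.
function compareDetailToTopLevel(cycles, limit) {
  const exact = {};  // every key, every cycle (what the top-level metric sums)
  const detail = {}; // only keys that ranked within `limit` in a given cycle
  for (const cycle of cycles) {
    accumulate(exact, Object.entries(cycle));
    accumulate(detail, topnset(cycle, limit));
  }
  const keys = Object.keys(exact).sort();
  return {
    topLevelTotal: sumValues(exact),
    detailTotal: sumValues(detail),
    // Keys that never ranked in any cycle and so are absent from the detail view.
    missing: keys.filter((k) => !(k in detail)),
    // Keys that are shown, but with a value lower than their true total.
    undercounted: keys.filter((k) => k in detail && detail[k] < exact[k]),
    exact,
    detail,
  };
}

const result = compareDetailToTopLevel(CYCLES, 3);
console.log("top-level total:", result.topLevelTotal);
console.log("sum of detail values:", result.detailTotal);
console.log("keys missing from detail view:", result.missing);
console.log("keys shown with a reduced value:", result.undercounted);
```

In the sample, 192.0.2.13 and 192.0.2.14 send the same total number of requests, but only the latter ever ranks in a cycle's topnset, so only it appears after drill-down.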
Types of top-level metrics

Each top-level metric in the ExtraHop system is classified into a metric type. Understanding the distinctions between metric types can help you configure charts or write triggers to capture custom metrics. For example, a heatmap chart can only display dataset metrics.

Count
The number of events that occurred over a specific time period. You can view count metrics as a rate or a total count. For example, a byte is recorded as a count, and can either represent a throughput rate (as seen in a time series chart) or total traffic volume (as seen in a table). Rates are helpful for comparing counts over different time periods. A count metric can be calculated as a per-second average over time. When viewing high-precision, or 1-second, bytes and packet metrics, you can also view a maximum rate and minimum rate. Count metrics include errors, packets, and responses.
Dataset
A distribution of data that can be calculated into percentile values. Dataset metrics include processing time and round trip time.
Maximum
A single data point that represents the maximum value from a specified time period.
Sampleset
A summary of data about a detail metric. Selecting a sampleset metric in a chart enables you to display a mean (average) and standard deviation over a specified time period.
Snapshot
A data point that represents a single point in time.
Tip:Visit the Tip of the Week: Metric Types post on the ExtraHop community forum.
Drill-down functionality

You can drill down on high-level information in the ExtraHop Web UI to identify root causes of interesting activity. Specifically, you can drill down on the top-level metrics you see in the ExtraHop system to view detail metrics about a device.

Note:If your Discover appliance is paired with an ExtraHop Explore appliance, you can drill down on a protocol or metric to view stored records. For more information, see the Records section.
Drill down on dashboard data

If you see interesting activity in a dashboard chart, you can navigate from the chart to the associated protocol page and drill down to see which devices are associated with the activity.

  1. Navigate to a protocol page by completing one of the following steps:
    • Click the chart title.
    • Click the command menu next to the Go to <metric source>, where <metric source> is the application, device, network, or group configured in the chart. Click the expanded menu option, which will take you to the associated protocol page.
  2. On the protocol page, click or hover over the top-level metric of interest.
    Typically, there is a table beneath the charts that displays the list of devices associated with the protocol activity.
  3. In the Device column of the table, click the name of the device with interesting activity. The Devices page opens with additional information.
Drill down on protocol page data

You can drill down into metrics for top-talking protocols and devices on individual metric source pages, such as applications, networks, or devices pages.

  1. Click Metrics.
  2. Click Applications, Devices or Networks.
  3. Select a specific application, device, or network capture from the center pane.
    Note:For flow networks, you must create a dashboard to visualize the data. For more information, see Configure a dashboard for NetFlow traffic.
  4. Click the protocol of interest in the left pane.
  5. Hover over the charts to view any metrics that appear outside the normal range.
  6. Click the data you find interesting in the chart to isolate data to a device or look for devices related to interesting data in a table beneath the chart.
  7. Click the name of the device to view device details.
For example, to find the top-talkers for the L7 protocol, complete the following steps:
  1. Click Metrics and then click Networks.
  2. Select a network in the center pane.
  3. Click L7 Protocols in the left pane.
  4. Hover over the charts to view any metrics that appear outside the normal range.
  5. Click the legend on the graph to isolate the L7 protocol metrics. The Protocols table at the bottom of the page displays the list of applications associated with the selected protocol. From this list of devices, you can see which device is causing the spike in network traffic.
  6. In the Device column of the table, click the name of the device that is causing the spike in network traffic. The Devices page appears with additional information.
Time interval

In time-series charts, where you can view how a metric changes over time, the aggregation interval displays how the metric data is rolled up. The aggregation roll up, also known as a metric cycle, provides information about the level of granularity for count metrics for the time interval that you specify in the Time Selector.

Note:The aggregation roll up is not displayed in list and value charts.

The following table provides information about which aggregation roll up can be displayed for a specified time interval.

Time Interval Aggregation Roll Up (if available) Notes
Less than six minutes 1-second A 1-second roll up is only available for custom metrics and for the following built-in throughput and packet metrics:
  • Network source > Network Bytes (total throughput)
  • Network source > Network Packets (total packets)
  • Device source > Network Bytes (combined inbound and outbound throughput by device)
  • Device source > Network Bytes In (inbound throughput by device)
  • Device source > Network Bytes Out (outbound throughput by device)
  • Device source > Network Packets (combined inbound and outbound packets by device)
  • Device source > Network Packets In (inbound packets by device)
  • Device source > Network Packets Out (outbound packets by device)
120 minutes or less 30-second If a 30-second roll up is not available, a 5-minute or 60-minute roll up will be displayed.
Between 121 minutes and 24 hours 5-minute If a 5-minute roll up is not available, a 60-minute roll up will be displayed.
Greater than 24 hours 60-minute  
Note:If you have an extended datastore that is configured for 24-hour metrics, a specified time interval of 30 days or longer will display a 24-hour aggregation roll up.

Explore how metric data changes over different time intervals with the Time Selector.
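The following added example (not ExtraHop code) applies the roll-up table above to a count metric and shows how the same short burst reads at each aggregation roll up. The function names and the sample data are constructed; it assumes that a missing roll up falls back to the next coarser one that is available, and that a time-series chart plots each cycle's count as a per-second average.

```javascript
// Added illustration, not ExtraHop code.
const DAY_MINUTES = 24 * 60;
const ROLL_UPS = [1, 30, 300, 3600, 86400]; // cycle lengths in seconds

// Pick the roll-up for a time interval, following the table above.
// `available` lists the roll-ups that exist for the metric. Assumption: when
// the preferred roll-up is missing, the next coarser available one is used.
function rollUpSeconds(intervalMinutes, available = [1, 30, 300, 3600]) {
  let preferred;
  if (intervalMinutes >= 30 * DAY_MINUTES && available.includes(86400)) {
    preferred = 86400; // extended datastore configured for 24-hour metrics
  } else if (intervalMinutes < 6) {
    preferred = 1;
  } else if (intervalMinutes <= 120) {
    preferred = 30;
  } else if (intervalMinutes <= DAY_MINUTES) {
    preferred = 300;
  } else {
    preferred = 3600;
  }
  const match = ROLL_UPS.find((s) => s >= preferred && available.includes(s));
  return match === undefined ? null : match;
}

// Constructed sample: 600 seconds of Network Bytes at 1,000 bytes/s with a
// 3-second burst of 50,000 bytes/s starting at second 100.
function sampleBytes() {
  const counts = new Array(600).fill(1000);
  for (let s = 100; s < 103; s++) counts[s] = 50000;
  return counts;
}

// Aggregate 1-second counts into cycles; each cycle keeps a total count and
// the per-second average rate derived from it.
function rollUp(perSecond, cycleSeconds) {
  const buckets = [];
  for (let start = 0; start < perSecond.length; start += cycleSeconds) {
    const slice = perSecond.slice(start, start + cycleSeconds);
    const count = slice.reduce((a, b) => a + b, 0);
    buckets.push({ start, count, rate: count / slice.length });
  }
  return buckets;
}

// What a chart over `intervalMinutes` would show for the sample data:
// the roll-up used, the highest plotted rate, and the total count.
function burstView(intervalMinutes, available) {
  const cycle = rollUpSeconds(intervalMinutes, available);
  const buckets = rollUp(sampleBytes(), cycle);
  return {
    cycle,
    peakRate: Math.max(...buckets.map((b) => b.rate)),
    total: buckets.reduce((a, b) => a + b.count, 0),
  };
}

for (const minutes of [5, 60, 240]) {
  const view = burstView(minutes);
  console.log(`${minutes} min interval: ${view.cycle}s roll-up, ` +
    `peak ${view.peakRate} bytes/s, total ${view.total} bytes`);
}
```

The total count is identical at every roll up, but the plotted peak shrinks as the cycle lengthens, so a burst that stands out in a 5-minute view can be hard to see in a 4-hour view.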

Get started with triggers

Application Inspection Triggers provide programmable event processing at the application-protocol level. You can write a trigger, which is a block of JavaScript, through the trigger API to extract, store, and visualize custom wire data events and metrics that are specific to your business, infrastructure, network, clients, and applications.

Triggers enable you to extract small or large amounts of data across multiple types of network traffic. In the ExtraHop system, an application is a container that collects metric data associated with specified devices and protocols. You can write a trigger that extracts metrics on specific events and devices that represent a cross-section of your network; the resulting application provides a unified view of the metrics.

Additional trigger tasks include:

  • Creating custom metrics and saving them to the ExtraHop Discover appliance datastore.
  • Generating records and writing them to the ExtraHop Explore appliance for long-term storage and retrieval.
  • Sending data to syslog consumers such as Splunk or to third party databases such as MongoDB or Kafka.
  • Initiating packet captures to collect user-specified criteria from individual flows on your network.
  • Parsing TCP and UDP payloads from unsupported protocols through universal payload analysis (UPA).

Concepts and procedures are available in the Triggers section, but the information in the following sections will help you get started:

To learn more about triggers, view the following online training modules:

In the ExtraHop Web UI, the Triggers page lists information about available triggers and provides access to the Trigger Configuration window, where you can write or modify triggers.

The Triggers page contains a list of current triggers with the following information:

Name
The user-defined name of the trigger.
Author
The name of the user that wrote the trigger. Default triggers display ExtraHop for this field.
Events
The system events that cause the trigger to run, such as HTTP_RESPONSE.
Type
The type of metric source for the trigger, such as a device or a network.
Debug Mode
Whether debugging is enabled. If debugging is enabled, output from debug statements in the trigger script is logged in the runtime log output.
ECA
The appliance where the trigger was written. If the trigger was created on an ExtraHop Command appliance, the Command appliance name is displayed. Otherwise, this field displays Local to indicate that the trigger was written on the local Discover node. This column is only available from a Discover node that is in a Command cluster.
Description
The user-defined description of the trigger.
Status
Whether the trigger is enabled. If the trigger is enabled, the number of device assignments also displays.

Plan a trigger

Writing a trigger to collect custom metrics is a powerful way to monitor your application and network performance. However, triggers consume system resources and can affect system performance, and a poorly-written trigger can cause unnecessary system load. Before you write a trigger, evaluate what you want your trigger to accomplish, identify which events and devices are needed to extract the data you need, and determine whether a solution already exists.

  1. Identify the specific information you need to collect. For example:
    • When will my SSL certificates expire?
    • Is my network getting connections on non-authorized ports?
    • How many slow transactions is my network experiencing?
    • What data do I want to send to Splunk through an Open Data Stream?
  2. Review the Metric Catalog to determine whether a built-in metric already exists that extracts the data you need. Built-in metrics do not create additional load on the system.
  3. Identify which system events produce the data that you want to collect. For example, a trigger that monitors cloud application activity in your environment might run on HTTP responses and on the open and close of SSL connections. For a complete list of system events, see the Classes and events section of the ExtraHop Trigger API Reference.
  4. Identify the devices or networks that you want to monitor and collect metrics from. A trigger consumes fewer system resources if you target specific devices instead of all devices of a particular type or group. For example, a trigger that looks for slow responses from your online catalog should be assigned only to HTTP servers that handle catalog transactions and not to all HTTP servers.
  5. Determine how you want to visualize or store data collected by the trigger. For example, you can view metrics on a dashboard or a protocol applications page, you can send records to the ExtraHop Explore appliance, or you can send data to another third-party system, such as Splunk.
  6. Determine if a trigger already exists that meets your needs or might be easily modified; always start with a pre-existing trigger whenever possible. Search the following resources for an existing trigger:

Build a trigger

After you review the planning process, if you determine that you need to write a trigger, review the following steps for creating and configuring a trigger in the Web UI.

Configure the trigger

On the Triggers page, click New to open the Trigger Configuration window. The Configuration tab enables you to set or edit the following trigger attributes:

Name
A name for the trigger.
Author
The name of the user that wrote the trigger. Default triggers display ExtraHop.
Description
An optional description of the trigger.
Priority
The value that determines which trigger should run first if there are multiple triggers that run on the same event. Greater numbers represent higher priority. If the value is the same for multiple triggers, those triggers run in alphabetical order by name.
Status
A checkbox that enables or disables the trigger.
Debug
A checkbox that enables or disables debugging. If you add debug statements to the trigger script, this option enables you to view the output in the runtime log output.
Events
The events on which the trigger runs. The trigger runs whenever one of the specified events occurs on an assigned device; therefore, you must assign at least one event to your trigger. You can click in the field or begin typing an event name to display a filtered list of available events.
Select advanced options
These options vary by the selected events. For example, if you select the HTTP_RESPONSE event, you can set the number of payload bytes to buffer on those events.

The following figure shows an example of attributes set on the Configuration tab:

Write the trigger script

On the Triggers page, the Editor tab contains the editor in which you write the trigger script.

The editor provides an autocomplete feature that displays a list of properties and methods based on the selected class object. For example, you can press CTRL+Space in the editor to display a list of class objects, and after you select a class, you can type a dot (.) to display a list of available properties and methods as shown in the following figure:

The editor also provides syntax validation of your script. When you save the trigger, the editor displays an error message that calls out any invalid lines in the script. You can fix your code and then attempt to save the trigger again, or you can disable syntax validation and continue to save the trigger. Disabling validation applies only to the trigger you are editing; there is no option to disable validation globally.

The following figure shows a sample error message generated by the editor:

Assign the trigger to devices

The Assignments tab displays the devices or networks that the trigger is assigned to.

Warning: We do not recommend enabling the Assign to All option. Running triggers on unnecessary devices exhausts system resources. Minimize performance impact by assigning a trigger only to the specific devices that you need to collect data from.

Although you create and edit triggers from the Triggers page, you assign triggers from the Metrics page. From the Metrics page, you can select a device, device group, or network and then assign a trigger. The UI navigation is slightly different for each metric source.

View runtime log output

The Runtime Log tab displays exceptions and output from debug statements in the trigger script. This tab only displays after the trigger is saved.

Important: You must enable debugging from the Configuration tab to log debug statement output.

For example, the following trigger monitors HTTP connections on selected devices and returns URIs that contain “seattle”.

if (HTTP.uri.match("seattle")){
    Application("Seattle App").commit();
    debug(HTTP.uri);
}

When a match occurs, the URI that contains the match is written to the runtime log as shown in the following figure:

In addition, the runtime log displays any trigger script exceptions whether or not debugging is enabled. You should fix exceptions when they occur to minimize the performance impact on your system. You can also monitor trigger exceptions from the System Health page in the Admin UI.

Monitor trigger performance

The Performance tab displays a graphical representation of the performance impact the trigger has on your environment. This tab only displays after the trigger is saved.

Important: You must enable debugging from the Configuration tab to view trigger performance results.

The performance graph both validates that your script is running and indicates the performance cost by tracking the number of cycles consumed by the trigger in a given time interval as shown in the figure below:

You can hover over data points on the graph to display details about trigger performance at a single point in time as shown in the following figure:

If the trigger impact is high, re-evaluate the purpose of your trigger and consider the following options:

If the trigger impact is acceptable, you can then expand the scope of the metrics you are collecting or expand the sources that the trigger is assigned to. However, after each incremental increase, re-evaluate your trigger to ensure that the cost to your system is not affecting your system performance.

For an example on how to write and evaluate a trigger, see Trigger walkthrough: Track HTTP 404 errors.

Trigger walkthrough: Track HTTP 404 errors

When your customers and clients cannot reach the information they need due to web page errors, you can write a trigger to help you find answers.

For example, when a customer requests a page that your HTTP server cannot find, the server responds with a 404 status code, or “page not found” error. Such responses tend to indicate that the link the customer clicked leads to an invalid URI. It would be useful to know what URI customers are trying to access and to find the referrer, or source, of the invalid link.

In this walkthrough, you will build a trigger that answers the following questions:

  • Are my customers receiving "page not found" errors?
  • What is the URI of the page that results in the error?
  • What is the referrer that caused the error?

You will create a trigger that generates a new custom metric that returns both the invalid URI and the referrer of the invalid URI. You will also create an application that provides a tailored view of your web traffic by collecting web metrics each time a 404 status code occurs on specified devices.

Prerequisites
  • You should familiarize yourself with the concepts in this walkthrough by reading Get started with triggers.
  • You must have access to an ExtraHop Discover appliance with a user account that has limited write or full write permissions.
  • Your ExtraHop appliance must have network data with web server traffic.
  • It is helpful to have basic JavaScript knowledge.
Configure the trigger

In the following steps, you will name and describe the trigger, enable debugging, and configure the trigger to run on HTTP response events.

  1. Click the System Settings icon, and then click Triggers.
  2. Click New to open the Trigger Configuration window.
  3. In the Configuration tab, type a name for the trigger. For this walkthrough, type HTTP 404 Errors.
  4. Type a description of the trigger. For this walkthrough, type Track 404 errors back to the source.
  5. Click Enable Debugging.
  6. Click in the Events field and select HTTP_RESPONSE from the list.
    Note: If you click Save Changes after this step, the window displays an error. You cannot save the trigger if the Editor tab is empty.
The following figure displays the trigger configuration attributes you configured above:

Write a debug statement

Next, add a simple debug statement to familiarize yourself with the trigger editor layout and features.

When the trigger runs, it seeks HTTP response events and checks if the status code in the response is 404. If a 404 status code is detected, the debug call adds the URL that the user attempted to access to the runtime log.

  1. Click the Editor tab.
  2. Add the following code to the editor:
    if (HTTP.statusCode === 404) {
        debug (HTTP.uri);
    }
    Tip: The editor provides some autocomplete capabilities when typing code. For example, typing a dot (.) after selecting a class object results in a list of methods and properties applicable to the HTTP object. You can select the element you want from the list as shown in the following figure:
  3. Click Save and Close.
Assign the trigger to devices

Before the trigger can log output from the debug statement, you must assign the trigger to at least one device or network. For this walkthrough, you will assign the trigger to HTTP servers in an activity group.

After the trigger is assigned, the system runs the trigger each time an HTTP response occurs on any server in that group.

Important: When creating your own triggers, assign them only to the specific devices that you need, to minimize the performance impact of your triggers on the system.
  1. Click Metrics from the top menu.
  2. Click Activity Groups, and then click HTTP Servers.
  3. From the table of HTTP servers, click the checkbox in the header row to select all of the servers.
  4. From the Select Action drop-down menu, click Assign Trigger.
  5. Select the HTTP 404 Errors trigger, and then click OK.
  6. Click the System Settings icon, return to the Triggers page, and select the HTTP 404 Errors trigger to open the Trigger Configuration window.
  7. In the Trigger window, click the Assignments tab and verify that the selected HTTP servers are added.
The tab should look similar to the following figure:

View debug output

After you assign the trigger to HTTP servers, the system runs the trigger when HTTP response traffic occurs, and if any responses contain a 404 status code the system sends results to the runtime log.

To view the results of the debug statement, click the Runtime Log tab from the Trigger Configuration window, which should look similar to the following figure:

Debug output starts as soon as the trigger is assigned and saved; however, the log cannot display data from 404 responses that occurred prior to when the trigger was assigned and saved.

Create a custom metric

The debug statement results have verified that there are URIs resulting in 404 status codes. In this section, you will create a custom metric named "404UriAndReferrer" to extract the invalid URIs and corresponding referrers.

The custom metric will return both the invalid URI and the referrer of the link, enabling you to extract the two data sets in a single result.

To create a custom metric, you must specify a metric source from which the data is extracted, such as an application, network, or device. In this walkthrough, you will create an application named “File Not Found” as the source for the custom metric.

  1. In the Trigger Configuration window, click the Editor tab.
  2. Add the following trigger code, highlighted in green, to the existing script:
    if (HTTP.statusCode === 404){
        debug (HTTP.uri);
        var app = Application("File Not Found");
    }
    This code declares the application as a variable and specifies the application name. We recommend that you declare a variable for methods that you intend to call more than once to reduce resource consumption by the trigger. In this walkthrough, the code will call the application twice.
  3. Add the following trigger code, highlighted in green, to the existing script:
    if (HTTP.statusCode === 404){
        debug (HTTP.uri);
        var app = Application("File Not Found");
        app.metricAddDetailCount(
            "404UriAndReferrer",
            "404:" + HTTP.uri + " | REFERRER:" + HTTP.referer,
            1);
    } 
    The metricAddDetailCount method specifies the metric name and the event property data returned by the metric. The method also specifies the format of the extracted data as 404: <uri> | REFERRER: <uri> when displayed in a chart. See the Application section of the ExtraHop Trigger API Reference for more information about custom metric methods.
  4. Click Save and Close.
After the code is saved, the ExtraHop system adds the new custom metric to the Metric Catalog and creates the application. At this point, the application is a metric source only; the application does not collect built-in metrics. See the Application section of the ExtraHop Trigger API Reference for more information.
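
The key format from step 3, replayed offline as an added example (not ExtraHop code and not part of the original walkthrough): it compares the walkthrough's concatenated key with a normalized one, because every distinct key string becomes its own detail entry in the metric. The Application stub, the sample events, the MAX_KEY_LEN cap, and the premise that HTTP.referer can be null or carry a query string are assumptions of this example.

```javascript
// Added example. The helpers use ES5 syntax; the stub runtime and the sample
// events are constructed here so the logic can be checked offline in Node.js.

var MAX_KEY_LEN = 256; // assumed cap on key length, not an ExtraHop limit

// Key exactly as the walkthrough builds it.
function walkthroughKey(uri, referer) {
    return "404:" + uri + " | REFERRER:" + referer;
}

// Referer with query string and fragment removed; a missing header becomes
// "(none)" instead of the literal text "null".
function normalizeReferer(referer) {
    if (referer === null || referer === undefined || referer === "") {
        return "(none)";
    }
    var cut = referer.search(/[?#]/);
    return cut === -1 ? referer : referer.slice(0, cut);
}

// Same layout as the walkthrough's key, but normalized and length-bounded.
function boundedKey(uri, referer) {
    var key = "404:" + (uri || "(unknown)") +
              " | REFERRER:" + normalizeReferer(referer);
    return key.length > MAX_KEY_LEN ? key.slice(0, MAX_KEY_LEN) : key;
}

// Stub of the Application object: records calls instead of committing metrics.
function makeStubRuntime() {
    var state = { counts: {}, commits: 0 };
    state.Application = function (name) {
        return {
            metricAddDetailCount: function (metric, key, n) {
                var id = name + " / " + metric + " / " + key;
                state.counts[id] = (state.counts[id] || 0) + n;
            },
            commit: function () { state.commits += 1; }
        };
    };
    return state;
}

// The walkthrough's trigger body, with HTTP, Application and the key builder
// passed in as parameters so it can run outside the appliance.
function on404(HTTP, Application, keyFn) {
    if (HTTP.statusCode === 404) {
        var app = Application("File Not Found");
        app.metricAddDetailCount("404UriAndReferrer",
                                 keyFn(HTTP.uri, HTTP.referer), 1);
        app.commit();
    }
}

// Constructed HTTP_RESPONSE events (not captured traffic).
var SAMPLE_EVENTS = [
    { statusCode: 404, uri: "shop.example.com/catalog/item-17",
      referer: "https://shop.example.com/search?q=boots&sid=CONSTRUCTED-1" },
    { statusCode: 404, uri: "shop.example.com/catalog/item-17",
      referer: "https://shop.example.com/search?q=hats&sid=CONSTRUCTED-2" },
    { statusCode: 404, uri: "shop.example.com/old-page", referer: null },
    { statusCode: 200, uri: "shop.example.com/", referer: null }
];

// Run every event through the trigger body and report what was recorded.
function replay(events, keyFn) {
    var rt = makeStubRuntime();
    events.forEach(function (ev) { on404(ev, rt.Application, keyFn); });
    return { counts: rt.counts, keys: Object.keys(rt.counts), commits: rt.commits };
}

var before = replay(SAMPLE_EVENTS, walkthroughKey);
var after = replay(SAMPLE_EVENTS, boundedKey);
console.log("walkthrough keys:", before.keys);
console.log("normalized keys:", after.keys);
```

With the walkthrough's key, the two requests for the same missing page land in separate entries because their referrers differ only in the query string, and the header-less request is recorded as REFERRER:null.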
View the custom metric in a chart

To view your custom metric, you must add it to a chart widget on a dashboard. In the chart, the custom metric will reveal which URIs are invalid and the referrer of each invalid link.

For more information about viewing metrics on a dashboard, see Get started with dashboards.

  1. On the Dashboard page, click the command menu in the upper right corner, and select Create Chart.
  2. Click the empty chart widget in your newly created dashboard to launch the Metric Explorer.
  3. Click Add Source.
  4. Type and select File Not Found, which is the application created by the trigger.
  5. In the Metrics field, type 404 and then select 404 Uri and Referrer, which is the custom metric created by the trigger.
    Note: The ExtraHop system converts the custom metric name you specified in the code to a friendly display name. In this walkthrough, “404UriAndReferrer” is converted to “404 Uri And Referrer”. You can edit the friendly display name in the Metric Catalog.
  6. Select the Bar chart type from the bottom of the Metric Explorer.
  7. In the lower right corner, click Add to Dashboard and select New Dashboard.
  8. Type a name for your dashboard in the Title field. For this walkthrough, type HTTP 404 Errors.
  9. Click Create.
The chart containing data extracted from the custom metric is automatically added to the new dashboard. The dashboard output should look similar to the following figure:

Gather built-in metrics in the application

In the previous steps, you added code to the script to create an application as the source of your new custom metric. In this section, you will add code that enables the application to gather built-in HTTP metrics, but not custom metrics, to provide a tailored view of your web traffic each time a 404 status code occurs on the specified devices.

  1. In the Trigger Configuration window, click the Editor tab.
  2. Add the following trigger code, highlighted in green, to the existing script:
    if (HTTP.statusCode === 404){
        debug (HTTP.uri);
        var app = Application("File Not Found");
        app.metricAddDetailCount(
            "404UriAndReferrer",
            "404:" + HTTP.uri + " | REFERRER:" + HTTP.referer,
            1);
        app.commit();
    }
  3. Click Save and Close.
View the application and metric pages

The new “File Not Found” application is created the first time the trigger runs and the conditions specified by the trigger script are met. After you commit the application, it might take several minutes before the trigger runs and data is available in the application.

The committed application adds built-in metric data relevant to the conditions defined by your trigger each time the trigger runs. In this walkthrough, built-in HTTP metrics are added to the application each time an HTTP response results in a 404 status code on the selected devices.

The application displays the collected data on one or more protocol pages. Protocol pages are automatically created depending on the protocol objects included in your trigger. In this walkthrough, because the trigger runs on HTTP responses, the “File Not Found” application contains a protocol page called Web that displays built-in HTTP metrics. If you create a trigger configured to run on SSL events, the application displays a page of built-in SSL metrics, and a trigger that runs on Flow events displays a page of built-in L4 metrics.

  1. Click Metrics from the top menu.
  2. In the left pane, click Applications, and then select the File Not Found application.
  3. In the left pane, click Web to view the built-in HTTP metrics collected in the application.
The Web page should look similar to the following figure:

Check the trigger performance

Triggers are a powerful tool that can provide detailed insight to your environment; however, triggers consume resources and affect system performance. In this section, you will check the performance impact of the trigger and learn about small changes you can make to improve performance.

The trigger performance graph provides the number of cycles the trigger has consumed within the specified time interval. You can hover over a data point to display details about trigger performance at a single point in time.

In the Trigger Configuration window, click the Performance tab; the performance graph looks similar to the following figure:

Tip: The System Health page in the Admin UI provides additional trigger performance charts that enable you to monitor the cumulative effect of all of your triggers on the system.

Try making the following changes, and then check the performance graph to view any changes:

  • Comment out the debug statement. You have verified that the trigger works and is collecting the custom and built-in metrics you want; you no longer need the debug output.
    Tip: Although you can simply disable debugging on the Configuration tab, doing so also disables monitoring on the Performance tab. Comment out the debug statement to continue monitoring the performance of this trigger.
  • Reassign the trigger to specific devices instead of all HTTP servers in the activity group.

For additional trigger optimization tips and tricks, see the ExtraHop Trigger API Reference and the following Trigger Optimization 101 blog posts in the ExtraHop Community Forums:

Get started with records

The ExtraHop Discover appliance already enables you to summarize data or export data to external stores through Open Data Stream and ExtraHop Application Inspection Triggers. However, sometimes details are needed for every transaction, and the ExtraHop Explore appliance makes that level of granularity possible through records.

Records are structured information about transaction, message, and network flows that are generated and sent from a Discover appliance to an Explore appliance for storage and retrieval.

With the Discover appliance, you start with a high-level view of your Discover appliance data, and then drill down to devices. With records stored on an Explore appliance, you can drill down to individual transactions from those devices, or you can query for an outlying transaction—one with an overly-long processing time or unusual response size, for example—and then drill down from there to get answers in real time.

Detail metrics display summary information, such as timing or counts for a set of flows or transactions, and you can then drill down to see the records about the individual flows and transactions stored on the Explore appliance.

Comprehensive concepts and procedures about record queries are available in the Records section, but the information in the following sections will help you get started.

Generate records for storage and retrieval

When one or more Discover appliances are paired to an Explore appliance, records configuration options become available through the Web UI and Admin UI.

All ExtraHop users can query for stored records; however, only users with full write privileges can write triggers to determine which records are generated and sent to an Explore appliance.

Generate records through triggers

Triggers are custom scripts that perform an action upon a pre-defined event and determine what information is generated and sent to the Explore appliance.

For example, if you want to generate records for all HTTP responses through the built-in HTTP record format, you can write the following trigger for the HTTP_RESPONSE event:
HTTP.commitRecord()

Next, assign the trigger to all relevant web servers on your network.

After the trigger-generated records have been stored in the Explore appliance, you can query for the transaction details for all HTTP transactions on your network involving those designated web servers.

For complete information on triggers, see the Get started with triggers section.

Record sources

You can generate records from multiple sources.

Flow records

Flow records show network-layer communication between two devices over an (L3) IP protocol.

The automatic generation of flow records is enabled through the Admin UI. By configuring basic filters (such as IP address and port range), you can specify which flow records are generated. Flow records are generated and sent when a flow terminates, or periodically generated and sent for flows that remain active for an extended period of time. You can write a trigger, with more complex filtering logic, to collect only the flow records that you need.

For more information, see the Automatic Flow Records section in the ExtraHop Admin UI Guide.

L7 records

L7 records show details from individual messages or transactions over L7 protocols. There are three types of supported protocols: transactional (such as HTTP, CIFS, and NFS), message-based (such as ActiveMQ, DNS, and DHCP), and session-based (such as SSL and ICA).

Built-in L7 records are generated by triggers assigned to protocol events (such as HTTP responses).

Records, record types, and record formats

First, let’s take a look at some basic definitions.
Records
A JSON object that contains fields, where each field is a name and a value pair. The value can be a string, number, boolean, array, or nested object.
Record types
A string that is part of each record. Record types link the records that are indexed and stored in the Explore appliance with the record format in the Web UI.
Record formats
A schema on read that determines how each record displays in the Web UI. The Discover and Command appliances have built-in record formats for all built-in record types, and although you cannot modify a built-in record format, you can create a custom record format.

Record format settings are available through the System Settings page. A list of all built-in and custom record formats can be viewed here. When you select a record format from the left pane in the Record Format Settings window, the parameters and schema for that record format display in the right pane. You can also copy the schema of any record format as a starting point when creating a new custom record format.

For more information, see the Records section.

After records are sent to an Explore appliance, you can query and display the information stored in those records. In addition, you can save record queries to run at a later time.

You can query records that are stored in the Explore appliance from four areas in the ExtraHop Web UI:

  • Click Metrics, and then click Record Queries from the left pane. This page displays a list of saved queries and enables you to create new queries.
  • Type a search term in the global search box at the top of the screen and click Global Records Query to start a query across all stored records.

  • Click the Records icon from the panel of Action icons on an application or device protocol page that has built-in record formats. This option queries for records that match the selected metric source and protocol.

  • Click the Records icon in the left-hand column from any drill-down metrics page. This option queries for records that match the selected metric source, protocol, and detailed stat value.

For a detailed example of a record query, see Records walkthrough: discovering missing web resources.

Records walkthrough: discovering missing web resources

When customers visit your website, a link that results in a "HTTP 404 - File not found" error message can be frustrating and might cause customers to leave your site without finding what they were searching for.

In this walkthrough, you will drill down on HTTP transaction metrics to discover the source of 404 errors and identify any missing resources on your web server.

Prerequisites
  • Familiarize yourself with the concepts in this walkthrough by reading the Get started with records section.
  • You must have access to an ExtraHop Discover appliance that is paired to an Explore appliance or cluster.
  • Your user account must have full write privileges to create a trigger.
  • Your ExtraHop appliance must have network data with web server traffic and HTTP records that are being written to the Explore appliance. If you do not have access to web server data, you can perform this walkthrough in the ExtraHop demo.
Write a trigger to generate HTTP records

Before you can query for records, you must write a trigger to generate a record every time an HTTP response occurs on specified devices or networks.

Note: If you are performing this walkthrough in the ExtraHop demo, the trigger has already been created, and you can proceed to the Start a new query section.
  1. In the Web UI, click the System Settings icon and then click Triggers.
  2. On the Triggers page, click New.
  3. Type a name for the trigger in the Name field. For this walkthrough, type HTTP response.
  4. Select the Enable Debugging checkbox to help you validate that the script is running correctly.
  5. Click in the Events field and select HTTP_RESPONSE.
  6. Click the Editor tab.
  7. In the Trigger Script editor, type the following code:
    HTTP.commitRecord()
    debug ("committing HTTP record")

    HTTP.commitRecord() is the method that generates the HTTP records, and "committing HTTP record" is the text string that is written to the debug log when the trigger successfully commits the record.

  8. Click Save and Close.
Assign the trigger to an HTTP server

Next, you will assign the trigger to a web server on your network that you want to collect HTTP records for.

  1. Click Metrics.
  2. In the left pane, click Activity Groups.
  3. In the content pane, click HTTP Servers.
  4. Select one of your HTTP servers in the HTTP Server list.
  5. In the Select Action drop-down menu, select Assign Trigger.
  6. In the Assign Triggers dialog box, select the checkbox next to the trigger you created and then click OK.
  7. Verify that the trigger is assigned to the web server by returning to the Triggers page in System Settings, clicking your trigger, and then clicking the Assignments tab. The web server should be listed in the Assignments section.
  8. Next, verify that your trigger is generating HTTP records by clicking the Runtime Log tab. If the trigger is working correctly, you should see a committing HTTP record entry similar to the following:
Start a new query

Now, you will create a new query to view all of the HTTP data received in the last 24 hours.

  1. Click on the Global Time Selector, select Last day and then click Save.
  2. Click Metrics.
  3. In the left pane, under Records, click Record Queries.
  4. In the content pane click New Query. The record results for all records appear in the content pane.
Filter for HTTP traffic

Next, filter the results of your query to only display the metrics related to HTTP records.

  1. From the Record Type drop-down menu, select HTTP and then click out of the field. The content pane updates to display the HTTP transactions and in the left pane, the most common values for Method and Status Code appear.
  2. The following figure shows the results of the query. In this example, there are 3,796 records with a 404 status code.
Refine results

Refine the results further to get a clearer picture of which server is supposed to store the requested resource, the client that is requesting the resource, and finally the path to where the resource should be located.

  1. Click 404 in the Status Code section in the left pane. Results similar to the following appear in table view.
  2. From the Group By drop-down list in the left pane, select URI. You now have a list of URIs that are returning 404 errors. In the figure below, the builder.example.com:8080/version/build-version.htm URI appears to be problematic, recording over 1,600 errors.
  3. Click the URI with the highest count of 404 errors and then click the equals sign (=) to add the URI as a filter.
  4. Find the client or clients that are making the request for that URI. From the Group By drop-down list, select Client Address. From this result, you can see that only one client is requesting this URI that is returning a 404 status code.
Interpreting results

So, what do you know now? With a few simple clicks, you were able to drill down to find a specific client that was requesting a specific URI from a specific server. You now have the information to track the errors back to the source and resolve the 404 error.

Get started with alerts

The Discover appliance associates a baseline value with every metric collected and enables users to set alerts for these metrics. Alerts make it easy to inform your teams when there are network, device, or application anomalies or Software License Agreement (SLA) violations. You can configure the ExtraHop system to send an email message or an SNMP trap to designated people in your organization.

The Discover appliance has two different types of alerts, threshold and trend. Threshold-based alerts are triggered when a monitored metric crosses a defined value in a time period. These types of alerts are useful for monitoring SLA violations. Trend-based alerts are triggered when a network statistic is outside of the normal trends observed by the system. These types of alerts are useful for metrics where errors are meaningful and thresholds are difficult to define. Because trend-based alerts need historical data to define a trend, these alerts are triggered approximately three or four days after the Discover appliance has collected data about your network activity.

The Alerts top menu enables you to view system alerts information. When you select Alerts from the top menu, the left pane displays available alert information in the system.

The following fields and controls are available in the Alerts left pane.

Alert History
Enables you to view detected system alerts.
Trouble Groups
Enables you to view built-in metrics groups that have been identified as having problems.

When you select Alerts from the top menu, the content pane displays the latest alerts that you viewed.

For information about creating and configuring alerts, see the Alerts section.

Dashboards

A dashboard is an HTML page that displays real-time and historic data for any built-in or custom metric in the ExtraHop platform. In a dashboard, data is displayed in widgets, and widgets are assembled in regions.

Dashboards are stored separately for each user that accesses the ExtraHop Discover appliance. After you build a custom dashboard, you can share it with other ExtraHop users.
Tip: Essentials dashboards are created by ExtraHop staff to display common and related network metrics. A set of dashboards is available in the Essentials bundle on your ExtraHop appliance. For more information, see the Essentials bundle section.

This section contains information about system dashboards and procedures on how to create, configure, and manage custom dashboards.

Note: To learn more about dashboards, view the following training modules:

System dashboards

Any ExtraHop user with an active account can log in and view system dashboards, which are built into the ExtraHop system. The Activity dashboard and Network dashboard are system dashboards that provide a top-down perspective of all the activity happening on your network.

Note:System dashboards cannot be modified.

Activity dashboard

The built-in Activity dashboard displays the following information about your network.

Traffic Overview
View the types of traffic on your network. For example, the Top L7 Protocols chart displays the most active application protocols. The protocol with the most area, or color, in the chart has the highest volume of packet transmissions during the selected time interval. In the Alert History widget, you can also view up to 40 of the latest alerts that were generated, and their severity levels.
Active Protocols
View important metrics and activity about specific application protocols.
Note:In the ExtraHop Command appliance, you can display the Activity dashboard for each Discover node. The node name appears in the navigation bar; click the down arrow next to the node name to pivot the display to other nodes.

Network dashboard

The built-in Network dashboard displays the following information about your network.

Network L2 metrics
View raw data throughput at the data link layer (L2). You can view throughput, the packet rate, and the breakdown of frame counts by distribution and type.
Network L4 metrics
View TCP activity through connection, request, and response metrics. This data can indicate how effectively data is being sent and received across the transport layer (L4) in your network.
Network Performance
View overall network performance by reviewing the throughput per application protocol and the magnitude of high TCP round trip times.
Network L3 metrics
View data throughput at the Internet layer (L3), and see packets and traffic by TCP/IP protocols.
DSCP
View a breakdown of packets and traffic by Differentiated Services code points, which are part of the DiffServ network architecture. Every IP packet contains a field that expresses the priority with which the packet should be handled. These priorities are called differentiated services, and the values for the priorities are called code points.
Multicast Groups
View traffic sent to multiple receivers in a single transmission, and see packets and traffic by each receiver group. Multicast traffic on a network is organized into groups based on destination addresses.
Note:In the ExtraHop Command appliance, you can display the Network dashboard for each Discover node. The node name appears in the navigation bar; click the down arrow next to the node name to pivot the display to other nodes.

Custom dashboards

Before you create a custom dashboard, it is best to first determine which metrics you want to visualize and monitor in your dashboard. For example, it helps to have a question you want to answer, or an idea of which sources (applications, devices, groups, and networks) you want to monitor on a regular basis.

We recommend that you review the Get started with dashboards section before building your own dashboards.

Create a dashboard

When you create a dashboard, a region containing an empty chart and text widget appears for you to configure. You can expand the region to include a maximum of six charts that are of minimum width. Region and dashboard length are unlimited.

  1. On the Dashboards page, create a dashboard by completing one of the following steps:
    • Click New Dashboard at the bottom of the left pane (dashboard dock).
    • Click the command menu in the upper right corner of the page and select New Dashboard.
  2. In the Dashboard Properties window, review the following:
    Title
    Type a name for the dashboard.
    Author
    Type your name.
    Description
    Type a brief description of the dashboard.
    Permalink
    (Optional) To change the five-character unique identifier in the permalink, click the link and type a meaningful name.
    Note:The permalink name can have up to 100 characters combining letters, numbers, and the following symbols: ._-+)[]. The name cannot contain spaces.
    Editors
    Specifies the names of users that have editing access for the dashboard. The default editor is the author. Add editors to your dashboard by sharing your dashboard. For more information, see the Share a dashboard section.
    Theme
    Select a radio button to specify a style for the dashboard. Select Light, Dark, or Space.
  3. Click Create.
    The new dashboard is populated with a region that contains an empty chart and text box widget. You can now edit your chart and edit your text box.
  4. Click Exit Layout Mode when you are satisfied with your changes.
    Important:You can also build a dashboard from a protocol page for an application, device, network, or device group. This method enables you to quickly add charts to a new or existing dashboard as you discover interesting metrics while browsing the Web UI. For more information, see the Create a chart section.

Configure a dashboard

The following procedures explain how you can modify new or existing custom dashboards.

If you want to learn how to create a new dashboard, see the Dashboard components and Create a dashboard sections.
Note:You can only modify custom dashboards for which you have editing privileges.

There are several ways to configure a dashboard. For more information, see the following sections:

Change dashboard properties

After you create a dashboard, you can modify the metadata that is associated with that dashboard through the dashboard properties options.

  1. On the Dashboards page, click the command menu in the upper right corner of the page, and select Dashboard Properties.
  2. In the Dashboard Properties window, you can modify the following fields:
    Title
    Change the dashboard name.
    Author
    Change the author name.
    Description
    Change the description of the dashboard.
    Permalink
    Change the URL for the dashboard. By default, the permalink is a five-character unique identifier. You can change the identifier to a friendly name.
    Note:The permalink name can have up to 100 characters combining letters, numbers, and the following symbols: ._-+)[]. The name cannot contain spaces.
    Sharing
    To share a dashboard with users who can view and edit, click the link. For more information, see the Share a dashboard section.
    Editors
    View the list of ExtraHop Web UI users with editing access to the dashboard. To change the users, click Sharing.
    Theme
    Select Light, Dark, or Space to change the colors and appearance of the dashboard.
  3. Click Save.
Edit a chart

Add metrics to a dashboard chart and configure how your data is displayed with the Metric Explorer.

Note:You can display rates (such as an average rate, maximum rate, or minimum rate) or percentiles in your chart, depending on the metric you select. For more information, see the Display rates or counts in a chart and Display percentiles or a mean in a chart sections.
  1. Open the Metric Explorer through one of the following steps:
    • On the Dashboard page, click the command menu in the upper right corner and select Edit Layout. Click anywhere within a chart.
    • If the dashboard page is not in layout mode (you did not select Edit Layout), click the command menu in the upper right corner of a chart, and then click Edit.
  2. Select a source and metric, which creates a metric set, by completing the following steps:
    1. Click Add Source.
    2. In the source search field, type the name of a source, such as an application, device, device group, or network.
      Tip:Underneath the search field, click Any Type to filter search results to a specific source type.
    3. Click the source you want to add.
    4. In the metric search field, type the keywords for the metric you want to view. For example, to view HTTP transaction data coming from a client to your web servers, type HTTP requests.
      Tip:Underneath the search field, click Any Protocol to filter search results to a specific protocol or custom metric.
    5. Click the metric you want to add.
      Note:To remove a metric, click the x icon in the upper left corner in the metric field. Or, to replace a metric, click the metric name to open a new search.
    6. To add additional sources to your metric set, click Add Application, Add Device, Add Group, or Add Network, and then search for and select the source you want to add.
      Note:

      You can only specify one source type (such as an application, device, or network) for a metric set. For example, if you select the All Activity application as the source for your first metric set, you can only add additional applications to that metric set.

    7. Optional: To add metrics to your metric set, click Add Metric and then search for the metric you want to include in the metric set.
    8. Optional: To add a new metric set, click Add Source beneath the current metric set.
  3. Select a chart type from the bottom of the Metric Explorer. For more information, see the Chart types section.
  4. Optional: Select a detail metric to drill down on your data, if available for your selected metric. For more information, see the Drill down to display detail metrics in a chart section.
  5. Optional: In the preview pane, click Last 30 minutes to select a different time interval and see how your data appears at different time points.
    Note:The time interval you preview in the Metric Explorer does not apply to your saved dashboard.
  6. Specify additional data calculation and display options:
  7. Click Save.
Chart types
Chart types effectively control how your data is displayed in a dashboard. The Metric Explorer has several chart types, some of which carry restrictions. For example, you can only display dataset metric types in a heatmap or histogram chart.
Tip:Hover your mouse over each chart type in the ExtraHop Web UI to learn about any metric or configuration requirements.
Learn more about each chart type in the following sections:
| Chart type | Description | Compatible metrics |
|---|---|---|
| Area chart | Displays metric values as a line that connects data points over time, with the area between the line and axis filled in with color. | Any metric type. |
| Bar chart | Displays the total value of metric data as horizontal bars. | Any metric type. |
| Candlestick chart | Displays data calculations for a distribution of metric values over time. | Dataset metric type and high-precision, or 1-second, network (L2) count metrics. |
| Column chart | Displays metric data as vertical columns over a selected time interval. | Any metric type. |
| Heatmap chart | Displays a distribution of metric data over time, where color represents a concentration of data. | Dataset metric type only. |
| Histogram chart | Displays a distribution of metric data as vertical bars, or bins. | Dataset metric type only. |
| Line chart | Displays metric values as data points in a line over time. | Any metric type. |
| Line & column chart | Displays metric values as a line, which connects a series of data points over time, with the option to display another metric as a column chart underneath the line chart. | Any metric type. |
| List chart | Displays metric data as a list with optional sparklines that represent data changes over time. | Any metric type. |
| Pie chart | Displays metric data as a portion or percentage of a whole. | Count, maximum, snapshot metric types only. |
| Status chart | Displays metric values in a column chart and the status of an alert assigned to both the source and metric in the chart. | You can only select one source and metric to display in this chart. |
| Value chart | Displays the total value for one or more metrics. | Any metric type. |

Area chart

The area chart displays metric values as a line that connects data points over time, with the area between the line and axis filled in with color. If your chart contains more than one metric, data for each metric is displayed as an individual line, or a series. Each series is stacked together to illustrate the cumulative value of the data. Select the area chart to see how the accumulation of multiple metric data points over time contribute to a total value. For example, an area chart can reveal how various protocols contribute to total protocol activity.

Tip:You can isolate individual series in the chart by clicking on the legend.
Available metrics for this chart

This chart is compatible with any metric type.

The types of data calculations that you can display in this chart include rates, percentiles, and the mean.

Bar chart

The bar chart displays the total value of metric data as horizontal bars. Select the bar chart when you want to compare the data for more than one metric for a selected time interval.

Available metrics for this chart

This chart is compatible with any metric type.

The types of data calculations that you can display in this chart include rates, percentiles, and the mean.

Candlestick chart

The candlestick chart displays data calculations for a distribution of metric values over time. A line at each time interval displays three or five data points. If the line has five data points, it contains a body, middle tick mark, an upper shadow line, and a lower shadow line. If the line has three data points, it contains a middle tick mark. Select the candlestick chart to view the variability of data calculations for a specific period of time.

Available metrics for this chart

This chart is compatible with the dataset metric type and high-precision, or 1-second, network (L2) count metrics.

The types of data calculations that you can display in this chart include:

Summary
Summary displays the 95th, 75th, 50th, 25th, and 5th percentile values for dataset metrics. The line will contain five data points. The body represents the range from the 25th percentile to the 75th percentile. The middle tick mark represents the 50th percentile (median). The upper shadow line represents the 95th percentile. The lower shadow represents the 5th percentile.
Percentiles...
Percentile displays either three or five custom percentiles for dataset metrics. Each percentile you enter must be separated by a comma and space. If you specify three data points, the line represents the range of percentile values. The middle tick mark represents the middle value. The upper shadow represents the top range for your selection. The lower shadow is the bottom range of your selection.
Rate summary
The Rate Summary displays the maximum, minimum, and average rates for the following 1-second network bytes and packets metrics:
  • Network source > Network Bytes (total throughput)
  • Network source > Network Packets (total packets)
  • Device source > Network Bytes (combined inbound and outbound throughput by device)
  • Device source > Network Bytes In (inbound throughput by device)
  • Device source > Network Bytes Out (outbound throughput by device)
  • Device source > Network Packets (combined inbound and outbound packets by device)
  • Device source > Network Packets In (inbound packets by device)
  • Device source > Network Packets Out (outbound packets by device)

The upper and lower parts of the line represent the range between the maximum and minimum rates. A middle tick mark represents the average rate.

Tip:Hover over a line to view the values of percentiles and count (total number of events that occurred) for a data point.
Column chart

The column chart displays metric data as vertical columns over a selected time interval. If your chart contains more than one metric, data for each metric is displayed as an individual column, or a series. Each series is stacked together to illustrate the cumulative value of the data. Select the column chart to compare how accumulation of multiple metric data points at a specific time point contribute to a total value.

Tip:Click the legend to isolate individual series.
Available metrics for this chart

This chart is compatible with any metric type.

The types of data calculations that you can display in this chart include rates, percentiles, and the mean.

Heatmap chart

The heatmap chart displays a distribution of metric data over time, where color represents a concentration of data. The heatmap legend displays how color corresponds to frequency. Frequency is the number of times a metric value was observed at a specific time interval in the chart. Select the heatmap when you want to identify patterns in the distribution of data.

Note:The dashboard properties theme, such as Light, Dark, or Space, affects whether a darker or lighter color indicates a higher concentration of data points.
The chart displays a default data range between the 5th and 95th percentiles, which filters outliers from the distribution. Outliers can skew the scale of data displayed in your chart, making it more difficult to spot trends and patterns for the majority of your data. However, you can choose to view the full range of data by changing the default filter in the Options tab. For more information, see the Filter outliers section.
Available metrics for this chart

This chart requires a dataset metric type only.

The types of data calculations that you can display in this chart include percentiles.

Histogram chart

The histogram chart displays a distribution of metric data as vertical bars, or bins. The default view displays a data range from the 5th to 95th percentile (5th-95th), which filters outliers from the distribution. The minimum to maximum (Min-Max) view displays the full data range. Click the magnifying glass in the upper right corner of the chart to toggle between the two views. Select the histogram chart to view the shape of how data is distributed.

Note:Your toggle selection (between the 5th-95th and Min-Max views) will persist for your chart, but not for the users that you shared your dashboard and chart with. To set a persistent toggle selection before sharing a dashboard, see the Filter outliers section.

Data is distributed into bins on a linear or log scale. First, the data range automatically determines whether the chart has a linear or log scale. Then, data is placed into bins. When the data range spans several orders of magnitude, data is placed into bins on a log scale, and Min-Max (log) appears in the upper right corner of the chart. Typically, the 5th to 95th percentile data range does not require a log scale.

Click-and-drag to zoom in on multiple bins or a specific bin. Click the magnifying glass again in the upper right corner of the chart to zoom out to the original view (either 5th-95th or Min to Max).

Note:Zooming in to view a custom time interval does not change the global or region time interval.
Note:The histogram widget can export a CSV file. The tabular data includes the following columns:
  • Interval
  • Bin start value
  • Bin end value
  • Frequency
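
The two histogram views and the CSV columns described above, as an added Python example (not ExtraHop code). The nearest-rank percentile method, the five-bin count, the cut-off of three orders of magnitude for switching to a log scale, and all function names and sample values are assumptions made for illustration.

```python
import csv
import io
import math


def percentile(sorted_vals, p):
    """Nearest-rank percentile (assumed method) of an already sorted list."""
    rank = max(1, math.ceil(p * len(sorted_vals) / 100))
    return sorted_vals[rank - 1]


def histogram(values, view="5th-95th", bins=5, log_orders=3):
    """Bin values as the text describes and return (scale, rows).

    rows are (bin_start, bin_end, frequency). The bin count and the
    log_orders cut-off for "several orders of magnitude" are assumptions.
    """
    vals = sorted(values)
    if view == "5th-95th":
        lo, hi = percentile(vals, 5), percentile(vals, 95)
        vals = [v for v in vals if lo <= v <= hi]  # outliers are filtered out
    lo, hi = vals[0], vals[-1]

    # The data range decides the scale first; only then is data placed in bins.
    use_log = lo > 0 and hi > lo and math.log10(hi / lo) >= log_orders
    to_axis = math.log10 if use_log else float
    from_axis = (lambda x: 10 ** x) if use_log else (lambda x: x)

    a, b = to_axis(lo), to_axis(hi)
    width = (b - a) / bins or 1.0  # all values equal: fall back to width 1
    freq = [0] * bins
    for v in vals:
        # min() keeps the maximum value inside the last bin.
        freq[min(bins - 1, int((to_axis(v) - a) / width))] += 1

    rows = [
        (round(from_axis(a + i * width), 2),
         round(from_axis(a + (i + 1) * width), 2),
         freq[i])
        for i in range(bins)
    ]
    return ("log" if use_log else "linear"), rows


def to_csv(interval, rows):
    """Render rows with the four columns listed in the note above."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Interval", "Bin start value", "Bin end value", "Frequency"])
    for start, end, count in rows:
        writer.writerow([interval, start, end, count])
    return out.getvalue()


# Constructed sample: 96 server processing times of 10-49 ms plus four
# 50,000 ms outliers.
SAMPLES = [10 + (i % 40) for i in range(96)] + [50000] * 4

if __name__ == "__main__":
    for view in ("5th-95th", "Min-Max"):
        scale, rows = histogram(SAMPLES, view=view)
        print(view, "->", scale)
        print(to_csv("Last 30 minutes", rows))
```

In the constructed sample, the four 50,000 ms values are absent from the 5th-95th view and appear only in the last bin of the Min-Max (log) view.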
Available metrics for this chart

This chart requires a dataset metric type only.

The types of data calculations that you can display in this chart include percentiles.

Line chart

The line chart type displays metric values as data points in a line over time. If your chart contains more than one metric, data for each metric is displayed as an individual line, or a series. Each series overlaps. Select the line chart to compare changes over time.

Tip:Click the legend to isolate individual series.
Available metrics for this chart

This chart is compatible with any metric type.

The types of data calculations that you can display in this chart include rates, percentiles, and the mean.

Line & column chart

The line & column chart type displays metric values as a line, which connects a series of data points over time, with the option to display another metric as a column chart underneath the line chart. If your chart contains more than one metric (for example, HTTP Requests and HTTP Errors), you can select Display as Columns to display one of the metrics as a column chart underneath the line chart. Select the line & column chart to compare different metrics at different scales in one chart. For example, you can view error rates and the total number of HTTP responses in one chart.

Note:Columns are displayed in the color red by default. To change this color to dashboard properties theme colors, click Options and deselect Display columns in red.
Available metrics for this chart

This chart is compatible with any metric type.

The types of data calculations that you can display in this chart include rates, percentiles, and the mean.

List chart

The list chart displays metric data as a list with optional sparklines that represent data changes over time. Select the list chart to view long lists of metric values, such as detail metrics.

Available metrics for this chart

This chart is compatible with any metric type.

The types of data calculations that you can display in this chart include rates, percentiles, and the mean.

Pie chart

The pie chart displays metric data as a portion or percentage of a whole. If your chart contains more than one metric, data for each metric will be represented as a single slice, or series, in the pie chart. Select the pie chart to compare the metric values that are mutually exclusive, such as status code detail metrics for the top-level HTTP Response metric.

You can configure your pie chart to display as a donut chart by selecting Show total value from the Options tab.

To set a specific number of digits displayed in your chart, see the Change percentile precision section.

Available metrics for this chart

This chart requires a count, maximum, or snapshot metric type only.

You can only view rates and count in this chart.

Status chart

The status chart type displays metric values in a column chart and the status of an alert assigned to both the source and metric in the chart. The color of each column represents the most severe alert status of the configured alert for that time interval. Select the status chart to see how data and the alert status for your metric change over time.

For more information about configuring alerts, see the Alert settings section.

To view the status of all of the alerts associated with the selected metric category, click Show Related Alerts. A list of alerts will then be displayed underneath the column chart.

Available metrics for this chart

You can only select one source and metric to display in this chart. This chart is compatible with any metric type.

The types of data calculations that you can display in this chart include rates, percentiles, and the mean. However, you cannot display a summary of percentiles (from the 5th to 95th percentiles).

Value chart

The value chart type displays the total value for one or more metrics. If you select more than one metric, metric values are displayed side-by-side. You can also add optional sparklines that represent data changes over time. Select the value chart to see the total value of important metrics, such as the total number of HTTP errors occurring on your network.

Available metrics for this chart

This chart is compatible with any metric type.

The types of data calculations that you can display in this chart include rates, percentiles, and the mean.

Alert history widget

The alert history widget displays details about active alerts that are assigned to a metric source. You can configure the alert history widget with the Metric Explorer.

Note:The alert history widget can only display up to 40 alerts. If you have more than 40 active alerts, click Show All Alerts in the bottom row of the table.
Available metrics for this widget

This widget requires metric sources only. You cannot add metrics to the alert history chart.

Add a dynamic baseline to a chart

You can add a dynamic baseline to a chart to help distinguish between normal and abnormal activity.

Warning:Deleting or modifying a dynamic baseline can remove dynamic baseline data from the system. If a dynamic baseline is not referenced by any dashboards, the data will be removed from the system to free unused system resources.
  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Click Analysis.
  3. Under Dynamic Baselines, select the type of dynamic baseline you want to add.
    | Option | Description |
    |---|---|
    | Hour of day | Creates a dynamic baseline that displays the median value for a given hour of the day. This option is most useful if activity in your environment usually follows a consistent daily pattern. If you regularly see dramatically different levels of activity on different days of the week, this option is less useful because the baseline usually does not match the current values. |
    | Hour of week | Creates a dynamic baseline that displays the median value for a given hour on a specific day of the week. This option is most useful if you regularly see significantly different levels of traffic during each day of the week. |
    | Short-term trend | Creates a dynamic baseline that displays the median value for the last hour. This option is useful for smoothing chart data to reveal short-term trends. |
  4. Click Add to Dashboard.
Dynamic baseline

Dynamic baselines help distinguish between normal and abnormal activity in your chart data.

Select a baseline type that best fits your environment. For example, if you regularly see dramatic changes from one day to another, select an hour-of-week baseline that compares activity seen on specific days of the week. If HTTP activity spikes on Saturdays, this baseline can compare the current spike in HTTP activity with the level seen on other Saturdays at the same hour.

Discover appliances calculate dynamic baselines based on historical data. To generate a new data point on a dynamic baseline, an appliance calculates the median value for a specified period of time. The following table displays how each type of baseline is calculated:

| Type | Sample window | Compares | Baseline updated |
|---|---|---|---|
| Hour of day | 10 days | The same hour of the day. For example, every day at 2:00 PM. | Every hour |
| Hour of week | 5 weeks | The same hour of week. For example, every Wednesday at 2:00 PM. | Every hour |
| Short-term trend | 1 hour | Every minute. | Every 30 seconds |

For example, assume you configure an hour-of-week baseline for HTTP responses on a Sunday. At 10:00 PM, the appliance determines how many HTTP responses there were at 10:00 PM for the last 5 Sundays and calculates the median value; the median number of responses then appears as the baseline value for that hour.

Discover appliances do not begin calculating a dynamic baseline until the setting is enabled. Therefore, dynamic baselines only appear for time periods that occur after the baseline was enabled. Keep in mind that an appliance can begin building a dynamic baseline only if the necessary amount of data has been collected. For example, if you create an hour-of-day baseline, and the Discover appliance has only been collecting data for six days, the appliance will not begin drawing the baseline until four more days have passed because an hour-of-day baseline requires at least 10 days of data.
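
The hour-of-day and hour-of-week calculations described above, as an added Python example (not ExtraHop code), run against a constructed Saturday traffic spike. The function names and hourly counts are hypothetical, and it is an assumption that the sample window holds only earlier hours and excludes the hour being evaluated.

```python
from datetime import datetime, timedelta
from statistics import median

# Sample windows from the table above: hour of day = 10 days, hour of week = 5 weeks.
WINDOWS = {
    "hour_of_day": (timedelta(days=1), 10),
    "hour_of_week": (timedelta(weeks=1), 5),
}


def baseline(history, when, kind):
    """Median of the same hour across the sample window, or None if data is missing.

    history maps the start of each hour (datetime) to the count seen in that hour.
    Assumption: the window is made of earlier hours only and excludes `when`.
    """
    step, needed = WINDOWS[kind]
    samples = []
    for i in range(1, needed + 1):
        ts = when - i * step
        if ts not in history:
            return None  # window not yet full, so no baseline is drawn
        samples.append(history[ts])
    return median(samples)


def compare(history, when):
    """Return the current value next to both baselines for the hour at `when`."""
    current = history[when]
    result = {"current": current}
    for kind in WINDOWS:
        base = baseline(history, when, kind)
        result[kind] = base
        result[kind + "_ratio"] = round(current / base, 2) if base else None
    return result


def build_history(start, days):
    """Constructed hourly HTTP response counts: about 200, or about 900 on Saturdays."""
    history = {}
    for d in range(days):
        for h in range(24):
            ts = start + timedelta(days=d, hours=h)
            level = 900 if ts.weekday() == 5 else 200
            history[ts] = level + 10 * (d % 3)
    return history


START = datetime(2024, 1, 1)        # a Monday
HISTORY = build_history(START, 42)  # six weeks of constructed data


def hour_at(day, hour):
    """Timestamp `day` days and `hour` hours after START."""
    return START + timedelta(days=day, hours=hour)


SATURDAY_2PM = hour_at(40, 14)      # sixth Saturday in the constructed data

if __name__ == "__main__":
    # The Saturday spike is 4.33x the hour-of-day baseline but matches the
    # hour-of-week baseline built from the previous five Saturdays.
    print(compare(HISTORY, SATURDAY_2PM))
    # Only six earlier days exist here, so no hour-of-day baseline yet.
    print(baseline(HISTORY, hour_at(6, 14), "hour_of_day"))
```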

Dynamic baselines require a Discover appliance to calculate and store baseline data. Therefore, creating a baseline consumes system resources, and configuring too many baselines might degrade system performance.

If two identical dynamic baselines exist in separate dashboards, the dashboards reuse the baseline data; however, the baselines must be identical. If you select a new baseline type, the new dynamic baseline will not share data with the previous dynamic baseline.

Note:Dynamic baselines will not appear on a chart while comparing metric deltas.
Add a static threshold line in a chart

Displaying a static threshold line in a chart can help you determine which data points are either below or above a significant value.

For example, you can create a line chart for server processing time to help you monitor the performance of an important database in your network environment. By adding a threshold line that defines a service level agreement (SLA) boundary of acceptable processing time, you can see when database performance is slowing down and address the issue.

You can add one or more threshold lines as you edit a chart. These lines are local to the chart and not associated with other widgets or alerts. Threshold lines are only available for the following charts:

  • Area
  • Candlestick
  • Column
  • Line
  • Line & Column
  • Status

To add a static threshold line to an existing chart:

  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Click Analysis.
  3. In the Static Thresholds section, click Add Threshold Line.
  4. In the Value field, type a number that indicates the threshold value for the line. This value determines where the line appears on the y-axis of your chart.
    Note:For charts that display only count metrics (such as bytes, errors, and responses), the value of the threshold line automatically scales based on data calculations that are configured in the chart. When the Show as rate (per second) option is not selected, the line value automatically scales to the roll up period (either 30 seconds, 5 minutes, 1 hour, or 1 day). The roll up period is determined by the time interval you specified.
  5. In the Label field, type a name for your threshold line.
  6. In the Color field, select a color (options are gray, red, orange, or yellow) for your threshold line.
Display rates or counts in a chart

In a chart, count metric data can be calculated as an average rate per second or displayed as a total number of events over time. After configuring your initial selection, you can toggle between these data views in the chart. In addition, you can display the maximum rate, minimum rate, and average rate in a chart for high precision, or 1-second, Network Bytes and Network Packets metrics.

Note:Depending on the count metric you select, you will see the following default displays:
Count
For the majority of count metrics, such as errors, requests and responses, the total count is automatically displayed.
Average rate
For network and packet-related count metrics, the average rate per second is automatically displayed.
Rate summary
For specific 1-second throughput (Network Bytes) and packet (Network Packets) count metrics, the maximum, minimum, and average rates are automatically displayed.
Tip:For charts with more than one count metric selected, avoid displaying rates and counts together in the same chart. It can skew the scale of the y-axis. The y-axis will include a /s on tick labels only if all metrics are displaying rates.
  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Select a count metric.
    Note:A count metric is associated with a specific number of events that occurred over time. For example, a byte is recorded as a count metric, and can either represent a throughput rate (as seen in a time series chart) or total traffic volume (as seen in a table). Errors, packets, requests, and responses are also recorded as count metrics.
  3. Select a chart type that is compatible with count metrics (includes line, value, column, bar, pie, and list charts).
  4. Select a data calculation to display in your chart:
    • To display the average rate per second, click the drop-down list underneath the metric name and select Average Rate.
    • To display the count, click the drop-down list underneath the metric name and select Count.
    • To display a maximum rate, minimum rate, and average per second, click the drop-down list underneath the metric name and select Rate Summary, Maximum Rate, or Minimum Rate. These types of rates are only available for the following sources and metrics:
      • Network source > Network Bytes (total throughput)
      • Network source > Network Packets (total packets)
      • Device source > Network Bytes (combined inbound and outbound throughput by device)
      • Device source > Network Bytes In (inbound throughput by device)
      • Device source > Network Bytes Out (outbound throughput by device)
      • Device source > Network Packets (combined inbound and outbound packets by device)
      • Device source > Network Packets In (inbound packets by device)
      • Device source > Network Packets Out (outbound packets by device)
    Note:Charts that were configured in a previous version of ExtraHop firmware, with the Show as rate option selected, now display the Average rate.
Display percentiles or a mean in a chart

You can configure a chart to display statistical calculations for metric data, such as percentiles or a mean. A percentile is a statistical measure to determine if a data point falls below or above a given percentage amongst all of the data in a dataset metric type. A mean is the calculated average of all of the data in a sampleset metric type. You can also view the standard deviation for a sampleset metric type only.

  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Select a source and then a dataset or sampleset metric. The median (50th percentile) automatically displays for dataset metrics in most charts. The mean automatically displays for sampleset metrics.
    Note:A dataset metric is usually associated with time, such as server processing time or round trip time. Sampleset metrics are often the detail metrics for dataset metrics. Only compatible metrics are displayed in metric search results when you select a percentile-based chart, such as a heatmap, candlestick, or histogram chart.
  3. Select a chart type that is compatible with dataset or sampleset metrics (includes all chart types except for the pie chart).
  4. Select a statistical calculation to display in your chart:
    • To display a summary of percentiles (from the 5th to 95th percentiles), click the drop-down list underneath the metric name and select Summary.
    • To display a specific percentile, click the drop-down list underneath the metric name and select Percentile. In the Set Percentiles field, type numbers separated by a comma. For example, to view the 10th, 30th, and 80th percentiles, type 10, 30, 80.
    • To display the 100th percentile value, click the drop-down list underneath the metric name and select Maximum.
    • To display the 0th percentile value, click the drop-down list underneath the metric name and select Minimum.
    • To display the 50th percentile value, click the drop-down list underneath the metric name and select Median.
    Note:

    The median, percentile, maximum, and minimum displays are unavailable for heatmap and histogram charts.

Filter outliers

Histogram and heatmap charts display a distribution of data. However, outliers can skew how the distribution displays in your chart, making it difficult to notice patterns or average values. The default filter option for these charts excludes outliers from the data range and displays the 5th-95th percentiles. You can change the filter to view the full range of data (Min to Max), including outliers, in your chart through the following procedure.

  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Select the histogram or heatmap chart.
  3. Click Options.
  4. From the Default filter drop-down list in the Filters section, select Min to Max.
  5. Click Save.
Drill down to display detail metrics in a chart

After selecting metrics, you can drill down to display detail metrics. Detail metrics provide top key values for a specific time interval. A key can be a client IP address, hostname, method, URI, referrer, or more. For example, if your chart displays a total count for HTTP Requests you can drill down to view the top client IP addresses that sent the most requests to your web servers.

The keys that you drill down by display for all metrics within a metric set. If key values are only available for one metric in the metric set, you can also display a specific key value for that one metric.

  1. In the Details section, click Drill down by <None>, where <None> is the name of the detail metric currently displayed in your chart.
  2. Select a detail metric from the drop-down list.
    Note:If detail key metric data is available, detail metrics automatically appear in the drop-down list, as shown in the following figure. If a detail metric in the list is grayed out, data is unavailable for all of the metrics in that metric set. For example, client, server, and URI data are available for both HTTP Requests and HTTP Responses metrics in the metric set.

  3. Filter detail metric keys with an approximate match, regular expression (regex), or exact match through one of the following steps:
    1. In the Filter field, select the icon to display keys by an approximate match or with regex.
      Note:You must omit forward slashes with regex in the approximate match filter.
    2. In the Filter field, select the = icon to display keys by an exact match.
      Note:Regex is unsupported in the exact match filter.
  4. Optional: In the top results field, enter the number of keys that you want to display. These keys will have the highest values.
  5. To remove a drill-down selection, click the x icon.
    Note:You can display an exact key match per metric, as shown in the following figure. Click the detail metric name (for example, All Methods) to select a specific detail metric key (for example, GET) from the drop-down list. If a key appears gray (for example, PROPFIND), detail metric data is unavailable for that specific key. You can also type a key that is not in the drop-down list.

Regular expression filter examples

Regular expression (regex) is supported in the Metric Explorer when drilling down for detail metrics. The following examples will help you create simple and effective regex strings for filtering detail metrics keys, such as IP addresses.

Note:In the ExtraHop system, regex is most effective when you want to filter metric data by a parameter contained within the metric key, such as a number within any IP address. Regex is not effective for filtering for details by an exact match, such as filtering to specify an exact IP address.
Chart scenario: Compare HTTP status codes 200 to 404.
Regex filter: (200|404)
How it works: Matches 200 and 404 codes where the | symbol serves as an OR function.

Chart scenario: Display all HTTP 400 and 500 error codes occurring on your network.
Regex filter: ^[45]
How it works: Matches a 4 or 5 in the status code.

Chart scenario: Display any IP address with a 187.
Regex filter: 187.
How it works: Matches 1, 8, and 7 characters in the IP address.

Chart scenario: Review all IP addresses containing 187.18.
Regex filter: 187\.18\.
How it works: Matches 187 and the character . that follows the 187. For example, this filter returns results for 187.18.0.0.0, 180.187.0.0.0, or 187.180.0.0.0/16.

Chart scenario: Display any IP address except 187.18.197.150.
Regex filter: ^(.(?!187.18.197.150))*$
How it works: Matches anything except 187.18.197.150.
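The filters from the table above, run against constructed keys, as an added example that is not part of the ExtraHop guide. It assumes the filter behaves like an unanchored search in Python's re module, which may differ from the appliance's regex engine; FIXED_EXCLUDE is an added variant, included because under these semantics the table's exclusion pattern still matches a key that is exactly 187.18.197.150.

```python
import re

# Filters copied from the table above.
STATUS_OR = r"(200|404)"
STATUS_ERRORS = r"^[45]"
IP_CONTAINS_187 = r"187."
IP_CONTAINS_187_18 = r"187\.18\."
IP_EXCLUDE = r"^(.(?!187.18.197.150))*$"

# Added variant (not from the guide): the lookahead is tested before each
# character is consumed, so position 0 is checked as well, and the dots
# are escaped so they match only a literal period.
FIXED_EXCLUDE = r"^((?!187\.18\.197\.150).)*$"

# Constructed detail metric keys (not captured from a real appliance).
STATUS_KEYS = ["200", "204", "301", "404", "500", "503"]
IP_KEYS = ["187.18.197.150", "187.18.0.1", "10.187.18.4",
           "10.0.0.187", "192.168.187.1", "10.1.18.7"]


def filter_keys(pattern, keys):
    """Return the keys that an unanchored regex search would keep."""
    compiled = re.compile(pattern)
    return [key for key in keys if compiled.search(key)]


def report():
    """Collect (label, pattern, kept keys) for every filter in this example."""
    cases = [
        ("OR of two status codes", STATUS_OR, STATUS_KEYS),
        ("4xx/5xx, anchored at the start", STATUS_ERRORS, STATUS_KEYS),
        # Without ^ the class matches a 4 or 5 anywhere, so 204 is kept too.
        ("4 or 5 anywhere (no anchor)", r"[45]", STATUS_KEYS),
        # The trailing dot needs one more character, so x.x.x.187 is dropped.
        ("contains 187 plus one character", IP_CONTAINS_187, IP_KEYS),
        ("contains literal 187.18.", IP_CONTAINS_187_18, IP_KEYS),
        # The lookahead runs only after a character has been consumed, so a
        # key that starts with the address is never tested at position 0.
        ("exclusion filter from the table", IP_EXCLUDE, IP_KEYS),
        ("exclusion, lookahead first", FIXED_EXCLUDE, IP_KEYS),
    ]
    return [(label, pattern, filter_keys(pattern, keys))
            for label, pattern, keys in cases]


if __name__ == "__main__":
    for label, pattern, kept in report():
        print(f"{label:34} {pattern:28} -> {kept}")
```

Run the script to compare the kept keys per filter before saving a filter in a chart whose numbers feed an alert or a report.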
Change drill down chart labels

Each chart provides an option to display available detail metric key values by hostname or origin. If the hostname or origin value is unavailable, the IP address automatically displays.

Note:This option is not available for candlestick, histogram, heatmap, and status charts.
  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Click Options.
  3. In the Labels section, from the Display drill down by IP drop-down list, select Hostname if available or Origin if available.
  4. Click Save.
Change chart title

The default chart title is automatically determined by the source and metrics selected in your chart, which you can change to a custom title.

  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Click Options.
  3. In the Title field, select Rename chart title.
  4. Type a custom chart title.
  5. Click Save.
    Note:To display the automatic title again, delete the custom title text from the Title field.
Change chart appearance to grayscale

Charts display data in color by default, but all charts provide the option to display data in grayscale.

Note:If your chart contains an alert that is assigned to metric data, and that alert status is active, the chart data displays in color and will not display in grayscale. For example, data in the status chart will rarely be displayed in grayscale.
  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Click Options.
  3. From the Chart style drop-down list in the Appearance section, select Grayscale (except alert status).
Change chart units and scale

Each chart provides an option to specify the units and scale for data in your chart. You can convert bytes to bits, convert linear scale to log scale, and select the suffix notation from base 2 or base 10.

  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Click Options.
  3. Optional: In the Units section, select Convert bytes to bits.
  4. Optional: In the Units section, select Set log scale for y-axis.
    Note:This option is unavailable for histogram charts.
  5. Optional: In the Units section, from the Suffix notation drop-down list, select Base 2 (Ki = 1024) or Base 10 (K = 1000).
    Note:This option is unavailable for histogram and heatmap charts.
Hide chart legend

The area, column, line, line & column, and pie charts provide an option to hide a legend.

  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Click Options.
  3. In the Legend section, select Hide legend.
Sort chart data

The bar, list, and value charts provide a sorting option that sorts data by the order in which the metrics were added to your chart, by the detail metric key name, or by the data value (highest to lowest, for example).

  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Click Options.
  3. From the Sort metric by drop-down list in the Sort field, select Order Added, Key Name, or Value.
  4. Click Save.
Change percentile precision

The pie chart provides a percentile precision option that specifies the decimal precision, or the number of digits, displayed in your chart. Percentile precision is useful for displaying ratios of data, especially for service-level agreements (SLA) that might require precise data for reporting.

  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Select the pie chart.
  3. Click Options.
  4. In the Units section, select Show percents instead of counts.
  5. From the Percent precision drop-down list, select the decimal precision value, such as 0.00% or 0.000%.
  6. Click Save.
Include sparklines

The list and value charts provide an option to include a sparkline for each metric selected in the chart. The sparkline is a small, gray chart that looks similar to an area chart and shows how data changes over time.

  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Select the list or value chart.
  3. Click Options.
  4. In the Layout section, select Include sparklines.
  5. Click Save.
Display alert status in a chart

The list and value charts provide an option to display data with an alert status color. Different colors indicate the severity of the configured alert. For example, you can configure a value chart to display the metric data in red when an alert threshold is crossed.

For more information about creating and configuring alerts, see the Alert settings section.
Note:Colors for the most severe alert assigned to the source and metric will display in the chart by default.
  1. On the Dashboards page, click the command menu in the upper right corner of a chart and click Edit.
  2. Click Options.
  3. In the Labels section, select Use color to show alert status.
  4. Click Save.
Edit a dashboard layout
  1. Click the command menu in the upper right corner of the screen, and select Edit Layout.
  2. Click and drag dashboard components, such as a region or widgets, from the bottom of the page to add them to your custom dashboard.
    Note:For more information, see the Add a region, Delete a region, Add a widget, and Remove a widget sections.
  3. Click and drag dashboard components to resize or place them into different locations.
    Note:If there is overlap of dashboard components, they will be outlined in red. You must click and drag the sides of the widgets and regions to make room.
  4. After making your changes, click Exit Layout Mode.
    Note:If an error message appears, another user might be making changes. It is best practice for each ExtraHop user to have an individual account.
Add a region
  1. Click the command menu button in the upper right corner of the page and select Edit Layout.
  2. From the bottom of the page, click and drag a region onto the dashboard.
  3. Click Region in the upper left corner of the region and type a new name in the Title field.
  4. Click Save.
  5. Click the Exit Layout Mode button in the upper right corner of the dashboard to return to the Dashboards page.
Copy a region
You can copy an existing dashboard region to a new dashboard. All of the widgets in that region will also be copied to the new dashboard.
  1. Click the command menu in the upper right corner of the region.
  2. Hover over Copy to… to expand the menu and make one of the following selections:
    • If you are copying the region to a new dashboard, select New Dashboard. In the Dashboard Properties window, in the Title section, type a name for the new dashboard.
      Tip:You can edit dashboard properties at any time. For more information, see the Change dashboard properties section.
    • If you are copying the region to an existing dashboard, select the dashboard from the menu. The dashboard page opens and displays the location of the copied region.
  3. Click Save.
Delete a region
  1. Click the command menu in the upper right corner of the page and select Edit Layout.
  2. On the region you want to delete, click Delete.
  3. Click Exit Layout Mode in the upper right corner of the dashboard.
Rename a region
  1. Click the command menu in the upper right corner of the page and select Edit Layout.
  2. In the region toolbar, click Rename.
  3. Type the new name for your region.
  4. Click Save.
Modify sources

You can update charts and widgets with new sources in a region with the Modify Sources window.

  1. Do one of the following steps:
    • Click the command menu in the upper right corner of the region and select Modify Sources.
    • When in layout mode, in the region toolbar, click Modify Sources.
  2. In the Modify Sources window, select the object that you want to change from the list on the right and choose a new metric source.
    Tip:You can also change the title of the region by clicking on the region name to the right.
  3. Click Save Dashboard.
Add a widget
  1. Click the command menu button in the upper right corner of the page and select Edit Layout.
  2. Drag-and-drop one of the following widget types onto the region.
    Chart
    This widget is user-defined. For information, see the Edit a chart section.
    Alert History
    This widget displays the alert history information about the objects in the list. Click Add metric source to customize the alert history.
    Activity Groups
    This widget displays a list of all activity during the specified time interval and cannot be configured.
    Text Box
    This widget provides a space for typing and displaying custom text in a dashboard region. You can format text with the Markdown syntax. For more information, see the Edit a text box widget section.
    Note:If you place a widget on top of another widget, it will appear red, indicating that widgets are overlapping and will not display properly when you click Exit Layout Mode. To create more space in the region for the new widget, expand the region size and then move the widget to a new location until it is no longer red.
  3. Click Save.
    Note:If an error message appears, another user might be making changes. It is best practice for each ExtraHop user to have an individual account.
  4. Click Exit Layout Mode in the upper right corner of the dashboard to return to Dashboards.
Copy a widget
To copy a widget to another dashboard:
  1. Right-click any table, chart, or tile on the widget.
  2. Select Copy to....
  3. Select the dashboard to place the widget or select New Dashboard to create a new dashboard.
    For more information, see the Create a dashboard topic.
Remove a widget
  1. Click the command menu in the upper right corner of the page and select Edit Layout.
  2. Click the command menu in the upper right corner of the widget and select Delete.
  3. Click Delete Widget.
  4. Click Exit Layout Mode in the upper right corner of the dashboard to return to the Dashboards page.
Print a widget
  1. Right-click any table, chart, or tile on the widget and select Print.
    The print preview appears in a new window.
  2. Click the Theme drop-down list and select a theme.
  3. Click Print Widget.
Edit a text box widget

The text box widget enables you to type and display custom text in a dashboard region. It is a helpful tool for adding notes about a chart or data in a dashboard.

The text box widget supports the Markdown syntax, which enables you to format text and add metric variables that display updated metric data dynamically. Markdown is a simple formatting syntax that converts plain text into HTML with non-alphabetic characters, such as “#” or “*”. A new text box widget contains sample text that is already formatted in Markdown.
  1. Open the Metric Explorer window by doing one of the following steps:
    • On the Dashboards page, click the command menu in the upper right corner of the page and select Edit Layout. Click anywhere within the text box widget.
    • Click the command menu in the upper right corner of the text box widget and select Edit.
  2. In the Metric Explorer: Edit Text Widget window, type and edit text in the left Editor pane.
    The HTML output text dynamically displays in the right Preview pane.
  3. Click Save.
Format text in Markdown syntax

The following table shows common Markdown formats that are supported in the text box widget.

Note:Additional Markdown format examples are provided in the GitHub Guides: Mastering Markdown. However, not all Markdown syntax formatting options are supported in the text box widget.
Format: Headings
Description: Place a number sign (#) before your text to format headings. The level of heading is determined by the number of number signs.
Example: ####Example H4 heading

Format: Unordered lists
Description: Place a single asterisk (*) before your text to format bulleted lists.
Example:
* Example 1
* Example 2

Format: Ordered lists
Description: Place a single number and period (1.) before your text to format numbered lists.
Example:
1. Example 1
2. Example 2

Format: Bold
Description: Place double asterisks before and after your text to format bold.
Example: **bold text**

Format: Italics
Description: Place an underscore before and after your text to format italics.
Example: _italicized text_

Format: Hyperlinks
Description: Place link text in brackets before the URL in parentheses. Or type your URL.
Note: Links to external websites open in a new browser tab. Links within the ExtraHop Web UI, such as dashboards or custom pages, open in the current browser tab.
Example:
[Visit our home page](http://www.extrahop.com)

http://www.extrahop.com

Format: Blockquotes
Description: Place a right angle bracket and a space before your text to format a blockquote.
Example:
On the ExtraHop website:

> Access the live demo and review case studies.

Format: Monospace font
Description: Place a backtick (`) before and after your text to format in a monospace font.
Example: `example code block`

Note:Adding emojis in Markdown syntax is unsupported. However, copying and pasting a Unicode block emoji is supported in the text box widget. For more information, see the Unicode Emoji Chart website.
Add images in Markdown syntax

You can add images to the text box widget by linking to them. Make sure your image is hosted on a network that is accessible to the Discover appliance.

Links to images must be specified in the following format:

![<alt_text>](<file_path>)

Where <alt_text> is the alternative text and <file_path> is the path of the image. For example:

![Graph](/images/graph_1.jpg)
Note:You also can add images by encoding them to Base64. For more information, see the following post on the ExtraHop customer forum, “Putting Images in Text Boxes.”
Add metrics in Markdown syntax

You can add metric variables to a text box widget by writing metric queries in Markdown.

The Markdown format for writing metric queries is:

%%metric:<definition>%%

Where <definition> is replaced with a JSON-defined structure that is based on the ExtraHop REST API query structure.

Note:The following metric queries are unsupported in the text box widget:
  • Time-series queries
  • Mean calculations
  • Multiple object_ids
  • Multiple metric_spec
  • Multiple percentiles

A metric query must contain the following parameters:

  • object_type
  • object_ids
  • metric_category
  • metric_spec

To retrieve the object_type, metric_spec, and metric_category values for a metric name:

  1. Click Settings
  2. Click Metric Catalog
  3. Type the metric name in the search field
  4. Select the metric, and look for the values in the REST API Parameters section.

For more information, see the Metric Catalog section.

You can retrieve object_ids from the URL that you are browsing.

Object Type    URL Parameter
Application    applicationOID=
Network        networkOID=
Group          deviceGroupOID=
Device         deviceOID=
Metric variable examples

The following examples show you how to write top-level metric queries for application, device, and network objects, and detail metric queries.

Application queries

To specify the All Activity object, the object_ids is “0”.

This example query shows how you can retrieve HTTP metrics from the All Activity object, and displays the following output: “Getting [value] HTTP requests and [value] HTTP responses from All Activity.”

Getting
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"req"}]
}%% HTTP requests and
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"rsp"}]
}%%
HTTP responses from All Activity.
Device queries

You must specify either a client (“_client”) or server (“_server”) in the metric_category. To retrieve metrics for a specific device, specify the device object ID number in object_ids. To retrieve the device object ID (deviceOid), search for the device object in the ExtraHop global search. Select the device from your search results. The “deviceOid=” value will be embedded in the URL query string.

This example query shows how to retrieve metrics from a device client object, and displays the following output: “Getting [value] CLIENT DNS response errors from a specific device.”

Getting
%%metric:{"object_type": "device",
"object_ids": [8],
"metric_category": "dns_client",
"metric_specs": [{"name":"rsp_error"}]
}%%
CLIENT DNS response errors from a specific device.

This example query shows how to retrieve metrics from a device server object, and displays the following output: “Getting [value] SERVER DNS response errors from a specific device.”

Getting
%%metric:{
"object_type": "device",
"object_ids": [156],
"metric_category": "dns_server",
"metric_specs": [{"name":"rsp_error"}]
}%%
SERVER DNS response errors from a specific device.
Network queries

To specify All Networks, the object_type is “capture” and the object_ids is “0.” To specify a specific VLAN, the object_type is “vlan” and the object_ids is the VLAN number.

This example query shows how to retrieve metrics for all networks, and displays the following output: “Getting [value] broadcast packets from all networks.”

Getting
%%metric:{
"object_type": "capture",
"object_ids": [0],
"metric_category": "net",
"metric_specs": [{"name":"frame_cast_broadcast_pkts"}]
}%%
broadcast packets from all networks.

This example query shows how to retrieve metrics for a specific VLAN and displays the following output: “Getting [value] broadcast packets from VLAN 3.”

Getting
%%metric:{
"object_type": "vlan",
"object_ids": [3],
"metric_category": "net",
"metric_specs": [{"name":"frame_cast_broadcast_pkts"}]
}%%
broadcast packets from VLAN 3.
Group queries

To specify a group, the object_type is “activity_group” or “custom_group.” You must specify either a client (“_client”) or server (“_server”) in the metric_category. The object_ids for the specific group must be retrieved from the REST API Explorer.

This example query shows how to retrieve metrics for an activity group, and displays the following output: “Getting [value] HTTP responses from the HTTP Client Activity Group.”

Getting
%%metric:{
"object_type": "activity_group",
"object_ids": [17],
"metric_category": "http_client",
"metric_specs": [{"name":"req"}]
}%%
HTTP responses from the HTTP Client Activity Group.
Detail metric queries

If you want to retrieve detail metrics, your metric query should contain additional key parameters, such as key1 and key2:

  • object_type
  • object_ids
  • metric_category
  • metric_spec
    • name
    • key1
    • key2
Note:The key parameters act as a filter for displaying detail metric results.
For built-in detail metrics, you can retrieve detail metric parameters from the Metric Catalog. For example, type HTTP Responses by URI, and then look at the parameter values in the REST API Parameters section.
Note:You must supply the object_ids in your query.

This example shows how to retrieve HTTP requests by URI for the All Activity application (object_ids is “0”):

%%metric:{ 
"object_type": "application", 
"object_ids": [0],  
"metric_category": "http_uri_detail", 
"metric_specs": [{"name":"req"}] 
}%%

This example query shows you how to retrieve HTTP requests by URIs that contain a key value for “pagead2” for the All Activity application (object_ids is “0”):

%%metric:{ 
"metric_category": "http_uri_detail", 
"object_type": "application",
"object_ids": [0], 
"metric_specs": [ 
{ 
"name": "req", 
"key1": "/pagead2/" 
} 
] 
}%%

This example query shows how to retrieve count metrics for all networks and displays the following output: “Getting [value] detail ICA metrics on all networks.”

Getting
%%metric:{
"object_type": "capture",
"object_ids": [0],
"metric_category": "custom_detail",
"metric_specs": [{
"name":"custom_count",
"key1":"network-app-byte-detail-ICA"
}]
}%%
detail ICA metrics on all networks.

This example query shows how to retrieve a custom dataset statistic with topn keys and percentiles, and displays the following output: “The fifth percentile is: [value].”

The fifth percentile is:
%%metric:{
"object_type": "vlan",
"object_ids": [1],
"metric_category": "custom_detail",
"metric_specs": [{
"name": "custom_dset",
"key1": "myCustomDatasetDetail",
"key2": "/10.10.7/",
"calc_type": "percentiles",
"percentiles": [5]
}]
}%%
.
Note:Sampleset metrics are unsupported in the text box widget. For example, adding the “calc_type”: “mean” parameter to your text box query is unsupported.
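A lint check for text box widget content that applies the rules stated in this section (the required parameters, the unsupported query types, and the client or server requirement for device and group objects), as an added example that is not ExtraHop code. The function names and the sample text are constructed, and the key names follow this section's example queries (metric_specs).

```python
import json
import re

# A metric variable is embedded in widget text as %%metric:<definition>%%.
METRIC_TAG = re.compile(r"%%metric:(.*?)%%", re.DOTALL)

# Key names follow the example queries in this section ("metric_specs").
REQUIRED = ("object_type", "object_ids", "metric_category", "metric_specs")

# Object types for which the section requires a client or server role.
ROLE_TYPES = ("device", "activity_group", "custom_group")


def check_query(query):
    """Return the problems found in one parsed metric definition.

    Time-series queries are also unsupported, but this section does not
    show which parameter selects them, so they are not checked here.
    """
    if not isinstance(query, dict):
        return ["definition is not a JSON object"]
    problems = ["missing required parameter: " + key
                for key in REQUIRED if key not in query]

    ids = query.get("object_ids")
    if isinstance(ids, list) and len(ids) > 1:
        problems.append("multiple object_ids are unsupported")

    specs = query.get("metric_specs")
    if isinstance(specs, list):
        if len(specs) > 1:
            problems.append("multiple metric specs are unsupported")
        for spec in specs:
            if not isinstance(spec, dict):
                problems.append("metric spec is not a JSON object")
                continue
            if spec.get("calc_type") == "mean":
                problems.append("mean calculations are unsupported")
            percentiles = spec.get("percentiles")
            if isinstance(percentiles, list) and len(percentiles) > 1:
                problems.append("multiple percentiles are unsupported")

    if query.get("object_type") in ROLE_TYPES:
        category = str(query.get("metric_category", ""))
        if "_client" not in category and "_server" not in category:
            problems.append("metric_category needs _client or _server")
    return problems


def lint_widget_text(text):
    """Return (position, problems) for each metric variable with problems."""
    findings = []
    for position, match in enumerate(METRIC_TAG.finditer(text), start=1):
        try:
            query = json.loads(match.group(1))
        except json.JSONDecodeError as exc:
            findings.append((position, ["invalid JSON: " + exc.msg]))
            continue
        problems = check_query(query)
        if problems:
            findings.append((position, problems))
    return findings


# Constructed widget text: variable 1 is valid, variables 2 to 5 each break
# one or more of the rules in this section.
SAMPLE = """Getting
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"req"}]
}%% HTTP requests.
Errors: %%metric:{"object_type": "device", "object_ids": [8, 156],
"metric_category": "dns", "metric_specs": [{"name":"rsp_error"}]}%%
Mean: %%metric:{"object_type": "vlan", "object_ids": [1],
"metric_category": "custom_detail",
"metric_specs": [{"name": "custom_dset", "calc_type": "mean"}]}%%
Broken: %%metric:{"object_type": "capture", "object_ids": [0]%%
Partial: %%metric:{"object_type": "capture", "object_ids": [0]}%%
"""

if __name__ == "__main__":
    for position, problems in lint_widget_text(SAMPLE):
        print(f"metric variable {position}: " + "; ".join(problems))
```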

Share a dashboard

You can share custom dashboards with other ExtraHop users and decide whether to give them view or edit access.

  1. Click Dashboards.
  2. In the left pane, under My Dashboards, click the name of a dashboard.
  3. Click the command menu in the upper right corner of the dashboard page and select Share.
  4. Specify which users can view the dashboard.
    • To allow specific users to view the dashboard, click Only specified users can view or edit. In the Specify users area, type the name of a user and select the username from the drop-down list. Select Can view and click Add User. Repeat this process for additional users.
    • To allow all users to view the dashboard, select All users can view; only specified users can edit.
  5. Specify which users can edit the dashboard:
    1. In the Specify users area, type the name of a user.
    2. Select the username from the drop-down list.
    3. Select Can edit.
    4. Click Add User.
    5. Repeat the process for additional users.
    Note:Users that can edit a dashboard can also view the dashboard.
  6. To remove a specific user, click the x icon next to the username.
  7. To remove all users, click Remove All.
  8. Click Save.
    Note:You can change the view or edit access for users that you have shared your dashboard with at any time.

Remove access to a dashboard

You can modify user access settings for dashboards that you have created. You can either restrict the user from editing the dashboard or you can remove the user from being able to view the dashboard.
  1. Click Dashboards.
  2. In the left pane, under My Dashboards, click the name of a dashboard.
  3. Click the command menu button in the Navigation bar and select Share.
  4. Modify the user access by selecting from the following options:
    • Click the red delete icon next to the username if you want to remove all access.
    • Modify the access privileges by selecting either Edit or View from the drop-down list next to the username.
  5. Click Save.

View a dashboard

There are several ways to view information in a dashboard and present dashboard information to others. For example, you can opt to display hover-over descriptions of protocols and metrics in dashboards. You can also select between two presentation options to view dashboards: presentation mode or widget slideshow. Alert statuses can also be viewed in dashboards through widgets.

  1. Click Dashboards.
  2. To show or hide protocol and metric descriptions, do the following steps:
    1. Click the command menu in the upper right corner of the page.
    2. Select Show Descriptions. Protocols and metrics will be underlined with a dashed blue line if there is an available description.
    3. Hover your mouse over the underlined text to display the description.
      Note:You can also view descriptions in charts that display traffic from individual ports. Descriptions are provided for protocols that the Discover appliance parses.
  3. To present a full-screen display of your dashboard, do the following steps:
    1. Click the command menu in the upper right corner of the page.
    2. Select Presentation Mode.
    3. Click Exit Presentation Mode in the upper right corner to return to the previous display.
      Note:You can open a dashboard in presentation mode directly by appending /presentation to the URL. For example: https://<extrahop_ip>/extrahop/#/Dashboard/437/presentation.
  4. To view a dashboard as a widget slideshow, do the following steps:
    1. Click the command menu in the upper right corner of the page.
    2. Select Widget Slideshow.
    3. Select a time increment to view a slideshow of widgets within the current region.
    4. Click the x icon in the upper right corner of the screen to return to the previous display.
  5. To display alert statuses for metrics, you can configure the status chart or alert status display options in custom dashboard charts. For more information, see the Status chart and Display alert status in a chart sections.

Organize dashboards

To organize dashboards in the dashboard dock (left pane), you can create folders, copy dashboards, filter dashboards, and sort dashboards in ascending, descending, or custom order.

Create a folder for dashboards
  1. In the bottom corner of the dashboard dock, click the command menu.
  2. Click New Folder.
    Note:To add a new folder through a keyboard shortcut, type N then F.
  3. Type a name for the folder and click Save.
Add a dashboard to a folder
  1. In the bottom corner of the dashboard dock, click the command menu.
  2. Click Edit Dock.
    Tip:To add a new folder through a keyboard shortcut, type O then D.
  3. Drag-and-drop dashboards that you created into a folder.
    Note:If dashboards are sorted in ascending or descending order, the drag-and-drop functionality is disabled. To enable this functionality again, click the sort icon in the upper right header of the dashboard dock until the custom sort icon displays.
  4. Click the Exit Edit Mode icon in the bottom corner of the dashboard dock to save your changes and exit edit mode.
    Note: You cannot click-and-drag system dashboards or shared dashboards to a new folder.
Arrange dashboard folders
To change the location of folders in the dashboard dock:
  1. Click the command menu in the bottom corner of the dashboard dock.
  2. Click Edit Dock.
  3. Click and drag the folders to change their location.
Sort dashboards

You can change the order in which dashboards appear in the dashboard dock.

In the top right corner of the dashboard dock, click the sort icon.
The dashboards are reorganized according to one of the following sorting modes:
Ascending
Lists dashboards in ascending alphabetical order.
Descending
Lists dashboards in descending alphabetical order.
Custom Order
Lists dashboards according to a customized order.

To modify the order, in the bottom corner of the dashboard dock, click the command menu, and then click Edit Dock. Make sure that the sorting mode is set to Custom Order, and then click and drag to reorganize dashboards and folders. You can also move dashboards from one folder to another; however, you cannot move dashboards into or out of the System Dashboards folder.

Filter dashboards

You can filter the dashboards that are displayed in the dashboard dock to locate a specific dashboard.

In the dashboard dock, in the Type to filter field, type all or part of a dashboard name or folder.
Only dashboards or folders that contain the specified string will appear in the dashboard dock.

Export dashboard data

You can export data from any chart or table in your dashboard to a CSV or Excel file. You cannot export content from a text box widget.

  1. Right-click the chart or table that you want to export.
  2. Select Export to CSV or Export to Excel.
Your file will be downloaded to your local computer.

Delete a dashboard

  1. Click the command menu in the upper right corner of the page, and select Delete.
  2. Click Delete Dashboard in the Confirm delete dialog box.

Compare metric deltas

From the Dashboards page, you can compare data for a single metric across two time intervals.

Delta comparison is only available for dashboards. If you save a comparison and navigate to another area of the Discover appliance, the comparison will be disabled temporarily. When you return to the Dashboards area, the delta comparison you saved will be enabled again.
Note: Dynamic baselines will not appear on a chart while comparing metric deltas.

To create a delta comparison for a dashboard region:

  1. Locate the dashboard region containing the metrics you want to compare.
  2. Click the time interval to open the Time Selector.
    Note: For more information, see the Time Selector section.
  3. In the Time Interval tab, click Compare.
  4. In the Delta Comparison tab, select the time interval to use for comparison to the original time interval.
  5. Click Save.
    A new chart with a delta comparison time interval will be placed on the original chart.
  6. To remove the delta comparison, complete the following steps:
    1. Click the time interval to open the Time Selector.
    2. Click Remove Delta.
    3. Click Save.

Metrics

The ExtraHop system provides a large number of protocol metrics. To search for a specific protocol metric, click Metrics, and then select metrics from the following sections:

Sources
View metrics for an application, device, or network. For more information, see the Sources section.
Groups
View metrics for a group of devices in activity groups or custom groups.
Records
View or query metrics associated with records. For more information, see the Records section.

You can also view metrics on the Dashboards page. For more information, see the Dashboards section.

Create an activity map

  1. Navigate to a metric page.
  2. Click Activity Map.
  3. Specify the output format, select an activity filter, choose which activities to display, and enter a description for the map.
  4. Click OK.
On the activity map, devices labeled in red indicate the user-selected devices. Devices labeled in black indicate devices that were not selected, but have connections to the selected devices. A darker colored line between devices represents a connection with a high volume of traffic. A lighter colored line represents a connection with a low volume of traffic. Well-connected devices appear slightly larger and more central on the map.

Add a page to a report

  1. Navigate to a metric page.
  2. Click Add to Report.
  3. Select a report.
    • To add the page to an existing report, click the Add to Report drop-down list, select an existing report, and click OK.
    • To add the page to a new report, click New Report. In the Report Configuration window, enter a report name and click OK.

Export data to Excel

  1. Navigate to a metric page.
  2. Right-click any table, chart, or tile on the page and select Export to Excel.

Export data to CSV

  1. Navigate to a metric page.
  2. Right-click any table, chart, or tile on the page and select Export to CSV.

Create a PDF of a metric page

  1. Navigate to a metric page.
  2. Click PDF.

Create a chart

You can quickly add charts to a new or existing dashboard from a protocol page as you discover interesting metrics.

  1. Navigate to a protocol page for an application, device, network or device group.
  2. In the upper toolbar, click Create Chart.
  3. Edit the chart in the Metric Explorer.
    Note: The metric source is set to your selected protocol page.
  4. Click Add to Dashboard.
  5. Select an existing dashboard from the list or select New Dashboard.

Pin a metric page to a dashboard

  1. Navigate to a metric page.
  2. Click Pin to Dashboards.
    The confirmation dialog box displays the name of the dashboard that the page has been added to.
  3. Click Dashboards.
  4. In the left pane, under My Dashboards, click the name of the dashboard.

Sort metrics

If a metric contains a gear icon in the upper-right corner, the metric can be sorted by key or value.

  1. Navigate to a metric page.
  2. Click the gear icon in the upper-right corner of a metric.
  3. Select either Sort by Key or Sort by Value.

Protocols

ExtraHop Discover appliances enable you to view metrics about dozens of built-in protocols.

AAA

ExtraHop appliances collect metrics about Authentication, Authorization, and Accounting (AAA) activity.

AAA applications page

Application toolbar
The AAA application toolbar includes the following controls:
Errors
The chart displays the number of AAA errors. Mouse over the points to view a summary of a specific time or date. The table lists the AAA error messages and number of occurrences.
Clients
The chart displays the processing time for all clients. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists client IP addresses, the host and device associated with each client as well as total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Servers
The chart displays the processing time for all servers. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.
Application Details
Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear through routed traffic. IP addresses that appear through routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu with the following options in the drop-down list:
By Client IP
Displays application metrics by the client IP addresses.
By Server IP
Displays application metrics by the server IP addresses.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics
Contains the following metrics:
Request L2 Bytes
The number of L2 bytes associated with AAA requests.
Response L2 Bytes
The number of L2 bytes associated with AAA responses.
Request Packets
The number of packets associated with AAA requests.
Response Packets
The number of packets associated with AAA responses.
Request RTOs
The number of retransmission timeouts caused by congestion when clients were sending AAA requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
Response RTOs
The number of retransmission timeouts caused by congestion when servers were sending AAA responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
Request Zero Window
The number of zero window advertisements sent by AAA clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
Response Zero Window
The number of zero window advertisements sent by servers while receiving AAA requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
AAA Metrics
Contains the following metrics:
Requests
The number of AAA requests.
Responses
The number of AAA responses.
Errors
The number of AAA errors for the selected time interval.
Aborts
The number of aborted AAA sessions.
RADIUS Requests
The number of RADIUS requests.
Diameter Requests
The number of Diameter requests.
Methods
Displays the selected method types for the AAA client or server.
Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
Response Time Breakdown
Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.
Round-Trip Time (ms)
Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.
Congestion Requests: Goodput (bps) and RTOs
Displays goodput and RTOs into the object as a function of time over the selected time interval.
Congestion Responses: Goodput (bps) and RTOs
Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation might be masked by superficially healthy flows.

AAA devices page

AAA Device Toolbar
The AAA device toolbar includes the following controls:
AAA Metric Type
Display metrics for devices acting as an AAA client or AAA server.
Errors
Click the Errors button to display the list of error messages sent to or received by the current device over the time interval. Errors are formatted as follows: Results-Code-Description:Session-Id:Error-Reporting-Host:Subscription-ID-Data.
  • Session-Id frequently contains multiple semicolon-separated records.
  • Error-Reporting-Host is not always present.
Records
Displays results for records that match the selected metric source and protocol.
AAA Client
If you select Client for the AAA Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Number of total requests that the device sent when acting as an AAA client.
Responses
Number of responses that the device received when acting as an AAA client.
Errors
Number of AAA errors for the selected time interval.
Aborts
Number of aborted sessions that occurred when the device is acting as an AAA client.
AAA Server
If you select Server for the AAA Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Number of total requests that the device received when acting as an AAA server.
Responses
Number of responses that the device sent when acting as an AAA server.
Errors
Number of AAA errors for the selected time interval.
Aborts
Number of aborted sessions that occurred when the device is acting as an AAA server.
Messages
Selected message types for the AAA server.
Status Codes
The AAA status codes for the selected time interval.
Processing Time Distribution
Displays a histogram of times it took the server to process requests. Move the mouse pointer over each bar to display the time range it represents and the number of requests in this bin.
Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
Response Time Breakdown
Displays the area chart containing median request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

AAA groups page

AAA Groups Toolbar
The AAA groups toolbar includes the following controls:
Metric Type
Click the Metric Type drop-down list and select either Client or Server to display metrics for devices in the current group acting as an AAA client or AAA server, respectively.
Errors
Click the Errors button to display the list of error messages sent to or received by the current member over the time interval. Errors are formatted as follows: Results-Code-Description:Session-Id:Error-Reporting-Host:Subscription-ID-Data.

Session-Id frequently contains multiple semicolon-separated records. Error-Reporting-Host is not always present.

Records
Displays results for records that match the selected metric source and protocol.
AAA Client
If you select Client for the AAA Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Number of AAA requests for the selected time interval.
Responses
Number of AAA responses for the selected time interval.
Errors
Number of AAA errors for the selected time interval.
Aborts
Number of AAA aborted requests for the selected time interval.
Diameter Requests
Number of Diameter requests for the selected time interval.
Radius Requests
Number of RADIUS requests for the selected time interval.
AAA Server
If you select Server for the AAA Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Number of AAA requests for the selected time interval.
Responses
Number of AAA responses for the selected time interval.
Errors
Number of AAA errors for the selected time interval.
Aborts
Number of AAA aborted requests for the selected time interval.
Diameter Requests
Number of Diameter requests for the selected time interval.
Radius Requests
Number of RADIUS requests for the selected time interval.
Messages
Selected message types for the AAA server.
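
The error format described for the AAA devices and groups pages (Results-Code-Description:Session-Id:Error-Reporting-Host:Subscription-ID-Data) can be split into fields for triage once the error list is copied out of the Web UI. The following Python is an added example, not ExtraHop code; the sample lines are constructed, and it assumes that a missing Error-Reporting-Host shows up either as an empty field or as an omitted field and that field values contain no colons.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AAAError:
    result: str                    # Results-Code-Description
    session_records: tuple         # Session-Id, split on ';'
    reporting_host: Optional[str]  # Error-Reporting-Host, None when absent
    subscription_id: str           # Subscription-ID-Data


def parse_aaa_error(line: str) -> AAAError:
    """Split one error string into its colon-separated fields."""
    parts = line.strip().split(":")
    if len(parts) == 4:
        result, session, host, subscriber = parts
    elif len(parts) == 3:
        # Assumption: only Error-Reporting-Host is optional, so a
        # three-field line is read as "host omitted".
        result, session, subscriber = parts
        host = ""
    else:
        raise ValueError(f"expected 3 or 4 fields, got {len(parts)}")
    if not result or not session:
        raise ValueError("empty result or Session-Id field")
    # Session-Id frequently carries several semicolon-separated records.
    records = tuple(session.split(";"))
    return AAAError(result, records, host or None, subscriber)


def summarize(lines, repeat_threshold=3):
    """Count errors per result, reporting host and subscriber.

    Subscribers with at least repeat_threshold errors are listed so that
    repeated failures for one identity stand out during review.
    """
    by_result, by_host, by_subscriber = Counter(), Counter(), Counter()
    malformed = []
    for line in lines:
        try:
            err = parse_aaa_error(line)
        except ValueError:
            malformed.append(line)   # keep for manual inspection
            continue
        by_result[err.result] += 1
        by_host[err.reporting_host or "(not reported)"] += 1
        by_subscriber[err.subscription_id] += 1
    repeated = sorted(s for s, n in by_subscriber.items()
                      if n >= repeat_threshold)
    return {
        "by_result": by_result,
        "by_host": by_host,
        "repeated_subscribers": repeated,
        "malformed": malformed,
    }


# Constructed sample lines (not real appliance output).
SAMPLE_ERRORS = [
    "DIAMETER_AUTHENTICATION_REJECTED:nas1.example.net;1093;4411;a1:aaa1.example.net:15550100",
    "DIAMETER_AUTHENTICATION_REJECTED:nas1.example.net;1093;4412:aaa1.example.net:15550100",
    "DIAMETER_AUTHENTICATION_REJECTED:nas2.example.net;2210;17::15550100",  # empty host field
    "DIAMETER_UNABLE_TO_DELIVER:nas2.example.net;2210;18:15550177",         # host omitted
    "DIAMETER_TOO_BUSY:nas1.example.net;1093;4413:aaa2.example.net:15550123",
    "truncated-line-without-separators",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_ERRORS)
    for name in ("by_result", "by_host"):
        print(name, dict(report[name]))
    print("repeated subscribers:", report["repeated_subscribers"])
    print("malformed lines:", len(report["malformed"]))
```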

CIFS

ExtraHop appliances collect metrics about Common Internet File System (CIFS)/Server Message Block (SMB) activity. ExtraHop appliances support SMB, SMB2 and SMB3.

CIFS devices page

CIFS Devices Toolbar
The CIFS device page toolbar includes the following controls:
CIFS Metric Type
Displays metrics for the current device acting as a CIFS client or CIFS server.
Errors
Displays the list of error messages sent to or received by the current device over the selected time interval.
Warnings
Displays the list of warning messages sent to or received by the current device over the selected time interval.
Methods
Displays the list of methods and associated bytes sent and received by the current device for the selected time interval. Methods are broken out by key parameters, such as the accessed file name and file access time.
Users
Displays the list of users accessing the file server and associated bytes sent and received for the selected time interval.
Files
Displays the list of files accessed and associated bytes sent and received for the selected time interval. The access time indicates the time to access a file on a CIFS partition and is measured by timing the first READ or WRITE on every flow.
Records
Displays results for records that match the selected metric source and protocol.

Where file name detail is presented, the Discover appliance displays both the file path and mount point, if available. The prefix '...' indicates that either the mount point or part of the path is not available. This might occur when the capture process was restarted after a "mount" or "cd" command was issued, or when the commands were lost due to desyncs.

Click the counters next to individual CIFS metrics to show the IP Address CIFS Metrics details for CIFS peer devices. For CIFS servers, the peer devices are CIFS clients. For CIFS clients, the peer devices are CIFS servers.

IP Address
Represents the IP address of the peer device.
Host
Represents the DNS host name of the peer device determined by passive analysis of the DNS traffic.
Device
Provides a link to the corresponding peer device. For local peer devices, the link leads to that device. For remote peer devices, the link leads to the gateway device through which the requests were routed.
CIFS Server
Displays additional IP address details.
Responses
Specifies the number of responses that the device sent when acting as a CIFS server.
Errors
Specifies the number of errors sent by the CIFS server.
Warnings
Displays the list of warning messages sent to or received by the CIFS server over the selected time interval.
Reads
Specifies the number of read operation requests that the device received when acting as a CIFS server.
Writes
Specifies the number of write operation requests that the device received when acting as a CIFS server.
Locks
Specifies the number of lock operation requests that the device received when acting as a CIFS server.
FSInfo
Specifies the number of file system metadata queries that the device received when acting as a CIFS server.
CIFS Client
Displays additional IP address details.
Responses
Specifies the number of responses that the device received when acting as a CIFS client.
Errors
Specifies the number of errors sent by the CIFS client.

CIFS groups page

CIFS Groups Toolbar
The CIFS groups toolbar includes the following controls:
CIFS Metric Type
Displays metrics for devices in the current group acting as a CIFS client or server, respectively.
Errors
Displays the list of error messages sent to or received by devices in the current group over the selected time interval.
Warnings
Displays the list of warning messages sent to or received by devices in the current group over the selected time interval.
Methods
Displays the list of methods and associated bytes sent and received by devices in the current group during the selected time interval. Methods are broken out by key parameters, such as the accessed file name.
Users
Displays the list of users accessing the file server and associated bytes sent and received for the selected time interval.
Files
Displays the list of files accessed and associated bytes sent and received for the selected time interval. Access Time indicates the time it took for the server to access a file on disk.
Records
Displays results for records that match the selected metric source and protocol.

Where file name detail is presented, the Discover appliance displays both the file path and mount point, if available. The prefix '...' indicates that either the mount point or part of the path is not available. This might occur when the capture process was restarted after a "mount" or "cd" command was issued, or when the commands were lost due to desyncs.

CIFS Server
Click the counter next to the metric to break it down by group members in the table at the bottom of the page.
Responses
Specifies the number of responses sent by the CIFS server.
Errors
Specifies the number of errors sent by the CIFS server.
Warnings
Displays the list of warning messages sent to or received by the CIFS server over the selected time interval.
Reads
Specifies the number of read operations requested from the CIFS server.
Writes
Specifies the number of write operations requested from the CIFS server.
Locks
Specifies the number of lock operations requested from the CIFS server.
CIFS Client
Click the counter next to the metric to break it down by group members in the table at the bottom of the page.
Responses
Specifies the number of responses received by the CIFS client.
Errors
Specifies the number of errors sent by the CIFS client.
Warnings
Displays the list of warning messages sent to or received by the CIFS client over the selected time interval.
Reads
Specifies the number of read operations requested by the CIFS client.
Writes
Specifies the number of write operations requested by the CIFS client.
Locks
Specifies the number of lock operations requested by the CIFS client.
Methods
Displays the CIFS methods for the selected time interval.

Click the counter next to the method to break it down by group members in the table.

Database

ExtraHop appliances collect metrics about database activity.

Learn more by taking the Database Quick Peek training.

Database applications page

Database Application Toolbar
The Database application toolbar includes the following controls:
Errors
The chart displays the total count for DB errors. Mouse over the points to view a summary of a specific time or date. The table lists DB error messages and the number of occurrences.
Methods

The chart displays responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists methods, number of responses, total time, and processing time (ms) associated with each method. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Users
The chart displays the number of responses and errors for all users. Mouse over the chart to view a summary of a specific time or date. The table displays the list of users, and the number of responses and errors associated with each user.
Clients

The chart displays the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Servers

The chart displays the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details
Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:
By Client IP
Displays application metrics by the client IP addresses.
By Server IP
Displays application metrics by the server IP addresses.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics
Contains the following metrics:
Request L2 Bytes
The number of L2 bytes associated with database requests.
Response L2 Bytes
The number of L2 bytes associated with database responses.
Request Packets
The number of packets associated with database requests.
Response Packets
The number of packets associated with database responses.
Request RTOs
The number of retransmission timeouts caused by congestion when clients were sending database requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
Response RTOs
The number of retransmission timeouts caused by congestion when servers were sending database responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
Request Zero Window
The number of zero window advertisements sent by database clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
Response Zero Window
The number of zero window advertisements sent by servers while receiving database requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
DB Metrics
Contains the following metrics:
Requests
The number of database requests.
Responses
The number of database responses.
Response Errors
The number of database response errors.
Transaction Metrics
Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.
ReqXfer
Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
Process
Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
RspXfer
Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
RTT
TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
Response Time Breakdown
Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.
Round-Trip Time (ms)
Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.
Congestion Requests: Goodput (bps) and RTOs
Displays goodput and RTOs into the object as a function of time over the selected time interval.
Congestion Responses: Goodput (bps) and RTOs
Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation might be masked by superficially healthy flows.
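
The goodput and RTO relationship described for the AAA and Database congestion charts can be reproduced with a small model. The following Python is an added example, not ExtraHop code: the flow counts, rates and 30-second bucket width are constructed assumptions, and each RTO is modelled as the one-second stall defined above.

```python
BUCKET_SECONDS = 30      # assumed width of one chart bucket
N_BUCKETS = 12           # six minutes of data
N_FLOWS = 10             # concurrent flows to the server
BURST = range(4, 8)      # buckets in which congestion occurs
RTOS_PER_BUCKET = 15     # RTOs per affected flow per burst bucket


def pearson(xs, ys):
    """Pearson correlation; None when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return None
    return cov / (vx * vy) ** 0.5


def build_flows(affected):
    """Return [(rtos, goodput_kbps)] per flow; the first `affected`
    flows suffer RTOs during the burst buckets."""
    flows = []
    for f in range(N_FLOWS):
        rtos, goodput = [], []
        for t in range(N_BUCKETS):
            # Offered load swings +/-5% with normal application demand.
            demand = 1000 + (50 if t % 2 == 0 else -50)
            n_rto = RTOS_PER_BUCKET if (f < affected and t in BURST) else 0
            rtos.append(n_rto)
            # Each RTO stalls the flow for one second of the bucket.
            goodput.append(demand * (1 - n_rto / BUCKET_SECONDS))
        flows.append((rtos, goodput))
    return flows


def aggregate(flows):
    """Sum per-flow series into what a server-level chart shows."""
    rtos = [sum(col) for col in zip(*(f[0] for f in flows))]
    goodput = [sum(col) for col in zip(*(f[1] for f in flows))]
    return rtos, goodput


def rollup(series, factor):
    """Average consecutive buckets, as a wider time interval would."""
    return [sum(series[i:i + factor]) / factor
            for i in range(0, len(series), factor)]


def analyze(affected):
    flows = build_flows(affected)
    rtos, goodput = aggregate(flows)
    return {
        "rtos": rtos,
        "goodput": goodput,
        "aggregate_r": pearson(rtos, goodput),  # server-level view
        "flow_r": pearson(*flows[0]),           # one affected flow
    }


if __name__ == "__main__":
    for affected in (8, 1):
        result = analyze(affected)
        print(f"{affected} of {N_FLOWS} flows affected: "
              f"aggregate r = {result['aggregate_r']:.2f}, "
              f"affected-flow r = {result['flow_r']:.2f}")
    fine = analyze(8)["goodput"]
    print("lowest 30 s bucket:", min(fine),
          "| lowest 3 min bucket:", round(min(rollup(fine, 6)), 1))
```

With most flows affected, the server-level correlation is strongly negative; with a single affected flow it weakens even though that flow's own correlation stays strong, and a six-bucket roll-up flattens the dip entirely.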

Database devices page

Database Devices Toolbar
The Database device toolbar includes the following controls:
Database Metric Type
Displays statistics for the current device acting as a database client or database server.
Errors
Displays the list of error messages sent to or received by the current device over the time interval.
Methods
Displays the list of names and the associated number of responses and errors.
Users
Displays the list of users accessing the database server and associated bytes sent and received for the selected time interval.
Clients or Servers
Displays the associated client IP addresses when the device is acting as a server, and the associated server IP addresses when acting as a client.

Device Details
Click the counters next to individual database metrics to show the IP Address Database Metrics for database peer devices. For database servers, the peer devices are database clients. For database clients, the peer devices are database servers.
By IP
Displays database metrics by IP address.
By Database
Displays database metrics by database. For local peer devices, the link leads to that device. For remote peer devices, the link leads to the gateway device through which the requests were routed.
Database Client
If you select Client for the Database Metric Type, the Discover appliance displays the following metrics:
Responses
Specifies the number of responses that the device received when acting as a database client. Click to display the list of servers from which responses were sent.
Errors
Specifies the number of database protocol errors for the selected time interval. Click to display the list of servers for which there were errors.
Requests Aborted
Specifies the number of requests that the device began to send but did not send completely when acting as a database client.
Responses Aborted
Specifies the number of responses that the device began to receive but did not receive completely when acting as a database client.
Database Server
If you select Server for the Database Metric Type, the Discover appliance displays the following metrics:
Responses
Specifies the number of responses that the device sent when acting as a database server. Click to display the list of clients to which responses were sent.
Errors
Specifies the number of database protocol errors for the selected time interval. Click to display the list of clients for which there were errors.
Requests Aborted
Specifies the number of requests that the device began to receive but did not receive completely when acting as a database server.
Responses Aborted
Specifies the number of responses that the device began to send but did not send completely when acting as a database server.
Methods
Displays the database methods for the selected time interval. Methods will vary for each specific device.
Transaction Metrics
Displays the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Move the mouse pointer over each component to display a five-number statistical summary.
ReqXfer
The request transfer time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
Process
The server processing time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
RspXfer
The response transfer time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
Request Size
Displays the range of request sizes for all transactions associated with the current device. Mouse over the chart to see the five-number summary. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean request size for each peer device, database, or IP address.
Response Size
Displays the range of response sizes for all transactions associated with the current device. Mouse over the chart to see the five-number summary. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean response size for each peer device, database, or IP address.
Transactions Per Second
Displays the number of database protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region. Select a database from the Databases drop-down list and then click the red data points to display results associated with that database only. For detailed error information, click Errors.
Response Time Breakdown
Displays the area chart containing median request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.
Database devices timing page

The timing charts draw data from the Time Selector drop-down list on the navigation toolbar. The events observed during this interval are used to fill the bins of a histogram that displays a distribution of timing data. Timing charts use a logarithmic horizontal axis that simultaneously displays events that took milliseconds and those that took seconds.

Request Transfer Time
Displays a histogram of times it took to transfer requests from the client to the server. Mouse over each bar to display the time range it represents and the number of requests in this bin.
Processing Time
Displays a histogram of times it took the server to process requests. Mouse over each bar to display the time range it represents and the number of requests in this bin.
Response Transfer Time
Displays a histogram of times it took to transfer the response from the server to the client. Mouse over each bar to display the time range it represents and the number of requests in this bin.
Database devices all methods page
Database Devices Toolbar
The Database devices toolbar includes the following controls:
Database Metric Type
Displays metrics for the current devices acting as a database client or server, respectively.
Records
Displays results for records that match the selected metric source and protocol.
Methods
This section displays the database methods for the selected time interval. Click to display additional per-client or per-server details.

Database groups page

Database Groups Toolbar
The Database groups toolbar includes the following controls:
Database Metric Type
Displays metrics for members in the current group acting as a database client or server, respectively.
Errors
Displays the list of error messages sent to or received by members in the current group over the time interval.
Methods
Displays the list of names and the associated processing times for the stored procedures executed within the databases belonging to the current group during the selected time interval.
Users
Displays the list of users accessing the database servers in this group and associated bytes sent and received for the selected time interval.
Database Client
If you select Client for the Database Metric Type, the Discover appliance displays the following metrics. Click the counter to break down the responses by group members in the table at the bottom of the page.
Responses
Specifies the number of database protocol responses received by all members of the current group during the selected time interval.
Errors
Specifies the number of database protocol errors received by all members of the current group during the selected time interval.
Requests Aborted
Specifies the number of requests that members of the group began to send but did not send completely when acting as a database client.
Responses Aborted
Specifies the number of responses that members of the group began to receive but did not receive completely when acting as a database client.
Database Server
If you select Server for the Database Metric Type, the Discover appliance displays the following metrics. Click the counter to break down the responses by group members in the table at the bottom of the page.
Responses
Specifies the number of database protocol responses sent by all members of the current group during the selected time interval.
Errors
Specifies the number of database protocol errors sent by all members of the current group during the selected time interval.
Requests Aborted
Specifies the number of requests that members of the group began to receive but did not receive completely when acting as a database server.
Responses Aborted
Specifies the number of responses that members of the group began to send but did not send completely when acting as a database server.
Methods
Displays the database methods for the selected time interval.
Database groups all methods page
Database Groups Toolbar
The Database groups toolbar includes the following controls:
Database Metric Type
Displays metrics for members in the current group acting as a database client or server, respectively.
Records
Displays results for records that match the selected metric source and protocol.
Methods
This section displays the database methods for the selected time interval. Click to display additional per-client or per-server details.
Database Client
This table lists the peer members associated with the database client.
Database Server
This table lists the peer members associated with the database server.
Database groups processing time page
Database Groups Toolbar
The Database groups toolbar includes the following controls:
Database Metric Type
Displays metrics for members in the current group acting as a database client or server, respectively.
Records
Displays results for records that match the selected metric source and protocol.
Server Processing Time
Shows median server processing time over the selected time interval for each member in the group. The five-number summary, which includes the minimum, lower quartile, median, upper quartile, and maximum values, is displayed by hovering over a bar.

DHCP

ExtraHop appliances collect metrics about Dynamic Host Configuration Protocol (DHCP) activity.

DHCP applications page

DHCP Applications Toolbar
The DHCP applications toolbar includes the following controls:
Errors
Displays a chart of the number of DHCP errors.
Clients

Displays chart and table information about DHCP client activity. The chart displays the total number of client responses compared to processing time.

The table lists client IP addresses, the host and device associated with each client, the number of requests by each client, and total processing time.

Servers

Displays chart and table information about DHCP server activity. The chart displays the total number of server responses compared to processing time. The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

L2-L4 Metrics
Contains the following metrics:
Request L2 Bytes
The number of L2 bytes associated with DHCP requests.
Response L2 Bytes
The number of L2 bytes associated with DHCP responses.
Request Packets
The number of packets associated with DHCP requests.
Response Packets
The number of packets associated with DHCP responses.
DHCP Metrics
Contains the following metrics:
Requests
The number of DHCP requests.
Responses
The number of DHCP responses.
Errors
Displays the number of DHCP errors.
Requests by Message Type
Displays the number of DHCP requests broken out by the message type.
Responses by Message Type
Displays the number of DHCP responses broken out by the message type.
Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
Processing Time
Displays the median processing time in milliseconds as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the processing time metrics.

DHCP devices page

DHCP Devices Toolbar
The DHCP devices toolbar includes the following controls:
DHCP Metric Type
From the drop-down menu, select the type of metrics for the current device.
Errors
Displays the list of error messages sent or received by the current device over the selected time interval.
Clients or Servers
Displays the associated client IP addresses when the device is acting as a server, and the associated server IP addresses when acting as a client.
Records
Displays results for records that match the selected metric source and protocol.
DHCP Server
Requests
Displays the number of requests that the device received.
Responses
Displays the number of responses that the device sent.
Response Errors
Displays the number of response errors.
Requests by Message Type
Displays the number of requests that the device received for the message type.
Responses by Message Type
Displays the number of responses that the device sent for the message type.
Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
Server Processing Time
Displays the median server processing time in milliseconds as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the processing time metrics.
Processing Time Distribution
Displays a histogram of the server time taken to process requests.
Requests by Record Type
Displays the categorization of all request types sent or received by the current device.
Responses by Record Type
Displays the categorization of all response types sent or received by the current device.

DHCP groups page

DHCP Groups Toolbar
The DHCP groups toolbar includes the following controls:
DHCP Metric Type
Displays metrics for members in the current group acting as a DHCP client or server, respectively.
Errors
Displays the list of error messages sent to or received by members in the current group over the time interval.
DHCP Client
If you select Client for the DHCP Metric Type, the Discover appliance displays the following metrics:
Requests
Specifies the number of requests that the device sent when acting as a DHCP client. Click the counter to display the list of servers to which requests were sent.
Responses
Specifies the number of responses that the device received when acting as a DHCP client. Click the counter to display the list of servers from which the responses were received.
Response Errors
Specifies the number of response errors for the selected time interval when acting as a DHCP client. Click the counter to display the list of servers associated with the errors.
DHCP Server
If you select Server for the DHCP Metric Type, the Discover appliance displays the following metrics:
Requests
Specifies the number of requests that the device received when acting as a DHCP server. Click the counter to display the list of clients from which requests were received.
Responses
Specifies the number of responses that the device sent when acting as a DHCP server. Click the counter to display the list of clients to which the responses were sent.
Response Errors
Specifies the number of response errors for the selected time interval when acting as a DHCP server. Click the counter to display the list of clients associated with the errors.
Requests by Message Type
Displays the number of DHCP requests broken out by the message type.
Responses by Message Type
Displays the number of DHCP responses broken out by the message type.
DHCP groups processing time page
Server Processing Time
Shows median server processing time over the selected time interval for each member in the group. The five-number summary, which includes the minimum, lower quartile, median, upper quartile, and maximum values, is displayed by hovering over a bar.

DICOM

ExtraHop appliances collect metrics about Digital Imaging and Communications in Medicine (DICOM) activity.

Note: ExtraHop appliances do not include any built-in metric pages for DICOM. However, you can view DICOM metrics by adding them to a custom page or dashboard.

DNS

ExtraHop appliances collect metrics about Domain Name System (DNS) activity.

Learn more by taking the DNS Quick Peek training.

DNS applications page

DNS Applications Toolbar
The DNS applications toolbar includes the following controls:
Errors
Displays a chart that shows the number of errors.
Host Queries
The chart displays the total number of host queries compared to processing time during the selected time interval. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists DNS hosts, number of host queries, and the processing time.

Clients
Displays a chart with the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Servers
Displays a chart with the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details
Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:
By Client IP
Displays application metrics by the client IP addresses.
By Server IP
Displays application metrics by the server IP addresses.
By Host Query
Displays application metrics by host query.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics
Contains the following metrics:
Request L2 Bytes
The number of L2 bytes associated with requests.
Response L2 Bytes
The number of L2 bytes associated with responses.
Request Packets
The number of packets associated with requests.
Response Packets
The number of packets associated with responses.
DNS Metrics
Contains the following metrics:
Requests
The number of requests received.
Request Timeouts
The number of request timeouts. A request timeout occurs when there is a repeated request without a response to the first request.
Truncated Requests
The number of requests that were sent but were truncated in transit. A truncated request is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.
Responses
The number of responses received.
Response Errors
The number of response errors.
Truncated Responses
The number of responses that were sent but were truncated in transit. A truncated response is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.
Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
Requests by Opcode
Displays all request opcode types sent or received by the current application. For each field, click to display the devices to or from which these requests were sent or received.
Query
Number of DNS QUERY Opcodes sent or received by the current application. DNS Queries are the most-frequently encountered DNS Opcode type.
Responses by Response Code
Displays all response codes broken down by request opcode and request record type sent (if server) or received (if client) by the current device. The format of the entry is ERROR/REQUEST_OPCODE:REQUEST_RECORD. For each field, click to display the devices to or from which these requests were sent or received.

The response code bar categories include the following:

NOERROR
Successful transaction; no error.
FORMERROR
Format Error.
SERVFAIL
DNS Server Failed.
NXDOMAIN
No such domain.
NOTIMPL
No handler implemented for this query type.
REFUSED
Query administratively refused.
UPDATEERR
Error in handling UPDATE request.
TSIGERR
Error in handling TSIG request.
OTHER
All other response code types.
Processing Time
Displays the mean processing time in milliseconds as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the processing time metrics. Click and drag across the chart to select a particular region.

Click the graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

DNS devices page

DNS Devices Toolbar
The DNS devices toolbar includes the following controls:
DNS Metric Type
Displays metrics for the current device acting as a DNS client or DNS server.
Errors
Displays the list of DNS queries made to or from this device, sorted by Host Query frequency. Click the Query Errors header to sort the list by the number of DNS errors encountered.
Servers
When acting as a DNS client, displays a chart showing the total number of responses compared to processing time during the selected time interval.
Clients
When acting as a DNS server, displays a chart showing the total number of responses compared to processing time during the selected time interval.
Records
Displays results for records that match the selected metric source and protocol.
DNS Client
If you select Client for the DNS Metric Type, the Discover appliance displays the following metrics. For each field, click to display the devices to which these requests were made.
Requests
Specifies the number of requests that the device sent when acting as a DNS client.
Request Timeouts
Specifies the number of request timeouts when the device is acting as a DNS client. A request timeout occurs when there is a repeated request without a response to the first request. A high number here might indicate server unresponsiveness or a client misconfiguration.
Truncated Requests
Specifies the number of requests that were sent, but were truncated in transit, when the device is acting as a DNS client. A truncated request is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.
Responses
Specifies the number of responses that the device received when acting as a DNS client.
Response Errors
Specifies the number of responses received with a code other than NOERROR, when the device is acting as a DNS client.
Truncated Responses
Specifies the number of truncated responses that the device received when acting as a DNS client. A truncated response is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.
DNS Server
If you select Server for the DNS Metric Type, the Discover appliance displays the following metrics. For each field, click to display the devices from which these requests were received.
Requests
Specifies the number of requests that the device received when acting as a DNS server.
Request Timeouts
Specifies the number of request timeouts when the device is acting as a DNS server. A request timeout occurs when there is a repeated request without a response to the first request. A high number here might indicate a problem with this DNS server.
Truncated Requests
Specifies the number of requests that were received, but were truncated in transit, when the device is acting as a DNS server. A truncated request is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.
Responses
Specifies the number of responses that the device sent when acting as a DNS server.
Response Errors
When the device is acting as a DNS server, specifies the number of responses sent with a code other than NOERROR.
Truncated Responses
Specifies the number of responses sent, but later truncated, when the device is acting as a DNS server. A truncated response is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.
Requests by Opcode
Displays all request opcode types sent or received by the current device. For each field, click to display the devices to or from which these requests were sent or received.
Query
Specifies the number of DNS QUERY Opcodes sent or received by the current device. DNS Queries are the most-frequently encountered DNS Opcode type.
Notify
Specifies the number of DNS NOTIFY Opcodes sent or received by the current device. DNS Notify is used as a synchronization method between DNS servers.
Update
Specifies the number of DNS UPDATE Opcodes sent or received by the current device. DNS Update is used as a synchronization method between DNS servers.
Other
Specifies the number of other miscellaneous DNS Opcodes sent or received by the current device.
Responses by Response Code
Displays all response codes broken down by request opcode and request record type sent (if server) or received (if client) by the current device. The format of the entry is ERROR/REQUEST_OPCODE:REQUEST_RECORD. For each field, click to display the devices to or from which these requests were sent or received.

The response code bar categories include:

NOERROR
Successful transaction; no error.
FORMERROR
Format Error.
SERVFAIL
DNS Server Failed.
NXDOMAIN
No such domain.
NOTIMPL
No handler implemented for this query type.
REFUSED
Query administratively refused.
UPDATEERR
Error in handling UPDATE request.
TSIGERR
Error in handling TSIG request.
OTHER
All other response code types.
Transactions Per Second
Displays the number of DNS transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region.
Server Processing Time
Displays the median server processing time in milliseconds as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the processing time metrics. Click and drag across the chart to select a particular region.
Processing Time Distribution
Displays a histogram of times it took the server to process requests. Move the mouse pointer over each bar to display the time range it represents and the number of requests in this bin.
Requests by Record Type
Shows the categorization of all request types sent or received by the current device. Click a bar to display the device to which (if client) or from which (if server) the query was sent.

The request query bar categories displayed include:

  • A. Address
  • NS. Name Server
  • CNAME. Canonical Name
  • SOA. Start Of Authority
  • PTR. Pointer Record
  • MX. Mail Exchanger
  • TXT. Text
  • AAAA. IPv6 Address
  • SRV. Service
  • TSIG. Secured Signed Request class
  • IXFR. Incremental Zone Transfer
  • AXFR. Zone Transfer
  • ANY. Any available
  • Other. All other categories
Responses by Record Type
Shows the categorization of all response types sent or received by the current device. Click a bar to display the device from which (if client) or to which (if server) the response was sent.

The request query bar categories displayed include:

  • A. Address
  • NS. Name Server
  • CNAME. Canonical Name
  • SOA. Start Of Authority
  • PTR. Pointer Record
  • MX. Mail Exchanger
  • TXT. Text
  • AAAA. IPv6 Address
  • SRV. Service
  • TSIG. Secured Signed Request class
  • IXFR. Incremental Zone Transfer
  • AXFR. Zone Transfer
  • Other. All other categories

It is possible for multiple answers to be sent in response to a single query.
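
The DNS counters described above (request timeouts, truncated messages, response errors, and the ERROR/REQUEST_OPCODE:REQUEST_RECORD breakdown) can be derived from raw DNS messages as in the following Python example, which is added here and is not ExtraHop code. The sample messages and addresses are constructed; grouping header RCODEs 6-10 as UPDATEERR and matching repeated requests on (client, server, name, type) are assumptions of this example.

```python
import struct
from collections import Counter

# Header RCODEs 0-5 (RFC 1035), written with the labels this page uses.
RCODES = {0: "NOERROR", 1: "FORMERROR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMPL", 5: "REFUSED"}
OPCODES = {0: "QUERY", 4: "NOTIFY", 5: "UPDATE"}
RTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA", 33: "SRV", 250: "TSIG", 251: "IXFR",
          252: "AXFR", 255: "ANY"}


def rcode_label(rcode):
    if rcode in RCODES:
        return RCODES[rcode]
    # Assumption: the RFC 2136 update RCODEs 6-10 are grouped as UPDATEERR.
    # TSIG errors travel in the TSIG record, not the header, so are not decoded.
    return "UPDATEERR" if 6 <= rcode <= 10 else "OTHER"


def parse_dns(msg):
    """Decode the header and first question; return None if malformed."""
    if len(msg) < 12:
        return None
    _txid, flags, qdcount = struct.unpack(">HHH", msg[:6])
    labels, qtype, pos = [], None, 12
    if qdcount:
        while True:
            if pos >= len(msg):
                return None
            n = msg[pos]
            pos += 1
            if n == 0:
                break
            # Lengths above 63 are pointers or reserved; this sketch rejects them.
            if n > 63 or pos + n > len(msg):
                return None
            labels.append(msg[pos:pos + n].decode("ascii", "replace").lower())
            pos += n
        if pos + 4 > len(msg):
            return None
        qtype = struct.unpack(">H", msg[pos:pos + 2])[0]
    return {
        "is_response": bool(flags >> 15),               # QR bit
        "opcode": OPCODES.get((flags >> 11) & 0xF, "OTHER"),
        "truncated": (flags >> 9) & 1,                  # TC (truncated) bit
        "rcode": rcode_label(flags & 0xF),
        "qname": ".".join(labels),
        "rtype": RTYPES.get(qtype, "OTHER"),
    }


def tally(events):
    """events: (client, server, payload) tuples in capture order."""
    counts, by_code, pending = Counter(), Counter(), set()
    for client, server, payload in events:
        m = parse_dns(payload)
        if m is None:
            counts["malformed"] += 1
            continue
        key = (client, server, m["qname"], m["rtype"])
        if m["is_response"]:
            counts["responses"] += 1
            counts["truncated_responses"] += m["truncated"]
            counts["response_errors"] += m["rcode"] != "NOERROR"
            by_code[f'{m["rcode"]}/{m["opcode"]}:{m["rtype"]}'] += 1
            pending.discard(key)
        else:
            counts["requests"] += 1
            counts["truncated_requests"] += m["truncated"]
            # A repeated request with no response to the first one is a timeout.
            counts["request_timeouts"] += key in pending
            pending.add(key)
    return counts, by_code


def build(txid, name, qtype, qr=0, opcode=0, tc=0, rcode=0):
    """Build a one-question DNS message for the constructed sample below."""
    flags = (qr << 15) | (opcode << 11) | (tc << 9) | rcode
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


CLIENT, SERVER = "10.0.0.5", "10.0.0.53"   # constructed addresses
SAMPLE = [                                  # constructed traffic
    (CLIENT, SERVER, build(1, "www.example.com", 1)),
    (CLIENT, SERVER, build(1, "www.example.com", 1, qr=1)),
    (CLIENT, SERVER, build(2, "missing.example.com", 1)),
    (CLIENT, SERVER, build(2, "missing.example.com", 1, qr=1, rcode=3)),
    (CLIENT, SERVER, build(3, "slow.example.com", 28)),
    (CLIENT, SERVER, build(3, "slow.example.com", 28)),   # repeat, no response yet
    (CLIENT, SERVER, build(3, "slow.example.com", 28, qr=1, rcode=2)),
    (CLIENT, SERVER, build(4, "big.example.com", 16)),
    (CLIENT, SERVER, build(4, "big.example.com", 16, qr=1, tc=1)),
    (CLIENT, SERVER, b"\x00\x01"),                        # shorter than a header
]

if __name__ == "__main__":
    totals, codes = tally(SAMPLE)
    print(dict(totals))
    print(dict(codes))
```
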

DNS groups page

DNS Groups Toolbar
The DNS groups toolbar includes the following controls:
DNS Metric Type
Displays metrics for members in the current group acting as a DNS client or DNS server, respectively.
Errors
Displays the number of query errors by host.
Host Queries
Displays the list of DNS queries made to or from any member in the current group. The list is sorted by Host Query frequency. Click the Query Errors header to sort the list by the number of DNS errors encountered.
Records
Displays results for records that match the selected metric source and protocol.
DNS Client
If you select Client for the DNS Metric Type, the Discover appliance displays the following metrics. Click the metric to break down DNS requests by group members in the table at the bottom of the page.
Requests
Specifies the number of DNS requests made by all members of the group.
Request Timeouts
Specifies the number of DNS requests made by any member of the group to which no response was received.
Truncated Requests
Specifies the number of malformed, truncated DNS requests sent by any member of the group.
Responses
Specifies the number of DNS responses received by all members of the group.
Response Errors
Specifies the number of DNS response errors received by all members of the group.
Truncated Responses
Specifies the number of malformed, truncated DNS responses received by all members of the group.
DNS Server
If you select Server for the DNS Metric Type, the Discover appliance displays the following metrics. Click the metric to break down DNS requests by group members in the table at the bottom of the page.
Requests
Specifies the number of DNS requests received by all members of the group.
Request Timeouts
Specifies the number of DNS requests received by any member of the group to which no response was sent.
Truncated Requests
Specifies the number of malformed, truncated DNS requests received by all members of the group.
Responses
Specifies the number of DNS responses sent by all members of the group.
Response Errors
Specifies the number of DNS response errors sent by all members of the group.
Truncated Responses
Specifies the number of malformed, truncated DNS responses sent by all members of the group.
Requests by Opcode
Shows the breakdown of all opcodes sent (if server) or received (if client) by members in the selected group. For each opcode, click to break down by group members in the table at the bottom of the page.
Query
Specifies the number of DNS QUERY Opcodes sent or received by all members of the group. DNS Queries are the most-frequently encountered DNS Opcode type.
Notify
Specifies the number of DNS NOTIFY Opcodes sent or received by all members of the group. DNS Notify is used as a synchronization method between DNS servers.
Update
Specifies the number of DNS UPDATE Opcodes sent or received by all members of the group. DNS Update is used as a synchronization method between DNS servers.
Other
Specifies the number of other miscellaneous DNS Opcodes sent or received by all members of the group.
Requests by Record Type
Shows the breakdown of all request types sent or received by members in the selected group. For each query type, click to break down by group members in the table at the bottom of the page.

The request query bar categories displayed include:

  • A. Address
  • NS. Name Server
  • CNAME. Canonical Name
  • SOA. Start Of Authority
  • PTR. Pointer Record
  • MX. Mail Exchanger
  • TXT. Text
  • AAAA. IPv6 Address
  • SRV. Service
  • TSIG. Secured Signed Request class
  • IXFR. Incremental Zone Transfer
  • AXFR. Zone Transfer
  • ANY. Any available
  • Other. All other categories
Responses by Record Type
Shows the breakdown of all record types sent (if server) or received (if client) by members in the selected group. For each query type, click to break down by group members in the table at the bottom of the page.

The request query bar categories displayed include:

  • A. Address
  • NS. Name Server
  • CNAME. Canonical Name
  • SOA. Start Of Authority
  • PTR. Pointer Record
  • MX. Mail Exchanger
  • TXT. Text
  • AAAA. IPv6 Address
  • SRV. Service
  • TSIG. Secured Signed Request class
  • IXFR. Incremental Zone Transfer
  • AXFR. Zone Transfer
  • ANY. Any available
  • Other. All other categories
Responses by Response Code
Shows the categorization of all response codes broken down by request opcode and request record type sent (if server) or received (if client) by members in the selected group. The format of the entry is ERROR/REQUEST_OPCODE:REQUEST_RECORD.

The response code bar categories include:

  • NOERROR. Successful transaction; no error.
  • FORMERROR. Format Error.
  • SERVFAIL. DNS Server Failed.
  • NXDOMAIN. No such domain.
  • NOTIMPL. No handler implemented for this query type.
  • REFUSED. Query administratively refused.
  • UPDATEERR. Error in handling UPDATE request.
  • TSIGERR. Error in handling TSIG request.
  • OTHER. All other response code types.

Click the counter next to the response code to break it down by group members in the table.
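
The ERROR/REQUEST_OPCODE:REQUEST_RECORD entry format described above can be rolled up offline once the counters are copied out of the UI. The following is an added example, not ExtraHop code; the sample entries, their counts, and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Response-code categories listed in this guide; any other code is bucketed as OTHER.
KNOWN_CODES = {"NOERROR", "FORMERROR", "SERVFAIL", "NXDOMAIN", "NOTIMPL",
               "REFUSED", "UPDATEERR", "TSIGERR", "OTHER"}

# ERROR/REQUEST_OPCODE:REQUEST_RECORD, for example "NXDOMAIN/QUERY:A"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z0-9]+)/(?P<opcode>[A-Z0-9]+):(?P<record>[A-Z0-9]+)$")

# Constructed sample: (entry label, count). Not taken from a real appliance.
SAMPLE_ROWS = [
    ("NOERROR/QUERY:A", 900),
    ("NXDOMAIN/QUERY:A", 100),
    ("NOERROR/QUERY:AAAA", 300),
    ("SERVFAIL/QUERY:AAAA", 100),
    ("REFUSED/QUERY:AXFR", 4),
    ("BADVERS/QUERY:TXT", 2),      # code not in the guide's list -> OTHER
    ("NOERROR QUERY A", 7),        # malformed label, reported separately
]


def parse_entry(label):
    """Split one entry label into (code, opcode, record); None if malformed."""
    m = ENTRY_RE.match(label.strip().upper())
    if m is None:
        return None
    code = m.group("code")
    if code not in KNOWN_CODES:
        code = "OTHER"
    return code, m.group("opcode"), m.group("record")


def summarize(rows):
    """Return (totals per response code, non-NOERROR ratio per record type,
    labels that did not match the entry format)."""
    by_code = Counter()
    per_record = defaultdict(Counter)
    rejected = []
    for label, count in rows:
        parsed = parse_entry(label)
        if parsed is None:
            rejected.append(label)
            continue
        code, _opcode, record = parsed
        by_code[code] += count
        per_record[record][code] += count
    failure_ratio = {}
    for record, codes in per_record.items():
        total = sum(codes.values())
        if total == 0:
            continue                # avoid dividing by zero on empty counters
        failure_ratio[record] = round((total - codes["NOERROR"]) / total, 3)
    return by_code, failure_ratio, rejected


if __name__ == "__main__":
    totals, ratios, bad = summarize(SAMPLE_ROWS)
    for record, ratio in sorted(ratios.items(), key=lambda kv: -kv[1]):
        print(f"{record:5} non-NOERROR ratio {ratio}")
    print("totals:", dict(totals), "rejected:", bad)
```

A record type whose responses are all non-NOERROR (AXFR in the constructed sample) stands out immediately, even when its absolute count is small.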

DNS groups processing time page
Server Processing Time
Shows median server processing time over the selected time interval for each member in the group. The five-number summary, which includes the minimum, lower quartile, median, upper quartile, and maximum values, is displayed by hovering over a bar.

FIX

ExtraHop appliances collect metrics about Financial Information Exchange (FIX) activity.

FIX applications page

FIX Applications Toolbar
The FIX applications toolbar includes the following controls:
Errors
The chart displays the number of FIX errors. Mouse over the points to view a summary of a specific time or date. The table lists FIX error messages and the number of times each occurred.
Senders
The chart displays the number of FIX senders. Mouse over the points to view a summary of a specific time or date. The table lists senders and the count associated with each sender.
Targets
The chart displays the number of FIX targets. Mouse over the points to view a summary of a specific time or date. The table lists targets and the count associated with each target.
Clients
The chart displays the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Servers
The chart displays the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details
Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:
By Client IP
Displays application metrics by the client IP addresses.
By Server IP
Displays application metrics by the server IP addresses.
By Target
Displays application metrics by target.
By Sender
Displays application metrics by sender.
L2-L4 Metrics
Contains the following metrics:
Request L2 Bytes
The number of L2 bytes associated with DNS requests.
Response L2 Bytes
The number of L2 bytes associated with DNS responses.
Request Packets
The number of packets associated with DNS requests.
Response Packets
The number of packets associated with DNS responses.
Request RTOs
Specifies the number of times the client delayed TCP retransmissions and missed server acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
Response RTOs
Specifies the number of times the server delayed TCP retransmissions and missed client acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
Request Zero Window
Specifies the number of client-side zero window advertisements. A zero window indicates the connection has stalled because the client cannot handle the rate of data the server is sending.
Response Zero Window
Specifies the number of server-side zero window advertisements. A zero window indicates the connection has stalled because the server cannot handle the rate of data the client is sending.
FIX Metrics
Contains the following metrics:
Requests
Specifies the number of requests for the application.
Responses
Specifies the number of responses for the application.
Response Errors
Specifies the number of responses by error for the application.
Methods
Methods exchanged by device over the selected time interval. Click the counter to display additional per-client or per-server IP address details.
Transactions Metrics
Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.
ReqXfer
Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
Process
Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
RspXfer
Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
RTT
TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
Response Time Breakdown
Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.
Round-Trip Time (ms)
Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.
Congestion Requests: Goodput (bps) and RTOs
Displays goodput and RTOs into the object as a function of time over the selected time interval.
Congestion Responses: Goodput (bps) and RTOs
Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

FIX devices page

FIX Devices Toolbar
The FIX device toolbar includes the following controls:
FIX Metric Type
Displays metrics for devices acting as a FIX client or FIX server.
Errors
Click the Errors button to display the list of FIX session-level reject reasons (error messages) sent to or received by the current device over the selected time interval. These metrics do not include the processing of order and trade errors.
Senders
Click the Senders button to display a list of institutions sending the FIX message as it appears in the SenderCompID field.
Targets
Click the Targets button to display a list of institutions receiving the FIX message as it appears in the TargetCompID field.
Records
Displays results for records that match the selected metric source and protocol.

FIX Details specifies the type of additional FIX information displayed. Moving the cursor over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

By IP
Displays FIX metrics by IP addresses.
By Sender
Displays FIX metrics by sender.
By Target
Displays FIX metrics by target.

For example, FIX Responses is a top-level metric showing how many responses were received by the FIX server during the selected time frame. Selecting By IP in the drop-down list while moving the cursor over the FIX Responses counter displays which IP addresses originated these responses.

FIX Metrics by IP Address
Click By IP in the drop-down list to display the following information in the details table.
IP Address
Represents the FIX server's IP address.
Host
Represents the DNS host name of the FIX server determined by passive analysis of the DNS traffic.
Device
Provides a link to the corresponding FIX server device.
<Metric value>
Displays the value for the selected metric.
FIX Metrics by Sender
Click By Sender in the drop-down list to display the following information in the details table.
Sender
Displays a list of senders.
<Metric value>
Displays the value for the selected metric.
FIX Metrics by Target
Click By Target in the drop-down list to display the following information in the details table.
Target
Displays a list of targets.
<Metric value>
Displays the value for the selected metric.
FIX Client
Click the counter next to the metric to break it down by group members in the table at the bottom of the page.
Requests
The number of requests received.
Responses
The number of responses received.
Errors
Number of errors sent.
POS Duplicate
Number of POS duplicates received.
POS Resend
Number of POS resends received.
FIX Servers
Click the counter next to the metric to break it down by group members in the table at the bottom of the page.
Requests
The number of requests received.
Responses
The number of responses received.
Errors
Number of errors sent.
POS Duplicate
Number of POS duplicates received.
POS Resend
Number of POS resends received.
Methods
Methods exchanged by device over the selected time interval. Click the counter to display additional per-client or per-server IP address details.
Versions
FIX versions used over the selected time interval. Click the counter to display additional per-client or per-server IP address details.
Transactions Metrics
Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.
ReqXfer
Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
Process
Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
RspXfer
Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
RTT
TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

FIX groups page

FIX Groups Toolbar
The FIX groups toolbar includes the following controls:
FIX Metric Type
Displays metrics for groups acting as a FIX client or FIX server.
Errors
Click the Errors button to display the list of FIX session-level reject reasons (error messages) sent to or received by the current group over the selected time interval. These metrics do not include the processing of order and trade errors.
Senders
Click the Senders button to display a list of institutions sending the FIX message as it appears in the SenderCompID field.
Targets
Click the Targets button to display a list of institutions receiving the FIX message as it appears in the TargetCompID field.
Records
Displays results for records that match the selected metric source and protocol.
FIX Client
Click the counter next to the metric to break it down by group members in the table at the bottom of the page.
Requests
The number of requests received.
Responses
The number of responses received.
Errors
Number of errors sent.
POS Duplicate
Number of POS duplicates received.
POS Resend
Number of POS resends received.
FIX Servers
Click the counter next to the metric to break it down by group members in the table at the bottom of the page.
Requests
The number of requests received.
Responses
The number of responses received.
Errors
Number of errors sent.
POS Duplicate
Number of POS duplicates received.
POS Resend
Number of POS resends received.
Methods
Methods exchanged by device over the selected time interval. Click the counter to display additional per-client or per-server IP address details.

FTP

ExtraHop appliances collect metrics about File Transfer Protocol (FTP) activity.

Learn more by taking the FTP Quick Peek training.

FTP applications page

FTP Applications Toolbar
The FTP application toolbar includes the following controls:
Errors
The chart displays the number of FTP errors. Mouse over the points to view a summary of a specific time or date. The table lists FTP error messages and the number of times each occurred.
Warnings
The chart displays the FTP warnings (4xx error messages) transferred. The table lists the FTP warning messages and the number of times each occurred.
Users
The chart displays the number of responses and errors for all users. Mouse over the chart to view a summary of a specific time or date. The table lists users and the number of responses and errors associated with each user.
Clients
Displays a chart with the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Servers
Displays a chart with the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details
Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:
By Client IP
Displays application metrics by the client IP addresses.
By Server IP
Displays application metrics by the server IP addresses.
By Users
Displays application metrics by user.
L2-L4 Metrics
Contains the following metrics:
Request L2 Bytes
The number of L2 bytes associated with requests.
Response L2 Bytes
The number of L2 bytes associated with responses.
Request Packets
The number of packets associated with requests.
Response Packets
The number of packets associated with responses.
Request RTOs
Specifies the number of times the client delayed TCP retransmissions and missed server acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
Response RTOs
Specifies the number of times the server delayed TCP retransmissions and missed client acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
Request Zero Window
Specifies the number of client-side zero window advertisements. A zero window indicates the connection has stalled because the client cannot handle the rate of data the server is sending.
Response Zero Window
Specifies the number of server-side zero window advertisements. A zero window indicates the connection has stalled because the server cannot handle the rate of data the client is sending.
FTP Metrics
Contains the following metrics:
Requests
The number of requests received.
Responses
The number of responses received.
Response Warnings
The number of responses with an FTP status code of 4xx.
Response Errors
The number of FTP response errors.

Methods
Displays the FTP commands for the selected time interval. Click the counter to display additional per-client or per-server IP address details.

Examples of FTP commands:

CWD
Allows the user to work with a different directory or dataset for file storage or retrieval without altering his log on or accounting information.
DELE
Causes the file specified in the path name to be deleted at the server site.
EPSV
Puts connection into extended passive mode.
LIST
Gets information for a specific working directory, if explicitly specified, or the current one if none is specified.
MDTM
Gets last-modified time of a file.
MLSD
Gets the contents of a directory.
PASS
Is a Telnet string specifying the user's password. This command must be immediately preceded by the user name command.
PASV
Requests the server-DTP to "listen" on a data port (which is not its default data port) and to wait for a connection rather than initiate one on receipt of a transfer command.
PORT
Is a HOST-PORT specification for the data port to be used in data connection.
PWD
Causes the name of the current working directory to be returned in the reply.
QUIT
Terminates a USER, and if file transfer is not in progress, the server closes the control connection. If file transfer is in progress, the connection will remain open for the result response, and the server will then close it.
RETR
Causes the server-DTP to transfer a copy of the file, specified in the path name, to the server.
SIZE
Gets the size of a file.
STOR
Causes the server-DTP to accept the data transferred via the data connection, and to store the data as a file at the server site.
SYST
Used to find out the type of operating system at the server.
TYPE
Puts the transfer mode into ASCII or Binary mode.
Status Codes
Displays the FTP reply codes for the selected time interval. Click the counter to display additional per-client or per-server IP address details.

Examples of FTP reply codes:

1xx
Positive Preliminary reply
2xx
Positive Completion reply
3xx
Positive Intermediate reply
4xx
Transient Negative Completion reply
5xx
Permanent Negative Completion reply
6xx
Protected reply

Examples of specific reply codes:

200
OK
221
Service closing control connection
225
Data connection open
226
Closing data connection
227
Entering passive mode
230
User logged in – proceed
250
Requested file action okay
500
Syntax error, command unrecognized. This might include errors such as command line too long.
501
Syntax error in parameters or arguments
502
Command not implemented
503
Bad sequence of commands
504
Command not implemented for that parameter
530
Not logged in
550
Requested action not taken – file not available
553
Requested action not taken – filename not allowed
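
The 4xx warning and 5xx error counters, the method and status-code counts, and the per-user breakdown described above can be reproduced from an FTP control-connection transcript. The following is an added example, not ExtraHop code: the transcript format, the sample lines, and all function names are constructed for illustration, and the PASS argument is dropped before anything is stored.

```python
import re
from collections import Counter, defaultdict

# Constructed control-connection transcript: "<session> <C|S>: <line>".
SAMPLE_TRANSCRIPT = """\
s1 C: USER alice
s1 S: 331 Password required
s1 C: PASS hunter2
s1 S: 230-Welcome
s1 S: 230 User logged in - proceed
s1 C: CWD /reports
s1 S: 250 Requested file action okay
s1 C: RETR q3.csv
s1 S: 550 Requested action not taken - file not available
s1 C: LIST
s1 S: 425 Can't open data connection
s1 C: QUIT
s1 S: 221 Service closing control connection
s2 C: USER bob
s2 S: 331 Password required
s2 C: PASS letmein
s2 S: 530 Not logged in
s2 C: PASS letmein2
s2 S: 530 Not logged in
"""

LINE_RE = re.compile(r"^(?P<sid>\S+) (?P<side>[CS]): (?P<body>.*)$")
# Only "NNN<space>text" ends a reply; "NNN-text" is a multi-line continuation.
FINAL_REPLY_RE = re.compile(r"^(?P<code>\d{3}) (?P<text>.*)$")


def redact(command, argument):
    """Never keep the PASS argument: it is the user's password in clear text."""
    return "PASS ****" if command == "PASS" else f"{command} {argument}".strip()


def analyze(transcript):
    """Return (per-user counters, command counts, status-class counts, events)."""
    users = {}                       # session id -> user name from USER
    stats = defaultdict(Counter)     # user -> requests/responses/warnings/errors
    methods = Counter()              # FTP command -> count
    status = Counter()               # "2xx", "4xx", ... -> count
    events = []                      # (session, user, side, redacted text)
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            continue
        sid, side, body = m.group("sid", "side", "body")
        if side == "C":
            command, _, argument = body.partition(" ")
            command = command.upper()
            if command == "USER":
                users[sid] = argument.strip()
            user = users.get(sid, "(unknown)")
            methods[command] += 1
            stats[user]["requests"] += 1
            events.append((sid, user, "C", redact(command, argument)))
        else:
            reply = FINAL_REPLY_RE.match(body)
            if reply is None:        # continuation line, not a completed reply
                continue
            code = reply.group("code")
            user = users.get(sid, "(unknown)")
            stats[user]["responses"] += 1
            status[code[0] + "xx"] += 1
            if code[0] == "4":       # transient negative completion -> warning
                stats[user]["warnings"] += 1
            elif code[0] == "5":     # permanent negative completion -> error
                stats[user]["errors"] += 1
            events.append((sid, user, "S", code))
    return stats, methods, status, events


def not_logged_in_counts(events):
    """Count 530 (Not logged in) replies per user name."""
    return Counter(user for _sid, user, side, text in events
                   if side == "S" and text == "530")


if __name__ == "__main__":
    stats, methods, status, events = analyze(SAMPLE_TRANSCRIPT)
    for user, c in sorted(stats.items()):
        print(user, dict(c))
    print("methods:", dict(methods))
    print("status:", dict(status))
    print("530 by user:", dict(not_logged_in_counts(events)))
```

Repeated 530 replies for one user name within a short interval are the same signal the By User breakdown of Response Errors surfaces in the UI.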
Transactions Metrics
Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.
ReqXfer
Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
Process
Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
RspXfer
Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
RTT
TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Response Time Breakdown
Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.
Round-Trip Time (ms)
Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.
Congestion Requests: Goodput (bps) and RTOs
Displays goodput and RTOs into the object as a function of time over the selected time interval.
Congestion Responses: Goodput (bps) and RTOs
Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

FTP devices page

Note: Where file name detail is presented, the Discover appliance displays both the file path and mount point, if available. The prefix '...' indicates that either the mount point or part of the path is not available. This notation might occur in instances when the capture process was restarted after the "mount" or a "cd" command was issued, or when the commands were lost due to desyncs.
FTP Devices Toolbar
The FTP metrics toolbar includes the following controls:
FTP Metric Type
Displays metrics for the current device acting as an FTP client or server.
Errors
Displays the list of 5xx error messages sent to or received by the current device over the selected time interval.
Warnings
Displays the list of 4xx error messages sent to or received by the current device over the selected time interval.
Files
Displays the list of files accessed, associated bytes sent and received, and associated errors for the selected time interval.
Clients or Servers
Displays the associated client IP addresses when the device is acting as a server, and the associated server IP addresses when acting as a client.
Records
Displays results for records that match the selected metric source and protocol.
FTP Details
Specifies the type of additional FTP information displayed. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:
By IP
Displays FTP metrics by IP addresses.
By User
Displays FTP metrics by user name.

For example, FTP Requests is a top-level metric showing how many requests were received by the FTP server during the selected time frame. Selecting By IP in the drop-down list while mousing over the FTP Requests counter displays which IP addresses originated these requests. Selecting By User in the drop-down list while mousing over the FTP Requests counter displays which FTP user names originated these requests.
IP Address FTP Metrics
Click By IP in the drop-down list to display the following information in the details table.
IP Address
Represents the HTTP server's IP address.
Host
Represents the DNS host name of the FTP server determined by passive analysis of the DNS traffic.
Device
Provides a link to the corresponding FTP server device. For local FTP servers, the link leads to the FTP server device. For remote FTP servers, the link leads to the gateway device through which the requests were routed.
<Metric Value>
Displays the value of the selected metric.
FTP Metrics by User
Click By User in the drop-down list to display the following information in the details table.
Users
Represents FTP user names that originated these requests.
<Metric Value>
Displays the value of the selected metric.
IP Address FTP Metrics
When you click the counters next to individual FTP metrics, the IP Address FTP Metrics table shows details about FTP peer devices. For FTP servers, the peer devices are FTP clients. For FTP clients, the peer devices are FTP servers.
IP Address
Represents the IP address of the peer device.
Host
Represents the DNS host name of the peer device determined by passive analysis of the DNS traffic.
Device
Provides a link to the corresponding peer device. For local peer devices, the link leads to that device. For remote peer devices, the link leads to the gateway device through which the requests were routed.
FTP Server
Displays additional IP address details.
Requests
Specifies the total number of FTP requests received on the command connection when the device is acting as an FTP server.
Responses
Specifies the number of responses that the device sent when acting as an FTP server.
Errors
Specifies the number of errors sent by the FTP server.
FTP Client
Displays additional IP address details.
Requests
Specifies the total number of FTP requests sent on the command connection when the device is acting as an FTP client.
Responses
Specifies the number of responses that the device received when acting as an FTP client.
Errors
Specifies the number of errors received by the FTP client.
Data Channel
Displays additional IP address details.
Requests
Specifies the number of data channel requests sent or received by the current device.
Connects
Specifies the number of responses sent or received by the current device.
Methods
Displays the FTP commands for the selected time interval. Click the counter to display additional per-client or per-server IP address details.

Examples of FTP commands:

CWD
Allows the user to work with a different directory or dataset for file storage or retrieval without altering their login or accounting information.
DELE
Causes the file specified in the path name to be deleted at the server site.
EPSV
Puts connection into extended passive mode.
LIST
Gets information for a specific working directory, if explicitly specified, or the current one if none is specified.
MDTM
Gets last-modified time of a file.
MLSD
Gets the contents of a directory.
PASS
Is a Telnet string specifying the user's password. This command must be immediately preceded by the user name command.
PASV
Requests the server-DTP to "listen" on a data port (which is not its default data port) and to wait for a connection rather than initiate one on receipt of a transfer command.
PORT
Is a HOST-PORT specification for the data port to be used in data connection.
PWD
Causes the name of the current working directory to be returned in the reply.
QUIT
Terminates a USER, and if file transfer is not in progress, the server closes the control connection. If file transfer is in progress, the connection will remain open for the result response, and the server will then close it.
RETR
Causes the server-DTP to transfer a copy of the file, specified in the path name, to the server.
SIZE
Gets the size of a file.
STOR
Causes the server-DTP to accept the data transferred via the data connection, and to store the data as a file at the server site.
SYST
Used to find out the type of operating system at the server.
TYPE
Puts the transfer mode into ASCII or Binary mode.
Status Codes
Displays the FTP reply codes for the selected time interval. Click the counter to display additional per-client or per-server IP address details.

Examples of FTP reply codes:

1xx
Positive Preliminary reply
2xx
Positive Completion reply
3xx
Positive Intermediate reply
4xx
Transient Negative Completion reply
5xx
Permanent Negative Completion reply
6xx
Protected reply

Examples of specific reply codes:

200
OK
221
Service closing control connection
225
Data connection open
226
Closing data connection
227
Entering passive mode
230
User logged in – proceed
250
Requested file action okay
500
Syntax error, command unrecognized. Reasons might include errors such as command line too long.
501
Syntax error in parameters or arguments
502
Command not implemented
503
Bad sequence of commands
504
Command not implemented for that parameter
530
Not logged in
550
Requested action not taken – file not available
553
Requested action not taken – filename not allowed
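
The counters described above (Requests, Responses, Methods, Status Codes, and the 4xx/5xx split this guide uses for Warnings and Errors) can be reproduced from a control-channel transcript. The following is an added example, not ExtraHop code: the `C:`/`S:` line format, the names `tally` and `FtpTally`, and attributing requests to the most recent USER name are assumptions of this example, and the transcript is constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed control-channel transcript (not captured traffic).
# "C:" marks a client command, "S:" marks a server reply line.
SAMPLE = """\
S: 220 Service ready
C: USER bob
S: 331 User name okay, need password
C: PASS constructed-secret-1
S: 530 Not logged in
C: USER alice
S: 331 User name okay, need password
C: PASS constructed-secret-2
S: 230-Welcome to the constructed example server
S: 230 User logged in - proceed
C: CWD /reports
S: 250 Requested file action okay
C: PASV
S: 227 Entering passive mode (192,0,2,10,195,80)
C: RETR q3.csv
S: 425 Can't open data connection
C: RETR missing.csv
S: 550 Requested action not taken - file not available
C: FOO
S: 500 Syntax error, command unrecognized
C: QUIT
S: 221 Service closing control connection
"""

# Three-digit code, then " " (final line) or "-" (multi-line reply continues).
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")


@dataclass
class FtpTally:
    requests: int = 0
    responses: int = 0
    methods: Counter = field(default_factory=Counter)
    status_codes: Counter = field(default_factory=Counter)
    status_classes: Counter = field(default_factory=Counter)   # "2xx", "5xx", ...
    errors: Counter = field(default_factory=Counter)           # 5xx replies
    warnings: Counter = field(default_factory=Counter)         # 4xx replies
    requests_by_user: Counter = field(default_factory=Counter)
    events: list = field(default_factory=list)                 # (user, verb, arg)


def tally(transcript: str) -> FtpTally:
    """Count commands and replies on one FTP control connection."""
    t = FtpTally()
    user = "(no user)"
    open_multiline = None  # code of a multi-line reply still in progress
    for raw in transcript.splitlines():
        side, _, line = raw.partition(": ")
        line = line.strip()
        if side == "C" and line:
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg.strip() or "(no user)"
            if verb == "PASS":
                arg = "<redacted>"  # never keep the password in derived records
            t.requests += 1
            t.methods[verb] += 1
            t.requests_by_user[user] += 1
            t.events.append((user, verb, arg))
        elif side == "S":
            m = REPLY.match(line)
            if open_multiline:
                # Only "NNN " with the same code closes a "NNN-" reply.
                if not (m and m.group(1) == open_multiline and m.group(2) == " "):
                    continue
                open_multiline = None
            elif m is None:
                continue  # not a reply line; skip rather than guess
            elif m.group(2) == "-":
                open_multiline = m.group(1)
                continue
            code, text = m.group(1), m.group(3)
            t.responses += 1  # a multi-line reply counts once
            t.status_codes[code] += 1
            t.status_classes[code[0] + "xx"] += 1
            if code[0] == "5":
                t.errors[f"{code} {text}"] += 1
            elif code[0] == "4":
                t.warnings[f"{code} {text}"] += 1
    return t


if __name__ == "__main__":
    result = tally(SAMPLE)
    print("requests", result.requests, "responses", result.responses)
    print("methods", dict(result.methods))
    print("status classes", dict(result.status_classes))
    print("errors", dict(result.errors))
    print("warnings", dict(result.warnings))
    print("by user", dict(result.requests_by_user))
```
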
Transactions Metrics
Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.
ReqXfer
Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
Process
Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
RspXfer
Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
RTT
TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Request Size
Displays the range of request sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean request size for each peer device.
Response Size
Displays the range of response sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean request size for each peer device.
Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
Response Time Breakdown
Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.
Read and Write Bytes
Displays the area chart containing the breakdown of bytes by reads and writes over time. Click and drag across the chart to select a particular region.
FTP devices timing page

The timing charts draw data from the Time Selector drop-down list on the navigation toolbar. The events observed during this interval are used to fill the bins of a histogram that displays a distribution of timing data. Timing charts use a logarithmic horizontal axis that simultaneously displays events that took milliseconds and those that took seconds.

Request Transfer Time
Displays a histogram of times it took to transfer requests from the client to the server. Mouse over each bar to display the time range it represents and the number of requests in this bin.
Processing Time
Displays a histogram of times it took the server to process requests. Mouse over each bar to display the time range it represents and the number of requests in this bin.
Response Transfer Time
Displays a histogram of times it took to transfer the response from the server to the client. Mouse over each bar to display the time range it represents and the number of requests in this bin.

FTP groups page

Note: Where file name detail is presented, the Discover appliance displays both the file path and mount point, if available. The prefix '...' indicates that either the mount point or part of the path is not available. This notation might occur in instances when the capture process was restarted after the "mount" or a "cd" command was issued, or when the commands were lost due to desyncs.
FTP Groups Toolbar
The FTP metrics toolbar includes the following controls:
FTP Metric Type
Displays metrics for the current device acting as an FTP client or server, respectively.
Errors
Displays the list of 5xx error messages sent to or received by the current device over the selected time interval.
Warnings
Displays the list of 4xx error messages sent to or received by the current device over the selected time interval.
Files
Displays the list of files accessed, associated bytes sent and received, and associated errors for the selected time interval.
Records
Displays results for records that match the selected metric source and protocol.
FTP Client
Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Specifies the number of data requests sent by the FTP client.
Responses
Specifies the number of responses received by the FTP client.
Errors
Specifies the number of errors received by the FTP client.
Warnings
Specifies the number of warnings received by the FTP client.
FTP Server
Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Specifies the number of data requests received by the FTP server.
Responses
Specifies the number of responses sent by the FTP server.
Errors
Specifies the number of errors sent by the FTP server.
Warnings
Specifies the number of warnings received by the FTP server.
Data Channel
Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Specifies the number of data channel requests sent or received by the current device.
Connects
Specifies the number of responses sent or received by the current device.
Methods
Displays the FTP methods for the selected time interval. Commands include RETR (get), STOR (put), and more. Click the counter next to each method to break it down by group members in the table at the bottom of the page.
Status Codes
Displays the FTP status codes for the selected time interval. Click the counter next to each status code to break it down by group members in the table.
FTP groups processing time page

The Server Processing Time bar graph displays median server processing time over the selected time interval for each member in the group. The five-number summary, which includes the minimum, lower quartile, median, upper quartile, and maximum values, is displayed by hovering over a bar.

HTTP-AMF

ExtraHop appliances collect metrics about Hypertext Transfer Protocol (HTTP) Action Message Format (AMF) activity.

HTTP-AMF devices page

HTTP-AMF Devices Page
The HTTP-AMF device toolbar includes the following controls:
HTTP-AMF Metric Type
Displays metrics for the current device acting as an HTTP-AMF client or HTTP-AMF server.
Clients or Servers
Displays the associated client IP addresses when the device is acting as a server, and the associated server IP addresses when acting as a client.

HTTP-AMF Details specifies the type of additional HTTP-AMF information displayed. Moving the mouse pointer over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

By IP
Displays HTTP-AMF metrics by IP addresses.
By Target URI
Displays HTTP-AMF metrics by Target URI.

For example, HTTP-AMF Requests is a top-level metric showing how many requests were received by the HTTP server during the selected time frame. Selecting By IP in the drop-down list while moving the mouse pointer over the Requests counter displays which IP addresses originated these requests. Selecting By Target URI from the drop-down list while moving the mouse pointer over the HTTP-AMF Requests counter displays which URIs were accessed by the requesters.

IP Address HTTP-AMF Metrics
Click By IP in the drop-down list to display the following information in the details table.
IP Address
Represents the HTTP-AMF server's IP address.
Host
Represents the DNS host name of the HTTP-AMF server determined by passive analysis of the DNS traffic.
Device
Provides a link to the corresponding HTTP-AMF server device. For local HTTP-AMF servers, the link leads to the HTTP server device. For remote HTTP-AMF servers, the link leads to the gateway device through which the requests were routed.
<Metric value>
Displays the value for the selected metric.
Processing Time
Represents the time in milliseconds it took for HTTP servers to process requests for the currently selected HTTP client. Timing information is expressed as a confidence interval around the mean value bounded by one standard deviation. This metric is available for successful HTTP Responses only.
HTTP-AMF Metrics by Target URI
Click By Target URI in the drop-down list to display the following information in the details table.
Target URI
Represents the full HTTP target URI.
<Metric value>
Displays the value for the selected metric.
Processing Time
Represents the time in milliseconds it took to process URIs requested by the currently selected HTTP client. Timing information is expressed as a confidence interval around the mean value bounded by one standard deviation. This metric is available for successful HTTP Responses only.
HTTP-AMF Client
If you select Client for the HTTP-AMF Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Number of requests that the device sent when acting as an HTTP-AMF client.
Responses
Number of responses that the device received when acting as an HTTP-AMF client.
Errors
Number of HTTP-AMF errors for the selected time interval.
Requests w/o Length
Number of requests that had no length, that the device received when acting as an HTTP-AMF client.
Responses w/o Length
Number of responses that had no length, that the device sent when acting as an HTTP-AMF client.
HTTP-AMF Server
If you select Server for the HTTP-AMF Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Number of requests that the device received when acting as an HTTP-AMF server.
Responses
Number of responses that the device sent when acting as an HTTP-AMF server.
Errors
Number of HTTP-AMF errors for the selected time interval.
Requests w/o Length
Number of requests that had no length, that the device received when acting as an HTTP-AMF server.
Responses w/o Length
Number of responses that had no length, that the device sent when acting as an HTTP-AMF server.

HTTP-AMF groups page

HTTP-AMF Client
If you select Client for the HTTP-AMF Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Number of HTTP-AMF requests for the selected time interval.
Responses
Number of HTTP-AMF responses for the selected time interval.
Errors
Number of HTTP-AMF errors for the selected time interval.
Requests w/o Length
Number of HTTP-AMF requests without length.
Responses w/o Length
Number of HTTP-AMF responses without length.
HTTP-AMF Server
If you select Server for the HTTP-AMF Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Number of HTTP-AMF requests for the selected time interval.
Responses
Number of HTTP-AMF responses for the selected time interval.
Errors
Number of HTTP-AMF errors for the selected time interval.
Requests w/o Length
Number of HTTP-AMF requests without length.
Responses w/o Length
Number of HTTP-AMF responses without length.

IBMMQ

ExtraHop appliances collect metrics about IBM message queue (IBMMQ) activity.

IBMMQ applications page

IBMMQ Applications Toolbar
The IBMMQ application toolbar includes the following controls:
Errors
The chart displays the number of IBMMQ errors. Mouse over the chart to view a summary of a specific time or date. The table lists IBMMQ error messages and the number of times each occurred.
Warnings
The chart displays the IBMMQ warnings (4xx error messages) transferred. The table lists IBMMQ warning messages and the number of times each occurred.
PUT/GET Ratio
The chart displays the total PUT and GET counts for all server IPs. Mouse over the chart to view a summary of a specific time or date. The table lists server IP addresses, the host and device associated with each server, and PUT and GET count for each server.
Clients
The chart displays round-trip time for all clients. Mouse over the points to view a five-number summary of round-trip time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists client IP addresses, the host and device associated with each client, and round-trip time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Servers
The chart displays round-trip time for all servers. Mouse over the points to view a five-number summary of round-trip time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists server IP addresses, the host and device associated with each server, and round-trip time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details
Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:
By Client IP
Displays application metrics by the client IP addresses.
By Server IP
Displays application metrics by the server IP addresses.
By Queue
Displays application metrics by queue name.
By Channel
Displays application metrics by channel.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics
Contains the following metrics:
Request L2 Bytes
The number of L2 bytes associated with requests.
Response L2 Bytes
The number of L2 bytes associated with responses.
Request Packets
The number of packets associated with requests.
Response Packets
The number of packets associated with responses.
Request RTOs
Specifies the number of times the client delayed TCP retransmissions and missed server acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
Response RTOs
Specifies the number of times the server delayed TCP retransmissions and missed client acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
Request Zero Window
Specifies the number of client-side zero window advertisements. A zero window indicates the connection has stalled because the client cannot handle the rate of data the server is sending.
Response Zero Window
Specifies the number of server-side zero window advertisements. A zero window indicates the connection has stalled because the server cannot handle the rate of data the client is sending.
IBMMQ Metrics
Contains the following metrics:
Requests
The number of IBMMQ requests.
Responses
The number of IBMMQ responses.
Client Messages
The number of IBMMQ client messages sent or received.
Server Messages
The number of IBMMQ server messages transferred.
Errors
Number of IBMMQ errors for the selected time interval.
Warnings
Number of IBMMQ warnings for the selected time interval.
Server to Server
The number of IBMMQ server-to-server message types transferred.
Client to Server
The number of IBMMQ client-to-server message types transferred.
Methods
Displays the IBMMQ methods for the selected time interval.
Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
MQGET and MQPUT
Displays the GET and PUT count for the current device over the selected time interval.
Round-Trip Time (ms)
Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.
Congestion Requests: Goodput (bps) and RTOs
Displays goodput and RTOs into the object as a function of time over the selected time interval.
Congestion Responses: Goodput (bps) and RTOs
Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Note: When the system detects only server-to-server traffic, the metrics that are gathered for client-to-server transactions only are zero or blank.

IBMMQ devices page

IBMMQ Devices Toolbar
The IBMMQ device toolbar includes the following controls:
IBMMQ Metric Type
Displays statistics for the current device acting as an IBMMQ client or server.
Errors
Displays the list of 5xx error messages sent to or received by the current device over the selected time interval.
Warnings
Displays the list of 4xx error messages sent to or received by the current device over the selected time interval.
PUT/GET Ratio
Displays the PUT and GET counts for each IBMMQ device.

IBMMQ details specify the type of additional IBMMQ information displayed. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

By IP
Displays IBMMQ metrics by IP addresses.
By Channel
Displays IBMMQ metrics by channel.
By Queue
Displays IBMMQ metrics by queue name.

For example, IBMMQ Requests is a top-level metric showing how many requests were received by the IBMMQ server during the selected time frame. Selecting By IP in the drop-down list while mousing over the IBMMQ Requests counter displays which IP addresses originated these requests.

IP Address IBMMQ Metrics
Move the mouse pointer over the counter, and click By IP in the drop-down list to display the following information in the details table.
IP Address
Represents the IBMMQ server's IP address.
Host
Represents the DNS hostname of the IBMMQ server determined by passive analysis of the DNS traffic.
Device
Provides a link to the corresponding IBMMQ server device. For local IBMMQ servers, the link leads to the IBMMQ server device. For remote IBMMQ servers, the link leads to the gateway device through which the requests were routed.
Counter Name
Identifies the metric name and count by device associated with the counter that was clicked to open this table.
Processing Time
Represents the time in milliseconds it took for IBMMQ servers to process requests for the currently selected IBMMQ client. Timing information is expressed as a confidence interval around the mean value bounded by one standard deviation. This metric is available for successful IBMMQ Responses only.
IBMMQ
Move the mouse pointer over the counter, and click By Channel in the drop-down list to display the following information in the details table.
IBMMQ
Represents the channel on which the IBM MQ communication is occurring.
Counter Name
Identifies the metric name and count by device associated with the counter that was clicked to open this table.
IBMMQ Metrics by Queue
Move the mouse pointer over the counter, and click By Queue in the drop-down list to display the following information in the details table.
IBMMQ Queue
Represents the queue name on which the IBM MQ communication is occurring.
Counter Name
Identifies the metric name and count by device associated with the counter that was clicked to open this table.
IBMMQ Client
If you select Client for the Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Number of requests that the device sent when acting as an IBM MQ client.
Responses
Number of responses that the device received when acting as an IBM MQ client.
Client Messages
Number of client messages that the device sent or received when acting as an IBM MQ client.
Server Messages
Number of server messages that the device sent or received when acting as an IBM MQ client.
Errors
When the device is acting as an IBM MQ client, the number of responses indicating an error, broken down by specific error.
Warnings
When the device is acting as an IBM MQ client, the number of responses received, broken down by IBM MQ warning message.
PCF Errors
When the device is acting as an IBM MQ client, the number of PCF error responses, broken down by specific error. Programmable command formats (PCFs) provide a way to manipulate queue manager objects, such as queues, namelists, and channels.
PCF Warnings
When the device is acting as an IBM MQ client, the number of responses received indicating a PCF warning, broken down by specific warning message. Programmable command formats (PCFs) provide a way to manipulate queue manager objects, such as queues, namelists, and channels.
IBMMQ Server
If you select Server for the Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table below.
Requests
Number of requests that the device received when acting as an IBM MQ server.
Responses
Number of responses that the device sent when acting as an IBM MQ server.
Client Messages
Number of client messages that the device sent or received while acting as an IBM MQ server.
Server Messages
Number of server messages that the device sent or received when acting as an IBM MQ server.
Errors
When the device is acting as an IBM MQ server, the number of responses indicating an error, broken down by specific error.
Warnings
Number of IBMMQ warnings for the selected time interval.
PCF Errors
Number of IBMMQ PCF errors sent or received within the selected time interval.
PCF Warnings
When the device is acting as an IBM MQ server, the number of responses sent indicating a PCF warning, broken down by specific warning message. Programmable command formats (PCFs) provide a way to manipulate queue manager objects, such as queues, namelists, and channels.
Methods
Displays the IBMMQ methods for the selected time interval.
Message Formats
Displays the IBMMQ message formats for the selected time interval.
Transactions Metrics
Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.
ReqXfer
Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
Process
Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
RspXfer
Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
RTT
TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Request Size
Displays the range of request sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean request size for each peer device.
Response Size
Displays the range of response sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean request size for each peer device.
MQGET/MQPUT
Displays the GET and PUT count for the current device over the selected time interval. (Client-to-server transactions only.)
Note: When the system detects only server-to-server traffic, the metrics that are gathered for client-to-server transactions only are zero or blank.
IBMMQ devices PCF details page

Click the PCF Details node to display information specific to the administrative PCF channel.

IBMMQ Client
If you select Client for the Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Number of IBMMQ requests sent or received within the selected time interval.
Responses
Number of IBMMQ responses sent or received within the selected time interval.
Errors
Number of IBMMQ errors for the selected time interval.
Warnings
Number of IBMMQ warnings for the selected time interval.
IBMMQ Server
If you select Server for the Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table below.
Requests
Number of IBMMQ requests sent or received within the selected time interval.
Responses
Number of IBMMQ responses sent or received within the selected time interval.
Errors
Number of IBMMQ errors for the selected time interval.
Warnings
Number of IBMMQ warnings for the selected time interval.
PCF Methods
Displays the IBMMQ PCF methods for the selected time interval.
PCF Errors
Displays the IBMMQ PCF errors for the selected time interval.
Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
IBMMQ devices error details page

Click the Error Details node to display additional IBMMQ warnings and error details.

IBMMQ groups page

IBMMQ Groups Toolbar
The IBMMQ groups toolbar includes the following controls:
IBMMQ Metric Type
Displays metrics for members in the current group acting as an IBMMQ client or IBMMQ server, respectively.
Errors
Displays the list of 5xx error messages sent to or received by the current member over the selected time interval.
Warnings
Displays the list of 4xx error messages sent to or received by the current member over the selected time interval.
IBMMQ Client
If you select Client for the Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Number of IBMMQ requests sent or received within the selected time interval.
Responses
Number of IBMMQ responses sent or received within the selected time interval.
Client Messages
Number of IBMMQ client messages sent or received within the selected time interval.
Server Messages
Number of IBMMQ server messages sent or received within the selected time interval.
Errors
Number of IBMMQ errors for the selected time interval.
Warnings
Number of IBMMQ warnings for the selected time interval.
PCF Errors
Number of IBMMQ PCF errors sent or received within the selected time interval.
PCF Warnings
Number of IBMMQ PCF requests sent or received within the selected time interval.
IBMMQ Server
If you select Server for the Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Number of IBMMQ requests sent or received within the selected time interval. (Client-to-server transactions only.)
Responses
Number of IBMMQ responses sent or received within the selected time interval. (Client-to-server transactions only.)
Client Messages
Number of IBMMQ client messages sent or received within the selected time interval.
Server Messages
Number of IBMMQ server messages sent or received within the selected time interval.
Errors
Number of IBMMQ errors for the selected time interval.
Warnings
Number of IBMMQ warnings for the selected time interval.
PCF Errors
Number of IBMMQ PCF errors sent or received within the selected time interval.
PCF Warnings
Number of IBMMQ PCF requests sent or received within the selected time interval.
Methods
Displays the IBMMQ methods for the selected time interval.
Message Format
Displays the IBMMQ message formats for the selected time interval.
Note: When the system detects only server-to-server traffic, metrics that are gathered only for client-to-server transactions are zero or blank.

ICA

ExtraHop appliances collect metrics about Independent Computing Architecture (ICA) activity.

ICA applications page

ICA Application Toolbar
The ICA application toolbar includes the following controls:
Users
The chart displays the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists users, the number of launches by each user, and the login time, load time, network latency, and round-trip time for each user. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Programs
The chart displays the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists programs, the number of launches by each program, and the login time, load time, network latency, and round-trip time for each program. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Clients
The chart displays the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists client IP addresses, the host and device associated with each client, the number of launches by each client, and the login time, load time, network latency, and round-trip time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Servers
The chart displays the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists server IP addresses, the host and device associated with each server, the number of launches by each server, and the login time, load time, network latency, and round-trip time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Auth Domains
The chart displays the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists domains, the number of launches by each domain, and the login time, load time, network latency, and round-trip time for each domain. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details
Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:
By Client IP
Displays application metrics by the client IP addresses.
By Server IP
Displays application metrics by the server IP addresses.
By User
Displays application metrics by user.
By Program
Displays application metrics by program. When a Citrix flow is opaque to analysis, whether because of lost segments or RC5 encryption, the reported program name is ICA or CGP.
By Auth Domain
Displays application metrics by auth domain.
L2-L4 Metrics
Contains the following metrics:
Client L2 Bytes
The number of L2 bytes transmitted by the Citrix ICA client.
Server L2 Bytes
The number of L2 bytes transmitted by the Citrix ICA server.
Client Packets
The number of packets transmitted by Citrix ICA clients.
Server Packets
The number of packets transmitted by the Citrix ICA server.
Client RTOs
The number of retransmission timeouts caused by congestion when clients were sending Citrix ICA messages. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
Server RTOs
The number of retransmission timeouts caused by congestion when servers were sending Citrix ICA messages. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
Client Nagle Delays
The number of connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs. In some cases, disabling Nagle's Algorithm can mitigate the problem. On the BIG-IP Application Delivery Controller, the Nagle setting in the TCP profile should be disabled and ack_on_push should be enabled.
Server Nagle Delays
The number of connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs. In some cases, disabling Nagle's Algorithm can mitigate the problem. On the BIG-IP Application Delivery Controller, the Nagle setting in the TCP profile should be disabled and ack_on_push should be enabled.
Client Zero Windows
The number of zero window advertisements sent by clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
Server Zero Window
The number of zero window advertisements sent by servers. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
ICA Metrics
Contains the following metrics:
Client Messages
The number of Citrix ICA client messages transmitted.
Server Messages
The number of Citrix ICA server messages transmitted.
Client CGP Messages
The number of CGP messages sent by the Citrix ICA client. The Client Gateway Protocol (CGP) encapsulates Citrix ICA traffic in support of Session Reliability.
Server CGP Messages
The number of CGP messages sent by the Citrix ICA server. The Client Gateway Protocol (CGP) encapsulates Citrix ICA traffic in support of Session Reliability.
Launches
The number of Citrix ICA sessions that were launched. This count includes encrypted sessions.
Aborts
The number of Citrix ICA sessions that were initiated but closed before a Citrix program finished loading.
Encrypted
The number of Citrix ICA sessions that used an encryption method other than Basic. Certain metrics are not available for these sessions.
Screen Updates Per Second
Displays the number of screen updates per second as a function of time over the selected time interval.
Load Time (ms)
The amount of time from the beginning of the flow until the Discover appliance detects traffic on one of the following virtual channels: Clipboard, Citrix Windows Multimedia Redirection, Citrix Control Virtual Channel, or Zero Latency Font and Keyboard. Subsequent program data launched over the same session is recorded as a launch but does not factor into the load time. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the load time metrics. Click the chart to display a statistical distribution of load time per program for the selected time interval.
Network Latency (ms)
Displays the detected network latency between the ICA client and server as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the network latency metrics. Click the chart to display a statistical distribution of client latency per program for the selected time interval.
Round-Trip Time (ms)
Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.
Program Launches
Displays the number of ICA launches as a function of time over the selected time interval. The chart is annotated with red data points to indicate aborts. The volume of aborts is denoted by the height of red bars under the chart. Click the red dot to see per-server or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.
Program Client Bytes
Click the chart to display the total bytes per program transmitted within the selected time interval. Click the legend next to the program name to filter the information by program in the Bytes by Virtual Channels table below.
Program Server Bytes
Click the chart to display the total bytes per program transmitted within the selected time interval. Click the legend next to the program name to filter the information by program in the Bytes by Virtual Channels table below.
Bytes by Virtual Channel
Displays the breakdown of ICA throughput by virtual channel. If a specific program is selected in the App Client Bytes and App Server Bytes charts above, virtual channel information is displayed specific to the selected program.
Name
Name of the program.
Client Bytes
Represents the client byte count for the currently selected program in the above chart.
Server Bytes
Represents the server byte count for the currently selected program in the above chart.
Congestion Requests: Goodput (bps) and RTOs
Displays goodput and RTOs into the object as a function of time over the selected time interval.
Congestion Responses: Goodput (bps) and RTOs
Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

ICA devices page

ICA Devices Toolbar
The ICA device toolbar includes the following controls:
ICA Metric Type
Displays metrics for devices acting as an ICA client or ICA server.
Users
Click the Users button to display the ICA Server or Client: Users information for that device.
All Names
The load time for each user over the selected time interval.
Name
The Citrix user ID.
Load Time (ms)
The amount of time to load the program, including the login time. Load time is measured only for the first program that is loaded. Subsequent program data launched over the same session is recorded as a launch but does not factor into the load time.
Login Time (ms)
The amount of time to log in to the program. Login time is a sub-component of the load time. When the user has gained access through a previous launch, there is no login, so login time for that user is 0.
Network Latency (ms)
Displays the detected network latency between the ICA client and server as a function of time over the selected time interval.
Session Duration (sec)
The duration of each user's session.
Sessions
Click the Sessions button to display the ICA Client or Server: Sessions table for the device.
Name
The program name.
Duration (s)
The session duration by program.
Client Types
Click the Client Types button to display the ICA Client or Server: Client Types information for the device.
All Names
The number of launches for Citrix receivers over the selected time interval.
Name
The name and version of the Citrix receiver.
Count
Number of launches from that particular version of the receiver.
Auth Domain
Click the Auth Domain button to display the ICA Server or Client: Auth. Domain information for that device.
All Names
The load time for each user over the selected time interval.
Name
The device name.
Load Time (ms)
The time from the beginning of the flow until the Discover appliance detects traffic on one of the following virtual channels:
  • Clipboard
  • Citrix Windows Multimedia Redirection
  • Citrix Control Virtual Channel
  • Zero Latency Font and Keyboard
Login Time (ms)
The time between the transmission of the Citrix ICA packet that the client sends to the server with its credentials and the Citrix ICA packet that the server sends back to the client with the user name.
Network Latency (ms)
Displays the detected network latency between the ICA client and server as a function of time over the selected time interval.
Session Duration (ms)
The duration of each authentication session.

ICA details specify the type of additional ICA information displayed. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

By User
Displays ICA device information by user.
By Program
Displays ICA device information by program. When a Citrix flow is opaque to analysis, whether because of lost segments or RC5 encryption, the reported program name is ICA or CGP.
By IP
Displays ICA device information by IP address.
By Auth Domain
Displays ICA device information by auth domain.

For example, ICA Requests is a top-level metric showing how many requests were received by the ICA server during the selected time frame. Selecting By IP in the drop-down list while mousing over the ICA Requests counter displays which IP addresses originated these requests.

Programs
Contains the following metrics:
Launches
Total number of Citrix ICA launch commands within the selected time interval.
Aborts
Total number of Citrix ICA sessions that were initiated but closed before a Citrix program finished loading within the selected time interval.
Encrypted Sessions
Number of encrypted sessions within the selected time interval.
ICA Client or Server
If you select Client or Server for the ICA Metric Type, the Discover appliance displays the following metrics:
Client Messages
Number of ICA client messages sent or received within the selected time interval.
Server Messages
Number of ICA server messages sent or received within the selected time interval.
Client CGP Messages
Number of client CGP messages sent by the client within the selected time interval. The Client Gateway Protocol (CGP) encapsulates ICA traffic.
Server CGP Messages
Number of CGP messages sent by the server within the selected time interval. The Client Gateway Protocol (CGP) encapsulates ICA traffic.

ICA groups page

ICA Groups Toolbar
The ICA groups toolbar includes the following controls:
ICA Metric Type
Click the Metric Type drop-down list, and select either Client or Server to display metrics for members in the current group acting as an ICA client or ICA server, respectively.
Programs
Click the Programs button to display the ICA Client or Server: Program table.
Name
The Citrix user ID.
Launches
Number of Citrix ICA launch commands within the selected time interval.
Aborts
Number of Citrix session aborts within the selected time interval.
Sessions
Click the Sessions button to display the ICA Client or Server: Sessions table.
Name
The Citrix user ID.
Duration (sec)
The session duration by program.
Client Types
Click the Client Types button to display the ICA Client or Server: Client Types table.
Name
The name and version of the Citrix receiver.
Count
Number of launches from that particular version of the receiver.
Launches
Total number of Citrix ICA launch commands within the selected time interval.
Aborts
Total number of Citrix session aborts within the selected time interval.
ICA Client or Server
If you select Client or Server for the ICA Metric Type, the Discover appliance displays the following metrics:
Client Messages
Number of ICA client messages sent or received within the selected time interval.
Server Messages
Number of ICA server messages sent or received within the selected time interval.
Client CGP Messages
Number of ICA client CGP messages sent or received within the selected time interval.
Server CGP Messages
Number of ICA server CGP messages sent or received within the selected time interval.

iSCSI

ExtraHop appliances collect metrics about Internet Small Computer System Interface (iSCSI) activity.

iSCSI devices page

iSCSI Device Toolbar
The iSCSI device toolbar includes the following controls:
iSCSI Metric Type
Displays metrics for the current device acting as an iSCSI client or iSCSI server.
Errors
Displays the list of error messages sent to or received by the current device over the selected time interval, broken down by iSCSI initiator.
OpCodes
Displays the list of iSCSI operation codes sent to or received by the current device over the selected time interval, broken down by iSCSI initiator.
Initiators
Displays the list of iSCSI initiators establishing connections to or from the current device over the selected time interval.
IP Address iSCSI Metrics
Click the counters next to individual iSCSI metrics to show the IP Address iSCSI Metrics for iSCSI peer devices. For iSCSI servers, the peer devices are iSCSI clients. For iSCSI clients, the peer devices are iSCSI servers.
IP Address
Represents the IP address of the peer device.
Host
Represents the DNS host name of the peer device determined by passive analysis of the DNS traffic.
Device
Provides a link to the corresponding peer device. For local peer devices, the link leads to that device. For remote peer devices, the link leads to the gateway device through which the requests were routed.
Target
Displays corresponding iSCSI targets.
iSCSI Server
Click the counter next to each metric to display additional IP address details.
Responses
Specifies the number of responses that the device sent when acting as an iSCSI target.
Errors
Specifies the number of errors sent by the iSCSI server.
Sessions
Specifies the number of iSCSI sessions that the device began when acting as an iSCSI target.
Reads (DataOut)
Specifies the number of read operation requests that the device received when acting as an iSCSI target.
Writes (DataIn)
Specifies the number of write operation requests that the device received when acting as an iSCSI target.
Header Digest
Specifies the number of operations that included optional header digests when the device is acting as an iSCSI target.
Data Digest
Specifies the number of operations that included optional data digests when the device is acting as an iSCSI target.
iSCSI Client
Click the counter next to each metric to display additional IP address details.
Responses
Specifies the number of responses that the device received when acting as an iSCSI initiator.
Errors
Specifies the number of errors sent by the iSCSI client.
Sessions
Specifies the number of iSCSI sessions that the device began when acting as an iSCSI initiator.
Reads (DataOut)
Specifies the number of read operation requests that the device sent when acting as an iSCSI initiator.
Writes (DataIn)
Specifies the number of write operation requests that the device sent when acting as an iSCSI initiator.
Header Digest
Specifies the number of operations that included optional header digests when the device is acting as an iSCSI initiator.
Data Digest
Specifies the number of operations that included optional data digests when the device is acting as an iSCSI initiator.
OpCodes
Displays the list of iSCSI OpCodes sent to or received by the current device over the selected time interval. Click the counter to display additional per-client or per-server IP address details. Click the OpCodes button to get OpCodes broken down by iSCSI initiator. OpCodes include:
  • Login Request
  • Login Response
  • Logout Request
  • Logout Response
  • SCSI Command
  • SCSI Response
  • Text Request
  • Text Response
  • SCSI Data-In
  • SCSI Data-Out
  • SCSI Task Management Response
  • SCSI Task Management Function Request
  • Ready To Transfer
  • Asynchronous Message
  • SNACK Request
  • Reject
  • Last
  • NOP-In
  • NOP-Out
  • Vendor-<hex>
Rejects
Displays the list of reject reasons sent to or received by the current device over the selected time interval. Click the counter to display additional per-client or per-server IP address details. Click the Errors button to get errors broken down by iSCSI initiator. Reject reasons include:
  • Zero
  • Reserved
  • Data Digest Error
  • SNACK Reject
  • Protocol Error
  • Command not supported
  • Protocol Error
  • Immediate Command Reject
  • Task in progress
  • Invalid Data ACK
  • Invalid PDU field
  • Long Operation Reject
  • Negotiation Reset
  • Waiting for Logout
Logins
Displays the iSCSI login errors for the selected time interval. Click the counter to display additional per-client or per-server IP address details. Click the Errors button to get errors broken down by iSCSI initiator.
  • Login failures
  • Target moved temporarily
  • Target moved permanently
  • Initiator error
  • Authentication failure
  • Authorization failure
  • Not found
  • Target removed
  • Unsupported version
  • Too many connections
  • Missing parameter
  • Can't include in session
  • Session type not supported
  • Session does not exist
  • Invalid request during login
  • Target error
  • Service unavailable
  • Out of resources
Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
Read and Write Bytes
Displays an area chart containing the breakdown of bytes by reads and writes over time. Click and drag across the chart to select a particular region.

iSCSI groups page

iSCSI Groups Toolbar
The iSCSI groups toolbar includes the following controls:
iSCSI Metric Type
Displays metrics for members in the current group acting as an iSCSI client or server, respectively.
Errors
Displays the list of error messages sent to or received by members in the current group over the selected time interval.
OpCodes
Displays the list of iSCSI operation codes sent to or received by members in the current group over the selected time interval, broken down by iSCSI initiator.
Initiators
Displays the list of iSCSI initiators establishing connections to or from members in the current group over the selected time interval.
iSCSI Server
Click the counter next to the metric to break it down by group members in the table at the bottom of the page.
Responses
Specifies the number of responses sent by the iSCSI server.
Errors
Specifies the number of errors sent by the iSCSI server.
Sessions
Specifies the number of iSCSI sessions received by the iSCSI server.
Reads (DataOut)
Specifies the number of read operations requested from the iSCSI server.
Writes (DataIn)
Specifies the number of write operations requested from the iSCSI server.
Header Digest
Specifies the number of iSCSI operations with optional header digests included.
Data Digest
Specifies the number of iSCSI operations with optional data digests included.
iSCSI Client
Click the counter next to the metric to break it down by group members in the table at the bottom of the page.
Responses
Specifies the number of responses received by the iSCSI client.
Errors
Specifies the number of errors sent by the iSCSI client.
Sessions
Specifies the number of iSCSI sessions received by the iSCSI server.
Reads (DataOut)
Specifies the number of read operations requested from the iSCSI server.
Writes (DataIn)
Specifies the number of write operations requested from the iSCSI server.
Header Digest
Specifies the number of iSCSI operations with optional header digests included.
Data Digest
Specifies the number of iSCSI operations with optional data digests included.
OpCodes
Displays the list of iSCSI OpCodes sent to or received by members in the current group over the selected time interval. Click the counter next to the metric to break it down by group members in the table at the bottom of the page. Click the OpCodes button to get OpCodes broken down by iSCSI initiator. OpCodes include:
  • Login Request
  • Login Response
  • Logout Request
  • Logout Response
  • SCSI Command
  • SCSI Response
  • Text Request
  • Text Response
  • SCSI Data-In
  • SCSI Data-Out
  • SCSI Task Management Response
  • SCSI Task Management Function Request
  • Ready To Transfer
  • Asynchronous Message
  • SNACK Request
  • Reject
  • Last
  • NOP-In
  • NOP-Out
  • Vendor-<hex>
Rejects
Displays the list of reject reasons sent to or received by the current member over the selected time interval. Click the counter next to the metric to break it down by group members in the table at the bottom of the page. Click the Errors button to get errors broken down by iSCSI initiator. Reject reasons include:
  • Zero
  • Reserved
  • Data Digest Error
  • SNACK Reject
  • Protocol Error
  • Command not supported
  • Protocol Error
  • Immediate Command Reject
  • Task in progress
  • Invalid Data ACK
  • Invalid PDU field
  • Long Operation Reject
  • Negotiation Reset
  • Waiting for Logout
Logins
Displays the iSCSI login errors for the selected time interval. Click the counter next to the metric to break it down by group members in the table at the bottom of the page. Click the Errors button to get errors broken down by iSCSI initiator.
  • Login failures
  • Target moved temporarily
  • Target moved permanently
  • Initiator error
  • Authentication failure
  • Authorization failure
  • Not found
  • Target removed
  • Unsupported version
  • Too many connections
  • Missing parameter
  • Can't include in session
  • Session type not supported
  • Session does not exist
  • Invalid request during login
  • Target error
  • Service unavailable
  • Out of resources
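
The login error names in the Logins lists for the iSCSI devices and groups pages match the statuses that RFC 7143 defines for the Status-Class and Status-Detail bytes of the iSCSI Login Response PDU. The following Python code is an added example, not ExtraHop code: it decodes those bytes and counts login failures per initiator, which is the breakdown an analyst would review for repeated authentication failures. The connection IDs, IQNs, helper names, and sample PDUs are constructed assumptions.

```python
from collections import Counter

BHS_LEN = 48               # Basic Header Segment size in bytes (RFC 7143)
OP_LOGIN_REQUEST = 0x03
OP_LOGIN_RESPONSE = 0x23

# (Status-Class, Status-Detail) -> name as it appears in the Logins list
LOGIN_STATUS = {
    (0x01, 0x01): "Target moved temporarily",
    (0x01, 0x02): "Target moved permanently",
    (0x02, 0x00): "Initiator error",
    (0x02, 0x01): "Authentication failure",
    (0x02, 0x02): "Authorization failure",
    (0x02, 0x03): "Not found",
    (0x02, 0x04): "Target removed",
    (0x02, 0x05): "Unsupported version",
    (0x02, 0x06): "Too many connections",
    (0x02, 0x07): "Missing parameter",
    (0x02, 0x08): "Can't include in session",
    (0x02, 0x09): "Session type not supported",
    (0x02, 0x0A): "Session does not exist",
    (0x02, 0x0B): "Invalid request during login",
    (0x03, 0x00): "Target error",
    (0x03, 0x01): "Service unavailable",
    (0x03, 0x02): "Out of resources",
}


def parse_pdu(buf):
    """Split one iSCSI PDU into (opcode, header bytes, data segment)."""
    if len(buf) < BHS_LEN:
        raise ValueError("truncated BHS")
    opcode = buf[0] & 0x3F                      # bit 6 is the Immediate flag
    ahs_len = buf[4] * 4                        # TotalAHSLength, in 4-byte words
    data_len = int.from_bytes(buf[5:8], "big")  # DataSegmentLength, 24 bits
    start = BHS_LEN + ahs_len
    if len(buf) < start + data_len:
        raise ValueError("truncated data segment")
    return opcode, buf[:BHS_LEN], buf[start:start + data_len]


def text_keys(data):
    """Decode the NUL-separated key=value pairs of a login data segment."""
    pairs = {}
    for item in data.split(b"\x00"):
        key, sep, value = item.partition(b"=")
        if sep:
            pairs[key.decode("ascii", "replace")] = value.decode("utf-8", "replace")
    return pairs


def login_status_name(status_class, status_detail):
    """Return the failure name, or None when Status-Class is 0 (success)."""
    if status_class == 0:
        return None
    return LOGIN_STATUS.get((status_class, status_detail),
                            "Unknown (0x%02x%02x)" % (status_class, status_detail))


def login_failures_by_initiator(pdus):
    """pdus: iterable of (connection_id, raw PDU bytes) in capture order."""
    initiator = {}          # connection_id -> InitiatorName from its Login Request
    failures = Counter()    # (initiator, failure name) -> count
    for conn, raw in pdus:
        try:
            opcode, bhs, data = parse_pdu(raw)
        except ValueError:
            continue        # malformed or truncated PDU: nothing to attribute
        if opcode == OP_LOGIN_REQUEST:
            name = text_keys(data).get("InitiatorName")
            if name:
                initiator[conn] = name
        elif opcode == OP_LOGIN_RESPONSE:
            status = login_status_name(bhs[36], bhs[37])
            if status:
                failures[(initiator.get(conn, "<unknown initiator>"), status)] += 1
    return failures


def _pdu(first_byte, data=b"", status=(0, 0)):
    """Build a minimal constructed PDU for the sample capture below."""
    bhs = bytearray(BHS_LEN)
    bhs[0] = first_byte
    bhs[5:8] = len(data).to_bytes(3, "big")
    bhs[36], bhs[37] = status                   # meaningful in Login Response only
    return bytes(bhs) + data + b"\x00" * (-len(data) % 4)   # pad to 4 bytes


def sample_capture():
    """Constructed traffic: two failed CHAP logins, one success, one target error."""
    req_a = _pdu(0x43, b"InitiatorName=iqn.2001-04.com.example:host-a\x00AuthMethod=CHAP\x00")
    req_b = _pdu(0x43, b"InitiatorName=iqn.2001-04.com.example:host-b\x00")
    return [
        ("c1", req_a), ("c1", _pdu(0x23, status=(0x02, 0x01))),
        ("c2", req_a), ("c2", _pdu(0x23, status=(0x02, 0x01))),
        ("c3", req_b), ("c3", _pdu(0x23, status=(0x00, 0x00))),
        ("c4", req_b), ("c4", _pdu(0x23, status=(0x03, 0x01))),
        ("c5", _pdu(0x23, status=(0x02, 0x7F))),   # response seen without its request
        ("c6", b"\x23\x00"),                       # truncated header
    ]


if __name__ == "__main__":
    for (who, what), count in sorted(login_failures_by_initiator(sample_capture()).items()):
        print(f"{count:3d}  {what:28s} {who}")
```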

Kerberos

ExtraHop appliances collect metrics about Kerberos activity.

Kerberos applications page

Kerberos Application Toolbar
The Kerberos application toolbar includes the following controls:
Errors
The chart displays the number of Kerberos errors. Mouse over the chart to view a summary of a specific time or date. The table lists Kerberos error messages and the number of times each occurred.
Clients
Displays a chart with the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Servers
Displays a chart with the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Records
Displays results for records that match the selected metric source and protocol.
Application Details
Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:
By Client IP
Displays application metrics by the client IP addresses.
By Server IP
Displays application metrics by the server IP addresses.
L2-L4 Metrics
Contains the following metrics:
Request L2 Bytes
The number of L2 bytes associated with requests.
Response L2 Bytes
The number of L2 bytes associated with responses.
Request Packets
The number of packets associated with requests.
Response Packets
The number of packets associated with responses.
Request RTOs
Specifies the number of times the client delayed TCP retransmissions and missed server acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
Response RTOs
Specifies the number of times the server delayed TCP retransmissions and missed client acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
Request Zero Window
Specifies the number of client-side zero window advertisements. A zero window indicates the connection has stalled because the client cannot handle the rate of data the server is sending.
Response Zero Window
Specifies the number of server-side zero window advertisements. A zero window indicates the connection has stalled because the server cannot handle the rate of data the client is sending.
Kerberos Metrics
Contains the following metrics:
Requests
The number of requests received.
Responses
The number of responses received.
Response Errors
The number of response errors.
Transactions Metrics
Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.
ReqXfer
Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
Process
Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
RspXfer
Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
RTT
TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
Response Time Breakdown
Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.
Round-Trip Time (ms)
Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.
Congestion Requests: Goodput (bps) and RTOs
Displays goodput and RTOs into the object as a function of time over the selected time interval.
Congestion Responses: Goodput (bps) and RTOs
Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Kerberos devices page

Kerberos Device Toolbar
The Kerberos device toolbar includes the following controls:
Kerberos Metric Type
From the drop-down menu, select the type of metrics for the current device.
Errors
Displays the list of error messages sent or received by the current device over the selected time interval.
Clients or Servers
Displays the associated client IP addresses when the device is acting as a server, and the associated server IP addresses when acting as a client.
FTP Server
Displays additional IP address details.
Requests
The number of requests received.
Responses
The number of responses received.
Errors
Specifies the number of errors sent by the server.
FTP Client
Displays additional IP address details.
Requests
The number of requests received.
Responses
The number of responses received.
Errors
Specifies the number of errors sent by the client.
Requests by Message Type
Displays the number of requests that the device received for the message type.
Responses by Message Type
Displays the number of requests that the device received for the message type.
Transactions Metrics
Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.
ReqXfer
Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
Process
Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
RspXfer
Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
RTT
TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
Response Time Breakdown
Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

Kerberos groups page

Kerberos Groups Toolbar
The Kerberos groups toolbar includes the following controls:
Kerberos Metric Type
Displays metrics for members in the current group acting as a Kerberos client or server, respectively.
Errors
Displays the list of error messages sent to or received by members in the current group over the selected time interval.
Kerberos Client
Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Specifies the number of data requests sent by the Kerberos client.
Responses
Specifies the number of responses received by the Kerberos client.
Errors
Specifies the number of errors received by the Kerberos client.
Warnings
Specifies the number of warnings received by the Kerberos client.
Kerberos Server
Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Specifies the number of data requests received by the Kerberos server.
Responses
Specifies the number of responses sent by the Kerberos server.
Errors
Specifies the number of errors sent by the Kerberos server.
Warnings
Specifies the number of warnings received by the Kerberos server.
Data Channel
Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
Requests
Specifies the number of data channel requests sent or received by the current device.
Connects
Specifies the number of responses sent or received by the current device.
Methods
Displays the Kerberos methods for the selected time interval. Commands include RETR (get), STOR (put), and more. Click the counter next to each method to break it down by group members in the table at the bottom of the page.
Status Codes
Displays the Kerberos status codes for the selected time interval. Click the counter next to each status code to break it down by group members in the table.

L2

ExtraHop appliances collect metrics about L2 activity.

L2 overlay metrics

ExtraHop appliances do not include any built-in metric pages for L2 overlays. However, you can view the following L2 overlay metrics in the metric explorer:

Decapsulated MPLS Frames Total
The number of Multiprotocol Label Switching (MPLS) frames decapsulated.
Decapsulated MPLS Frame Bytes Total
The number of bytes in MPLS decapsulated frames.
Decapsulated TRILL Frames Total
The number of Transparent Interconnection of Lots of Links (TRILL) frames decapsulated.
Decapsulated TRILL Frame Bytes Total
The number of bytes in TRILL decapsulated frames.
Decapsulated NVGRE Frames Total
The number of Network Virtualization using Generic Routing Encapsulation (NVGRE) frames decapsulated.
Decapsulated NVGRE Frame Bytes Total
The number of bytes in NVGRE decapsulated frames.
Decapsulated NVGRE Frame Bytes by VSID
The number of bytes in NVGRE decapsulated frames, broken down by Virtual Subnet ID (VSID).
Decapsulated NVGRE Frames by VSID
The number of NVGRE frames decapsulated, broken down by VSID.
Decapsulated VXLAN Frames Total
The number of Virtual Extensible LAN (VXLAN) frames decapsulated.
Decapsulated VXLAN Frame Bytes Total
The number of bytes in VXLAN decapsulated frames.
Decapsulated VXLAN Frames by VNI
The number of VXLAN frames decapsulated, broken down by VXLAN Network Identifier (VNI).
Decapsulated VXLAN Frame Bytes by VNI
The number of bytes in VXLAN decapsulated frames, broken down by VNI.
Decapsulated Cisco FabricPath Frames Total
The number of Cisco FabricPath frames decapsulated.
Decapsulated Cisco FabricPath Frame Bytes Total
The number of bytes in Cisco FabricPath decapsulated frames.
Decapsulated Cisco FabricPath Frames by FTAG
The number of Cisco FabricPath frames decapsulated, broken down by Forwarding Tag (FTAG).
Decapsulated Cisco FabricPath Frame Bytes by FTAG
The number of bytes in Cisco FabricPath decapsulated frames, broken down by FTAG.
Note: To view decapsulated NVGRE or VXLAN metrics, you must enable network overlay decapsulation through the Admin UI.

L2 devices page

VLAN Tagged
The number of frames containing VLAN tags observed over the selected time interval. In reflects the number of VLAN-tagged frames received by the device. Out reflects the number of VLAN-tagged frames sent by the device.
Packets
Displays the incoming and outgoing packet rate (packets per second) over the selected time interval. Current and Max identify the current and maximum packet rates for the given time period, respectively. Total identifies the total number of packets for the selected time interval. To view specific statistics for each data point, hover the mouse across the chart to see the packets per second value for each unit on the x-axis of the graph.
Throughput
Displays the incoming and outgoing throughput (bits per second) over the selected time interval. Current and Max identify the current and maximum throughputs. Total identifies the total number of bytes transferred over the selected time interval. To view specific statistics for each data point, move the mouse pointer across the chart to see the throughput in megabits per second for each unit on the x-axis of the graph.
Frame Count by Size
Displays a logarithmic-scale histogram of the distribution of incoming and outgoing Ethernet frame size.
Frame Count by Type
Displays a logarithmic-scale histogram of the distribution of frames by L2 Ethertype (ipv4, ipv6, arp, ipx, mpls, lacp, stp, 802.1X, and other).
Frame Count by Distribution
Displays a logarithmic-scale histogram of the distribution of frames by L2 type (unicast, multicast, and broadcast).
Note: One-second aggregation metrics are available when the specified time interval is six minutes or less. For more information, see the Time Selector section.
L2 devices packets page

The Packets In and Packets Out line charts display the packet rate (in packets per second) for the selected device over the given time interval.

Note: One-second aggregation metrics are available when the specified time interval is six minutes or less. For more information, see the Time Selector section.
L2 devices throughput page

The Throughput In and Throughput Out line charts display the throughput (in bits per second) over the selected time interval.

Note: One-second aggregation metrics are available when the specified time interval is six minutes or less. For more information, see the Time Selector section.

L2 networks page

The L2 network traffic page displays metrics for OSI Layer 2 traffic by packet rate (packets per second) and throughput (in bits per second). It also provides metrics on frame count by L2 Ethertype and by frame size.

Packets
Displays the packet rate (in packets per second) for the selected time interval. On the line chart, Current and Max identify the current and maximum packet rates for the given time period. Total identifies the total number of packets for the selected time interval. The gray bands represent the 5th to 95th percentile of the packet rate historically observed for the specific time of day and day of the week.
Throughput
Displays the throughput (in bits per second) over the selected time interval. In the chart, Current and Max identify the current and maximum throughputs. Total identifies the total number of bytes transferred over the selected time interval. The gray bands represent the 5th to 95th percentile of the throughput historically observed for this time of day and day of the week.
Frame Count by Size
Displays a logarithmic-scale histogram of the distribution of Ethernet frame size. The values on the x-axis (64, 128, 256, 512, 1024, 1513, 1518, and Jumbo) indicate the maximum size of the frame for the category. For example, 256 represents a frame size between 129 and 256 bytes, inclusive.
Frame Count by Type
Displays a logarithmic-scale histogram of the distribution of frames by L2 Ethertype (IPv4, IPv6, ARP, IPX, MPLS, LACP, STP, 802.1X, and other).
Frame Count by Distribution
Displays a logarithmic-scale histogram of the distribution of frames by L2 type (Unicast, Multicast, and Broadcast).
Note: One-second aggregation metrics are available when the specified time interval is six minutes or less. For more information, see the Time Selector section.
L2 networks packets page

The Packets line chart displays the packet rate (in packets per second) for the selected time interval.

Note: One-second aggregation metrics are available when the specified time interval is six minutes or less. For more information, see the Time Selector section.
L2 networks throughput page

The Throughput line chart displays the throughput (in bits per second) over the selected time interval.

Note: One-second aggregation metrics are available when the specified time interval is six minutes or less. For more information, see the Time Selector section.
L2 networks frame details page
Frame Count by Size
Displays a logarithmic-scale histogram of the distribution of Ethernet frame size. The values on the x-axis (64, 128, 256, 512, 1024, 1513, 1518, and Jumbo) indicate the maximum size of the frame for the category. For example, 256 represents a frame size between 129 and 256 bytes, inclusive.
Frame Count by Type
Displays a logarithmic-scale histogram of the distribution of frames by L2 Ethertype (IPv4, IPv6, ARP, IPX, MPLS, LACP, STP, 802.1X, and other).
Frames
Displays a list of devices and the frame count in and out for a specified frame type. To select a frame type, click a bar in the Frame Count by Size or Frame Count by Type tables.

L2 groups page

VLAN Tagged
The number of frames containing VLAN tags observed over the selected time interval. In reflects the number of VLAN-tagged frames received by the device. Out reflects the number of VLAN-tagged frames sent by the device.
Packets
Displays the incoming and outgoing packet rate (packets per second) over the selected time interval. Current and Max identify the current and maximum packet rates for the given time period, respectively. Total identifies the total number of packets for the selected time interval. To view specific statistics for each data point, hover the mouse across the chart to see the packets per second value for each unit on the x-axis of the graph.
Throughput
Displays the incoming and outgoing throughput (bits per second) over the selected time interval. Current and Max identify the current and maximum throughputs. Total identifies the total number of bytes transferred over the selected time interval. To view specific statistics for each data point, move the mouse pointer across the chart to see the throughput in megabits per second for each unit on the x-axis of the graph.
Frame Count by Size
Displays a logarithmic-scale histogram of the distribution of incoming and outgoing Ethernet frame size.
Frame Count by Type
Displays a logarithmic-scale histogram of the distribution of frames by L2 Ethertype (ipv4, ipv6, arp, ipx, mpls, lacp, stp, 802.1X, and other).
Frame Count by Distribution
Displays a logarithmic-scale histogram of the distribution of frames by L2 type (unicast, multicast, and broadcast).
L2 groups packets page
Packets In
Displays how members contribute to the total incoming packet count for the group.
Packets Out
Displays how members contribute to the total incoming packet count for the group.
L2 groups throughput page
Bytes In
Displays how members contribute to the total incoming byte count for the group.
Bytes Out
Displays how members contribute to the total incoming byte count for the group.

L3

ExtraHop appliances collect metrics about L3 activity.

L3 devices device page

Name
The primary name the device uses to communicate on the network. Names are discovered by passively monitoring a variety of naming protocols, including DNS, DHCP, NETBIOS, and Cisco Discovery Protocol. If a device name is not discovered, a NIC manufacturer-based identifier is assigned to the device by looking at the MAC address. If the MAC address range is not registered, or if it belongs to a private MAC address space, the name includes the last six characters of the MAC address (for example, Device 00000c0789b1).

The device-type icon to the left of the device name identifies the activity primarily associated with this device. The device name and type can be edited by clicking on the name and using the edit tools on the Device page.

MAC Address
The MAC address is a unique identifier of the device network interface. For physical devices that have multiple interfaces, one entry per interface is maintained. The vendor icon displays to the left of MAC Address as determined by the MAC OID lookup.
VLAN
The VLAN tag of the device.
IP Address
The primary IP address the device uses to communicate on the network. By default, Address Resolution Protocol (ARP) traffic is used to determine the mapping from MAC addresses to IP addresses. In the absence of such traffic, IP packet header information is used. If there is no ARP traffic, the IP address 0.0.0.0 is assigned to routing devices, such as gateways, firewalls, and load balancers, to indicate that the device handles packets from many sources.
Discovery Time
The time when the device was first discovered. The day of the week, the calendar date, and time are displayed in the following format: Wed Feb 23 09:01.
Description
A user-defined description of the device. To edit the device description, click the device name and use the edit tools on the Device page.

L3 devices page

IP Fragments
Displays the IP fragments in and out for the device or group.
Packet Count by Protocol
Displays the incoming and outgoing packet count for each L3 protocol type. Click a bar in the chart to display the table of devices transmitting or receiving the selected L3 protocol.
Byte Count by Protocol
Displays the incoming and outgoing byte count for each L3 protocol type. Click a bar in the chart to display the table of devices transmitting or receiving the selected L3 protocol. IP types include TCP, UDP, ICMP, SCTP, IPSEC, GRE, ICMP6, VRRP, and OTHER.
Devices and Peer Devices
Displays IP addresses and host names with which the device or group communicates, packet in/out count, and byte in/out count for the currently selected L3 protocol. If no L3 protocol is selected, the packet count and byte count are the sums of all L3 protocol counts for the device or group. Click the device name to navigate to the device.
L3 devices DSCP page
Packets in by DSCP
Displays the number of incoming packets containing DSCP values on the network within the selected time interval. The legend lists the DSCP values with the highest count.
Packets out by DSCP
Displays the number of outgoing packets containing DSCP values on the network within the selected time interval. The legend lists the DSCP values with the highest count.
L3 devices ICMP details page
ICMP Packets In
Displays a list of ICMP response types and associated packet counts received by the current device in the selected time interval.
ICMP Packets Out
Displays a list of ICMP response types and associated packet counts sent by the current device in the selected time interval.
ICMPv6 Packets In
Displays a list of ICMPv6 response types and associated packet counts received by the current device in the selected time interval.
ICMPv6 Packets Out
Displays a list of ICMPv6 response types and associated packet counts sent by the current device in the selected time interval.
  • Destination Unreachable:
    • Dest Unreach - Network
    • Dest Unreach - Host
    • Dest Unreach - Protocol
    • Dest Unreach - Port
    • Dest Unreach - Fragmentation Needed
    • Dest Unreach - Source Route
  • Time Exceeded:
    • Redirect - Network
    • Redirect - Host
    • Redirect - ToS Network
    • Redirect - ToS Host
  • Miscellaneous:
    • Bad Param
    • Source Quench
    • Echo
    • Echo Reply
    • Timestamp
    • Timestamp Reply
    • Info Request
    • Info Reply
  • ICMPv6 Destination Unreachable:
    • Dest Unreach - No route
    • Dest Unreach - Prohibited
    • Dest Unreach - Bad scope
    • Dest Unreach - Host
    • Dest Unreach - Port
  • ICMPv6 Time Exceeded:
    • Time Exceeded - Transit
    • Time Exceeded - Fragment Reassembly
  • ICMPv6 Parameter Problem:
    • Bad Param - Header Error
    • Bad Param - Unknown Next Header
    • Bad Param - Unknown Option
  • ICMPv6 Miscellaneous:
    • Packet Too Big
    • Echo
    • Echo Reply
    • MLD Query
    • MLD Report
    • MLD Done
    • ND Router Solicit
    • ND Router Advert
    • ND Neighbor Solicit
    • ND Neighbor Advert
    • ND Redirect
    • Router renumber
    • FQDN Query
    • FQDN Reply
    • MLDv2 Listener Report
    • MLD Mtrace Rsp
    • MLD Mtrace

L3 networks page

The L3 network traffic sub-page displays metrics for OSI Layer 3 traffic by packet count per L3 network protocol and byte count per protocol.

IP Fragments
Displays the number of IP fragments identified in the network capture.
Packet Count by Protocol
Displays the packet count for each L3 protocol type. The values on the x-axis (ICMP6, TCP, UDP, and Other) identify the common L3 protocol types.
Byte Count by Protocol
Displays the byte count for each L3 protocol type. The values on the x-axis (ICMP6, TCP, UDP, and Other) identify the common L3 protocol types.
Devices
Displays the device name, packet in/out count, byte in/out count, and IP fragment in/out count for the currently selected L3 protocol. If no L3 protocol is selected, the packet count and byte count are the sums of all L3 protocol counts for the device. Click the device name to navigate to the device details page.
L3 networks DSCP page

The DSCP sub-page displays the number of packets containing differentiated services code point (DSCP) values.

Packets by DSCP
Displays the number of packets containing DSCP values on the network within the selected time interval. The legend lists the DSCP values with the highest count.
Bytes by DSCP
Displays the number of bytes containing DSCP values on the network within the selected time interval. The legend lists the DSCP values with the highest count.

L3 groups page

IP Fragments
Displays the IP fragments in and out for the device or group.
Packet Count by Protocol
Displays the incoming and outgoing packet count for each L3 protocol type. Click a bar in the chart to display the table of devices transmitting or receiving the selected L3 protocol.
Byte Count by Protocol
Displays the incoming and outgoing byte count for each L3 protocol type. Click a bar in the chart to display the table of devices transmitting or receiving the selected L3 protocol. IP types include TCP, UDP, ICMP, SCTP, IPSEC, GRE, ICMP6, VRRP, and OTHER.
Devices and Peer Devices
Displays IP addresses and host names with which the device or group communicates, packet in/out count, and byte in/out count for the currently selected L3 protocol. If no L3 protocol is selected, the packet count and byte count are the sums of all L3 protocol counts for the device or group. Click the device name to navigate to the device.

L4

ExtraHop appliances collect metrics about L4 activity.

Learn more about TCP by taking the TCP Quick Peek training.

L4 applications page

L4 Application Toolbar
The L4 application toolbar includes the following controls:
Clients
Displays a chart with the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Servers
Displays a chart with the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Connections
Displays the TCP connection metrics for the selected time interval.
Connected
Specifies the number of connections initiated by the current device. Click to display the peer devices to which the connections were established and the associated round-trip time.
Closed
Specifies the number of connections closed to or from the current device. Closed connections are explicitly shut down by at least one of the endpoints. Click to display the peer devices for which the connections were closed.
Aborted
Specifies the number of connections aborted by the current device. Aborted connections are reset explicitly by one of the endpoints. In some cases, this indicates that an error occurred. Click to display the peer devices to which the current device aborted the connections.
Expired
Specifies the number of connections to or from the current device no longer tracked due to inactivity. Click to display the peer devices with which the connections were associated.
Established
Number of connections currently open to or from the current application. Click to display the server IP addresses, hosts, and devices with which connections have been established.
Established
Maximum number of established connections observed at any point within the selected time interval.
Request Metrics
Displays the request metrics for the selected time interval.
L2 Bytes
Displays request bytes for the application within the selected time interval.
Packets
Displays request packets for the application within the selected time interval.
RTOs
Displays request RTOs for the application as a function of time within the selected time interval. Request RTOs are transmitted out of the client and into the server.
Nagle Delays
Indicates connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs. In some cases, disabling Nagle's Algorithm can mitigate the problem. On the BIG-IP Application Delivery Controller, the Nagle setting in the TCP profile should be disabled and ack_on_push should be enabled.
Rcv Wnd Throttles
Number of times the advertised receive window limits the throughput of the connection. In some cases, the read socket buffer size can be increased or receive window scaling can be enabled on the current device to resolve this problem.
Zero Window
Number of zero window advertisements sent by the current device. A zero window indicates that the connection has stalled and the current device is unable to keep up with the rate of data sent. In some cases, the read socket buffer size can be increased on the current device to resolve this problem. On the BIG-IP Application Delivery Controller, the proxy_buffer_high setting in the TCP profile should be increased.
Response Metrics
Displays the response metrics for the specified time interval.
L2 Bytes
Displays response bytes for the application within the selected time interval.
Packets
Displays response packets for the application within the selected time interval.
RTOs
Displays response RTOs for the application as a function of time within the selected time interval. Response RTOs are transmitted out of the server and into the client.
Nagle Delays
Indicates connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs. In some cases, disabling Nagle's Algorithm can mitigate the problem. On the BIG-IP Application Delivery Controller, the Nagle setting in the TCP profile should be disabled and ack_on_push should be enabled.
Rcv Wnd Throttle
Number of times the advertised receive window limits the throughput of the connection. In some cases, the read socket buffer size can be increased or receive window scaling can be enabled on the current device to resolve this problem.
Zero Window
Number of zero window advertisements sent by the current device. A zero window indicates that the connection has stalled and the current device is unable to keep up with the rate of data sent. In some cases, the read socket buffer size can be increased on the current device to resolve this problem. On the BIG-IP Application Delivery Controller, the proxy_buffer_high setting in the TCP profile should be increased.
Round-Trip Time (ms)
Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.
Congestion Requests: Goodput (bps) and RTOs
Displays goodput and RTOs into the object as a function of time over the selected time interval.
Congestion Responses: Goodput (bps) and RTOs
Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

L4 TCP devices page

TCP Device Toolbar
The TCP device toolbar includes the following controls:
TCP Details
Specifies what type of additional TCP information is displayed when a counter is clicked next to each top-level metric. You can choose between the following options: By IP for IP addresses and By L7 Protocol. For example, the top-level metric, TCP Closed connections, displays how many connections were closed by the current device during the selected time frame. Selecting By IP and clicking on the closed counter will show which IP addresses originated these connections. Selecting By L7 Protocol and clicking on the closed counter will show which applications were accessed by the requester.
Connections
The TCP connection metrics for the specified time interval.
Accepted
Number of inbound connections accepted by the device. Click to display the peer devices from which the connections originated and the associated round-trip time.
Connected
Number of outbound connections initiated by the device. Click to display the peer devices to which the connections were established and the associated round-trip time.
Closed
Number of connections explicitly shut down by the device or its peer. Closed connections are explicitly shut down by at least one of the endpoints. Click to display the peer devices for which the connections were closed.
Aborted
The total number of TCP connections that were forcibly ended between the selected device and another device on the network. Aborted connections might indicate that an error occurred. For more information about the number of aborts for incoming and outgoing connections, click Details.
Expired
Number of connections involving the device for which tracking was stopped due to inactivity. Click to display the peer devices with which the connections were associated.
Established
For a given time interval, the number of open connections involving the device at the end of the interval. Click to display the peer devices with which connections have been established.
Established Max
Maximum number of established connections observed at any point within the selected time interval.
Desync
Number of times synchronization was lost when processing TCP connections for the device. Large numbers might indicate dropped packets on the monitoring interface, SPAN, or network tap.
TCP Flow Stalls
Number of events in which the device was not responsive.
Connections Chart
Displays the number of accepted, connected, closed, and aborted connections as a function of time over the selected time interval. Click the chart to display a larger version. Date represents the date and time for the currently moused-over point on the graph. Connects, Accepts, Closes, and Aborts represent the number of outgoing, incoming, closed, and aborted connections respectively for the currently moused-over point in the graph. Click and drag across the chart to select a particular region.
Round-Trip Time (ms)
Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.
Congestion Requests: Goodput (bps) and RTOs
Displays goodput and RTOs into the object as a function of time over the selected time interval.
Congestion Responses: Goodput (bps) and RTOs
Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Throttling In: Receive Windows and Zero Windows
Represents the incoming receive and zero windows of the current device as a function of time over the selected time interval. Click and drag across the chart to select a particular region.
Throttling Out: Receive Windows and Zero Windows
Represents the outgoing receive and zero windows of the current device as a function of time over the selected time interval. Click and drag across the chart to select a particular region.
L4 TCP devices details page

Specifies what type of additional TCP information is displayed when a counter is clicked next to each top-level metric. You can choose between the following options: By IP for IP addresses and By L7 Protocol. For example, TCP Closed connections is a top-level metric showing how many connections were closed by the current device during the selected time frame. Selecting By IP and clicking on the closed counter displays which IP addresses originated these connections. Selecting By L7 Protocol and clicking on the closed counter displays which applications were accessed by the requester.

Connections
The TCP connection metrics for the current device.
Accepted
Number of inbound connections accepted by the device. Click to display the peer devices from which the connections originated and the associated round-trip time.
Connected
Number of outbound connections initiated by the device. Click to display the peer devices to which the connections were established and the associated round-trip time.
Closed
Number of connections explicitly shut down by the device or its peer. Closed connections are explicitly shut down by at least one of the endpoints. Click to display the peer devices for which the connections were closed.
Expired
Number of connections involving the device for which tracking was stopped due to inactivity. Click to display the peer devices with which the connections were associated.
Established
For a given time interval, the number of open connections involving the device at the end of the interval. Click to display the peer devices with which connections have been established.
Established Max
Maximum number of established connections observed at any point within the selected time interval.
Desync
Number of times synchronization was lost when processing TCP connections for the device. Large numbers might indicate dropped packets on the monitoring interface, port mirror, or network tap.
In
The incoming connection metrics for the current device.
Aborts
Number of connections aborted by the peer of the current device. Aborted connections are reset explicitly by one of the endpoints. In some cases, this indicates that an error occurred. Click to display the peer devices that aborted the connections.
Resets
Number of RSTs received by the current device. TCP resets indicate that a reset packet was sent to forcibly end the TCP connection, and can be used in a variety of situations. Sometimes resets are sent when the receiving device failed to ACK the SYN packet, or it failed to acknowledge another packet sent and retransmitted later in the transaction. Other times, resets might be sent to quickly and efficiently end an existing connection to free up resources for more traffic. High volumes of outbound resets should be investigated to determine if they are expected behavior or indicative of a larger issue.
SYNs Received
Number of SYNs received by the current device.
SYNs Unanswered
Number of SYNs received by the device for which there were no corresponding ACKs.
Stray Segments
Number of unexpected TCP packets received by the current device. Stray segments are likely to be recorded when the Discover appliance is first started. Continued large numbers of stray segments could indicate a misconfiguration or deployment problem.
Dropped Segments
Number of episodes in which a segment or a series of segments were lost on the way to the current device and required retransmission. Large values of this counter might indicate network congestion or link reliability problems.
Zero Window
Number of zero window advertisements received by the current device. A zero window indicates that the connection has stalled and the peer device is unable to keep up with the rate of data sent. In some cases, the read socket buffer size can be increased on the peer device to resolve this problem. On the BIG-IP Application Delivery Controller, the proxy_buffer_high setting in the TCP profile should be increased.
Rcv Wnd Throttles
Number of times the advertised receive window of the peer device limits the throughput of the connection. In some cases, the read socket buffer size can be increased or receive window scaling can be enabled on the peer device to resolve this problem.
Snd Wnd Throttles
Number of send window throttles. This indicates that the TCP congestion avoidance on the peer device might be too conservative. In some cases, a different congestion avoidance algorithm can be selected or send window scaling can be enabled on the peer device.
SYNs w/o Timestamps
Number of SYNs without the TCP timestamp option received by the current device.
SYNs w/o SACK
Number of SYNs without the TCP SackOK option received by the current device. This option is necessary to use selective acknowledgments.
RTOs
Number of retransmission timeouts caused by congestion as peers were sending data to the current device. This indicates a relatively long stall in the connection due to packet loss. Enabling selective acknowledgments and fast recovery might reduce such stalls.

Learn more about RTOs on ExtraHop.com

PAWS-Dropped SYNs
Number of PAWS-dropped SYNs. This indicates that a connection failed to initiate because the current device interpreted the SYN as belonging to a previous connection. This problem is often due to network address translation and specifically the timestamp affixed to packets that traverse a network address translation device. PAWS-dropped SYNs might cause a stall in connection setup since the dropped SYN is typically retransmitted after a three-second timer expires. In some cases, increasing the connection linger time on the NAT device or decreasing connection linger time on the current device can mitigate this problem.

Learn more about PAWS-dropped SYNs on ExtraHop.com

Bad Congestion Control
Number of events with bad congestion control, which occurs when the system receives RTOs with in-flight data greater than twice the prior congestion window. This indicates that the peer device is sending too much data, resulting in network congestion and dropped packets.
TCP Flow Stalls
Number of events in which a peer device was not responsive.
Out
The outgoing connection metrics for the current device.
Aborts
Number of connections aborted by the current device. Aborted connections are reset explicitly by one of the endpoints. In some cases, this indicates that an error occurred. Click to display the peer devices to which the current device aborted the connections.
Resets
Number of RSTs sent by the current device. TCP resets indicate that a reset packet was sent to forcibly end the TCP connection, and can be used in a variety of situations. Sometimes resets are sent when the receiving device failed to ACK the SYN packet, or it failed to acknowledge another packet sent and retransmitted later in the transaction. Other times, resets might be sent to quickly and efficiently end an existing connection to free up resources for more traffic. High volumes of outbound resets should be investigated to determine if they are expected behavior or indicative of a larger issue.
SYNs Sent
Number of SYNs sent by the current device.
SYNs Unanswered
Number of SYNs sent by the device for which there were no corresponding ACKs.
Dropped Segments
Number of episodes in which a segment or a series of segments were lost on the way to the current device and required retransmission. Large values of this counter might indicate network congestion or link reliability problems.
Tinygrams
Number of tinygrams sent by the current device. A tinygram is a packet where the payload is smaller than the frame header (L2-L4) data. This indicates that the TCP payload is being segmented inefficiently, resulting in more packets on the network.

Learn more about tinygrams on the ExtraHop Blog

Nagle Delays
Number of Nagle delays sent by the current device. This indicates connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs.

Learn more about Nagle delays on the ExtraHop Forum

Zero Window
Number of zero window advertisements sent by the current device. A zero window indicates the connection has stalled because the current device cannot handle the rate of data sent.
Slow Starts
Number of slow starts sent by the current device. This indicates that TCP slow start congestion avoidance has reduced connection throughput. The application on the current device might benefit from connection pooling or persistent connections.
Rcv Wnd Throttle
Number of times the advertised receive window of the current device limits the throughput of the connection. In some cases, the read socket buffer size can be increased or receive window scaling can be enabled on the current device to resolve this problem.
Snd Wnd Throttle
Number of send window throttles. This indicates that the TCP congestion avoidance on the current device might be too conservative. In some cases, a different congestion avoidance algorithm can be selected or send window scaling can be enabled on the current device.
SYNs w/o Timestamps
Number of SYNs without the TCP timestamp option sent by the current device.
SYNs w/o SACK
Number of SYNs without the TCP SackOK option sent by the current device. This option is necessary to use selective acknowledgments.
RTOs
Number of retransmission timeouts caused by congestion as the current device was sending data to a peer. This indicates a relatively long stall in the connection due to packet loss. Enabling selective acknowledgments and fast recovery might reduce such stalls.
Retransmissions
Number of times data is resent by the current device.
Out of Order
Number of packets sent by the device where the TCP sequence number did not match the sequence number that the Discover appliance was expecting. The reordering might have been introduced at the device itself or by an intermediate device. This can result in reduced connection throughput, increased processing load on the peer device, and additional ACK packets on the network.
Bad Congestion Control
Number of events with bad congestion control, which occurs when the system receives RTOs with in-flight data greater than twice the prior congestion window. This indicates that the current device is sending too much data, resulting in network congestion and dropped packets.
TCP Flow Stalls
Number of events in which the current device was not responsive.

L4 TCP groups page

Connections
The TCP connection metrics for all members in the current group.
Accepted
Number of connections accepted by all members in the current group. Click to break down the number of outgoing connections by each group member in the table at the bottom of the page.
Connected
Number of connections initiated by all members in the current group. Click to break down the number of incoming connections by each group member in the table at the bottom of the page.
Closed
Number of connections closed to or from any member in the current group. Closed connections are explicitly shut down by at least one of the endpoints. Click to break down the number of closed connections by each group member in the table at the bottom of the page.
Expired
Number of connections to or from any member in the current group no longer tracked due to inactivity. Click to break down the number of expired connections by each group member in the table at the bottom of the page.
Desync
Number of times synchronization was lost when processing TCP connections from or to any member in the current group. Click to break down the number of desyncs by each group member in the table at the bottom of the page.
In
The incoming connection metrics for all members in the current group.
Aborts
Number of connections aborted by the peer of any member in the current group. Click to break down the number of aborts received by each group member in the table at the bottom of the page.
Resets
Number of RSTs received by all members in the current group. Click to break down the number of RSTs received by each group member in the table at the bottom of the page.

TCP resets indicate that a reset packet was sent to forcibly end the TCP connection, and can be used in a variety of situations. Sometimes resets are sent when the receiving member failed to ACK the SYN packet, or it failed to acknowledge another packet sent and retransmitted later in the transaction. Other times, resets might be sent to quickly and efficiently end an existing connection to free up resources for more traffic. High volumes of outbound resets should be investigated to determine if they are expected behavior or indicative of a larger issue.

SYNs Received
Number of SYNs received by all members in the current group. Click to break down the number of SYNs received by each group member in the table at the bottom of the page.
SYNs Unanswered
Number of SYNs received by all members in the current group for which there were no corresponding ACKs. Click to break down the number of SYNs sent by each group member in the table at the bottom of the page.
Stray Segments
Number of unexpected TCP packets received by all members in the current group. Click to break down the number of stray segments received by each group member in the table at the bottom of the page.
Dropped Segments
Number of episodes in which a segment or a series of segments were lost on the way to the current member and required retransmission. Large values of this counter might indicate network congestion or link reliability problems. Click to break down the number of inbound dropped segments by each group member in the table at the bottom of the page.
Zero Window
Number of zero window advertisements received by all members in the current group. A zero window indicates the connection has stalled because the peer member cannot handle the rate of data sent. Click to break down the number of inbound zero window advertisements by each group member in the table at the bottom of the page.
Rcv Wnd Throttles
Number of times the advertised receive window of the peer member limits the throughput of the connection. Click to break down the number of inbound receive window throttles by each group member in the table at the bottom of the page.
Snd Wnd Throttles
Number of send window throttles. This indicates that the TCP congestion avoidance on the peer member might be too conservative. Click to break down the number of inbound send window throttles by each group member in the table at the bottom of the page.
SYNs w/o Timestamps
Number of SYNs without the TCP timestamp option received by all members of the current group. Click to break down the number of inbound SYNs without timestamps by each group member in the table at the bottom of the page.
SYNs w/o SACK
Number of SYNs without the TCP SackOK option received by all members of the current group. Click to break down the number of inbound SYNs without the TCP SackOK option by each group member in the table at the bottom of the page.
RTOs
Number of retransmission timeouts caused by congestion as peers were sending data to the members of the current group. Click to break down the number of inbound RTOs by each group member in the table at the bottom of the page.

Learn more about RTOs on ExtraHop.com

PAWS-Dropped SYNs
Number of PAWS-dropped SYNs. This indicates that a connection failed to initiate because the current member interpreted the SYN as belonging to a previous connection. Click to break down the number of inbound PAWS-Dropped SYNs by each group member in the table at the bottom of the page.

Learn more about PAWS-dropped SYNs on ExtraHop.com

Bad Congestion Control
Number of events with bad congestion control, which occurs when the system receives RTOs with in-flight data greater than twice the prior congestion window. This indicates that the peer member is sending too much data, resulting in network congestion and dropped packets. Click to break down the number of bad congestion control events by each group member in the table at the bottom of the page.
TCP Flow Stalls
Number of events in which the group was not responsive. Click to break down the number of non-responsive events by each group member in the table at the bottom of the page.
Out
The outgoing connection metrics for all members in the current group.
Aborts
Number of connections aborted by any member in the current group. Aborted connections are reset explicitly by one of the endpoints. In some cases, this indicates that an error occurred. Click to display the number of aborts each group member initiated in the table at the bottom of the page.
Resets
Number of RSTs sent by all members in the current group. Click to break down the number of RSTs sent by each group member in the table at the bottom of the page.

TCP resets indicate that a reset packet was sent to forcibly end the TCP connection, and can be used in a variety of situations. Sometimes resets are sent when the receiving member failed to ACK the SYN packet, or it failed to acknowledge another packet sent and retransmitted later in the transaction. Other times, resets might be sent to quickly and efficiently end an existing connection to free up resources for more traffic. High volumes of outbound resets should be investigated to determine if they are expected behavior or indicative of a larger issue.

SYNs Sent
Number of SYNs sent by all members in the current group. Click to break down the number of SYNs sent by each group member in the table at the bottom of the page.
SYNs Unanswered
Number of SYNs sent by all members in the current group for which there were no corresponding ACKs. Click to break down the number of SYNs received by each group member in the table at the bottom of the page.
Dropped Segments
Number of episodes in which a segment or a series of segments were lost on the way to the current member and required retransmission. Large values of this counter might indicate network congestion or link reliability problems. Click to break down the number of outbound dropped segments by each group member in the table at the bottom of the page.
Tinygrams
Number of tinygrams sent by the current member. A tinygram is a packet where the payload is smaller than the frame header (L2-L4) data. This indicates that the TCP payload is being segmented inefficiently, resulting in more packets on the network. Click to break down the number of outbound tinygrams by each group member in the table at the bottom of the page.

Learn more about tinygrams on the ExtraHop Blog

Nagle Delays
Number of Nagle delays sent by the current member. This indicates connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs. Click to break down the number of outbound Nagle's delays by each group member in the table at the bottom of the page.

Learn more about Nagle delays on the ExtraHop Forum

Zero Window
Number of zero window advertisements sent by all members in the current group. A zero window indicates the connection has stalled because the peer member cannot handle the rate of data sent. Click to break down the number of outbound zero window advertisements by each group member in the table at the bottom of the page.
Slow Starts
Number of slow starts sent by the current member. This indicates that TCP slow start congestion avoidance has reduced connection throughput. Click to break down the number of outbound slow starts by each group member in the table at the bottom of the page.
Rcv Wnd Throttles
Number of times the advertised receive window of the current member limits the throughput of the connection. Click to break down the number of outbound received window throttles by each group member in the table at the bottom of the page.
Snd Wnd Throttles
Number of send window throttles. This indicates that the TCP congestion avoidance on the current member might be too conservative. Click to break down the number of outbound send window throttles by each group member in the table at the bottom of the page.
SYNs w/o Timestamps
Number of SYNs without the TCP timestamp option sent by all members of the current group. Click to break down the number of outbound SYNs without timestamps by each group member in the table at the bottom of the page.
SYNs w/o SACK
Number of SYNs without the TCP SackOK option sent by all members of the current group. Click to break down the number of outbound SYNs without the TCP SackOK option by each group member in the table at the bottom of the page.
RTOs
Number of retransmission timeouts caused by congestion as members of the current group were sending data to their peers. Click to break down the number of outbound RTOs by each group member in the table at the bottom of the page.
Retransmissions
Number of times data is resent by the current member. Click to break down the number of outbound retransmissions by each group member in the table at the bottom of the page.
Out of Order
Number of packets sent by the member where the TCP sequence number did not match the sequence number that the Discover appliance was expecting. The reordering might have been introduced at the member itself or by an intermediate member. This can result in reduced connection throughput, increased processing load on the peer member, and additional ACK packets on the network. Click to break down the number of outbound retransmissions by each group member in the table at the bottom of the page.
Bad Congestion Control
Number of events with bad congestion control, which occurs when the system receives RTOs with in-flight data greater than twice the prior congestion window. This indicates that the current member is sending too much data, resulting in network congestion and dropped packets. Click to break down the number of outbound bad congestion control events by each group member in the table at the bottom of the page.
TCP Flow Stalls
Number of events in which the group was not responsive. Click to break down the number of non-responsive events by each group member in the table at the bottom of the page.
Round-Trip Time (ms)
Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

L7

ExtraHop appliances collect metrics about L7 activity.

L7 devices page

Packets In
Displays how applications contribute to the total incoming packet count for the device. Click the chart to display a larger version. Click an application listed in the legend to list the devices sending or receiving the traffic for that protocol in the table at the bottom of the page. Click the chart to zoom into and select a particular region.
Packets Out
Displays how applications contribute to the total outgoing packet count for the device. Click the chart to display a larger version. Click an application listed in the legend to list the devices sending or receiving the traffic for that protocol in the table at the bottom of the page. Click the chart to zoom into and select a particular region.
Bytes In
Displays how applications contribute to the total incoming byte count for the device. Click the chart to display a larger version. Click an application listed in the legend to list the devices sending or receiving the traffic for that protocol in the table at the bottom of the page. Click the chart to zoom into and select a particular region.
Bytes Out
Displays how applications contribute to the total outgoing byte count for the device. Click the chart to display a larger version. Click an application listed in the legend to list the devices sending or receiving the traffic for that protocol in the table at the bottom of the page. Click the chart to zoom into and select a particular region.
Peer Devices
Click an application listed in the legend to list the devices sending or receiving the traffic for that protocol in the table at the bottom of the page. The protocol metrics appear in a table with the following headings:
IP Address
The IP address of the corresponding device.
Host
The host of the corresponding device.
Device
A link to the corresponding device. For local devices, the link leads to that device. For remote devices, the link leads to the gateway device through which the requests were routed.
Packets In
The number of packets sent from the peer device to the current device for the selected protocol in the area chart.
Packets Out
The number of packets sent from the current device to the peer device for the selected protocol in the area chart.
Bytes In
The number of bytes sent from the peer device to the current device for the selected protocol in the area chart.
Bytes Out
The number of bytes sent from the current device to the peer device for the selected protocol in the area chart.
Note: A category labeled OTHER might appear in the legend to represent traffic that is not TCP/UDP and fails to classify as an L7 protocol. The OTHER category might also represent TCP/UDP traffic that fails to classify as an L7 protocol and fails to add an L4 p:port identifier.

The Bytes In and Bytes Out charts display activity for the top 10 protocols. To view information about other protocols, click the Details node in the page navigation panel.

To isolate a single protocol, mouse over the protocol in the legend or click the protocol to select it. When you select a protocol, the table displays a list of devices with activity from that protocol. Click a device in the table to view detailed L7 protocol metrics for that device.

To deselect the protocol and view all the top protocols in the chart again, click the selection in the legend again or click the table title below the charts.

L7 devices packets page

The Packets In and Packets Out area charts display the packet rate (in packets per second) for the selected device over the given time interval.

L7 devices throughput page

The Bytes In and Bytes Out area chart displays the throughput rate (in bits per second) over the selected time interval.

L7 devices turn timing page

A TCP turn is a complete change in direction of TCP payload data being delivered. To detect this clearly, the change in data direction must occur only after the TCP ACK is received for all the data in the prior direction, either by a bare TCP ACK or by a TCP ACK within returned data (a "piggybacked" ACK).

If the TCP ACK is not received for all the data, it is less likely to be a true application-level turn and is not counted as a turn. This means if a turn does not appear in the Discover appliance, data sent and received is likely to be overlapping.
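The turn rule described above, as an added example that is not part of the original guide and is not ExtraHop code: a simplified Python model that counts a change in payload direction as a turn only when all data in the prior direction has been ACKed, by a bare or a piggybacked ACK. The Segment fields, the count_turns name, relative sequence numbers, and the absence of retransmissions and sequence wraparound are assumptions; both sample flows are constructed.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    sender: str   # "client" or "server"
    seq: int      # relative sequence number of the first payload byte
    length: int   # payload bytes; 0 means a bare ACK
    ack: int      # cumulative ACK: next byte expected from the peer


def count_turns(segments):
    """Return (turns, overlaps) for one TCP flow (simplified model)."""
    sent_end = {"client": 0, "server": 0}  # end of payload sent by each side
    acked = {"client": 0, "server": 0}     # how much of each side's data the peer has ACKed
    last_payload_sender = None
    turns = overlaps = 0
    for s in segments:
        peer = "server" if s.sender == "client" else "client"
        # Every segment, bare or carrying data, acknowledges the peer's bytes.
        acked[peer] = max(acked[peer], s.ack)
        if s.length == 0:
            continue  # a bare ACK moves no payload, so it cannot change direction
        if last_payload_sender == peer:
            # Payload direction changed: a turn only if all prior data is ACKed.
            if acked[peer] >= sent_end[peer]:
                turns += 1
            else:
                overlaps += 1  # data still in flight the other way: not a turn
        last_payload_sender = s.sender
        sent_end[s.sender] = max(sent_end[s.sender], s.seq + s.length)
    return turns, overlaps


# Constructed flow: request, bare ACK, response, bare ACK, request, response.
FLOW_ACKED = [
    Segment("client", 0, 100, 0),
    Segment("server", 0, 0, 100),     # bare ACK of the request
    Segment("server", 0, 500, 100),   # turn 1
    Segment("client", 100, 0, 500),   # bare ACK of the response
    Segment("client", 100, 80, 500),  # turn 2
    Segment("server", 500, 200, 180), # turn 3, ACK piggybacked on the data
]

# Constructed flow: each side sends before ACKing all of the peer's data.
FLOW_OVERLAP = [
    Segment("client", 0, 100, 0),
    Segment("server", 0, 300, 40),    # only 40 of 100 request bytes ACKed
    Segment("client", 100, 50, 0),    # none of the 300 response bytes ACKed
]

if __name__ == "__main__":
    print("acked flow:   turns=%d overlaps=%d" % count_turns(FLOW_ACKED))
    print("overlap flow: turns=%d overlaps=%d" % count_turns(FLOW_OVERLAP))
```

The second flow moves data in both directions yet reports zero turns, which is the overlapping case the paragraph above describes.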

The Protocols table displays the timing components for all application turns associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

Protocol
Auto-classified L7 protocol or a TCP/UDP port.
Turns
Number of TCP turns observed due to this protocol in the selected time period. Click the number of turns to display turn timing information over time for a specific protocol.
Network In (ms)
The time in milliseconds before the payload was received by the server. A large Network In value relative to the average application turn time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
Processing Time (ms)
The time in milliseconds between the time the payload was received by the server and the time the payload was sent back. A large server processing time relative to the average application turn time indicates application delay.
Network Out (ms)
The time in milliseconds before the server finished sending the payload back. A large Network Out value relative to the average application turn time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
Breakdown

Click a value in the Turns column. If the Response Time drop-down list is set to Breakdown, the dialog box displays the following components over time:

Network In
The time in milliseconds before the payload was received by the server.
Processing Time
The time in milliseconds between the time the payload was received by the server and the time the payload was sent back.
Network Out
The time in milliseconds before the server finished sending the payload back.
Distribution

Click a value in the Turns column. If the Response Time drop-down list is set to Distribution, the dialog box displays the following components over time:

Network In
The time in milliseconds before the payload was received by the server.
Process
The time in milliseconds between the time the payload was received by the server and the time the payload was sent back.
Network Out
The time in milliseconds before the server finished sending the payload back.
Payload Size In
Displays the range of request sizes for all application turns associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values.
Payload Size Out
Displays the range of response sizes for all application turns associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values.
Turns
Number of TCP turns observed due to this protocol in the selected time period. Click the number of turns to display turn timing information over time for a specific protocol.

Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

L7 devices details page

The Protocols table lists all the protocols detected on this device and associated packet and byte counts. Click a protocol in the table to see the list of devices associated with that protocol.

To filter the list of protocols visible in the table, enter a search string in the Filter text box. The list filters automatically as search characters are entered.

L7 networks page

The L7 Protocols sub-page displays metrics for OSI Layer 7 traffic by packet count and throughput (total bytes). It also provides metrics on the top devices sending or receiving network traffic. The page includes the following information:

Packets by Protocol
Displays the packet rates for the top 10 protocols on the network.
Bytes by Protocol
Displays the throughput for the top 10 protocols on the network.
Protocols
Displays the devices sending and receiving traffic for the specified protocol.

L7 networks packets page

The Packets area chart displays how applications contribute to the total packet count on the network. In the chart, Date identifies the date and time for the data point on the graph that is currently being viewed. Packets displays the packet rate for the protocol at the given data point on the area chart, and the color block identifies the associated protocol name.

L7 networks throughput page

The Bytes by Application area chart displays how applications contribute to the total byte count on the network. In the chart, Date identifies the date and time for the data point on the graph that is currently being viewed. Bytes identifies the throughput for the data point that is currently being viewed in the area chart, and the color block identifies the associated protocol name.

L7 networks details page

The L7 Protocols Details page provides a complete list of protocols, and the packet and byte count for each.

L7 groups page

Protocol
The name of the protocol present in the group.
Packets In
The total incoming packet count for the protocol.
Packets Out
The total outgoing packet count for the protocol.
Bytes In
The total incoming byte count for the protocol.
Bytes Out
The total outgoing byte count for the protocol.

LDAP

ExtraHop appliances collect metrics about L7 activity.

LDAP applications page

LDAP Applications Toolbar
The LDAP application toolbar includes the following controls:
Errors
The chart displays the number of LDAP errors. Mouse over the chart to view a summary of a specific time or date. The table lists LDAP error messages and the number of times each occurred.
DNs
The chart displays the number of Distinguished Name (DN) messages transferred. The table displays the list of DN messages and the count associated with each DN message.
Users
The chart displays the number of requests from all users. Mouse over the chart to view a summary of a specific time or date. The table lists users and the request count associated with each user.
Clients
Displays a chart with the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Servers
Displays a chart with the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details
Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:
By Client IP
Displays application metrics by the client IP addresses.
By Server IP
Displays application metrics by the server IP addresses.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics
Contains the following metrics:
Request L2 Bytes
The number of L2 bytes associated with requests.
Response L2 Bytes
The number of L2 bytes associated with responses.
Request Packets
The number of packets associated with requests.
Response Packets
The number of packets associated with responses.
Request RTOs
Specifies the number of times the client delayed TCP retransmissions and missed server acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
Response RTOs
Specifies the number of times the server delayed TCP retransmissions and missed client acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
Request Zero Window
Specifies the number of client-side zero window advertisements. A zero window indicates the connection has stalled because the client cannot handle the rate of data the server is sending.
Response Zero Window
Specifies the number of server-side zero window advertisements. A zero window indicates the connection has stalled because the server cannot handle the rate of data the client is sending.
LDAP Metrics
Contains the following metrics:
Requests
The number of requests received.
Responses
The number of responses received.
Errors
The number of LDAP errors for the selected time interval.
Plain
The number of plain-text LDAP messages exchanged.
SASL
The number of encrypted LDAP messages exchanged.
Messages
Displays the LDAP messages for the selected time interval, such as BindRequest, BindResponse, UnbindRequest, SearchRequest, SearchResultDone and others. In the LDAP Server view, click the message counter to display clients that issued these messages. In the LDAP Client view, click the message counter to display servers that returned these messages.
Error Codes
Displays the LDAP errors for each LDAP error code within the selected time interval, such as invalidCredentials for LDAP error 49. Click the error counter to display devices that experienced these errors. For detailed error information, click Errors.
Transactions Metrics
Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.
ReqXfer
Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
Process
Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
RspXfer
Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
RTT
TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
Response Time Breakdown
Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.
Round-Trip Time (ms)
Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.
Congestion Requests: Goodput (bps) and RTOs
Displays goodput and RTOs into the object as a function of time over the selected time interval.
Congestion Responses: Goodput (bps) and RTOs
Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

LDAP devices page

LDAP Device Toolbar
The LDAP device toolbar includes the following controls:
LDAP Metric Type
Displays metrics for the current device acting as an LDAP client or LDAP server.
Errors
Displays a detailed list of error messages sent to or received by the current device over the specified time interval.
Servers
When acting as an LDAP client, displays a chart showing the total number of responses compared to processing time during the selected time interval.
Clients
When acting as an LDAP server, displays a chart showing the total number of requests compared to processing time during the selected time interval.
Records
Displays results for records that match the selected metric source and protocol.
LDAP Client
If you select Client for the LDAP Metric Type, the Discover appliance displays the following metrics. Click to display the list of servers from which responses were sent.
Requests
Specifies the number of LDAP requests for the selected time interval.
Responses
Specifies the number of responses that the device received when acting as an LDAP client.
Errors
Specifies the number of LDAP errors for the selected time interval.
Plain
Specifies the number of plain-text messages exchanged when the device is acting as an LDAP client.
SASL
Specifies the number of encrypted messages exchanged when the device is acting as an LDAP client.
LDAP Server
If you select Server for the LDAP Metric Type, the Discover appliance displays the following metrics. Click to display the list of servers from which responses were sent.
Requests
Specifies the number of requests that the device received when acting as an LDAP server.
Responses
Specifies the number of responses that the device sent when acting as an LDAP server.
Errors
Specifies the number of LDAP errors for the selected time interval.
Plain
Specifies the number of plain-text messages exchanged when the device is acting as an LDAP server.
SASL
Specifies the number of encrypted messages exchanged when the device is acting as an LDAP server.
Messages
Displays the LDAP messages for the selected time interval, such as BindRequest, BindResponse, UnbindRequest, SearchRequest, SearchResultDone and others. In the LDAP Server view, click the message counter to display clients that issued these messages. In the LDAP Client view, click the message counter to display servers that returned these messages.
Error Codes
Displays the LDAP errors for each LDAP error code within the selected time interval, such as invalidCredentials for LDAP error 49. Click the error counter to display devices that experienced these errors. For detailed error information, click Errors.
Transactions Per Second
Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.
Server Processing Time
Displays the number of LDAP protocol transactions per second as a function of time over the selected time interval. The chart is annotated with