AAA (Authentication, Authorization, and Accounting) is a framework that contains
protocols that control user access and resource tracking.
ActiveMQ is an open-source, message broker from Apache.
Activity groups contain devices that are automatically grouped together based on their
network traffic. A device with multiple types of traffic might appear in more than one
An alert is a condition that establishes baseline values for specified metrics. If
those values are exceeded, the system logs the event and sends notifications through
configured channels (such as email or SNMP). The Discover appliance includes built-in alerts
and you can also create custom alerts.
AMF (Action Message Format) is a format for encoding data transported between Adobe
Flash clients and servers.
The AppFlow protocol was developed by Citrix. This protocol is an extension of the
IPFIX standard for monitoring network traffic. You can collect AppFlow traffic with the
ExtraHop NetFlow module.
In the ExtraHop system, applications are user-defined containers for metrics that are
associated with multiple devices and protocols. These containers can represent distributed
applications on your network environment. In the ExtraHop system, applications are created
through the Trigger API. A default application that is available to all ExtraHop users is
the All Activity application.
Application Performance Monitoring
Application performance monitoring (APM) tools enable development and application
teams to observe the performance of applications. Data is collected through software agents
that run on application servers, databases, and other application components. The agents can
be configured to gather host-based ingress and egress transaction data, code-level stack
trace inputs, and resource usage metrics such as CPU, memory, and disk.
This ExtraHop chart type displays metric values as a line that connects data points
over time, with the area between the line and axis filled in with color.
Atlas Remote Analysis
Through this service, ExtraHop analysts can perform an unbiased analysis of your
network data and report on areas in your IT infrastructure where improvements can be
The audit log on the Discover appliance provides data about the operations of the
system, broken down by component. For example, when you log into an ExtraHop appliance, the
successful or failed event is logged as an entry to the audit log.
This ExtraHop chart type displays the total value of metric data as horizontal
The box plot chart displays variability for a distribution of metric data. Each box
plot includes three or five data points. With five data points, the box plot contains a box,
upper and lower whisker lines, and a tick mark. With three data points, the line contains
upper and lower whisker lines, and a tick mark.
Bundles are JSON-formatted documents that contain information about selected system
configuration, such as triggers, dashboards, applications, or alerts. You can create a bundle and then transfer those configurations to
another ExtraHop appliance, or save the bundle as a backup of your
This ExtraHop chart type displays data calculations for a distribution of metric
values over time. A line at each time interval displays three or five data points. If the
line has five data points, it contains a body, middle tick mark, an upper shadow line, and a
lower shadow line. If the line has three data points, it contains a middle tick
CIFS (Common Internet File System), also known as SMB (Server Message Block), is an
application-level protocol that provides client access to files on a network attached
storage (NAS) repository, typically in a Windows environment.
A client is an application or system that accesses a service made available by a
This ExtraHop chart type displays metric values as vertical bars over a specified time
The ExtraHop Command appliance (ECA) provides centralized management and reporting
across multiple ExtraHop Discover appliances that can be distributed across datacenters,
branch offices, and the public cloud.
Cross-origin resource sharing (CORS) allows you to access the ExtraHop REST API across
domain-boundaries and from specified web pages without requiring the request to travel
through a proxy server. You can configure one or more allowed origins or you can allow
access to the ExtraHop REST API from any origin. Only administrative users can view and edit
Count metric type
In the ExtraHop system, this top-level metric type represents the number of events
that occurred over a specific time period. You can view count metrics as a rate or a total
A dashboard is a customizable HTML page that displays different views of your network
through widgets such as charts. In addition to custom dashboards, there are two built-in
system dashboards that provide charts: the Activity dashboard and the Network
A relational DB (database) stores, retrieves, and manages structured information
through Structured Query Language (SQL).
Dataset metric type
In the ExtraHop system, this top-level metric type represents a distribution of data
that can be calculated into percentiles values.
Detail metrics provide you with a value for a specific key, such as a client IP
address, server IP address, URI, hostname, referrer, certificate, or method. When you drill
down from a top-level metric in the ExtraHop system to a detail metric, you can gain insight
into how a specific device, method, or resource is affecting the network.
Devices are objects on your network that have been automatically discovered and
classified by the ExtraHop system. Metrics are available for every discovered device on your
Device discovery is the process by which ExtraHop builds and maintains a list of
active devices associated with monitored network traffic. When the ExtraHop system detects a
MAC address on the network, a L2 device entry is created in the ExtraHop system and
associated with that address. When the ExtraHop system detects an ARP (Address Response
Protocol) response, an L3 device entry is created in the ExtraHop system and associated with
the MAC address and IP address. Based on the type of traffic, the ExtraHop system also
classifies the device type and assigns a name to the device. For example, an L2 device can
be a gateway device or router. L3 devices can be clients, servers, or databases. You can
also create a custom device in the ExtraHop system to monitor traffic for a specific IP
Device groups, also known as custom groups, can be either static or dynamic. You must
manually identify and assign individual devices to a static group. Alternatively, you can
configure rules to automatically assign devices to a dynamic group.
DHCP (Dynamic Host Configuration Protocol) is a protocol for dynamically distributing
network configuration parameters.
DICOM (Digital Imaging and Communications in Medicine) is a standard for storing
biomedical images and transmitting those images over a network.
The ExtraHop Discover appliance (EDA) provides the ability to analyze and visualize
all of your network, application, client, infrastructure, and business data. The EDA
passively collects a copy of unstructured wire data—all of the transactions on your
network—and transforms this data into structured wire data.
DNS (Domain Name System) is the naming system for network hosts and resources that are
connected to the Internet. DNS servers map IP addresses to hostnames.
Dynamic baselines are trend lines on dashboards that
help you distinguish between normal and abnormal activity. Discover appliances calculate
dynamic baselines based on historical data. To generate data points on a dynamic baseline,
an appliance calculates the median value for a specified period of time.
Encapsulated Remote SPAN (ERSPAN) enables you to send source traffic on one switch to
a destination on another switch, while traversing a Layer 3 boundary.
An event represents activity detected from your network or from your ExtraHop system.
Triggers can be written to collect the data associated with an event to create custom
The ExtraHop Explore appliance (EXA)
integrates with the ExtraHop Discover appliance
to store transaction and flow records sent from the EDA. You can view, save, and search the
structured flow and transaction information about events on your
network with a simple, unified UI, with no modifications to your existing applications or
A fingerprint is a unique, alphanumeric identifier assigned to all Explore and Trace
FIX (Financial Information eXchange) is a protocol that provides information about the
real-time exchange of financial transactions.
A flow is a set of packets that are part of a single transaction between two
endpoints. Similar to how the ExtraHop system can identify flows from wire data, flows from
machine data on remote networks can be sent to a Discover appliance for analysis. Flows are
identified through their unique combination of IP protocol (TCP/UDP), source and destination
IP addresses, and source and destination ports. This combination is called a
A flow network device can have multiple interfaces. Instead of looking at flow
information for the entire device, you can look at flow information for a specific interface
on the device.
A flow network is a network device that sends information about flows seen across the
device. Similar to how the ExtraHop system can identify flows from wire data, the ExtraHop
system can receive flow information from remote network devices, also called flow
FTP (File Transfer Protocol) is a standard network protocol for transferring files
between a client and a server.
This ExtraHop chart type displays a distribution of metric data over time, where color
represents a concentration of data.
This ExtraHop chart type displays a distribution of metric data as vertical bars, or
HL7 (Health Level-7) is a standard for exchanging electronic health information
between software applications.
HTTP (Hypertext Transfer Protocol) is an application-level protocol that retrieves web
IBM MQ (WebSphere MQ) is a message-queuing protocol for IBM enterprise and message
ICA (Independent Computing Architecture) is a Citrix system protocol that transmits
data between clients and servers.
The Internet Control Message Protocol (ICMP) is a protocol that network devices send
error and query messages through.
The Integrated Dell Remote Access Controller (iDRAC) provides remote access to
ExtraHop appliances. After you enable and configure iDRAC, you can power cycle the system,
view console messages, and review hardware monitoring and boot logs.
iSCSI (Internet Small Computer Systems Interface) is an TCP-level protocol that allows
SCSI commands to be sent over a local-area network (LAN) or wide-area network
Kerberos is a network authentication protocol for client and server applications that
applies secret-key cryptography.
The data link layer in the OSI model. In the ExtraHop system, L2 metrics provide
information about the connection between two devices.
The network layer in the OSI model. In the ExtraHop system, L3 metrics provide IP
address information for nodes that communicate over the monitored network.
The transport layer in the OSI model. In the ExtraHop system, L4 TCP (Transmission
Control Protocol) metrics provide information about the reliable transfer of packets between
a source and destination.
The application layer in the OSI model. In the ExtraHop system, L7 metrics provide
information about interactivity with software applications.
LDAP (Lightweight Directory Access Protocol) is a vendor-neutral protocol that
maintains and provides easy access to a distributed directory.
A level-triggered alert is issued at specified intervals for as long as the metric
value remains above the configured threshold.
This ExtraHop chart type displays metric values as a line, which connects a series of
data points over time.
Line & column chart
This ExtraHop chart type displays metric values as a line, which connects data points
over time, with the option to display another metric as a column chart
This ExtraHop chart displays metric values in a list across multiple columns with
The Link Layer Discovery Protocol (LLDP) is a protocol that network devices
communicate their identity and capabilities through.
Maximum metric type
In the ExtraHop system, this top-level metric type is a single data point that
represents the maximum value from a specified time period.
Memcache is a protocol that provides access to high-performance, distributed memory
object caching systems over a TCP connection.
In the ExtraHop system, a metric is a measurement of observed network behavior.
Metrics are generated from network traffic, and then each metric is associated with a
source. The ExtraHop system provides builtin, or default, metrics based on observed network
traffic from wire data. You can also create custom metrics in the ExtraHop system by writing
a trigger to collect metrics based on a specific event.
The Metric Catalog is a tool for viewing information about built-in and custom metrics
in the ExtraHop system. You also can delete and edit custom metrics through the Metric
The Metric Explorer is a tool for configuring dashboard charts. In the Metric
Explorer, you can add multiple sources and metrics to a chart and immediately preview how
metric data will appear.
MongoDB is an open-source document database that provides performance, availability,
Microsoft Message Queuing (MSMQ) is a protocol that enables applications to send
messages and objects to each other.
NAS (Network Attached Storage) is file-level storage repository. Clients access the
repository through CIFS (Common Internet File System) or NFS (Network File System)
The NetFlow protocol was developed by Cisco for monitoring network traffic. You can
send NetFlow traffic to the ExtraHop Discover appliance from remote flow networks to analyze
data that is outside of your wire data feed.
In the ExtraHop system, a network is the entry point into the network capture, and
metrics are collected for network capture attributes, network alerts, and network traffic
details. These metrics provide a summary of all network activity retrieved in the
A network byte is a metric that displays the throughput rate of the ExtraHop capture
NFS (Network File System) is a distributed file system protocol that provides client
access to files on a network attached storage (NAS) repository, typically in a UNIX
In the context of a Command or Explore cluster, a node is a single physical or virtual
ExtraHop Discover appliance that is a member of the cluster.
Open Data Stream
The Open Data Stream (ODS) service enables you to send wire data to a remote
third-party system, such as MongoDB or Kafka. You must write a trigger to identify and
collect the data you want to export and configure settings in the ExtraHop Admin
The Packets feature enables you to search for and download packets for selected
transactions through a Discover or Command appliance. This feature requires an ExtraHop
PCAP (packet capture) consists of an application programming interface (API) for
capturing network traffic and storing it to a database.
PCoIP (PC-over-IP) is protocol that transfers compressed and encrypted image pixels
from a central server to a PCoIP device.
This ExtraHop chart displays metric data as a portion or percentage of a
POP3 (Post Office Protocol) is a standard application-level protocol that transfers
email messages between a server and a client application over a TCP connection.
Port mirroring occurs when a network switch sends a copy of network packets from one
switch port (or an entire VLAN) to a network monitoring connection on another switch
A protocol defines the format and the order of messages exchanged between two or more
devices, as well as the actions taken on the transmission and receipt of a message or other
Records are structured flow and transaction information about events on your network.
After you link an ExtraHop Discover appliance to an ExtraHop Explore appliance, you can
generate and send records to the Explore appliance for storage and retrieval.
A record format is a schema on read that determines how each record displays in the
Web UI. The Discover and Command appliances have built-in record formats for all built-in
record types, and although you cannot modify a built-in record format, you can create a
custom record format.
Record types link the records that are indexed and stored in the Explore appliance
with the record format in the Web UI.
Redis is an open-source, data structure server.
A region is a dashboard component that contains
Retransmission timeouts (RTOs) is a TCP protocol metric for determining network
performance. TCP retransmissions occur on the network frequently. TCP starts a
retransmission timer when an outbound segment is handed down to an IP address. If there is
no acknowledgment (ACK) before the timer expires, the segment is retransmitted. An RTO
occurs when the sender begins missing too many acknowledgments and stops sending segments
for a period of time. RTOs can represent a 1-5 second delay on your network. Multiple RTOs
over time can represents significant delays on your network.
RPC (Microsoft Remote Procedure Call) is a communication mechanism for clients to call
a procedure from a program located on another computer, server, or network.
Remote packet capture (RPCAP)
Remote packet capture (RPCAP) is a software implementation for packet forwarding that
is similar to a physical tap. If you want to monitor network traffic for devices that are
not directly connected to your wire data feed, you can forward packets through the cloud and
analyze that data through the ExtraHop Discover appliance.
Remote Switched Port Analyzer (RSPAN) provides remote monitoring of multiple switches
across a switched network. RSPAN is a way to get traffic from a SPAN source on one switch to
a SPAN destination on another switch that is connected via a trunk.
that the source and destination chassis are in the same Layer 2
RTCP (Real-time Transport Control Protocol) is a protocol that monitors statistics for
streaming audio and video data transferred by the RTP protocol.
RTP (Real-time Transport) is a protocol that defines the standardized packet format
for the real-time transfer of streaming audio and video.
The runtime log is a component of the Trigger Editor in the ExtraHop Web UI. The
runtime log displays exceptions and output from debug statements in trigger
Sampleset metric type
In the ExtraHop system, this top-level metric type represents a summary of data that
provides a mean (average) and standard deviation over a specified time period. Sampleset
metrics typically summarize data about a detail metric.
The Session Description Protocol (SDP) is a protocol that defines multimedia streaming
A server is a hardware system dedicated to hosting one or more services for users or
clients on the network. In the context of Internet Protocol (IP) networking, a server is a
program that operates as a socket listener.
SIP (Session Initiation Protocol) is a signaling protocol that controls communication
sessions, such as voice calls for IP-based telephony applications.
SMPP (short messaging peer-to-peer) is an application-level protocol that transfers
Short Message Service (SMS) data between External Short Messaging Entities (ESME) and Short
Message Service Centers (SMSC).
SMTP (Simple Mail Transfer Protocol) is a standard protocol that sends, receives, and
relays email messages between servers, email transfer agents, and client
Snapshot metric type
In the ExtraHop system, this top-level metric type represents a data point that
represents a single point in time. Snapshot metrics include ratios, current connections, and
established TCP connections.
The Simple Network Management Protocol (SNMP) is a layer-7 protocol for collecting,
organizing, exchanging, and modifying information about managed devices on IP
In the ExtraHop system, a source provides access to collections of metrics. A source
is an application, device (including device groups), or network (including
Port mirroring on a Cisco Systems switch is generally referred to as Switched Port
Analyzer (SPAN). SPAN copies traffic and sends it to a destination for network
Secure Shell (SSH) is a protocol that securely transmits information over a
SSL (Secure Sockets Layer) is a standard protocol for securing communication over the
Internet. To establish an encrypted link between a web browser and a server, the server must
have an SSL certificate.
This ExtraHop chart type displays metric values in a column chart, where the color of
the columns represents the status and severity of an alert assigned to the source and metric
selected in the chart.
In the ExtraHop system, TCP (Transmission Control Protocol) metrics provide
information about the reliable transfer of packets between a source and destination. Through
TCP metrics, ExtraHop provides visibility into which devices are connected to each other,
when devices send data, if there are errors in the data, what protocols are communicated
through, and so on.
Telnet is an application-layer protocol for interactive text-oriented communications
over a virtual terminal connection.
The Time Selector is a tool that enables you to specify a time interval for the
collection and presentation of network data in the ExtraHop Web UI. There are two types of
Time Selectors: a Global Time Selector for specifying global time intervals and a Region
Time Selector for specifying region time intervals in a dashboard.
A tinygram is a small packet or TCP segment. A tinygram is a packet where the payload
is smaller than the frame header (L2-L4) data. In general, tinygrams lead to inefficient
ratios of frame header data to actual useful information going across the network. Tinygrams
can contribute to network congestion.
A top-level, or base, metric gives you a sum of data for a specified time period.
Top-level metrics provide you with a big-picture value to help identify what is happening on
your network. You can then drill down on a top-level metric to view detail metrics. There
are different types of top-level metrics that provide different information, which include
count, dataset, maximum, sampleset, and snapshot metric types. Understanding metrics types
is essential to writing triggers and configuring charts.
A topnset is the top 1,000 key-value pairs calculated for the time interval you
specify in the Time Selector. A topnset is not a complete data set because a topnset only
represents the key-values that are recorded for a specific aggregation roll up (based on a
specified time interval), and is limited to up to 1,000 keys per topnset.
The ExtraHop Trace appliance (ETA) continuously collects network packets and
integrates with the ExtraHop Discover and Command appliances to enable you to quickly
retrieve all packets that match a set of search criteria within a given time
Triggers are custom scripts that perform an action upon a pre-defined event. For
example, you can write a trigger to record a custom metric every time an HTTP request
occurs, or to classify traffic for a particular server as an application server.
This ExtraHop chart displays the total value for one or more metrics. Selecting more
than one metric will display the metric values side-by-side.
Virtual packet loss
Virtual packet loss (VPL) refers to a phenomenon that affects fully or partially
virtualized applications. VPL creates symptoms that suggests network congestion and is
often undetected by traditional network monitoring and application performance
management (APM) tools. VPL occurs when a hypervisor schedules CPU time for an excessive
number of virtual machines (VMs) and prevents those VMs from responding fast enough to
TCP acknowledgements. VPL can be detected by a combination of application awareness and
advanced TCP analysis.
A Virtual Local Area Network (VLAN) is a logical grouping of traffic or devices on a
network. VLAN information is extracted from VLAN tags, if the traffic mirroring process
preserves the tags on the mirror port.
Widgets are configurable dashboard components that can
be added to a region for different functions. Widget types are chart, text box, alert
history, activity groups, and networks (Command appliance only).
Wire data is created when data in flight is analyzed as traffic is sent over the
network. Through real-time full-stream processing, unstructured data is reassembled into
structured wire data that can be analyzed in real time. Wire data encompasses L2-L7 data
that spans the entire application delivery chain and provides the most comprehensive,