The ExtraHop system automatically discovers devices such as clients, servers, routers, load balancers, and gateways that are actively communicating with other devices over the wire. If you want to see network activity associated with a specific device, you can search for your device in the Discover or Command appliance, and then view traffic and protocol metrics on a protocol page.
- Perform a general search from the global search field at the top
- Perform a detailed search from the device
list page in the Metrics section of the ExtraHop Web UI, where you can
filter search results by device
- Perform a search by protocol activity from an activity group.
- Perform a search for peer devices talking to a device.
You can create a detailed search for a device based on information observed over the wire, such as IP address, MAC address, hostname, or protocol activity. You can also search by customized information such as device tag or custom names associated with the device.
This procedure shows you how to perform a detailed search from the device list page in the Metrics section of the ExtraHop Web UI.
- Log into the Web UI on the Discover or Command appliance and then click Metrics at the top of the page.
- Click Devices in the left pane.
To filter devices by device details, click Any Column
and select one of the following categories:
- Any Column
- Filters results by the exact string that matches any device detail.
- Filters results by the discovered or custom device name. For example, a discovered device name can include the IP address or hostname. For more information about device names and how to change them, see Change a device name.
- MAC address
- Filters results by the device MAC address. You might see two devices with the same MAC address in the results. During the device discovery process, an L2 parent device (MAC address only) and L3 child device (IP address) are created for every IP address observed on the wire. The L3 device has L2-L7 protocol metrics associated with it. For more information, see Device Discovery FAQ
- Filters results by the device Virtual Local Area Network (VLAN) tag.
- IP address
- Filters results by the device IP address. The IP address criteria can include CIDR notation in IP address or subnet prefix length format. For example, 10.10.0.0/16 for IPv4 networks or 2001:db8::/32 for IPv6 networks.
- Node (Command appliance only)
- Filters results by devices associated with a connected Discover appliance name.
- Filters results by a user-defined device tag. For more information, see Add a device tag.
- Filters results by the following device attributes that you select
from the drop-down list:
Activity: Filters results by metric activity associated with the device. For example, selecting Activity: HTTP Server returns devices with HTTP server metrics, and any other device with a device role set to WWW Server.
Device Type: Filters results by a device role, such as gateway, firewall, load balancer, and WWW Server. For more information about device roles and how to change them, see Change or add a device role.
Class: Filters results by a device class, such as node, remote, and custom devices.
To filter results by L2 or L3 device type, click All
Devices to the right of the search field and then select one of
the following categories:
- L2 device
- An L2 device in the ExtraHop system has a MAC address only. ExtraHop automatically creates an L2 device based on a MAC address, and all network throughput activity is tracked against that device. For more information about an L2 device, see Device Discovery FAQ in the Device Discovery FAQ.
- L3 device
- An L3 device in the ExtraHop system has an observed IP address that comes from local traffic or from traffic coming from a router. For more information, see Device Discovery FAQ in the Device Discovery FAQ.
- Click Search.
Click the name of the device you are searching for from the list of results.
A protocol page for the device opens, which displays an overview of network throughput and top protocol activity.
- Investigate additional metrics by protocol by selecting another protocol in the left pane
- Change a device name
Activity groups contain devices that are automatically grouped together based on observed protocol traffic over the wire. Searching for a device within an activity group helps you quickly locate a client or server that is associated with a protocol, or discover a decommissioned device that is still actively communicating over a protocol.
- Log into the Web UI on the Discover or Command appliance and click Metrics at the top of the page.
- Click Activity Group in the left pane.
- Select an activity group, such as HTTP Servers. A protocol page for the device group appears.
In the top right corner of the page, click Group
Members. A page appears that contains all of the devices that sent
HTTP responses over the wire.
Note: This page only displays devices within the group that have metrics associated with them for the selected time interval. To see all of the devices within the group, click Devices in the left pane of the protocol page, as shown in the following figure.
- Click on a web server device name in the table. A protocol page for the web server appears. This page displays traffic and protocol metrics associated with that web server.
In the left pane in the Server Activity section, click
HTTP to view the total number of HTTP responses sent
by this device.
Note: If you do not see an activity group for a protocol that you were expecting to see, the ExtraHop system might not have observed that type of protocol traffic over the wire yet, or the protocol might require a module license. For more information, see the I don't see the protocol traffic I was expecting? section in the License FAQ.
- Investigate additional metrics by selecting another protocol in the left pane
- Change a device name
If you want to know which devices are actively talking to each other, you can drill down by Peer IPs from a device or device group protocol page.
- Log into the Web UI on the Discover or Command appliance.
- Click Metrics and then select Device, Activity Group, or Device Group in the left pane.
Search for a
device or device group, and then click the name of a device or device
group from the list of results.
A protocol page for that selected device or device group appears.
In the Details section near the upper right corner of the page, click
A list of peer devices appears, which are broken down by IP address. You can investigate network bytes and packets information for each peer device, as shown in the following figure.
To view network latency (round trip time) metrics for each peer device,
complete the following steps:
- Click Back to Overview or the back button to return to the original protocol page for the device or device group.
- Click TCP in the left pane.
- In the Details section near the upper right corner of the page, click Peer IPs.