ExtraHop Glossary

AAA (Authentication, Authorization, and Accounting) is a framework that contains protocols that control user access and resource tracking.

ActiveMQ is an open-source, message broker from Apache.

Activity groups contain devices that are automatically grouped together based on their network traffic. A device with multiple types of traffic might appear in more than one activity group.

An activity map is a dynamic visual representation of the L4-L7 protocol activity between devices in your network. You can view real-time information about which devices and services are talking to each other across your network.

Records, packets, activity maps, and charts with L2-L7 protocol metrics are available for devices receiving this analysis level. Prioritize a group or add a device to the watchlist to specify which critical assets should receive Advanced Analysis.

An alert is a condition that establishes baseline values for specified metrics. If those values are exceeded, the system logs the event and sends notifications through configured channels (such as email or SNMP). The Discover appliance includes built-in alerts and you can also create custom alerts.

Metric activity that deviates from what is standard, normal, or expected. Anomalies are detected by the ExtraHop Addy service.

AMF (Action Message Format) is a format for encoding data transported between Adobe Flash clients and servers.

The AppFlow protocol was developed by Citrix. This protocol is an extension of the IPFIX standard for monitoring network traffic. You can collect AppFlow traffic with the ExtraHop NetFlow module.

In the ExtraHop system, applications are user-defined containers that you can associate with multiple devices and protocols for a unified view of built-in metrics. These containers can represent distributed applications on your network environment. In the ExtraHop system, you can create a basic application through the Web UI or an advanced application through the Trigger API. A default application that is available to all ExtraHop users is the All Activity application.

This ExtraHop chart type displays metric values as a line that connects data points over time, with the area between the line and axis filled in with color.

Through this service, ExtraHop analysts can perform an unbiased analysis of your network data and report on areas in your IT infrastructure where improvements can be made.

The audit log on the Discover appliance provides data about the operations of the system, broken down by component. For example, when you log into an ExtraHop appliance, the successful or failed event is logged as an entry to the audit log.

This ExtraHop chart type displays the total value of metric data as horizontal bars.

The box plot chart displays variability for a distribution of metric data. Each box plot includes three or five data points. With five data points, the box plot contains a box, upper and lower whisker lines, and a tick mark. With three data points, the line contains upper and lower whisker lines, and a tick mark.

Berkeley Packet Filter (BPF) is a program for filtering network packets. The BPF syntax enables users to write filters that quickly drill down on specific packets to see the essential information.

This ExtraHop chart type displays data calculations for a distribution of metric values over time. A line at each time interval displays three or five data points. If the line has five data points, it contains a body, middle tick mark, an upper shadow line, and a lower shadow line. If the line has three data points, it contains a middle tick mark.

CIFS (Common Internet File System), also known as SMB (Server Message Block), is an application-level protocol that provides client access to files on a network attached storage (NAS) repository, typically in a Windows environment.

A client is an application or system that accesses a service made available by a server.

A group of the same ExtraHop appliances that are joined together.

This ExtraHop chart type displays metric values as vertical bars over a specified time period.

The ExtraHop Command appliance (ECA) provides centralized management of connected ExtraHop Discover appliances. The ECA provides a single view of data collected from multiple ExtraHop Discover, Explore, and Trace appliances, which can be distributed across data centers, branch offices, and the public cloud.

Cross-origin resource sharing (CORS) allows you to access the ExtraHop REST API across domain-boundaries and from specified web pages without requiring the request to travel through a proxy server. You can configure one or more allowed origins or you can allow access to the ExtraHop REST API from any origin. Only administrative users can view and edit CORS settings.

In the ExtraHop system, this top-level metric type represents the number of events that occurred over a specific time period. You can view count metrics as a rate or a total count.

A critical asset is a device that is important to your network or business, such as a database, a storage server, an AAA server, a DNS server, or an executive's laptop. You can prioritize critical assets for Advanced Analysis by adding a device to the watchlist or prioritizing a group on the Analysis Priorities page.

A dashboard is a customizable HTML page that displays different views of your network through widgets such as charts. In addition to custom dashboards, there are two built-in system dashboards that provide charts: the Activity dashboard and the Network dashboard.

A relational DB (database) stores, retrieves, and manages structured information through Structured Query Language (SQL).

In the ExtraHop system, this top-level metric type represents a distribution of data that can be calculated into percentiles values.

The ExtraHop system removes duplicate L2 and L3 frames and packets when metrics are collected and aggregated from your network activity by default. L2 deduplication removes identical Ethernet frames (where the Ethernet header and the entire IP packet must match); L3 deduplication removes TCP or UDP packets with identical IP ID fields on the same flow (where only the IP packet must match).

Detail metrics provide you with a value for a specific key, such as a client IP address, server IP address, URI, hostname, referrer, certificate, or method. When you drill down from a top-level metric in the ExtraHop system to a detail metric, you can gain insight into how a specific device, method, or resource is affecting the network.

Devices are objects on your network that have been automatically discovered and classified by the ExtraHop system. The ExtraHop system collects records and packets for every discovered device on your network. You can analyze metrics and activity maps for devices that are receiving Standard Analysis and Advanced Analysis.

Device discovery is the process by which ExtraHop builds and maintains a list of active devices associated with monitored network traffic. When the ExtraHop system detects a MAC address on the network, a L2 device entry is created in the ExtraHop system and associated with that address. When the ExtraHop system detects an ARP (Address Response Protocol) response, an L3 device entry is created in the ExtraHop system and associated with the MAC address and IP address. Based on the type of traffic, the ExtraHop system also classifies the device type and assigns a name to the device. For example, an L2 device can be a gateway device or router. L3 devices can be clients, servers, or databases. You can also create a custom device in the ExtraHop system to monitor traffic for a specific IP address.

Device groups, also known as custom groups, can be either static or dynamic. You must manually identify and assign individual devices to a static group. Alternatively, you can configure rules to automatically assign devices to a dynamic group.

DHCP (Dynamic Host Configuration Protocol) is a protocol for dynamically distributing network configuration parameters.

DICOM (Digital Imaging and Communications in Medicine) is a standard for storing biomedical images and transmitting those images over a network.

The ExtraHop Discover appliance (EDA) provides the ability to analyze and visualize all of your network, application, client, infrastructure, and business data. The EDA passively collects a copy of unstructured wire data—all of the transactions on your network—and transforms this data into structured wire data. EDAs can be connected to the ExtraHop Command appliance for centralized management and connected to ExtraHop Trace and Explore appliances for data collection and querying.

Records, packets, and information about protocol activity are available for devices in Discovery Mode. Adjust analysis priorities to elevate a device or endpoint from Discovery Mode to Standard or Advanced Analysis.

In the ExtraHop system, this top-level metric type represents the number of unique events that occurred during a selected time interval. The distinct count metric provides an estimate of the number of unique items placed into a HyperLogLog set during the selected time interval.

DNS (Domain Name System) is the naming system for network hosts and resources that are connected to the Internet. DNS servers map IP addresses to hostnames.

Dynamic baselines are trend lines on dashboards that help you distinguish between normal and abnormal activity. Discover appliances calculate dynamic baselines based on historical data. To generate data points on a dynamic baseline, an appliance calculates the median value for a specified period of time.

An endpoint is referred to as a device in the ExtraHop system. Devices are objects on your network that have been automatically discovered and classified by the ExtraHop system.

Encapsulated Remote SPAN (ERSPAN) enables you to send source traffic on one switch to a destination on another switch, while traversing a Layer 3 boundary.

An event represents activity detected from your network or from your ExtraHop system. Triggers can be written to collect the data associated with an event to create custom metrics.

The ExtraHop Explore appliance (EXA) connects to the ExtraHop Discover appliance to store transaction and flow records sent from the EDA. You can view, save, and search the structured flow and transaction information about events on your network with a simple, unified UI, with no modifications to your existing applications or infrastructure.

A fingerprint is a unique, alphanumeric identifier assigned to all Explore and Trace appliances.

FIX (Financial Information eXchange) is a protocol that provides information about the real-time exchange of financial transactions.

A flow is a set of packets that are part of a single transaction between two endpoints. Similar to how the ExtraHop system can identify flows from wire data, flows from machine data on remote networks can be sent to a Discover appliance for analysis. Flows are identified through their unique combination of IP protocol (TCP/UDP), source and destination IP addresses, and source and destination ports. This combination is called a 5-tuple.

A flow network device can have multiple interfaces. Instead of looking at flow information for the entire device, you can look at flow information for a specific interface on the device.

A flow network is a network device that sends information about flows seen across the device. Similar to how the ExtraHop system can identify flows from wire data, the ExtraHop system can receive flow information from remote network devices, also called flow exporters.

A Flow Stall is a TCP metric in the ExtraHop system that measures network congestion. A Flow Stall is counted when there are three consecutive retransmission timeouts (RTOs) observed on a single flow of data between devices. An RTO represents a 1-5 second delay as a device waits to resend data that might have been lost over a congested connection.

FTP (File Transfer Protocol) is a standard network protocol for transferring files between a client and a server.

This ExtraHop chart type displays a distribution of metric data over time, where color represents a concentration of data.

This ExtraHop chart type displays a distribution of metric data as vertical bars, or bins.

HL7 (Health Level-7) is a standard for exchanging electronic health information between software applications.

HTTP (Hypertext Transfer Protocol) is an application-level protocol that retrieves web pages.

IBM MQ (WebSphere MQ) is a message-queuing protocol for IBM enterprise and message middleware products.

ICA (Independent Computing Architecture) is a Citrix system protocol that transmits data between clients and servers.

The Internet Control Message Protocol (ICMP) is a protocol that network devices send error and query messages through.

The Integrated Dell Remote Access Controller (iDRAC) provides remote access to ExtraHop appliances. After you enable and configure iDRAC, you can power cycle the system, view console messages, and review hardware monitoring and boot logs.

iSCSI (Internet Small Computer Systems Interface) is an TCP-level protocol that allows SCSI commands to be sent over a local-area network (LAN) or wide-area network (WAN).

Kerberos is a network authentication protocol for client and server applications that applies secret-key cryptography.

The data link layer in the OSI model. In the ExtraHop system, L2 metrics provide information about the connection between two devices.

The network layer in the OSI model. In the ExtraHop system, L3 metrics provide IP address information for nodes that communicate over the monitored network.

The transport layer in the OSI model. In the ExtraHop system, L4 TCP (Transmission Control Protocol) metrics provide information about the reliable transfer of packets between a source and destination.

The application layer in the OSI model. In the ExtraHop system, L7 metrics provide information about interactivity with software applications.

A level-triggered alert is generated at specified intervals for as long as the metric value remains above the configured threshold.

This ExtraHop chart type displays metric values as a line, which connects a series of data points over time.

This ExtraHop chart type displays metric values as a line, which connects data points over time, with the option to display another metric as a column chart underneath.

This ExtraHop chart displays metric values in a list across multiple columns with optional sparklines.

The Link Layer Discovery Protocol (LLDP) is a protocol that network devices communicate their identity and capabilities through.

In the ExtraHop system, this top-level metric type is a single data point that represents the maximum value from a specified time period.

Memcache is a protocol that provides access to high-performance, distributed memory object caching systems over a TCP connection.

In the ExtraHop system, a metric is a measurement of observed network behavior. Metrics are generated from network traffic, and then each metric is associated with a source. The ExtraHop system provides builtin, or default, metrics based on observed network traffic from wire data. You can also create custom metrics in the ExtraHop system by writing a trigger to collect metrics based on a specific event.

The Metric Catalog is a tool for viewing information about built-in and custom metrics in the ExtraHop system. You also can delete and edit custom metrics through the Metric Catalog.

The Metric Explorer is a tool for configuring dashboard charts. In the Metric Explorer, you can add multiple sources and metrics to a chart and immediately preview how metric data will appear.

MongoDB is an open-source document database that provides performance, availability, and scalability.

Microsoft Message Queuing (MSMQ) is a protocol that enables applications to send messages and objects to each other.

Acronym for not a number. In the Trigger API, a property with a numeric data type displays NaN if the property value is undefined or cannot be represented as a number.

NAS (Network Attached Storage) is file-level storage repository. Clients access the repository through CIFS (Common Internet File System) or NFS (Network File System) protocols.

The NetFlow protocol was developed by Cisco for monitoring network traffic. You can send NetFlow traffic to the ExtraHop Discover appliance from remote flow networks to analyze data that is outside of your wire data feed.

In the ExtraHop system, a network is the entry point into the network capture, and metrics are collected for network capture attributes, network alerts, and network traffic details. These metrics provide a summary of all network activity retrieved in the capture.

A network byte is a metric that displays the throughput rate of the ExtraHop capture process.

NFS (Network File System) is a distributed file system protocol that provides client access to files on a network attached storage (NAS) repository, typically in a UNIX environment.

An indiviudal ExtraHop appliance within a cluster.

The open data stream (ODS) service enables you to send wire data to a remote third-party system, such as MongoDB or Kafka. You must write a trigger to identify and collect the data you want to export and configure settings in the ExtraHop Admin UI.

The Packets feature enables you to search for and download packets for selected transactions through a Discover or Command appliance. This feature requires an ExtraHop Trace appliance.

Perfect Forward Secrecy (PFS) is an encryption method that enables short-term, completely private key exchanges between clients and servers. You can license a Discover appliance to decrypt PFS SSL/TLS sessions from Windows servers where the ExtraHop PFS agent software is installed. Without PFS, those sessions could not be decrypted, and the data from those exchanges would be obscured.

PCAP (packet capture) consists of an application programming interface (API) for capturing network traffic and storing it to a database.

PCoIP (PC-over-IP) is protocol that transfers compressed and encrypted image pixels from a central server to a PCoIP device.

This ExtraHop chart displays metric data as a portion or percentage of a whole.

POP3 (Post Office Protocol) is a standard application-level protocol that transfers email messages between a server and a client application over a TCP connection.

Port mirroring occurs when a network switch sends a copy of network packets from one switch port (or an entire VLAN) to a network monitoring connection on another switch port.

A protocol defines the format and the order of messages exchanged between two or more devices, as well as the actions taken on the transmission and receipt of a message or other event.

A protocol page is a built-in page in the ExtraHop Web UI. You can access a protocol page in the by logging into the Web UI, clicking Metrics, and then clicking the name of a source or group; all protocol pages for the source or group are listed in the left column.

Records are structured flow and transaction information about events on your network. After you link an ExtraHop Discover appliance to an ExtraHop Explore appliance, you can generate and send records to the Explore appliance for storage and retrieval.

A record format is a schema on read that determines how each record displays in the Web UI. The Discover and Command appliances have built-in record formats for all built-in record types, and although you cannot modify a built-in record format, you can create a custom record format.

Record types link the records that are indexed and stored in the Explore appliance with the record format in the Web UI.

Redis is an open-source, data structure server.

A region is a dashboard component that contains widgets.

Remote packet capture (RPCAP) is a software implementation for packet forwarding that is similar to a physical tap. If you want to monitor network traffic for devices that are not directly connected to your wire data feed, you can forward packets through the cloud and analyze that data through the ExtraHop Discover appliance.

RPC (Microsoft Remote Procedure Call) is a communication mechanism for clients to call a procedure from a program located on another computer, server, or network.

Remote Switched Port Analyzer (RSPAN) provides remote monitoring of multiple switches across a switched network. RSPAN is a way to get traffic from a SPAN source on one switch to a SPAN destination on another switch that is connected via a trunk.

Note:

RSPAN requires that the source and destination chassis are in the same Layer 2 domain.

RTCP (Real-time Transport Control Protocol) is a protocol that monitors statistics for streaming audio and video data transferred by the RTP protocol.

RTP (Real-time Transport) is a protocol that defines the standardized packet format for the real-time transfer of streaming audio and video.

The runtime log is a component of the Trigger Editor in the ExtraHop Web UI. The runtime log displays exceptions and output from debug statements in trigger scripts.

In the ExtraHop system, this top-level metric type represents a summary of data that provides a mean (average) and standard deviation over a specified time period. Sampleset metrics typically summarize data about a detail metric.

The Session Description Protocol (SDP) is a protocol that defines multimedia streaming sessions.

A server is a hardware system dedicated to hosting one or more services for users or clients on the network. In the context of Internet Protocol (IP) networking, a server is a program that operates as a socket listener.

SIP (Session Initiation Protocol) is a signaling protocol that controls communication sessions, such as voice calls for IP-based telephony applications.

SMPP (short messaging peer-to-peer) is an application-level protocol that transfers Short Message Service (SMS) data between External Short Messaging Entities (ESME) and Short Message Service Centers (SMSC).

SMTP (Simple Mail Transfer Protocol) is a standard protocol that sends, receives, and relays email messages between servers, email transfer agents, and client applications.

In the ExtraHop system, this top-level metric type represents a data point that represents a single point in time. Snapshot metrics include ratios, current connections, and established TCP connections.

The Simple Network Management Protocol (SNMP) is a layer-7 protocol for collecting, organizing, exchanging, and modifying information about managed devices on IP networks.

In the ExtraHop system, a source provides access to collections of metrics. A source is an application, device (including device groups), or network (including VLANs).

Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN). SPAN copies traffic and sends it to a destination for network analysis.

Secure Shell (SSH) is a protocol that securely transmits information over a network.

SSL (Secure Sockets Layer) is a standard protocol for securing communication over the Internet. To establish an encrypted link between a web browser and a server, the server must have an SSL certificate.

Records, packets, activity maps, protocol activity, and charts with throughput and packet metrics are available for devices receiving Standard Analysis. Adjust analysis priorities to elevate a device or endpoint from Standard Analysis to Advanced Analysis.

This ExtraHop chart type displays metric values in a column chart, where the color of the columns represents the status and severity of an alert assigned to the source and metric selected in the chart.

This ExtraHop chart type displays metric values across rows and columns in a table.

In the ExtraHop system, TCP (Transmission Control Protocol) metrics provide information about the reliable transfer of packets between a source and destination. Through TCP metrics, ExtraHop provides visibility into which devices are connected to each other, when devices send data, if there are errors in the data, what protocols are communicated through, and so on.

A TCP RST packet is sent to prevent a TCP connection from being established or to forcibly terminate an existing connection. Sometimes resets are sent when the receiving device failed to ACK the SYN packet, or it failed to acknowledge another packet sent and retransmitted later in the transaction. In some cases, TRCP RSTs indicates that an error occurred. High volumes of outbound resets should be investigated to determine if they are expected behavior or indicative of a larger issue.

Telnet is an application-layer protocol for interactive text-oriented communications over a virtual terminal connection.

The Time Selector is a tool that enables you to specify a time interval for the collection and presentation of network data in the ExtraHop Web UI. There are two types of Time Selectors: a Global Time Selector for specifying global time intervals and a Region Time Selector for specifying region time intervals in a dashboard.

A timestamp is a digital record of the time a particular event occurred. In the ExtraHop system, you can select the default timestamp, or configure external timestamps such as Gigamon or Anue through the Running Configuration file.

A top-level, or base, metric gives you a sum of data for a specified time period. Top-level metrics provide you with a big-picture value to help identify what is happening on your network. You can then drill down on a top-level metric to view detail metrics. There are different types of top-level metrics that provide different information, which include count, dataset, maximum, sampleset, and snapshot metric types. Understanding metrics types is essential to writing triggers and configuring charts.

A topnset is the top 1,000 key-value pairs calculated for the time interval you specify in the Time Selector. A topnset is not a complete data set because a topnset only represents the key-values that are recorded for a specific aggregation roll up (based on a specified time interval), and is limited to up to 1,000 keys per topnset.

The ExtraHop Trace appliance (ETA) continuously collects network packets and connects to the ExtraHop Discover appliance to enable you to quickly retrieve all packets that match a set of search criteria within a given time interval.

This ExtraHop chart displays the total value for one or more metrics. Selecting more than one metric will display the metric values side-by-side.

Virtual packet loss (VPL) refers to a phenomenon that affects fully or partially virtualized applications. VPL creates symptoms that suggests network congestion and is often undetected by traditional network monitoring and application performance management (APM) tools. VPL occurs when a hypervisor schedules CPU time for an excessive number of virtual machines (VMs) and prevents those VMs from responding fast enough to TCP acknowledgements. VPL can be detected by a combination of application awareness and advanced TCP analysis.

A Virtual Local Area Network (VLAN) is a logical grouping of traffic or devices on a network. VLAN information is extracted from VLAN tags, if the traffic mirroring process preserves the tags on the mirror port.

Individual devices on the watchlist are guaranteed Advanced Analysis. Typically, critical assets are added to the watchlist. Advanced Analysis is an analysis level where records, packets, activity maps, and charts with L2-L7 protocol metrics are available for devices. You can remove devices from the watchlist at any time.

Widgets are configurable dashboard components that can be added to a region for different functions. Widget types are chart, text box, alert history, activity groups, and networks (Command appliance only).

Wire data is created when data in flight is analyzed as traffic is sent over the network. Through real-time full-stream processing, unstructured data is reassembled into structured wire data that can be analyzed in real time. Wire data encompasses L2-L7 data that spans the entire application delivery chain and provides the most comprehensive, wide-reaching visibility.

A Zero Window is a TCP metric in the ExtraHop system that measures application congestion. When a device advertises a Zero Window message to the sender device during data transfer, this means that the device can no longer accept data because the device's receive window (a buffer for incoming data) is full. The Zero Window message tells the sender to pause data transfer until further notice.