Find a device

The ExtraHop system automatically discovers devices such as clients, servers, routers, load balancers, and gateways that are actively communicating with other devices over the wire. If you want to see network activity associated with a specific device, you can search for your device in the Discover or Command appliance, and then view traffic and protocol metrics on a protocol page.

There are several ways to search for a device:

Search for a device by details

You can create a detailed search for a device based on information observed over the wire, such as IP address, MAC address, hostname, or protocol activity. You can also search by customized information such as device tag or custom names associated with the device.

This procedure shows you how to perform a detailed search from the device list page in the Metrics section of the ExtraHop Web UI.

  1. Log into the Web UI on the Discover or Command appliance and then click Metrics at the top of the page.
  2. Click Devices in the left pane.
  3. To filter devices by device details, click Any Column and select one of the following categories:
    Any Column
    Filters results by the exact string that matches any device detail.
    Name
    Filters results by the discovered or custom device name. For example, a discovered device name can include the IP address or hostname. For more information about device names and how to change them, see Add a custom device name.
    MAC address
    Filters results by the device MAC address. You might see two devices with the same MAC address in the results. During the device discovery process, an L2 parent device (MAC address only) and L3 child device (IP address) are created for every IP address observed on the wire. The L3 device has L2-L7 protocol metrics associated with it. For more information, see Device Discovery FAQ
    VLAN
    Filters results by the device Virtual Local Area Network (VLAN) tag.
    IP address
    Filters results by the device IP address. The IP address criteria can include CIDR notation in IP address or subnet prefix length format. For example, 10.10.0.0/16 for IPv4 networks or 2001:db8::/32 for IPv6 networks.
    Node (Command appliance only)
    Filters results by devices associated with a connected Discover appliance name.
    Tag
    Filters results by a user-defined device tag. For more information, see Add a device tag.
    Type
    Filters results by the following device attributes that you select from the drop-down list:

    Activity: Filters results by metric activity associated with the device. For example, selecting Activity: HTTP Server returns devices with HTTP server metrics, and any other device with a device role set to WWW Server.

    Device Type: Filters results by a device role, such as gateway, firewall, load balancer, and WWW Server. For more information about device roles and how to change them, see Change a device role.

    Class: Filters results by a device class, such as node, remote, and custom devices.

  4. To filter results by L2 or L3 device type, click All Devices to the right of the search field and then select one of the following categories:
    L2 device
    An L2 device in the ExtraHop system has a MAC address only. ExtraHop automatically creates an L2 device based on a MAC address, and all network throughput activity is tracked against that device. For more information about an L2 device, see Device Discovery FAQ in the Device Discovery FAQ.
    L3 device
    An L3 device in the ExtraHop system has an observed IP address that comes from local traffic or from traffic coming from a router. For more information, see Device Discovery FAQ in the Device Discovery FAQ.
  5. Click Search.
  6. Click the name of the device you are searching for from the list of results.
    A protocol page for the device opens, which displays an overview of network throughput and top protocol activity.

Next steps

Search for devices by protocol activity

Activity groups contain devices that are automatically grouped together based on observed protocol traffic over the wire. Searching for a device within an activity group helps you quickly locate a client or server that is associated with a protocol, or discover a decommissioned device that is still actively communicating over a protocol.

This procedure shows you how to find a device in an activity group., In the following example, we show you how to search for a web server within the HTTP Servers activity group.

  1. Log into the Web UI on the Discover or Command appliance and click Metrics at the top of the page.
  2. Click Activity Group in the left pane.
  3. Select an activity group, such as HTTP Servers. A protocol page for the device group appears.
  4. In the top right corner of the page, click Group Members. A table with all of the devices that sent HTTP responses over the wire appears.
  5. Click on a web server device name in the table. A protocol page for the web server appears. This page displays traffic and protocol metrics associated with that web server.
  6. In the left pane, click HTTP Server to view the total number of HTTP responses sent by this device.
    Note:If you do not see an activity group for a protocol that you were expecting to see, the ExtraHop system might not have observed that type of protocol traffic over the wire yet, or the protocol might require a module license. For more information, see the License FAQ section in the License FAQ.

Next steps

Search for peer devices

If you want to know which devices are actively talking to each other, you can drill down by Peer IPs from a device or device group protocol page.

When you drill down by Peer IP address, you can investigate a list of peer devices, view performance or throughput metrics associated with peer devices, and then click on a peer device name to view additional protocol metrics.

  1. Log into the Web UI on the Discover or Command appliance.
  2. Click Metrics and then select Device, Activity Group, or Device Group in the left pane.
  3. Search for a device or device group, and then click the name of a device or device group from the list of results. A protocol page for that selected device or device group opens.
  4. In the Details section near the upper right corner of the page, click Peer IPs.
    A list of peer devices appears, which are broken down by IP address. You can investigate network bytes and packets information for each peer device, as shown in the following figure.

  5. To view network latency (round trip time) metrics for each peer device, complete the following steps:
    1. Click Back to Overview or the back button to return to the original protocol page for the device or device group.
    2. Click TCP in the left pane.
    3. In the Details section near the upper right corner of the page, click Peer IPs.
Published 2017-08-14 22:08