Find a device

The ExtraHop system automatically discovers devices such as clients, servers, routers, load balancers, and gateways that are actively communicating with other devices over the wire. If you want to see network activity associated with a specific device, you can search for your device in the Discover or Command appliance, and then view traffic and protocol metrics on a protocol page.

There are several ways to search for a device:

Search for a device by details

You can create a detailed search for a device based on information observed over the wire, such as IP address, MAC address, hostname, or protocol activity. You can also search by customized information such as device tag or custom names associated with the device.

This procedure shows you how to perform a detailed search from the device list page in the Metrics section of the ExtraHop Web UI.

  1. Log in to the Web UI on the Discover or Command appliance and then click Metrics at the top of the page.
  2. Click Devices in the left pane.
  3. To filter devices by device details, click Any Field and select one of the following categories:
    Any Field
    Filters results by the exact string that matches any device detail.
    Name
    Filters results by the discovered or custom device name. For example, a discovered device name can include the IP address or hostname. For more information about device names and how to change them, see Change a device name.
    MAC address
    Filters results by the device MAC address. You might see two devices with the same MAC address in the results. During the device discovery process, an L2 parent device (MAC address only) and L3 child device (IP address) are created for every IP address observed on the wire. The L3 device has L2-L7 protocol metrics associated with it. For more information, see the Device Discovery FAQ.
    VLAN
    Filters results by the device Virtual Local Area Network (VLAN) tag.
    IP address
    Filters results by the device IP address. The IP address criteria can be written in CIDR notation, that is, an IP address followed by a subnet prefix length. For example, 10.10.0.0/16 for IPv4 networks or 2001:db8::/32 for IPv6 networks.
    Node (Command appliance only)
    Filters results by devices associated with a connected Discover appliance name.
    Tag
    Filters results by a user-defined device tag. For more information, see Add a tag to a device.
    Type
    Filters results by the following device attributes that you select from the drop-down list:

    Activity: Filters results by protocol activity associated with the device. For example, selecting Activity: HTTP Server returns devices with HTTP server metrics, and any other device with a device role set to WWW Server.

    Device Type: Filters results by a device role, such as gateway, firewall, load balancer, and WWW Server. For more information about device roles and how to change them, see Change a device role.

    Class: Filters results by a device class, such as node, remote, and custom devices.

  4. To filter results by L2 or L3 device type, click All Devices to the right of the search field and then select one of the following categories:
    L2 device
    An L2 device in the ExtraHop system has a MAC address only. ExtraHop automatically creates an L2 device based on a MAC address, and all network throughput activity is tracked against that device. For more information about an L2 device, see the Device Discovery FAQ.
    L3 device
    An L3 device in the ExtraHop system has an observed IP address that comes from local traffic or from traffic coming from a router. For more information, see the Device Discovery FAQ.
  5. Click Search.
    Note: You can download the list of devices to a CSV file. In the upper right corner of the page, click the command menu and then select CSV.
  6. Click the name of the device you are searching for from the list of results.
    A protocol page for the device opens, which displays an overview of network throughput and top protocol activity.
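
The CSV downloaded in step 5 can be checked offline with the same CIDR and L2/L3 rules the filters above describe. The following Python is an added example, not ExtraHop code; the column names (name, mac, ip, vlan) and the sample rows are constructed assumptions, so match them to the header of your own export.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export; the column names are assumptions, not the
# appliance's documented CSV header.
SAMPLE_CSV = """name,mac,ip,vlan
Device 0050569A1B2C,00:50:56:9A:1B:2C,,10
web01,00:50:56:9A:1B:2C,10.10.4.20,10
web01-v6,00:50:56:9A:1B:2C,2001:db8::20,10
Device 0050569A7788,00:50:56:9A:77:88,,20
db01,00:50:56:9A:77:88,192.168.5.9,20
"""

def load_devices(text):
    """Parse the exported device list into one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))

def filter_by_cidr(devices, cidr):
    """Return the L3 rows whose IP falls inside cidr (IPv4 or IPv6)."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = []
    for row in devices:
        if not row["ip"]:
            continue  # L2 device: MAC address only, nothing to match
        addr = ipaddress.ip_address(row["ip"])
        if addr.version == net.version and addr in net:
            hits.append(row)
    return hits

def group_by_mac(devices):
    """Map each MAC to its L2 parent name and the IPs of its L3 children."""
    groups = defaultdict(lambda: {"l2_parent": None, "l3_children": []})
    for row in devices:
        entry = groups[row["mac"].lower()]
        if row["ip"]:
            entry["l3_children"].append(row["ip"])
        else:
            entry["l2_parent"] = row["name"]
    return dict(groups)

if __name__ == "__main__":
    devs = load_devices(SAMPLE_CSV)
    print([d["name"] for d in filter_by_cidr(devs, "10.10.0.0/16")])
    for mac, group in group_by_mac(devs).items():
        print(mac, group)
```

Grouping by MAC shows why one MAC address can appear on several rows: one L2 parent plus an L3 child for each observed IP address.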

Next steps

  • Investigate additional metrics by protocol by selecting another protocol in the left pane.
  • Change a device name.

Search for devices by protocol activity

The Activity page displays all protocols that are actively communicating over the wire during the selected time interval. You can quickly locate a device that is associated with a protocol, or discover a decommissioned device that is still actively communicating over a protocol.

In the following example, we show you how to search for a web server within the group of HTTP servers.
  1. Log in to the Web UI on the Discover or Command appliance and click Metrics at the top of the page.
    The Activity page appears, which lists all the protocols with traffic in the selected time interval.

    If you do not see the protocol you want, the ExtraHop system might not have observed that type of protocol traffic over the wire yet, or the protocol might require a module license. For more information, see the I don't see the protocol traffic I was expecting? section in the License FAQ.

  2. Click the number of HTTP servers, as shown in the following figure.
    The page displays traffic and protocol metrics associated with the group of HTTP servers.
  3. At the top of the page, click Group Members, as shown in the following figure.
    The page displays all of the devices that sent HTTP responses over the wire during the selected time interval.
  4. Click a device name in the table.
    The page displays traffic and protocol metrics associated with that device, similar to the following image.

Next steps

  • Investigate additional metrics by selecting another protocol in the Server Activity or Client Activity sections in the left pane.
  • Change a device name.

Search for peer devices

If you want to know which devices are actively talking to each other, you can drill down by Peer IPs from a device or device group protocol page.

When you drill down by Peer IP address, you can investigate a list of peer devices, view performance or throughput metrics associated with peer devices, and then click on a peer device name to view additional protocol metrics.
  1. Log in to the Web UI on the Discover or Command appliance.
  2. Click Metrics and then select Device or Device Group in the left pane.
  3. Search for a device or device group, and then click the name of a device or device group from the list of results.
    A protocol page for that selected device or device group appears.
  4. In the Details section near the upper right corner of the page, click Peer IPs.
    A list of peer devices appears, which are broken down by IP address. You can investigate network bytes and packets information for each peer device, as shown in the following figure.
  5. To view network latency (round trip time) metrics for each peer device, complete the following steps:
    1. Click Back to Overview or the back button to return to the original protocol page for the device or device group.
    2. Click TCP in the left pane.
    3. In the Details section near the upper right corner of the page, click Peer IPs.
Published 2018-12-14 15:36