Create report showing device mapping with port/protocols?

Is there a way to create a report that shows a device and all its connections with associated ports/protocols in use? The activity map does this nicely in a graphical format, but I cannot figure out a way to do this via pdf report or maybe even a csv export?

Thanks!

Hi dkraut,

You can export a CSV, or XLSX from the “right click” menu. Try this from a Device’s L7 Protocols page. You can also “PDF” that page from the button in the top-right corner.

Hi lipsum, that provides a list of peer devices, but not any per device port/protocol information. There’s aggregate protocol information in the graph, but is it possible to include port/protocol for all peer devices?

We need this to perform Discovery. Who is talking to who and on what ports.

Thanks!

If you use the L7 details page, you can get protocol information in aggregate that you can easily shoot to Excel. Unfortunately, this page doesn’t have per peer per port packet information. You could use the API to grab all the device information you want and create a csv file.

bummer… seems like there should be a way to export the per peer port information since that information is in the activity map. Just need a way to output that same information to excel or pdf. Not sure where to really begin with the API…

dkraut,

Did you see my private message?

dkraut,

Here’s a quick example using the ExtraHop PowerShell API Client:

```powershell
# Connect to the appliance; replace the host name and the API key placeholder.
$extraHop = New-ExtraHopAPIClient -Host extrahop.company.com -ApiKey 'apikeyhere'

# Time range in milliseconds relative to now: the last 24 hours.
$searchStart = -86400000
$searchUntil = 0

# Look up the device group by name.
$deviceGroupId = ($extraHop.GetDeviceGroups() |? {$_.name -eq 'DEVICE_GROUP_NAME'}).oid

$devices = $extraHop.GetDeviceGroupDevices($searchStart, $searchUntil, $deviceGroupId, @{}).devices
$peerTraffic = @()

# Only devices that have an IPv4 address.
foreach ($device in $devices |? {$_.ipaddr4.length -gt 0})
{
    $deviceIP = $device.ipaddr4
    $objectId = $device.oid

    # Request inbound packet counts for this device, broken down by protocol and peer.
    $apiPayload = @{ cycle='auto'; from=$searchStart; until=$searchUntil; metric_category='app_detail'; metric_specs=@(@{name='pkts_in'}); object_ids=@($objectId); object_type='device' }
    $metrics = $extraHop.RestAPI('/metrics/totalbyobject', 'post', @{}, $apiPayload, @{})

    # One row per host / protocol / peer.
    $metrics.stats.values |% { $proto=$_.key.str; $_.value |% { $peerTraffic += [PSCustomObject]@{'Host'=$deviceIP;'Protocol'=$proto; 'Peer'=$_.key.addr; 'Count'=$_.value } }}
}

# Show the rows, busiest first.
$peerTraffic | Sort-Object Count -Descending | Out-GridView
```

Let me know if that is close to what you’re looking for.

Thanks lipsum, any idea where I get the API Key from?

Each user should generate their own API key.

When logged into your ExtraHop Discover Appliance, you should be able to click the ‘user’ icon at the top right of the screen, then click API Access where you can generate an API key for yourself.

Hi lipsum, Got the APIKey, but now I’m getting the following error while trying to connect:

```
The underlying connection was closed: The connection was closed unexpectedly.
At C:\Users\xxxxxx\Documents\WindowsPowerShell\Modules\ExtraHopAPIClient\ExtraHopAPIClient.psm1:161 char:17
+             Throw $_.Exception
+             ~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [], WebException
    + FullyQualifiedErrorId : The underlying connection was closed: The connection was closed unexpectedly.
```

I’ve seen cases where exceptions are thrown if IE is not present.

In the _Send_HTTP_Request() function in ExtraHopApiClient.psm1, the Invoke-WebRequest cmdlet is used to make REST API calls. This cmdlet uses the Internet Explorer engine to parse the response DOM content. One of the major problems with this is that this requires Internet Explorer to be installed (not valid on Server Core installations), cannot run in the SYSTEM context, and may have security or compatibility issues.

The -UseBasicParsing parameter can be used to bypass the Internet Explorer engine, as DOM parsing is not needed for JSON data. Alternatively, the Invoke-RestMethod cmdlet can be used, but would require rewriting the module to catch exceptions instead of checking the response code.

If -UseBasicParsing doesn’t help, you may want to reach out to ExtraHop support for a more thorough look at your particular situation.

If you haven’t put a certificate on the ExtraHop, this could also be caused by PowerShell refusing to establish a connection due to a trust error. PowerShell doesn’t have an equivalent to the -k flag in curl, so if this is the cause of the issue you’ll need to download the public.cer file from your appliance and add it to the local user’s certificate store.

Hi Lipsum,
This script looks as though it will do just what we’d like. However, we don’t know PowerShell too well. Are you able to provide a Python or Curl version that does the same ?
Thank you,
Kind regards, Ian

Hello @hutch235 - I’ll see if I can dig up a Python example. In the meantime, you should be able to find the relevant curl examples in the REST API Explorer on your EDA.
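The per-peer query from the PowerShell script earlier in the thread, sketched in Python as an added example (not code from any poster or from ExtraHop), with the appliance certificate pinned as the trust anchor instead of turning verification off. The function names and the sample response are constructed for illustration; the `/api/v1` prefix and the `ExtraHop apikey=` header follow the ExtraHop REST API, and the response nesting is assumed from the fields the PowerShell script reads.

```python
import csv, io, json, ssl, urllib.request

def build_request(host, api_key, object_id, start_ms=-86400000, until_ms=0):
    """POST mirroring $apiPayload from the PowerShell script in the thread."""
    payload = {"cycle": "auto", "from": start_ms, "until": until_ms,
               "metric_category": "app_detail", "metric_specs": [{"name": "pkts_in"}],
               "object_ids": [object_id], "object_type": "device"}
    return urllib.request.Request(
        f"https://{host}/api/v1/metrics/totalbyobject",
        data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"ExtraHop apikey={api_key}",
                 "Content-Type": "application/json"})

def fetch(req, ca_file):
    """Trust only the appliance certificate in ca_file (PEM); verification stays on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)

def _entries(node):
    """Yield dicts from 'values', which may be nested one list per metric spec."""
    if isinstance(node, list):
        for item in node:
            yield from _entries(item)
    elif isinstance(node, dict):
        yield node

def flatten(device_ip, metrics):
    """Response layout is assumed from the fields the PowerShell script reads."""
    rows = [{"Host": device_ip, "Protocol": proto["key"]["str"],
             "Peer": peer["key"].get("addr"), "Count": peer["value"]}
            for stat in metrics.get("stats", [])
            for proto in _entries(stat.get("values", []))
            for peer in _entries(proto.get("value", []))]
    return sorted(rows, key=lambda r: r["Count"], reverse=True)

def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["Host", "Protocol", "Peer", "Count"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

# Constructed sample response, not captured from an appliance.
SAMPLE = {"stats": [{"values": [[
    {"key": {"str": "TCP:443"}, "value": [{"key": {"addr": "10.0.0.5"}, "value": 120},
                                           {"key": {"addr": "10.0.0.9"}, "value": 7}]},
    {"key": {"str": "UDP:53"}, "value": [{"key": {"addr": "10.0.0.2"}, "value": 31}]}]]}]}
if __name__ == "__main__":
    print(to_csv(flatten("10.0.0.20", SAMPLE)))
```

For a live run, pass the result of `build_request` to `fetch` together with the path of the certificate exported from the appliance, and read the API key from an environment variable rather than storing it in the script.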