Device name auto-discovery


#1

The ExtraHop appliance does a great job of learning names for devices based on what it sees on the wire, such as NetBIOS names and DNS responses.

What is the device name ‘priority’ when it sees these? I have a server with a bunch of CNAMEs and it seems to change its name in the device list sometimes. Does the ExtraHop appliance prefer what it sees in PTR responses over A records, for example? Is NetBIOS higher in the list? Does it inspect HTTP Host: headers?

Yes, I know I can – and probably should – hard-code the names by clicking the edit icon next to “Name” on the device’s page, but I’m nonetheless curious how things work if I don’t.


#2

Per ExtraHop Support, DNS has higher priority than NetBIOS.

ExtraHop devices discover names from what they sniff, as well as any manual change you make. Here’s a partial list in order from highest to lowest.

  • User-defined name
    • this always wins
  • CDP
    • Cisco Discovery Protocol, probably only routers.
  • DHCP
    • The name the machine provides as part of its DHCP Request, if present. This is typically the name the machine thinks it is.
  • DNS
    • Any A record lookups on the wire
  • NetBIOS
    • fairly self-explanatory
  • MAC Address
    • MAC address prefixes are ‘owned’ by vendors (e.g. Apple, Dell, Cisco) so ExtraHop appliances can use the vendor code to guess that it’s a particular piece of hardware.

This is for ExtraHop v3.5. I’m not sure if previous versions were exactly the same or not.