Why would some of my TCP traffic not show up in EXA when I have automatic flow records turned on?
Automatic Flow Records in an EXA may not be able to see all communication when you filter by some IP addresses if there are no L3 devices to tie this communication to. Switches, firewalls, and virtual routers are normally classified as L2 devices since they can represent an edge device communicating with a lot of IPs. While we do show some flow information just between two L2 devices, TCP flow information requires at least one of the sender or receiver devices to be discovered as an L3 device by the automatic ExtraHop discovery.
Now how do you get the visibility you want into these additional flows?
Make an L3 device container to tie the flow to!
- ExtraHop L3 device discovery uses ARP packets to automatically detect local devices and create an ‘L3 device’ container to tie metrics to.
- You can also use custom devices to create L3 containers for specific objects. These containers can be more precise than normal device discovery.
- Finally, if you know a subnet is always going to be remote, but want to discover L3 devices anyway, there is an option for remote device discovery. This option will require Admin Access to your ExtraHop Discover System and cannot be reversed without resetting all data on your EDA.
There is also additional information about flow records in the web UI guide that may help explain further:
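The second option above, creating a custom device so that flows to a remote subnet have an L3 container to land in, can be scripted against the appliance REST API. The following is an added example, not code from the original post or from ExtraHop: it builds the custom-device body for one or more CIDRs, rejects malformed or overlapping ranges before anything reaches the appliance, and posts it. The endpoint path `/api/v1/customdevices`, the `ExtraHop apikey=` authorization header and the `ipaddr`/`ipaddr_direction` criteria field names reflect my reading of the ExtraHop REST API documentation and should be checked against your appliance's API Explorer; the host name, API key and subnets are made-up sample values.

```python
"""
Added example (not from the original post or ExtraHop): create an ExtraHop
custom device covering a remote subnet so flows to and from it are tied to
an L3 device container.

Assumptions, labelled as such: POST /api/v1/customdevices, the
"ExtraHop apikey=<key>" Authorization header and the criteria field names
(ipaddr, ipaddr_direction) are taken from my reading of the ExtraHop REST
API docs; confirm them in your appliance's API Explorer before use.
Host, key and subnets below are constructed sample values.
"""
import ipaddress
import json
import ssl
import urllib.request


def build_custom_device(name, cidrs, description="", direction="any"):
    """Return the JSON body for a custom device matching the given CIDRs.

    Each CIDR becomes one criteria entry. Bad input, host bits set
    (e.g. 10.20.0.1/24) and overlapping ranges are rejected up front so a
    typo cannot create a device that matches nothing or double-counts a range.
    """
    if not name or not cidrs:
        raise ValueError("name and at least one CIDR are required")
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError on host bits / garbage
        for seen in nets:
            if net.overlaps(seen):
                raise ValueError(f"{net} overlaps {seen}")
        nets.append(net)
    return {
        "name": name,
        "description": description,
        "disabled": False,
        "criteria": [
            {"ipaddr": str(net), "ipaddr_direction": direction} for net in nets
        ],
    }


def create_custom_device(host, api_key, body, verify_tls=True):
    """POST the body to the appliance (assumed endpoint) and return the HTTP status."""
    req = urllib.request.Request(
        f"https://{host}/api/v1/customdevices",
        data=json.dumps(body).encode(),
        headers={
            "Authorization": f"ExtraHop apikey={api_key}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab appliances with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    body = build_custom_device(
        "branch-office-lan",
        ["10.20.0.0/24", "10.21.0.0/24"],  # constructed sample subnets
        description="Remote branch subnets; gives their flows an L3 container",
    )
    print(json.dumps(body, indent=2))
    # Uncomment to create it on a real appliance (placeholders, not real values):
    # print(create_custom_device("extrahop.example.com", "REPLACE_ME", body))
```

Run it once without the POST to inspect the body, then enable the call; a 201 response means the device exists and new flow records involving those addresses should begin to attach to it.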