Tip of the week: Where to start with ExtraHop metrics


One of the beautiful things about the ExtraHop platform is that you can get from installation to looking at data in about 15 minutes. When you download the Discovery Edition, this time can be even shorter. After you start up and apply the license, the question hits: what do I look at first?

In this post we will assume that you have Discovery Edition licensed and receiving traffic. Once you’re logged in and looking at traffic, the fun can start. If you don’t have everything set up, follow the deployment guide that came with your Discovery Edition and then come back. (Go on, we’ll wait.)

Let’s look at how you can use devices you are already familiar with as a quick way to learn about the ExtraHop platform and the metrics it makes available.

Using device exploration can be a great way to learn ExtraHop metrics by using a device that you’re already familiar with. All you need to know is the name or IP address. To start with device exploration, click “Devices” in the left panel of the ExtraHop Discovery Edition, and search for your IP address (or a device you are interested in that’s part of your capture interfaces). Below you can see a snapshot of the results on my machine.

The wifi interface on my machine is I could have also searched for this IP address.

Looking at this line, I can see that this machine has been automatically classified as an Apple device; I can also see the MAC address, the IP address, the VLAN tag (if I were on a tagged VLAN), and the time when the device was discovered.

Let’s go ahead and click on the computer icon (circled above), before clicking on the actual IP address.

This overview gives some more key information about the device, such as throughput in terms of packets and bytes in and out. Clicking on the protocol breakdown provides even more information.

Here I can see all of the protocols my device has been using.

The reason I like having new users start exploring ExtraHop using a device is that it contains data that users are already familiar with. On my computer I saw a number of spikes of SSL traffic on port 5222, and after drilling down on it I found that this was Jabber communicating with an XMPP server I use. This establishes patterns for analysis and troubleshooting for users in the future.

Going further

If you are a developer, another great starting point is the application view, which you can use to explore ExtraHop data through application metrics. In the Discovery Edition, select the “Overview” tab under “Applications” and you are then presented with all of the automatically classified application traffic you’ve been generating. On my machine, I have communication with DNS, Network File Servers, mail and web servers.

As an application developer, I might be interested in the status codes of my applications. I can drill down to “Web” under applications and track these responses in real time as I interact with my application.

Ultimately, using a known set of applications, devices or servers to start your ExtraHop exploration will allow you to familiarize yourself with ExtraHop metrics by using datasets that are already familiar to you.