Observer GigaFlow

Documentation


GigaFlow Search

Overview

Search Scope

The system search is at the top of every GigaFlow page; it is a powerful and convenient way to access information directly, returning relevant matches and detailed summary information.

When the search term is an IP address, the left-hand side of the search results screen displays summary information about that IP address, including:

  • Infrastructure device(s) that this IP address was seen on.
  • More information about the associated device.
  • Associated interfaces.
  • Detail about the IP address.
  • Associated traffic groups.
  • Associated ARP entries.
  • Associated LLDP entries.
  • Associated events, e.g. watchlist or profile alerts.

The Treeview, a kind of graphical flow mapping, loads automatically on the right-hand side of the search results screen. It is a visual representation of the inbound and outbound traffic associated with the selected device.

See Search > Graphical Flow Mapping for more.

Searching by IP Address

  • Enter an IP address in the Search box.
  • Click Go.
  • Select a reporting period and click Submit.

Figure: GigaFlow's search bar and results screen. In this screenshot, the user is searching for an IP address, 172.21.21.254.

Scrolling down reveals additional results:

The tabbed box on the left displays search results for that IP address, including any infrastructure device that it is associated with, the number of interfaces it was recently seen on, IP entry details, ARP entries and the number of secflow events associated with it.

Each item can be clicked to display more information and follow-on searches can be carried out for linked information, e.g. for associated MAC addresses.

Searching by MAC Address

GigaFlow can search by MAC address. This returns the name of the connected device and its VLAN.

To search by MAC address:

  • Enter the entire MAC address into the search box; partial addresses are not sufficient.
  • GigaFlow's MAC address search accepts any standard MAC address format.
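The page does not list which notations count as "standard", so the following is an added example (not GigaFlow code) of the normalisation a search front-end typically performs before matching: it accepts the four common notations (colon-separated, hyphen-separated, Cisco dotted-quad and bare hex), rejects anything incomplete or mixed, and derives the IEEE OUI prefix on which a "MAC vendor" lookup is based. The function names and the sample addresses are constructed for the example.

```python
import re
from typing import Optional

# Accepted notations (case-insensitive). Anything that does not match one of
# these shapes exactly, e.g. a partial address or mixed separators, is rejected.
_FORMS = (
    re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$"),   # 00:1a:2b:3c:4d:5e
    re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$"),   # 00-1a-2b-3c-4d-5e
    re.compile(r"^([0-9a-f]{4}\.){2}[0-9a-f]{4}$"),  # 001a.2b3c.4d5e (Cisco)
    re.compile(r"^[0-9a-f]{12}$"),                   # 001a2b3c4d5e (bare hex)
)


def normalize_mac(raw: str) -> Optional[str]:
    """Return the address as lower-case colon-separated octets, or None if it
    is not a complete MAC in one of the accepted notations."""
    s = raw.strip().lower()
    if not any(form.match(s) for form in _FORMS):
        return None
    hexdigits = re.sub(r"[:.\-]", "", s)          # 12 hex digits after this
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui(raw: str) -> Optional[str]:
    """Return the IEEE OUI (first three octets, 'XX-XX-XX' style) used for
    vendor lookup, or None if the input is not a valid MAC."""
    mac = normalize_mac(raw)
    if mac is None:
        return None
    return mac[:8].upper().replace(":", "-")


def is_locally_administered(raw: str) -> Optional[bool]:
    """True when the U/L bit of the first octet is set, i.e. the address was
    assigned locally (common for randomised or virtual interfaces) and the
    OUI therefore does not identify a hardware vendor."""
    mac = normalize_mac(raw)
    if mac is None:
        return None
    return bool(int(mac[:2], 16) & 0x02)


if __name__ == "__main__":
    # Constructed sample inputs, as a user might type them into a search box.
    for sample in ("00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5e", "001a.2b3c.4d5e",
                   "001A2B3C4D5E", "00:1a:2b:3c:4d", "02:00:00:aa:bb:cc"):
        print(f"{sample!r:22} -> {normalize_mac(sample)}  OUI={oui(sample)}  "
              f"local={is_locally_administered(sample)}")
```

Normalising before the lookup means the same device is found whichever notation the analyst pastes from a switch, a Windows host or a packet capture; a locally administered address is worth flagging because its OUI will not resolve to a meaningful vendor.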

After searching the MAC address a number of key pieces of information will be displayed, including:

  • IP address.
  • Host name.
  • MAC vendor.
  • Layer-3 devices, interfaces or interface tools.

From here, some of the other actions you can take include:

  • Click the interface displayed in the left-hand dialog box to access more information about the physical interface the device is connected to. The interface with the lowest MAC count is the connected interface.
  • Click Live View on the right to display the live inbound and outbound utilisation of the interface.
  • Live View also provides speed, duplex and error count information for the interface.
  • Click on Connections to see what other devices are connected to the same port.

Searching by Username

To search by username:

  • Enter a username, or part of a username, into the search box.
  • GigaFlow will tell you if that username, or any variation of it, has been seen on your network.
  • Click on any of the search results to display its associated information in the right-hand side panel.

Searching for a Specific Network Switch

To search for a specific network switch:

  • Enter the switch IP address into the search box.
  • Click to expand the Device information and click, See all connections.
  • The Device Connections table shows connections to any one port on any one VLAN.
  • You can filter information by entering an interface, or device etc., into the search bar at the top-right of the table.

To make a follow-on search from a specific device or switch:

  • Using switches from previously displayed tables, you can search for any switches of similar origin, e.g. those containing the prefix PATS-3560.
  • Click on the desired switch; this reopens the Device Connections table.
  • You can also search by VLAN.

Graphical Flow Mapping

GigaFlow Search provides access to the Graphical Flow Mapping feature. Searching for any IP address returns summary tables as well as a visualisation of flows during the reporting period selected.

To access this feature, search for an IP address. See Searching by IP Address above.

On the right hand side of the screen, you will see the Graphical Flow Map.

Figure: GigaFlow's Graphical Flow Map (GigaFlow search graphical flow mapping).

The Graphical Flow Map is an interactive visualisation of the flows associated with that IP address. The branches of the Graphical Flow Map can be expanded to show associated interfaces and destination and source devices. These in turn can be explored.

To explore the Graphical Flow Map:

  • Click on any icon to show more information.
  • Click on the Destination Apps icon or the Source Apps icon for a breakdown of the applications. You can click on these to expand the tree.
  • Click + to see more devices in a tree of many branches.
  • The size of the line linking any two devices is proportional to the traffic volume between them.
  • Click on any line in the Treeview table to filter to only inbound or only outbound traffic. This opens a report showing traffic for the past two hours.

See also Profiling > Events > Flow Details.