See Who's Using (or Abusing) Your Network

Anna Brown

August 1, 2014

Note: The ExtraHop Discovery Edition is no longer being actively maintained or updated, but all of the functions described in this post still apply to existing DE licenses and Enterprise Editions of ExtraHop.

In our previous post, we explored how network issues can impact web application performance, and how you can use the free ExtraHop Discovery Edition to see if the network caused a web application slowdown. What's even more interesting is to know why the network is performing so poorly. In other words, if the network switch died, who killed it?

One reason the network gets blamed so frequently for performance issues is that it is a shared resource. Bandwidth consumed by one activity leaves less for others, and it is hard to police how well users and applications are behaving on the network just by looking at ports, bytes, and packets.

Whodunnit in the Datacenter

the previous scenario

Drilling down from the Summary page to the Bytes by L7 Protocol chart (see below), we can see that HTTP traffic spikes up to 13Mbps, which is worrisome considering that we have only a 15Mbps link with our ISP. If this traffic passes over this ISP link, it would affect our locally hosted web application. The devices listed below represent the top talkers during the time period selected.


Clicking on the second device in the list, we see incoming and outgoing traffic for this device alone. Most of the traffic is HTTP. Clicking HTTP in the chart narrows the list of servers below to only those that are communicating with this particular device using the HTTP protocol.


This view reveals that this particular user is browsing multiple content-heavy web sites. (With the full edition of the ExtraHop platform, we would have been able to dig deeper into the client device to see which web services the user was accessing.) We can also see that all this traffic goes through our HP networking switch, which is our main uplink switch to our ISP. Given this information, we can look into obtaining a dedicated link just for our web application or educating our users on our Internet usage policy.
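The same drill-down can be reproduced outside the product from any per-flow byte counts. The following is an added example, not ExtraHop code: it finds the interval where HTTP peaks, ranks the top talkers in that interval, and compares total traffic against the 15Mbps link. The record format, device names, byte counts, and 30-second interval are constructed assumptions.

```python
from collections import defaultdict

LINK_MBPS = 15.0   # ISP link capacity quoted in the post
BUCKET_S = 30      # assumed aggregation interval (not from the post)

# Constructed flow records: (epoch_seconds, device, l7_protocol, bytes)
FLOWS = [
    (0,  "web-app-01", "HTTP", 3_750_000),
    (5,  "laptop-17",  "HTTP", 7_500_000),
    (12, "db-01",      "DB",   1_875_000),
    (31, "laptop-17",  "HTTP", 41_250_000),
    (40, "web-app-01", "HTTP", 7_500_000),
    (55, "backup-01",  "NFS",  3_750_000),
    (62, "laptop-17",  "HTTP", 11_250_000),
]

def mbps(nbytes, seconds=BUCKET_S):
    """Convert a byte count over an interval to megabits per second."""
    return nbytes * 8 / seconds / 1_000_000

def protocol_rates(flows):
    """Return {bucket_start: {protocol: Mbps}} (the Bytes by L7 Protocol view)."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, _dev, proto, nbytes in flows:
        totals[ts - ts % BUCKET_S][proto] += nbytes
    return {b: {p: mbps(n) for p, n in ps.items()} for b, ps in totals.items()}

def peak_bucket(flows, proto):
    """Bucket start time at which the given protocol's rate is highest."""
    rates = protocol_rates(flows)
    return max(rates, key=lambda b: rates[b].get(proto, 0.0))

def top_talkers(flows, proto, bucket):
    """Devices ranked by Mbps for one protocol within one bucket."""
    per_dev = defaultdict(int)
    for ts, dev, p, nbytes in flows:
        if p == proto and ts - ts % BUCKET_S == bucket:
            per_dev[dev] += nbytes
    return sorted(((d, mbps(n)) for d, n in per_dev.items()), key=lambda x: -x[1])

def link_utilization(flows, bucket):
    """Fraction of the ISP link consumed by all protocols in one bucket."""
    return sum(protocol_rates(flows)[bucket].values()) / LINK_MBPS

if __name__ == "__main__":
    b = peak_bucket(FLOWS, "HTTP")
    print(b, top_talkers(FLOWS, "HTTP", b), f"{link_utilization(FLOWS, b):.0%}")
```

Ranking devices only inside the peak interval matters: a device that moves a lot of data spread over the whole day can outrank the one that actually saturated the link if you sort by total bytes.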

Wire Data Answers Critical Questions

  • Are people downloading large files from your site?
  • Is there an ill-timed backup running?
  • Is a logging script behaving badly?
  • Is a search engine crawling the site?

Try the [free, interactive ExtraHop demo](/demo/) to get a taste of how wire data can help you tune your network and optimize your web performance.
