See Who's Using (or Abusing) Your Network

Note: The ExtraHop Discovery Edition is no longer being actively maintained or updated, but all of the functions described in this post still apply to existing DE licenses and Enterprise Editions of ExtraHop.

In our previous post, we explored how network issues can impact web application performance, and how you can use the free ExtraHop Discovery Edition to see if the network caused a web application slowdown. What's even more interesting is to know why the network is performing so poorly. In other words, if the network switch died, who killed it?

One reason the network gets blamed so frequently for performance issues is because it is a shared resource. The bandwidth consumption of one activity leaves less bandwidth for others, and it is hard to police how well users and applications are behaving on the network just by looking at ports, bytes, and packets.

Whodunnit in the Datacenter

Continuing from the previous scenario, where we determined that a switch reboot caused a two-minute network outage, we saw that there was a spike in HTTP traffic before and after the loss of connectivity. In this post, we'll dig in using the Discovery Edition to see what caused that spike in traffic.

Drilling down from the Summary page to the Bytes by L7 Protocol chart (see below), we can see that HTTP traffic spikes up to 13 Mbps, which is worrisome considering that we have only a 15 Mbps link with our ISP. If this traffic passes over that ISP link, it will affect our locally hosted web application. The devices listed below the chart are the top talkers for the selected time period.

[Screenshot: problem4_l7_screen (Bytes by L7 Protocol chart with top talkers)]

Clicking on the second device in the list, we see incoming and outgoing traffic for this device alone. Most of the traffic is HTTP. Clicking HTTP in the chart narrows the list of servers below to only those that are communicating with this particular device using the HTTP protocol.

[Screenshot: problem4_l7_device_http (single device, HTTP servers)]

This view reveals that this particular user is browsing multiple content-heavy websites. (With the full edition of the ExtraHop platform, we would have been able to dig deeper into the client device to see which web services the user was accessing.) We can also see that all of this traffic goes through our HP networking switch, which is our main uplink switch to our ISP. Given this information, we can look into obtaining a dedicated link just for our web application, or into educating our users on our Internet usage policy.
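The drill-down above (bytes by L7 protocol over time, top talkers for one protocol, then the servers a single device talks to) is easy to reproduce on any per-flow byte counts. The script below is an added example, not ExtraHop code or its API: it assumes flow records of the form `(second, client, server, l7_protocol, bytes)`, a 15 Mbps ISP link as in the post, and that `10.0.0.0/8` is the local address range. The flow records are constructed sample data, sized so that HTTP peaks at 13 Mbps.

```python
"""Drill-down over flow records: bytes by L7 protocol per time bucket,
top local talkers for one protocol, and the peers one device talks to.
Added example (not ExtraHop's code); all data below is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LINK_MBPS = 15.0                       # ISP link capacity quoted in the post
LOCAL_NET = ip_network("10.0.0.0/8")   # assumed local address range

# Constructed flow records: (second, client, server, l7_protocol, bytes)
FLOWS = [
    (0, "10.0.1.20", "203.0.113.10", "HTTP", 400_000),
    (0, "10.0.1.21", "10.0.1.5",     "DB",   50_000),
    (1, "10.0.1.20", "203.0.113.11", "HTTP", 1_500_000),
    (1, "10.0.1.22", "203.0.113.10", "HTTP", 125_000),
    (1, "10.0.1.21", "10.0.1.5",     "DB",   60_000),
    (2, "10.0.1.20", "203.0.113.12", "HTTP", 1_625_000),
    (2, "10.0.1.23", "10.0.1.6",     "SMB",  300_000),
    (3, "10.0.1.22", "203.0.113.10", "HTTP", 100_000),
]


def bytes_by_protocol(flows, bucket=1):
    """Return {bucket_start_second: {protocol: bytes}} for each time bucket."""
    out = defaultdict(lambda: defaultdict(int))
    for t, _client, _server, proto, nbytes in flows:
        out[(t // bucket) * bucket][proto] += nbytes
    return {b: dict(p) for b, p in out.items()}


def mbps(nbytes, seconds=1):
    """Convert a byte count over `seconds` into megabits per second."""
    return nbytes * 8 / seconds / 1_000_000


def peak_mbps(flows, proto, bucket=1):
    """Highest per-bucket throughput seen for one L7 protocol, in Mbps."""
    series = bytes_by_protocol(flows, bucket)
    return max((mbps(p.get(proto, 0), bucket) for p in series.values()), default=0.0)


def link_headroom(flows, proto, bucket=1):
    """Fraction of the ISP link still free at the protocol's peak (negative = oversubscribed)."""
    return 1 - peak_mbps(flows, proto, bucket) / LINK_MBPS


def top_talkers(flows, proto, n=5):
    """Local devices ranked by bytes (either direction) carried over `proto`."""
    totals = defaultdict(int)
    for _t, client, server, p, nbytes in flows:
        if p != proto:
            continue
        for device in (client, server):
            if ip_address(device) in LOCAL_NET:
                totals[device] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def servers_for_device(flows, device, proto):
    """Peers that exchanged `proto` traffic with `device`, ranked by bytes."""
    peers = defaultdict(int)
    for _t, client, server, p, nbytes in flows:
        if p != proto:
            continue
        if client == device:
            peers[server] += nbytes
        elif server == device:
            peers[client] += nbytes
    return sorted(peers.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    peak = peak_mbps(FLOWS, "HTTP")
    print(f"HTTP peaks at {peak:.1f} Mbps on a {LINK_MBPS:.0f} Mbps link "
          f"({link_headroom(FLOWS, 'HTTP'):.0%} headroom)")
    for device, total in top_talkers(FLOWS, "HTTP"):
        print(f"{device}: {total} bytes of HTTP")
        for peer, nbytes in servers_for_device(FLOWS, device, "HTTP"):
            print(f"    -> {peer}: {nbytes} bytes")
```

Running it prints the 13.0 Mbps HTTP peak, the two local HTTP talkers, and for each the external servers it spoke to, which is the same three-step narrowing the screenshots show. A real deployment would feed this from exported flow or transaction records; the bucket size controls how spiky the chart looks, and a one-second bucket is what makes a short burst stand out against a 15 Mbps ceiling.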

Wire Data Answers Critical Questions

When troubleshooting network issues, you need to see not only which users and applications are using the network, but also how efficiently they are using it. In this case, we found that a particular user was consuming too much bandwidth, leaving less available for the locally hosted web application. ExtraHop can also help in similar situations where just counting bytes and monitoring ports won't cut it. By examining L2-L7 communications, you can answer these critical questions:
  • Are people downloading large files from your site?
  • Is there an ill-timed backup running?
  • Is a logging script behaving badly?
  • Is a search engine crawling the site?

Try the [free, interactive ExtraHop demo](/demo/) to get a taste of how wire data can help you tune your network and optimize your web performance.
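Each of the four questions above is answerable from per-transaction HTTP records rather than byte and port counters. The script below is an added example, not ExtraHop code: it assumes records of the form `(timestamp, client, user_agent, path, response_bytes)`, and the thresholds, bot markers and business-hours window are assumptions you would tune for your site. The transactions are constructed so that each question has one clear hit: a single large download, a bulk transfer during business hours, a client hammering one path, and a crawler user agent.

```python
"""Answering the four wire-data questions from HTTP transaction records.
Added example (not ExtraHop's code); all records below are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASE = datetime(2014, 6, 10, 9, 0, 0)   # constructed: a weekday morning


def at(minutes, seconds=0):
    return BASE + timedelta(minutes=minutes, seconds=seconds)


# Constructed transactions: (timestamp, client, user_agent, path, response_bytes)
TXNS = [
    (at(0), "198.51.100.7", "Mozilla/5.0", "/downloads/dataset.zip", 850_000_000),
    (at(1), "198.51.100.8", "Mozilla/5.0", "/index.html", 12_000),
    (at(2), "203.0.113.50", "Googlebot/2.1 (+http://www.google.com/bot.html)", "/products/1", 30_000),
    (at(2, 1), "203.0.113.50", "Googlebot/2.1 (+http://www.google.com/bot.html)", "/products/2", 31_000),
    (at(5), "10.0.1.40", "backup-agent/1.0", "/api/export?part=1", 40_000_000),
    (at(6), "10.0.1.40", "backup-agent/1.0", "/api/export?part=2", 40_000_000),
    (at(7), "10.0.1.40", "backup-agent/1.0", "/api/export?part=3", 40_000_000),
] + [(at(10), "10.0.1.41", "python-requests/2.3", "/api/log", 200) for _ in range(25)]

BOT_MARKERS = ("bot", "crawler", "spider")   # assumed user-agent substrings


def large_downloads(txns, min_bytes=100_000_000):
    """Q1: single responses at or above `min_bytes` (client, path, bytes)."""
    return [(c, p, b) for _ts, c, _ua, p, b in txns if b >= min_bytes]


def bulk_movers_in_window(txns, start_hour=8, end_hour=18, min_total=100_000_000):
    """Q2: clients whose total volume inside business hours exceeds `min_total`
    (an ill-timed backup shows up here even if no single response is large)."""
    totals = defaultdict(int)
    for ts, c, _ua, _p, b in txns:
        if start_hour <= ts.hour < end_hour:
            totals[c] += b
    return sorted((c, t) for c, t in totals.items() if t >= min_total)


def hammering_clients(txns, max_per_second=10):
    """Q3: clients that hit the same path more than `max_per_second` times
    within one second (a logging script in a tight loop)."""
    per_second = Counter((ts.replace(microsecond=0), c, p) for ts, c, _ua, p, _b in txns)
    return sorted({(c, p, n) for (_ts, c, p), n in per_second.items() if n > max_per_second})


def crawler_clients(txns):
    """Q4: clients whose user agent carries a known bot marker."""
    return sorted({c for _ts, c, ua, _p, _b in txns
                   if any(m in ua.lower() for m in BOT_MARKERS)})


def report(txns):
    """All four answers in one dict, so the checks can be run on a schedule."""
    return {
        "large_downloads": large_downloads(txns),
        "bulk_movers_in_business_hours": bulk_movers_in_window(txns),
        "hammering_clients": hammering_clients(txns),
        "crawlers": crawler_clients(txns),
    }


if __name__ == "__main__":
    for question, hits in report(TXNS).items():
        print(f"{question}: {hits}")
```

The bulk-mover check deliberately ranks the one-off large download alongside the backup agent: both compete for the same uplink during business hours, and the user agent and path are what tell you which is which. The per-second counter for the logging script is the same idea as the per-second bucket used for the protocol chart, applied to request counts instead of bytes.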