Extract and Transform

How do you transform unstructured packets into structured wire data at wire speed?

The ExtraHop platform makes sense of the data flowing through your network so you can get insights immediately. The real-time stream processor transforms unstructured packets into structured wire data—your richest and most valuable source of insight—at line rate so that you can discover, observe, and analyze every digital interaction as it happens.

(Graphic: Extract and Transform) The real-time stream processor transforms raw packet data into structured wire data.

Upon receiving a copy of network traffic from a tap or port mirror, the stream processor performs line-rate decryption, protocol decoding, and full-stream reassembly for every transaction, at up to a sustained 40 Gbps. The architecture is optimized for parallel processing: the real-time stream processor splits the work of processing the streams across multiple computing cores, and it scales as cores are added in new generations of server processors. The result: customers get deeper and more meaningful insight at a fraction of the cost per Gbps of analysis compared to other real-time analytics platforms.

(Graphic: TCP State Machine) Full-stream reassembly is made possible by creating a TCP state machine for every client and server communicating on the network.

1. Line-Rate SSL Decryption

If the traffic is encrypted, the platform performs bulk SSL decryption at up to a sustained 40 Gbps with native hardware acceleration. This bulk decryption scales to 64,000 SSL transactions per second (TPS) using 2048-bit keys. No other real-time analytics platform scales to this level in a single unified appliance, which further drives down cost and removes the complexity of extracting the insight you require. One caveat a practitioner should keep in mind: passive decryption of this kind works from a copy of the server's private key, so it applies to cipher suites that use RSA key exchange. Sessions negotiated with ephemeral Diffie-Hellman (forward secrecy) cannot be recovered from the private key alone and require the session keys to be supplied from an endpoint.

2. High-Performance TCP State Machines

Starting at the most fundamental level, the real-time stream processor recreates the TCP state machine for every sender and receiver communicating on the network. This is a prerequisite for deeper application-protocol and full-payload analysis, and it lets the platform track each TCP mechanism (windowing, retransmission, and so on) and its effect on every transaction. Because TCP is where the network and the application meet, this approach helps you determine whether a problem is a network issue or an application issue.

3. Wire-Protocol Decoding and Full-Stream Reassembly

The real-time stream processor decodes IP-based protocols in order to recognize each protocol's own message and transaction boundaries, which lets it construct complete flows, sessions, and transactions. This application fluency is a prerequisite for higher-order content analysis because it turns unstructured packet data into structured wire data, structured according to the wire protocol itself. The platform also accommodates real-world traffic patterns such as IP fragments, out-of-order segments, and microbursts. If the tap or SPAN drops packets, the platform resynchronizes with the stream and resumes analysis.
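To make steps 2 and 3 concrete, here is an added example, written for this page and not ExtraHop code, of a passive one-direction TCP reassembler that handles out-of-order segments and retransmissions, gives up on a hole the tap never delivered, and hands each contiguous byte run to a small HTTP/1.x decoder that finds request boundaries and resynchronizes on the next request line when a run starts mid-message. The byte stream, segment boundaries and arrival order are constructed sample data; names such as TcpReassembler, decode_http_requests and run_demo are the example's own.

```python
"""Passive TCP reassembly plus HTTP/1.x request decoding on constructed data.
One direction (client -> server) of one flow as seen from a tap: segments arrive
out of order, one is retransmitted and one is lost before the tap saw it.
Simplification: 32-bit sequence-number wraparound is ignored."""
import re

class TcpReassembler:
    """Tracks the next expected sequence number for one direction of a flow."""
    def __init__(self, isn):
        self.next_seq = isn        # sequence number of the next byte to deliver
        self.pending = {}          # seq -> payload, segments that arrived early
        self.runs = [bytearray()]  # contiguous byte runs, a new one after each hole
        self.gaps = []             # (seq, length) of every hole we gave up on
        self.duplicates = 0        # segments that carried nothing new

    def feed(self, seq, payload):
        if seq + len(payload) <= self.next_seq:
            self.duplicates += 1   # pure retransmission of already delivered bytes
            return
        if seq < self.next_seq:    # partial overlap: keep only the new tail
            payload, seq = payload[self.next_seq - seq:], self.next_seq
        self.pending[seq] = payload
        self._drain()

    def _drain(self):
        """Append every pending segment that is now in order to the current run."""
        while self.next_seq in self.pending:
            data = self.pending.pop(self.next_seq)
            self.runs[-1] += data
            self.next_seq += len(data)
            for s in sorted(self.pending):   # early segments this delivery overlapped
                if s >= self.next_seq:
                    break
                d = self.pending.pop(s)
                if s + len(d) > self.next_seq:
                    self.pending[self.next_seq] = d[self.next_seq - s:]
                else:
                    self.duplicates += 1

    def resync(self):
        """Give up on the hole in front of next_seq and start a new run at the first
        byte we do have (a real analyser does this on a timeout or when the peer
        acknowledges past the hole; the demo below calls it explicitly)."""
        if not self.pending:
            return False
        first = min(self.pending)
        self.gaps.append((self.next_seq, first - self.next_seq))
        self.next_seq = first
        self.runs.append(bytearray())
        self._drain()
        return True

REQUEST_LINE = re.compile(rb"(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/1\.[01]\r\n")

def parse_headers(raw):
    headers = {}
    for line in raw.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return headers

def decode_http_requests(run):
    """Split one contiguous run into HTTP requests. If the run does not begin on a
    request line (it starts with the tail of a message whose head was lost), scan
    forward to the next request line and record that we resynchronised."""
    run, txns, pos = bytes(run), [], 0
    while (m := REQUEST_LINE.search(run, pos)):
        txn = {"method": m.group(1).decode(), "uri": m.group(2).decode(),
               "resynced": m.start() != pos, "complete": False}
        headers_end = run.find(b"\r\n\r\n", m.end())
        if headers_end < 0:                # run ended inside the header block
            txns.append(txn)
            break
        txn["headers"] = parse_headers(run[m.end():headers_end])
        length = int(txn["headers"].get("content-length", "0"))
        body_start = headers_end + 4
        txn["body"] = run[body_start:body_start + length]
        txn["complete"] = len(txn["body"]) == length
        txns.append(txn)
        pos = body_start + len(txn["body"])
        if not txn["complete"]:            # body cut off by the end of the run
            break
    return txns

ISN = 1000
# Constructed client-side byte stream: three requests of 65, 83 and 44 bytes.
CLIENT_STREAM = (
    b"GET /orders/42 HTTP/1.1\r\nHost: shop.example\r\nCookie: uid=u123\r\n\r\n"
    b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 16\r\n\r\n"
    b'{"order":"A-99"}'
    b"GET /health HTTP/1.1\r\nHost: shop.example\r\n\r\n"
)
# Segment boundaries as stream offsets. "lost" (137..144, inside the POST body)
# never reaches the tap; "d" is seen twice; "c" and "f" arrive before their turn.
SEGMENTS = {"a": (0, 40), "b": (40, 65), "c": (65, 100), "d": (100, 137),
            "lost": (137, 144), "e": (144, 170), "f": (170, 192)}
ARRIVAL_ORDER = ["a", "c", "b", "d", "d", "f", "e"]

def run_demo():
    r = TcpReassembler(ISN)
    for name in ARRIVAL_ORDER:
        start, end = SEGMENTS[name]
        r.feed(ISN + start, CLIENT_STREAM[start:end])
    r.resync()  # the hole at 137..144 will never be filled
    return r, [t for run in r.runs for t in decode_http_requests(run)]
```

Calling run_demo() returns the reassembler (with the recorded hole and the duplicate count) and the decoded requests: the first GET is complete, the POST is flagged incomplete because the hole fell inside its body, and the final GET is recovered by scanning forward past the orphaned body bytes. A passive observer cannot recover the seven lost bytes; what it can do is confine the damage to one transaction instead of losing track of the whole connection.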

4. L2-L7 Content Analysis

After reassembling packets into full streams, the stream processor analyzes payload and content from Layer 2 through Layer 7, auto-discovering and classifying every device and client communicating on the network. The platform also continuously maps the relationships between all clients, applications, and infrastructure communicating on the network. Over 3,400 metrics are measured and recorded out of the box and associated with these auto-discovered systems.

Full-content analysis supports dozens of protocols, providing key performance indicators such as the database methods used and their processing time, file access by user, storage access time and errors, DNS response time and errors, web URI processing time and status codes, SSL certificates and their expiration dates, and load-balancer and firewall latency. The platform also gathers detailed TCP metrics such as receive-window throttles, retransmission timeouts, and Nagle delays.

The result is the most comprehensive set of KPIs out of the box and near-immediate time-to-value for our customers.

(Graphic: Modular Protocol Framework) The ExtraHop platform is fluent in dozens of application protocols, enabling it to extract detailed transaction metrics.

Rapid Programmability: Application Inspection Triggers

The ExtraHop platform is fully programmable, putting you in control of the richest and most objective source of IT and business insight. Application Inspection Triggers are the event-driven programmable interface to the real-time stream processor and to every stream transaction it decodes. Triggers let you programmatically extract wire data events and correlated metrics that are specific to your business, infrastructure, network, clients, and applications.

With Application Inspection Triggers, you can be as surgical or as verbose as you want and extract nearly anything, from a single header to the full application payload. For HTTP payloads, for example, this can include revenue, order IDs, unique user IDs found in cookies or URIs, and even web page titles or the error descriptions a developer embeds in a 500-status response. It does not matter what is carried over HTTP: SOAP/XML, REST, JSON, AJAX, JavaScript, or HTML5. The same principle and functionality hold for all of the natively decoded protocols. You can also use triggers to extract, measure, and visualize data from fields you define, or to decode proprietary protocols that run over TCP or UDP.
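The following added example models the trigger idea described above: handlers registered for a transaction event that pull business fields (an order ID from the URI, a user ID from a cookie, the developer's error text from a 500 response) out of already-decoded HTTP transactions and roll them into custom metrics. It is a hypothetical model written for this page, not ExtraHop's trigger API, and the transaction dicts, the event name HTTP_RESPONSE and the names TriggerEngine, business_fields and status_and_revenue are the example's own assumptions; the sample transactions are constructed.

```python
"""Event-driven extraction over decoded HTTP transactions, in the style of an
application inspection trigger. Hypothetical model written for this page, not
ExtraHop's trigger API; the transactions below are constructed sample data."""
import json
import re
from collections import defaultdict

ORDER_URI = re.compile(r"^/orders/([A-Za-z0-9-]+)")

class TriggerEngine:
    """Dispatches each decoded transaction to the handlers registered for its event."""
    def __init__(self):
        self.handlers = defaultdict(list)
        self.metrics = defaultdict(int)   # custom counters keyed by name
        self.records = []                 # one extracted record per transaction

    def on(self, event, handler):
        self.handlers[event].append(handler)

    def emit(self, event, txn):
        for handler in self.handlers[event]:
            handler(txn, self)

def cookie_value(header, name):
    """Return the value of one cookie from a Cookie request header, or None."""
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None

def error_description(body):
    """Developer-embedded error text from a 500 response: the JSON 'error' or
    'message' field if the body is a JSON object, otherwise its first text line."""
    try:
        doc = json.loads(body)
        if isinstance(doc, dict):
            return str(doc.get("error") or doc.get("message") or "")
    except ValueError:
        pass
    return body.decode(errors="replace").splitlines()[0][:80] if body else ""

def business_fields(txn, ctx):
    """Trigger handler: order ID, user ID and error text for one transaction."""
    rec = {"uri": txn["uri"], "status": txn["status"]}
    if (m := ORDER_URI.match(txn["uri"])):
        rec["order_id"] = m.group(1)
    uid = cookie_value(txn["request_headers"].get("cookie", ""), "uid")
    if uid:
        rec["user_id"] = uid
    if txn["status"] >= 500:
        rec["error"] = error_description(txn["body"])
    ctx.records.append(rec)

def status_and_revenue(txn, ctx):
    """Trigger handler: per-status counts plus revenue from successful order responses."""
    ctx.metrics[f"status_{txn['status']}"] += 1
    if txn["status"] == 200 and ORDER_URI.match(txn["uri"]):
        try:
            ctx.metrics["revenue_cents"] += int(json.loads(txn["body"])["total_cents"])
        except (ValueError, KeyError, TypeError):
            ctx.metrics["unparsed_order_bodies"] += 1   # body was not the expected JSON

# Constructed transactions, shaped as a decoder might hand them to triggers.
SAMPLE_TRANSACTIONS = [
    {"uri": "/orders/A-77", "status": 200, "request_headers": {"cookie": "uid=u123"},
     "body": b'{"order_id": "A-77", "total_cents": 4999}'},
    {"uri": "/checkout", "status": 500, "request_headers": {},
     "body": b'{"error": "inventory service timeout"}'},
    {"uri": "/orders/B-12", "status": 500, "request_headers": {"cookie": "theme=dark; uid=u456"},
     "body": b"Internal Server Error\nNullPointerException at OrderService.java:42"},
    {"uri": "/health", "status": 200, "request_headers": {}, "body": b""},
]

def run_demo():
    """Register both handlers, replay the sample transactions, return the engine."""
    engine = TriggerEngine()
    engine.on("HTTP_RESPONSE", business_fields)
    engine.on("HTTP_RESPONSE", status_and_revenue)
    for txn in SAMPLE_TRANSACTIONS:
        engine.emit("HTTP_RESPONSE", txn)
    return engine
```

After run_demo(), engine.records holds one record per transaction (the second has no user ID because no cookie was sent; the third takes its error text from the first line of a non-JSON body) and engine.metrics holds the per-status counts and the revenue summed only from successful order responses. Extraction of user identifiers and order data from payloads is powerful; treat what such triggers record as sensitive data in its own right.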

See Next: Index and Store