Observer GigaFlow

Conduct a Search and Apply a Macro (or Script)

See Reports > System Wide Reports > Device Connections and Reports > System Wide Reports > MAC Address Vendors in the Reference Manual to get a list of the MAC addresses associated with your network.

Search for a MAC Address

See Search in the Reference Manual for more.

Search for a MAC address to see what device it is connected to and the VLAN it is in:

  • Enter the entire MAC address into the search box.
  • You must enter the full address.
  • GigaFlow's MAC address search works for any standard MAC address format.

For example, searching for the MAC address 10:bd:18:be:e5:77 on our demo network:

Searching for a MAC address using GigaFlow Search.

After searching the MAC address a number of key pieces of information will be displayed in the right panel, including:

  • IP address.
  • Hostname.
  • MAC vendor.
  • Layer-3 devices/interfaces/interface tools.

Click an interface displayed in the left-hand dialog box to see more about the physical interface the device is connected to. The interface with the lowest MAC count is the one the device is actually connected to.

  • Click Live View on the right to display the live in- and out- utilisation of the interface.
  • Live View also provides speed, duplex and error count information for the interface.

Live view of Interface-In and Interface-Out.

  • Click on Connections in the right-hand side panel to see what other devices are connected to the same port.

Device connections.

The Magnifying Glass icon appears beside any piece of information that allows you to conduct a follow-on search:

  • Click on the IP address follow-on search to find out whether that address has been seen by any flow devices recently. The IP address search also shows any recent associated secflow data or events, e.g. blacklisted IP addresses.
  • Click on the MAC address follow-on search link to find out where the device is physically connected.

The Treeview, or Graphical Flow Map, will automatically load at the bottom of the search page. This is a visual representation of the in- and out- traffic associated with a selected device.

To explore the Graphical Flow Map:

Graphical Flow Map.

  • Click on any icon to show more information.
  • Click on the Destination Apps icon or the Source Apps icon for a breakdown of the applications. You can click on these to expand the tree.
  • Move the pointer over icons to display the DNS Information of each device, showing how much traffic has been used.
  • Click + to see more devices in a tree of many branches.
  • The size of the line linking any two devices is proportional to the traffic volume between them.
  • Click on any line in the Treeview table to filter only inbound or only outbound traffic. This will open a report showing traffic for the past two hours.

Forensic Report: Application Flows.

Search for a Username

  • Enter a username, or part of a username, into the search box.
  • GigaFlow will tell you if that username, or any variation of it, has been seen on your network.
  • Click on any of the search results to display its associated information in the right-hand side panel.
  • Click the associated IP address.

Search for a Network Switch

To search for a specific network switch:

  • Enter the switch IP address into the search box.
  • Click the icon beside the displayed switch; this will open the Device Connections table.
  • The Device Connections table shows connections to any one port on any one VLAN.
  • You can filter information by entering an interface, or device etc., into the search bar at the top-right of the table.

Searching for a Switch.

To make a follow-on search from a specific device or switch:

  • Using switches from previously displayed tables, you can search for any switches of similar origin, e.g. containing the same name elements.
  • Click on the desired switch; this reopens the Device Connections table.
  • You can also search by VLAN.

Apply a Macro (or Script) to a Switchport

Using GigaFlow Search, enter a known IP address associated with the switch, or the switch name, and search:

Searching for a Switch.

  • Click on the displayed switch name, in this case SG200-26(172.21.21.250).
  • Click on Int Tools in the Tools section of the right-hand side panel.

Interface tools.

  • Click on Interfaces next to Overview, at the top of the page.

Interface tools.

  • Find the interface that the script will run on.
  • On that interface click IF Script Test in the last column on the right.
  • Add the ticket number into the description field.
  • Select the script.
  • Click Submit.
  • GigaFlow will check that the interface is not an uplink to another switch.
  • The script will be applied to the switch.
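The two rules this procedure relies on, choosing the interface with the lowest MAC count as the connected port (see Search for a MAC Address above) and refusing to script an interface that looks like an uplink, can be illustrated in code. The following Python is an added example, not GigaFlow's own code; the forwarding-table rows and the MAC-count threshold used to decide what counts as an uplink are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed forwarding-table snapshot: (switch, interface, MAC learned on it).
# gi24 is assumed to be the uplink toward the rest of the network, so it learns many MACs.
FDB = [
    ("SG200-26", "gi1",  "10:bd:18:be:e5:77"),
    ("SG200-26", "gi24", "10-BD-18-BE-E5-77"),   # same host, also seen via the uplink path
    ("SG200-26", "gi24", "0011.2233.4455"),
    ("SG200-26", "gi24", "00:11:22:33:44:66"),
    ("SG200-26", "gi24", "00:11:22:33:44:77"),
    ("SG200-26", "gi5",  "aa:bb:cc:00:00:01"),
]

UPLINK_MAC_THRESHOLD = 3  # assumed: more distinct MACs than this looks like an uplink


def normalise_mac(mac: str) -> str:
    """Accept colon, hyphen, Cisco-dotted or bare hex forms; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_counts(fdb):
    """Number of distinct MACs learned per (switch, interface)."""
    seen = defaultdict(set)
    for switch, iface, mac in fdb:
        seen[(switch, iface)].add(normalise_mac(mac))
    return {port: len(macs) for port, macs in seen.items()}


def locate(fdb, mac):
    """Port the host is physically attached to: among ports that learned the MAC,
    the one with the lowest MAC count (an uplink learns it too, plus many others)."""
    target = normalise_mac(mac)
    counts = mac_counts(fdb)
    ports = {(s, i) for s, i, m in fdb if normalise_mac(m) == target}
    return min(ports, key=lambda p: counts[p]) if ports else None


def script_allowed(fdb, switch, iface):
    """Guard before applying a port script: refuse interfaces that look like uplinks."""
    count = mac_counts(fdb).get((switch, iface), 0)
    if count > UPLINK_MAC_THRESHOLD:
        return False, f"{switch} {iface} carries {count} MACs; looks like an uplink"
    return True, f"{switch} {iface} carries {count} MAC(s); safe to script"


if __name__ == "__main__":
    print(locate(FDB, "10bd18bee577"))          # ('SG200-26', 'gi1')
    print(script_allowed(FDB, "SG200-26", "gi24"))
```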