Network analysis details

Detailed information about a selected node or edge is displayed below the blueprint graph. Depending on the selected item type, the panel shows tabs covering the host, file downloads, network flows, web requests, name resolutions, and TLS data.

Host tab

The Host tab presents information about the host corresponding to the selected host node. It contains the following sections:

  • Evidence Lists the evidence affecting the selected host.

  • Host bandwidth Shows the bandwidth for the selected host. The bandwidth is derived from the available flow records for the given host.

  • Host facts Shows network-analysis facts for the selected host. These include details about services, applications, and operating systems detected on the selected host. These data are obtained from examining DNS queries, the user agents in Web requests, and other heuristics.

  • Incidents Shows incidents affecting the selected host.

  • Events Shows events affecting the selected host.

  • Info events Shows INFO-type events affecting the selected host.

  • Captured traffic Shows traffic captures of interesting network activity affecting the selected host.

File downloads tab

The File downloads tab presents information about files that were downloaded by the host corresponding to the selected host node. It contains the following sections:

  • File downloads Lists the downloaded files. The format of the list is described in File downloads list.

Network flows tab

The Network flows tab presents information about flow records that were recorded as originating from the host corresponding to the selected host node or, if an edge is selected, flow records exchanged between the two hosts that the edge connects. It provides the following details about each record:

  • Start time Start time of the activity recorded in the flow record.

  • End time End time of the activity recorded in the flow record.

  • Source host The source IP address and port number.

  • Contacted host The destination IP address and port number.

  • Transport protocol The protocol used to transport the activity recorded in the flow record.

  • Application protocol The protocol used by the application of the activity recorded in the flow record.

  • Sent Number of packets/bytes sent as recorded in the flow record.

  • Received Number of packets/bytes received as recorded in the flow record.

  • Tags Optional additional information about the destination of the flow record.

Web requests tab

The Web requests tab presents information about web requests/responses that were recorded as originating from the host corresponding to the selected host node. If you select an edge connecting two host nodes, the tab shows records for web requests from one host to the other. It provides the following details about each record:

  • Start time Start time of the request. Click the plus icon to view the request and response headers.

  • End time End time of the request.

  • Source IP The IP address and port number of the source system.

  • Contacted IP The IP address and port number of the contacted Web server.

  • Contacted Host The hostname of the contacted Web server.

  • Request The request type and path.

  • User agent The user agent specified in the request.

  • Response code The HTTP status code contained in the corresponding response.

  • Tags Optional additional information about the destination of the web request.

Name resolutions tab

The Name resolutions tab presents information about DNS requests/responses that were recorded as originating from the host corresponding to the selected host node. It provides the following details about each record:

  • Timestamp The start timestamp of the DNS request.

  • Source IP The source IP address.

  • Nameserver The IP address of the DNS nameserver. If its geolocation is available, it is displayed by a flag icon.

  • Name The resource record name.

  • Type The resource record type. For example, A for address record, CNAME for canonical name, MX for mail exchange record, etc.

  • RDATA The response data.

  • Error The response error code, if any.

  • TTL The time-to-live of the response.

  • Tags List of tags associated with the DNS request/response.

TLS Data tab

The TLS Data tab presents information about the TLS session captured from the selected host node. It provides the following details about each record:

  • Start time The start timestamp of the TLS session.

  • End time The end timestamp of the TLS session.

  • Source host The IP address of the source host.

  • Contacted host The IP address of the destination host. If its geolocation is available, it is displayed by a flag icon.

  • Server name indication The SNI of the session.

  • Leaf certificate subject info Subject information extracted from the leaf certificate.

  • Leaf certificate issuer info Issuer information extracted from the leaf certificate.

  • JA3 hash The JA3 fingerprint of the client side of the TLS handshake. The JA3 string is built from the ClientHello's TLS version, cipher suites, extensions, elliptic curves, and elliptic curve point formats, in the order the client sent them; the JA3 hash is the MD5 of that string. Because it is derived from the client's handshake alone, the same client software tends to produce the same fingerprint regardless of the server it contacts.

  • Tags List of tags associated with the TLS request/response.
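To make the JA3 field concrete, the following Python is an added example, not part of this product documentation or of any JA3 implementation the product uses. It serializes a constructed ClientHello (the host name example.test, the cipher suites, and the extension list are assumptions chosen for illustration), extracts the five JA3 fields from the raw record, drops GREASE placeholder values as JA3 requires, and produces both the JA3 string and its MD5 hash.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are placeholders that browsers rotate per connection;
# JA3 drops them so the fingerprint stays stable across connections.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16s(values):
    return b"".join(struct.pack("!H", v) for v in values)


def build_client_hello(version, ciphers, extensions):
    """Serialize a TLS record carrying a ClientHello (RFC 5246 layout).

    `extensions` is a list of (type, body) pairs. This builder only exists to
    construct test input for the parser below; it is not a TLS implementation.
    """
    body = struct.pack("!H", version) + bytes(32)          # legacy_version + random
    body += b"\x00"                                        # session_id length 0
    body += struct.pack("!H", 2 * len(ciphers)) + _u16s(ciphers)
    body += b"\x01\x00"                                    # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (version, ciphers, extension_types, curves, point_formats) as ints.

    GREASE values are kept here; ja3() removes them.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                  # skip type + 3-byte length
    version = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32                                            # legacy_version, random
    p += 1 + hs[p]                                         # session_id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    ciphers = list(struct.unpack(f"!{cs_len // 2}H", hs[p:p + cs_len]))
    p += cs_len
    p += 1 + hs[p]                                         # compression methods
    ext_types, curves, formats = [], [], []
    if p < len(hs):
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p < ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            ext_types.append(etype)
            if etype == 10:                                # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                curves = list(struct.unpack(f"!{n // 2}H", data[2:2 + n]))
            elif etype == 11:                              # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, curves, formats


def ja3(record):
    """Return (ja3_string, ja3_hash) for a ClientHello record.

    JA3 string = version,ciphers,extensions,curves,point_formats; each list is
    joined with '-', GREASE values removed, order as sent by the client.
    The JA3 hash is the MD5 of that string.
    """
    version, ciphers, exts, curves, formats = parse_client_hello(record)

    def clean(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)

    s = ",".join([str(version), clean(ciphers), clean(exts), clean(curves), clean(formats)])
    return s, hashlib.md5(s.encode()).hexdigest()


def build_sample_client_hello():
    """Constructed ClientHello with GREASE values mixed in (not a real capture)."""
    sni = b"example.test"                                  # hypothetical host name
    sni_body = struct.pack("!H", len(sni) + 3) + b"\x00" + struct.pack("!H", len(sni)) + sni
    extensions = [
        (0, sni_body),                                     # server_name
        (0x2a2a, b""),                                     # GREASE extension
        (10, struct.pack("!H", 8) + _u16s([0x1a1a, 29, 23, 24])),  # supported_groups, GREASE first
        (11, b"\x01\x00"),                                 # ec_point_formats: uncompressed
        (13, struct.pack("!H", 4) + _u16s([0x0403, 0x0804])),       # signature_algorithms
        (43, b"\x04" + _u16s([0x0304, 0x0303])),           # supported_versions
    ]
    return build_client_hello(0x0303, [0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f], extensions)


if __name__ == "__main__":
    s, h = ja3(build_sample_client_hello())
    print(s)   # 771,4865-4866-49195-49199,0-10-11-13-43,29-23-24,0
    print(h)
```

Note that the version field JA3 reports is the ClientHello's legacy_version, so a TLS 1.3 client that advertises 0x0304 only in the supported_versions extension still fingerprints as 771 (TLS 1.2). The GREASE cipher, extension, and curve present in the raw parse are absent from the JA3 string, which is why two connections from the same browser hash identically even though the placeholders change each time.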