Network view

Connection issues can occur across different devices, users, binaries and destinations. Network view accelerates troubleshooting and helps you identify the appropriate team or vendor to fix network-related issues by providing an interactive visualization of connection.events data.

Network_View_overview.png

Accessing Network view

Network view is available in various modules and features to simplify troubleshooting network-related issues.

Application module

This enables application owners to troubleshoot network connectivity issues for their desktop or network application.

To access Network view in Applications

  • Open up either a desktop or a network app in the Applications module.

  • For applications that are both web and desktop, click on the Desktop tab

  • View the Network tab

Refer to the Applications documentation page for more information.

Device view

Device view continues to allow troubleshooting of a particular device. To access Network view in Device view, open the Network tab. Refer to the Device View documentation page for more information.

Investigations module

Investigations allows you to investigate issues by writing and updating a query and visualizing it in Network view. To see Network view in Investigations:

  • From the Visual editor on the Investigation page, select Connection Events in the Display dropdown.

  • From the NQL editor on the Investigation page, run a query with connection.events table.

Refer to the Investigations documentation page for more information.

Search enables you to quickly troubleshoot a particular binary, user, destination domain or port by taking you to prefiltered investigations.

  • To troubleshoot a destination domain or port:

    • Type in a specific destination domain or port, whether or not it is configured in Nexthink. Click on Connections to the destination in the pop-up search window, then open the Network tab on the loaded page.

  • To troubleshoot a binary, user or device:

    • Select Retrieve all > (Connection) Events from the binary action menu in the pop-up search window, then open the Network tab on the loaded page. See the image below.

The system filters the Network view visualization based on the entry point you use. For instance, it displays Network view with pre-filtered connection events for a particular binary.

NetworkView-1709903355.png

Refer to the Search documentation page for more information.

Data privacy in Network view

To prevent users from seeing sensitive data in Network view or investigations, define Data privacy:

  • Destinations and domains: Set to Hidden to hide destinations and domains of connectivity events from the user.

  • Devices: Set to Hidden to hide device names from the user.

  • Users: Set to Hidden to hide user names from the user.

Data privacy restrictions apply to the connection.events data used by Network view.

Data privacy settings

Refer to the Roles documentation for more information.

Seeing Network view in Investigations

To see the Network view in Investigations, the query must use the Connection events table.

In the Visual editor, choose Connection Events in the Display dropdown.

In the NQL editor, ensure the query starts with connection.events.

To troubleshoot specific network-related issues using queries, refer to the Application Connectivity troubleshooting documentation.

Using Network view

Network view breaks down the selected metrics for connection.events into multiple properties and shows on the connection paths how properties relate. Nodes and lines represent these relationships.

The Network view connection paths display four columns by default. Click on nodes or lines to drill down to lower levels of the breakdown.

To switch from the displayed metrics and begin troubleshooting issues:

  1. Click the Display dropdown above the Network view visualization.

  2. Select one of the available metrics for the particular connection data set.

Network_View_metrics.png

Transport protocols in Network view

Sort the connection.events data displayed in Network view according to the transport protocol.

Find the following options above the Network view visualization:

  • Click TCP only for Transmission Control Protocol (TCP) connections established by a device.

  • Click UDP only for User Datagram Protocol (UDP) connections.

  • Click Any for both TCP and UDP.

Line thickness for visual comparison

The thickness of a line, which connects two nodes, is proportional to the metric value between those respective nodes when compared to the same metric values between different nodes in the same two columns.

The screenshot below shows the metric value between the columns Application → name and Destination type, which in this case represents failed_connections_ratio values.

line_thickness1.png

Considering the metric value in this case, the thin line between the Excel application node and the intranet destination represents a smaller failed_connections_ratio than that of the Microsoft Office application node.

line_thickness2.png

When viewing issue-related metrics, thick lines help you identify the most problematic areas.

Line coloring for issue detection

To identify issues quickly, lines are shown in red for the following issue-related metrics:

  • Failed connections ratio: failed_connections_ratio

  • Failed connections: number_of_failed_connections

  • Failed connections - no host: number_of_no_host_connections

  • Failed connections - no service: number_of_no_service_connections

  • Failed connections - no service: number_of_rejected_connections

For these issue-related metrics the system sets the transport protocol to TCP only as they exclusively apply to TCP connections.

Network_View_overview.png

For other metrics which are not issue-related, the lines are shown in blue.

non-negative_metric.png

Node sorting

The system sorts nodes in descending order within each column. This makes it likelier that thicker lines appear towards the top, but this is not always true.

Network view shows the top eight nodes in each column. If a column has more than eight nodes, the values are aggregated into the Others node at the bottom of the column:

  • Click on More to open another eight nodes in a column.

  • Click Less to hide additional nodes.

To facilitate data interpretation, each node is associated with all paths going through it.

Hovering over a node or line

Hover over a node or a line to highlight the connection metric value that goes through that node or line.

The example below highlights the ratios of failed connections involving users from Product department and the excel.exe application.

hovering_over.png

When hovering over a node or line, the tooltip also shows AI-generated insights about it to facilitate troubleshooting. Depending on the node or connection type, these can be helpful in the following ways:

  • Accelerate troubleshooting by showing what a specific node is and its purpose without having to search the web.

  • Help identify connections that are non-compliant and might be security risks by:

    • Enabling you to diagnose whether a connection is normal or unusual.

    • Allowing you to see whether the value is concerning for the following metrics:

      • Connection RTT

      • Number of failed connections considered together with Failed connection ratio

Node and line insights are only available for certain node types, such as Binaries, and the following metrics:

  • Failed connections

  • Failed connection ratio

  • Connection RTT

Drilling down to specific fields

Network view displays four columns by default. Each column is associated with a hierarchy of fields to reduce the number of nodes shown on the screen.

The table below lists the hierarchy of fields for each column, which goes from general to specific.

| Column 1: Devices | Column 2: Users | Column 3: Binaries | Column 4: Destinations |
| --- | --- | --- | --- |
| Organization → Region | AD → Department | Application → Name | Destination → Type |
| Organization → Suborg | Username | Binary → Product name | Destination → Owner |
| Organization → Entity | | Binary → Name | Destination → Country |
| Device → Name | | Binary → Version | Destination → Data center region |
| | | | Destination → Domain name |

To drill down on a Network view field, you have the following options:

  • Click on a node in the Network view visualization

  • Click on a line between two nodes

After clicking on a node or line, you can navigate back up the hierarchy using the expandable dropdowns in each column heading in Network view.

Leaf count

Each node can have layers beyond it, which consist of nodes on the same level. When a node has one or more layers below it, the number of nodes on the bottommost layer is shown in brackets next to the node's name. For example:

  • In the Devices column, it is the count of devices

  • In the Users column, it is the count of users

When a node does not have child nodes, the node is called a leaf node. Therefore, the bracketed numbers show the leaf count for each node, helping you understand the scale of a possible issue at a glance.

In the Binaries column, the number is the count of binary MD5 hashes.

Node leaf count

The leaf count is also shown for each column next to the column name.

Clicking on a node

Click on the node to apply a filter for it and drill down one level in the column hierarchy.

In the example below, Network view applies a filter for the Zoom application.

node_click_start.png

Therefore, the third column levels down from Application → Name to Binary → Product name.

node_click_result.png

The visualization and breakdowns are now as follows:

| Column 1: Devices | Column 2: Users | Column 3: Binaries | Column 4: Destinations |
| --- | --- | --- | --- |
| Organization → Region | AD → Department | Application → Name | Destination → Type |
| Organization → Suborg | Username | Binary → Product name | Destination → Owner |
| Organization → Entity | | Binary → Name | Destination → Country |
| Device → Name | | Binary → Version | Destination → Data center region |
| | | | Destination → Domain name |

Clicking on a line

Click on a line to:

  • Apply a filter for the selected line, which is equivalent to clicking on the two nodes it connects.

  • Drill down one level in the hierarchy of the connected columns.

line_click_start.png

Therefore, using the example from above, clicking the line between the nodes Zoom and internet results in:

  • The third column levels down from Application → Name to Binary → Product name

  • The fourth column levels down from Destination → Type to Destination → Owner.

line_click_result.png

The visualization and breakdowns are now as follows:

| Column 1: Devices | Column 2: Users | Column 3: Binaries | Column 4: Destinations |
| --- | --- | --- | --- |
| Organization → Region | AD → Department | Application → Name | Destination → Type |
| Organization → Suborg | Username | Binary → Product name | Destination → Owner |
| Organization → Entity | | Binary → Name | Destination → Country |
| Device → Name | | Binary → Version | Destination → Data center region |
| | | | Destination → Domain name |

To navigate back up the hierarchy of the Network view fields after clicking on nodes or lines:

  1. Click on the dropdown in the Network view column heading.

  2. Click on any field names above the current level in the hierarchy.

navigating_back.png

When you access Network view specific to a binary or destination domain, the system applies filters to the column in Network view and sets the hierarchy to match the requested field.

The example below shows pre-filtered Alive connections data for the excel.exe binary. Click Clear filters to remove any field hierarchy filters.

| where binary.binary.name in ["excel.exe"]

clear filters.png

Displaying ports

Toggle the Show ports button to view an additional column with the ports that have network connection activity. This enables you to troubleshoot when ports are being incorrectly blocked by the firewall or to identify ports that have unexpected traffic.

Since there can be thousands of ports connected, the system only displays 20 ports with the top metric values within the existing filter and timeframe context.

Example

Let’s say that we are looking at the Network view with the following parameters:

  • Application: Microsoft 365: Outlook

  • Timeframe: Last 7 days

  • Metric: Failed connections

  • Filter: Binary name (we have clicked the outlook.exe binary node)

When the Show ports toggle is enabled, the system determines and displays the top 20 ports with the most failed connections for the Microsoft 365: Outlook application and the outlook.exe binary.

show_ports1.png

Since the system only displays the top 20 ports, nodes in other columns may change depending on whether they use those top 20 ports.

The system determines the top 20 ports each time you click on a node or line. Depending on the data, the exact ports displayed may change as you drill down.

If you start from a query that is already filtered on one or more ports, for instance, by using search, Network view automatically displays the Ports column with the specified ports.

Example

If you start with the following NQL query containing a filter on two ports and then navigate to the Network tab, the Ports column with the 3268 and 443 ports appears. In this case, the system does not limit the number of ports displayed in the Network view.

connection.events during past 7d
| where application.name == "*Outlook*"
| where destination.port in [3268, 443]

show_ports2.png

Failed connections and failed connection ratio

When looking at the number of failed connections, it is important to consider the failed connection ratio as well.

For example, when looking at the ports column in this screenshot, port 443 is at the very top with the most failed connections.

image-20240419-120923.png

When we hover over this node, however, we see that there are a lot of attempted connections (410k) through the port. The percentage of connections that have failed is low: 0.82%.

image-20240419-121022.png

If we look at the port with the next highest number of failed connections, 3268, we see a different story. 100% of the connections through this port are failing. Given the high absolute number of failed connections and the high failed connection ratio, this would be something to investigate.

image-20240419-121228.png
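The triage described above, as an added example that is not Nexthink code: it aggregates connection rows per destination port, keeps the top ports by failed connections within an optional binary filter, and flags a port only when both the failed count and the failed ratio are high. The row layout, the function names and the `min_failed` / `min_ratio` thresholds are assumptions; the sample rows are constructed to mirror the figures in the text (410k attempts at 0.82% on port 443, 100% failures on port 3268).

```python
from collections import defaultdict

# Constructed sample rows (not real data):
# (binary_name, destination_port, connections, failed_connections)
SAMPLE_EVENTS = [
    ("outlook.exe", 443, 250_000, 2_050),
    ("outlook.exe", 443, 160_000, 1_312),
    ("outlook.exe", 3268, 1_900, 1_900),
    ("outlook.exe", 3268, 700, 700),
    ("outlook.exe", 80, 5_000, 40),
    ("outlook.exe", 993, 12, 12),   # 100% failing, but only a handful of attempts
    ("teams.exe", 443, 90_000, 30),
]


def port_stats(events, binary=None):
    """Sum attempted and failed connections per port, optionally for one binary."""
    totals = defaultdict(lambda: [0, 0])
    for name, port, connections, failed in events:
        if binary is not None and name != binary:
            continue
        totals[port][0] += connections
        totals[port][1] += failed
    return {
        port: {
            "connections": c,
            "failed": f,
            # Guard against ports with no attempted connections.
            "ratio": f / c if c else 0.0,
        }
        for port, (c, f) in totals.items()
    }


def triage_ports(events, binary=None, top_n=20, min_failed=100, min_ratio=0.05):
    """Rank ports by failed connections and flag those worth investigating.

    A port is flagged only when the absolute number of failures AND the
    failed ratio exceed the (assumed) thresholds, so a busy port with a
    low ratio and a quiet port with a high ratio are both left unflagged.
    """
    stats = port_stats(events, binary)
    ranked = sorted(stats.items(), key=lambda kv: (-kv[1]["failed"], kv[0]))
    return [
        {
            "port": port,
            **s,
            "investigate": s["failed"] >= min_failed and s["ratio"] >= min_ratio,
        }
        for port, s in ranked[:top_n]
    ]


if __name__ == "__main__":
    for row in triage_ports(SAMPLE_EVENTS, binary="outlook.exe"):
        print(f'{row["port"]:>5}  failed={row["failed"]:>6}  '
              f'ratio={row["ratio"]:.2%}  investigate={row["investigate"]}')
```
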

Connections timeline

The Connections timeline displays the selected metric’s development over time. For example, if you have selected Failed connections, it will show the number of failed connections across the timeframe selected in the timeframe picker.

The timeline is synchronized with the connection paths. When you drill down or up on nodes, the timeline chart will update accordingly. If you are in the Investigations module and you have applied filters to your query, these filters will apply to both the connection paths and the timeline.

Zooming in on a time period using the timeline

The Connections timeline is interactive. To focus on a specific period of interest, click and drag your mouse cursor over that timeframe in the timeline.

This action will load both the Network view chart and the timeline for that period, allowing you to analyze connections data during that time.

Currently, dragging to select a period on the timeline does NOT update the timeframe picker at the top of the page. To align the displayed data with the selection in the timeframe picker, click the Reset timeframe button located above the Connections timeline.

Network view capacities

Network data

Network view is tied to the Application connection data (connection.events), which are the connections as observed from the operating system level.

  • This does not join with device-level connectivity data (connectivity.events). For example, this does not give visibility into slow connection RTT time and their Wi-Fi access points or Wi-Fi strength.

  • This does not join with browser-level connectivity data (web.events, web.errors). For example, this does not give visibility into whether the employee is seeing certain HTTP errors or is connecting over HTTPS or HTTP.

  • This does not join with application / service specific connection data (collaboration.sessions). For example, this does not give visibility into Teams call quality or Zoom call jitter.

  • Nexthink does not do any synthetic connections or traceroutes, so this does not provide insight into the intermediary hops via gateways.

NQL 10,000 row limit

Network view is restricted to a maximum of 10,000 unique connection paths.

A connection path is a distinct permutation of values in each of the four columns of Network view. The table below is an example of connection paths.

See Using Network view on this page for more information about Network view columns and field hierarchy.

| Path | Column 1: Devices (Organization → Region) | Column 2: Users (AD → Department) | Column 3: Binaries (Application → Name) | Column 4: Destinations (Destination → Type) |
| --- | --- | --- | --- | --- |
| 1 | United States | Null | Null | internet |
| 2 | United States | Null | Null | intranet |
| 3 | United States | Null | Null | data center |
| 4 | United States | Null | Null | unknown |
| 5 | United States | Null | Chrome | internet |
| … | … | … | … | … |
| 10,000 | Singapore | Engineering operations | Photoshop | unknown |

Query time-out

Network view queries take time to load significant amounts of connection data. To expedite the loading time, reduce the amount of connection data by:

  • Decreasing the timeframe.

  • Applying filters.

