Viewing web requests with Finder (classic)

Nexthink Finder is a Windows-only desktop application whose functionality is now available within the Nexthink web interface. Nexthink can now be used directly from a browser and most functions no longer require an additional desktop application.

If you added the Web & Cloud product to your installation of the Nexthink Platform, you can visualize web requests in a graphical way with the Web activity view. The Web activity view relates all the objects that participate in a web request in much the same way that the Network activity view displays network connections, since a web request is a special kind of connection.

To open the Web activity view:

  1. Execute an investigation based on web requests or on any of the objects that participate directly or indirectly in a web request: device, user, application, executable, binary, port or destination.

  2. From the list of results, click the Web button at the top of the list.

You can also open the Web activity view from other contexts such as the device view or the web services view. In any case, an underlying investigation is generated for you, displaying the Web activity that corresponds to that investigation.

Interpreting the Web activity view

The Web activity view arranges the objects that participate in a web request in six columns. The first five columns are the same as those of the Network activity view: device, user, binary, port and destination. The Web activity view adds a new column: domain. The domain column exposes the visited web domains and relates them to internal or external destinations. As in the Network activity view, straight lines link the objects of contiguous columns. The lines represent the kind of information selected in the Display choice list, found in the top left corner of the diagram, and their thickness indicates the amount of data displayed. You can choose to display incoming or outgoing web traffic, successful or failed HTTP or TLS connections and their duration and response times.

Grouping domains

The objects in the columns of the Web activity view can be collapsed into groups or expanded exactly in the same way as the objects in the Network activity view. In addition, there are some special groups of domains that are created when collapsing individual domains and that you can see when you hover the cursor over the icon of the domain group:


Groups those domains whose names are not fully qualified domain names. Aliases usually appear when end-users configure automatic search for local domains. For example, the domain svn can be an alias for


Groups domains that do not have a name. Individual unnamed domains are represented by their IP address.


Fully qualified domain names are grouped by their top-level domain name (com, org, country code, etc.).
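The three grouping rules above can be reproduced over exported domain values, for instance to triage single-label names and raw IP destinations outside the view. This is an added example, not Nexthink code: the labels `alias`, `unnamed` and `tld:<name>` are hypothetical, the sample values are constructed, and treating any name without a dot as not fully qualified is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of values as they might appear in the domain column.
SAMPLE = ["svn", "intranet", "192.0.2.10", "[2001:db8::1]",
          "www.example.com", "docs.example.org",
          "portal.example.co.uk", "example.com."]


def classify_domain(name: str) -> tuple[str, str]:
    """Return (kind, key) for one domain value.

    kind is 'unnamed' (IP address only), 'alias' (not fully qualified)
    or 'tld' (fully qualified, key is the top-level domain).
    """
    host = name.strip().rstrip(".").lower()
    if not host:
        return ("unnamed", "")
    # IPv6 literals may arrive bracketed, as they do in URLs.
    literal = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(literal)
        return ("unnamed", "ip")
    except ValueError:
        pass
    # Assumption: a single-label name (no dot) is not fully qualified.
    if "." not in host:
        return ("alias", "alias")
    return ("tld", host.rsplit(".", 1)[1])


def group_domains(names):
    """Collapse individual domain values into labelled groups."""
    groups = defaultdict(set)
    for name in names:
        kind, key = classify_domain(name)
        label = f"tld:{key}" if kind == "tld" else kind
        groups[label].add(name)
    return {label: sorted(members) for label, members in sorted(groups.items())}


if __name__ == "__main__":
    for label, members in group_domains(SAMPLE).items():
        print(f"{label:10} {members}")
```
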

If there are many domains and they do not fit in their column, you can reach all domains by scrolling with the arrows that appear above and below the column, exactly as you would do with any other column that is also in the Network activity view.

Navigating through paths and objects

The navigation in the Web activity view follows the same rules as in the Network activity view. You can select paths or objects and drill down or execute one-click investigations in the same way as in the Network activity view. The difference is that the Web activity view does not show information about connections in general, but rather information solely about web requests. On the other hand, you have additional information about domains.

When you click on a line of the Web activity joining two objects, a full path from device to destination is highlighted based on your selection. Right-click the path to drill down to related objects or activities or execute a related one-click investigation, as you would do from the list results of an executed investigation. You can select several paths at the same time by pressing the Ctrl key while you click the paths.

If the Web activity corresponds to an investigation based on objects and not directly based on web requests, a list of objects from the results of the investigation appears to the left of the diagram. For instance, if you execute an investigation on devices and then select the Web activity view, the left side of the diagram displays a list of the devices included in the results of the investigation. The list of objects interacts with the displayed lines of the Web activity diagram. If you select a path in the Web activity diagram, the objects that took part in the selected connections are highlighted in the list. The reverse is also true: if you select a specific object from the list, paths representing connections in which the object took part are highlighted in the Web activity diagram. Again, you can select several paths or several objects at the same time by pressing the Ctrl key while clicking the lines or the names of the objects. Right-click the name of an object to get the usual drill-down and one-click investigation options associated with the object.

The bar chart of time limited investigations

The functionality of the bar chart in the Web activity view is also very similar to that of the bar chart in the Network activity view. Thanks to the bar chart, you can see a timeline of the web activity and establish the correspondence between bars of activity and paths in the diagram.

If the Web activity view relates to an investigation limited in time (full period investigations and investigations specifying Between hours are excluded), a bar chart spanning the period of the investigation appears below the diagram of columns. The height of a bar represents a quantity that depends on the type of information selected in the Display choice list, in the same way as the thickness of a line in the diagram does. The value of a bar is valid within the time that corresponds to its width. Hover the cursor over a bar to display the numeric value represented and the time interval that the bar spans. Finder automatically computes the width of the bars and scales them to fit the time frame of the underlying investigation:

  • For a maximum time frame of 7 days, a bar represents 2 hours of data.

  • For a minimum time frame of 30 minutes, a bar represents 30 seconds of data.

The bars in the chart also interact with the path lines of the Web activity diagram. Click a bar and the associated paths will be highlighted in the diagram. Click a line of the Web activity diagram and the corresponding sections of the bars will be highlighted in the bar chart. Once again, you can select several lines or several bars by clicking them while you press the Ctrl key. Right-click a bar or a group of selected bars to drill down to related objects or activities or to execute one-click investigations.

Zooming in and out

Limit the number of web requests displayed in the diagram to those that you select using the zoom tool. You can equally limit them to the selected bars in the bar chart.

To limit the number of lines in a diagram to those that correspond to one or more bars in the bar chart, use the zoom in icon (the magnifying glass with a plus sign) in the top right corner of the Network activity diagram. Selecting one or more bars in the bar chart enables the zoom in icon. Click the zoom in icon and only the lines that relate to the bars selected will remain displayed in the diagram. After zooming in, return to the original time frame by clicking the zoom out icon that lies to the right of the zoom in icon.

Similarly, you can reduce the number of paths in a diagram to those selected using the zoom. Select one or more paths in the diagram and click the zoom in icon. Only the selected paths and their related objects remain displayed in the diagram. Click the zoom out icon to come back to the previous zoom level.

Limits of the diagram

The diagram is not able to show more than ten thousand paths. When the maximum number of paths is exceeded, a yellow warning icon shows up in the top right corner of the diagram to inform you that only partial results are displayed.
