2 Replies Latest reply on Jan 12, 2015 11:25 AM by patricktw

    Identifying the destination of traffic when top host is shown as ".:"

    patricktw

      I had a weird issue the other day and was hoping someone could explain how to dig in a bit deeper to find the destination of a flow.


      When I brought up the top Endpoints page and filtered for a certain time period, I got most of my normal high-bandwidth hosts, but the top host was a period followed by a colon, ".:". I'll call this the mystery host for now.


      Looking at the other hosts, it is usually their DNS entry followed by the IP address in parentheses and a colon, i.e. "awesomewebsite.com (8.4.1.20):"


      Clicking on the mystery host brings up the same screen. I'm wondering if this period is a DNS hostname or maybe a bug? How can I tell? Example pic below.


      (attached screenshot: periodhost.PNG)

        • Re: Identifying the destination of traffic when top host is shown as ".:"
          choly

          Strange. I remember I actually saw an IP which returned '.' as a hostname if asked for reverse DNS some time ago...

          Could you try to click the plus button on the line with the mystery host, and click one of the devices which reported that traffic? This will lead you to the endpoint details page, where you should get a listing of IP addresses seen for that host (with an option to manually edit the hostname for it), plus a bunch of charts showing related traffic, to help you figure it out.

            • Re: Identifying the destination of traffic when top host is shown as ".:"
              patricktw

              Thank you, choly


              I checked our top Endpoints page again, looking for ingress hosts, and found that the "." host was still present. Opening up the plus button led to several devices, and it was apparent which interface the majority of the traffic was coming through (compared against the Ingress Bytes or Ingress Packets field). After that, checking the interface brought up the IP address.


              It seems this can also show multiple hosts, so we'll have to play around with this until we can clearly identify which host is the source of the traffic.
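The two things this thread turns on, a reverse-DNS answer that is only "." and the drill-down from a top-endpoints row through the reporting device and interface to the real IP address, can be reproduced offline. The script below is an added example and is not SolarWinds code or anything from the posters; the flow records, device and interface names, and the PTR answers are all constructed, and the "." answer stands in for the degenerate reverse-DNS result choly mentions. It aggregates ingress bytes per destination, builds the "hostname (ip):" label but falls back to the bare address whenever the PTR target is empty or the root, reports which exporter/interface carries most of the traffic to a given endpoint (the check patricktw did by hand), and lists every endpoint whose reverse name is unusable so they can be reviewed rather than hidden behind ".:".

```python
import socket
from collections import defaultdict

# Constructed sample flow records: (exporting device, interface, destination IP, ingress bytes).
# Devices, interfaces and the 198.51.100.x / 203.0.113.x addresses are documentation values.
FLOWS = [
    ("core-rtr1", "Gi0/1", "203.0.113.7", 900_000),
    ("core-rtr1", "Gi0/2", "203.0.113.7", 50_000),
    ("edge-fw1",  "eth1",  "203.0.113.7", 120_000),
    ("core-rtr1", "Gi0/1", "8.4.1.20",    400_000),
    ("edge-fw1",  "eth1",  "8.4.1.20",    200_000),
    ("core-rtr1", "Gi0/2", "198.51.100.9", 75_000),
]

# Constructed PTR answers standing in for live reverse DNS, so the example runs offline.
PTR_ANSWERS = {
    "8.4.1.20": "awesomewebsite.com.",  # normal PTR target, with the trailing root dot
    "203.0.113.7": ".",                 # degenerate PTR whose target is just the root
    "198.51.100.9": None,               # no PTR record at all (NXDOMAIN)
}


def reverse_lookup(ip, ptr=PTR_ANSWERS):
    """Return the PTR target for ip from the constructed table, or None."""
    return ptr.get(ip)


def live_reverse_lookup(ip):
    """Same contract against the real resolver; not used by the offline demo."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def endpoint_label(ip, ptr=PTR_ANSWERS):
    """Build 'hostname (ip):' as a top-endpoints view does, but never lose the IP.

    A PTR target of '.' becomes empty once the root dot is stripped; treat that
    exactly like a missing PTR and show the address on its own."""
    name = reverse_lookup(ip, ptr)
    name = name.rstrip(".") if name else ""
    if not name:
        return f"{ip}:"
    return f"{name} ({ip}):"


def top_endpoints(flows=FLOWS, ptr=PTR_ANSWERS):
    """Rank destinations by total ingress bytes; returns (label, ip, bytes) tuples."""
    totals = defaultdict(int)
    for _device, _iface, dst, nbytes in flows:
        totals[dst] += nbytes
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(endpoint_label(ip, ptr), ip, total) for ip, total in ranked]


def top_interface(ip, flows=FLOWS):
    """Drill-down: the (device, interface) that reported the most ingress bytes to ip."""
    per_iface = defaultdict(int)
    for device, iface, dst, nbytes in flows:
        if dst == ip:
            per_iface[(device, iface)] += nbytes
    if not per_iface:
        return None
    (device, iface), nbytes = max(per_iface.items(), key=lambda kv: kv[1])
    return device, iface, nbytes


def degenerate_ptr_endpoints(flows=FLOWS, ptr=PTR_ANSWERS):
    """IPs seen in the flows whose reverse name is missing or only the root."""
    seen = {dst for _device, _iface, dst, _nbytes in flows}
    return sorted(ip for ip in seen if not (reverse_lookup(ip, ptr) or "").rstrip("."))


if __name__ == "__main__":
    for label, ip, total in top_endpoints():
        device, iface, nbytes = top_interface(ip)
        print(f"{label:40} {total:>10} bytes  mostly via {device} {iface} ({nbytes} bytes)")
    print("endpoints with unusable reverse names:", degenerate_ptr_endpoints())
```

Swapping `reverse_lookup` for `live_reverse_lookup` in `endpoint_label` turns the same code into a quick check of what the resolver really returns for a suspect address; the point of the fallback is that a row labelled only ".:" gives an analyst nothing to search on, while "203.0.113.7:" can be taken straight to the endpoint details page.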