How to List Network Interfaces Across All Mac, Windows, and Linux Devices
Using Kolide, you can easily view and query Network Interfaces across your fleet.
Introduction
Network interfaces are the virtual (e.g., lo) and physical (e.g., en0/eth0) devices on your computer that facilitate network communication, such as your Ethernet or wireless controllers.
What Network Interface Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect Network Interfaces from Mac, Windows, and Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Network Interfaces Schema
Column | Type | Description |
---|---|---|
id | Primary Key | Unique identifier for the object |
device_id | Foreign Key | Device associated with the entry |
device_name | Text | Display name of the device associated with the entry |
address_type | Enum::Text | Type of address. Can be one of the following: |
broadcast | Text | The broadcast address associated with the interface. |
collisions | Bigint | Number of collisions during packet transmissions. Note on data collection: On Windows this value is not collected and is always |
flag_value | Integer | An integer representing flags set on the interface (see |
flags | Text[] | The human readable names of the flags set on the interface. |
ibytes | Bigint | Number of good received bytes. Note on data collection: On Windows this value represents the rate at which bytes are received on the interface, including framing characters. |
idrops | Bigint | Total number of bad packets received on this network device. |
ierrors | Bigint | Total number of bad packets received on this network device. |
interface_type | Integer | The interface type as defined by the Internet Assigned Names Authority (IANA). |
ip_address | Text | The IP address currently assigned to the interface (IPv4 or IPv6) |
ipackets | Bigint | Number of good packets received by the interface. For hardware interfaces counts all good packets received from the device by the host, including packets which host had to drop at various stages of processing (even in the driver). Note on data collection: On Windows this value represents the rate at which packets are received on the network interface. |
last_changed_at | Timestamp | The timestamp when the interface entered its current operational state. Data only available for: |
link_speed | Bigint | Interface speed in Mb/s. Data only available for: Note on data collection: Not collected on Windows, see |
mac_address | Text | MAC Address (format: |
mask | Text | The netmask currently associated with the interface. |
metric | Integer | A dimensionless metric interpreted by a user-mode routing process. See OSPF Routing Metrics. |
mtu | Integer | Maximum transmission unit (MTU) is a measurement in bytes of the largest data packets that an Internet-connected device can accept. |
name | Text | Interface Name (e.g., "en0") |
obytes | Bigint | Number of good transmitted bytes. Note on data collection: On Windows this value represents the rate at which bytes are sent on the interface, including framing characters. |
odrops | Bigint | Number of packets dropped on their way to transmission, e.g. due to lack of resources. |
oerrors | Bigint | Total number of transmit problems. |
opackets | Bigint | Number of packets successfully transmitted. For hardware interfaces counts packets which host was able to successfully hand over to the device, which does not necessarily mean that packets had been successfully transmitted out of the device, only that device acknowledged it copied them out of host memory. Note on data collection: On Windows this value represents the rate at which packets are sent on the network interface. |
point_to_point | Text | The PtP address associated with the interface. |
windows_connection_id | Text | Name of the network connection as it appears in the Network Connections Control Panel program. Data only available for: |
windows_connection_status | Enum::Text | State of the network adapter connection to the network. Data only available for: Can be one of the following: |
windows_description | Text | A description for the adapter. Data only available for: |
windows_dhcp_enabled | Boolean | If Data only available for: |
windows_dhcp_server | Text | IP address of the dynamic host configuration protocol (DHCP) server. Data only available for: |
windows_dns_domain | Text | Organization name followed by a period and an extension that indicates the type of organization, such as 'microsoft.com'. Data only available for: |
windows_dns_domain_suffix_search_order | Text[] | Array of DNS domain suffixes to be appended to the end of host names during name resolution. Data only available for: |
windows_dns_host_name | Text | Host name used to identify the local computer for authentication by some utilities. Data only available for: |
windows_dns_server_search_order | Text | Array of server IP addresses to be used in querying for DNS servers. Data only available for: |
windows_enabled | Boolean | Indicates whether the adapter is enabled or not. Data only available for: |
windows_manufacturer | Text | Name of the network adapter's manufacturer (e.g., 3COM). Data only available for: |
windows_physical_adapter | Boolean | Indicates whether the adapter is a physical or a logical adapter. Data only available for: |
windows_service | Text | The name of the service the network adapter uses. Data only available for: |
windows_speed | Integer | Estimate of the current bandwidth in bits per second. Data only available for: |
collected_at | Timestamp | Time the row of data was first collected in the database |
updated_at | Timestamp | Time the row of data was last changed in the database |
What Can You Do With This Information?
Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:
```sql
-- Interfaces that currently have the PROMISC (promiscuous mode) flag set
SELECT name, mac_address, ip_address, interface_type
FROM device_network_interfaces
WHERE 'PROMISC' = ANY(flags);
```
name | mac_address | ip_address | interface_type |
---|---|---|---|
en0 | b1:d3:70:31:d6:ef | 192.168.86.248 | 6 |
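A second query in the same style, added here as an example rather than taken from Kolide's documentation: it lists MAC addresses reported by more than one device, which can indicate cloned virtual machines, shared adapters or docks, or an overridden hardware address. It assumes the PostgreSQL-style dialect implied by `ANY(flags)` above and uses only columns from the schema; the all-zero address filter is an assumption about how interfaces without a hardware address are reported.

```sql
-- Added example: MAC addresses that appear on more than one device.
-- An interface with several IP addresses can produce several rows, so
-- devices are counted with DISTINCT rather than by counting rows.
SELECT
  lower(mac_address)              AS mac,
  COUNT(DISTINCT device_id)       AS device_count,
  array_agg(DISTINCT device_name) AS devices,
  array_agg(DISTINCT name)        AS interface_names,
  MAX(updated_at)                 AS last_seen
FROM device_network_interfaces
WHERE mac_address IS NOT NULL
  AND mac_address <> ''
  -- Assumed placeholder value for interfaces with no hardware address
  -- (loopback, some tunnels); without this filter they would all collide.
  AND mac_address <> '00:00:00:00:00:00'
GROUP BY lower(mac_address)
HAVING COUNT(DISTINCT device_id) > 1
ORDER BY device_count DESC, mac;
```

Virtual adapters from the same VPN or hypervisor software can legitimately share an address across devices, so review `interface_names` before treating a hit as suspicious.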
Why Should I Collect Network Interfaces?
Network interface information can be useful to Security and IT administrators attempting to diagnose or troubleshoot connectivity or network speed issues.
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
Your MAC address, private (internal) IP address and gateway IP address will be visible to your administrator. This means if you were on a shared local network, your administrator could know the exact IP of your device for remote access or communication if those services were configured and enabled.
This inventory collects a count of the total number of inbound and outbound packets for each interface and could indicate excessive bandwidth utilization if you are on a limited or metered connection.
When you use Kolide to list Network Interface data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.