Probe Inventory
The Probe Inventory tab shows all endpoints (MAC addresses and IP addresses) discovered by your packet capture probes. Probes passively observe network traffic and build an inventory of every device communicating on the monitored network segment, including IoT devices, workstations, servers, printers, and any other networked equipment. This provides Layer 2 visibility that complements the Layer 3/4 flow data collected by NetFlow.
Summary Cards
The top of the page displays aggregate statistics across all probes:
| Card | Description |
|---|---|
| Total Probes | Number of registered packet capture probes. |
| Healthy (green) | Probes with a heartbeat received within the last 5 minutes. |
| Warning (yellow) | Probes with a heartbeat older than 5 minutes but within 10 minutes. |
| Critical (red) | Probes with no heartbeat in over 10 minutes. |
| Total MACs | Total unique MAC addresses observed across all probes within the selected time range. |
| Total IPs | Total unique IP addresses observed across all probes within the selected time range. |
Time Range and Refresh
- Time Range dropdown — Controls the lookback window for inventory data. Options include 1 Hour, 6 Hours, 24 Hours (default), 7 Days, and 30 Days. Shorter time ranges show only recently active endpoints; longer ranges provide a more complete inventory.
- Refresh — Re-fetches inventory data from ClickHouse.
Probe Cards
Each probe appears as an expandable card showing:
- Probe name — The device name as registered in the Devices table (e.g.,
probe-192-168-100-142). Probes are auto-registered when they first send a heartbeat to the backend. - Site — The site the probe is assigned to.
- IP address — The probe's management IP.
- MAC count — Total unique MAC addresses seen by this probe.
- IP count — Total unique IP addresses seen by this probe.
- Online status — Health badge showing connectivity status and time since last heartbeat (e.g., "Online (3m ago)").
Click the expand arrow (∨) to reveal the probe's full endpoint inventory table.
Endpoint Inventory Table
The expanded inventory table lists every MAC/IP pair observed by the selected probe within the configured time range.
Columns
| Column | Description |
|---|---|
| MAC Address | The Layer 2 hardware address of the endpoint. Displayed in colon-separated hex notation (e.g., 4c:43:41:5d:1c:20). |
| Vendor | The device manufacturer, resolved from the MAC address prefix (OUI) using the IEEE OUI database. Displayed as a color-coded badge (e.g., Calix, Apple, HP, ProxmoxServe). "Unknown" is shown when the OUI prefix is not in the database, typically for locally-administered or randomized MAC addresses. |
| IP Address | The most recently observed IP address associated with this MAC. If a single MAC has been seen with multiple IPs, the most recent is shown. Displayed as a clickable link for cross-referencing with flow data. |
| First Seen | The earliest timestamp this MAC was observed within the selected time range. |
| Last Seen | The most recent timestamp this MAC was observed. Sortable (default: most recent first). |
| Flows | Total number of flows involving this MAC address within the time range. Higher flow counts indicate more active endpoints. |
| Traffic | Total traffic volume (bytes in + bytes out) for this MAC, displayed in human-readable units (KB, MB, GB). |
Search and Filter
- Search MAC, IP, or vendor... — Free-text search across MAC addresses, IP addresses, and vendor names. Useful for locating a specific device.
- All Vendors dropdown — Filter the table to show only endpoints from a specific vendor (e.g., show only Apple devices, only Cisco devices).
Export
- CSV — Export the current inventory table to a CSV file for offline analysis, asset tracking, or compliance reporting.
- Refresh — Re-fetch the inventory data for this probe.
Vendor Resolution (OUI Lookup)
MAC address vendor identification uses the IEEE OUI (Organizationally Unique Identifier) database. The first three octets of a MAC address identify the manufacturer. Chompy loads the OUI database (sourced from Wireshark's maintained copy of the IEEE database, approximately 35,000 vendors) into a ClickHouse dictionary (oui_dict) for fast lookups during queries.
The OUI database can be updated periodically by re-running the setup script. The IEEE updates their database as new manufacturer registrations are processed.
Probe Health and Heartbeats
Probes send periodic heartbeats to the backend API to indicate they are alive and functioning. The heartbeat includes the probe's IP address and basic status information. Probe health is calculated from the time elapsed since the last heartbeat:
| Health | Last Heartbeat |
|---|---|
| Healthy (green) | Within the last 5 minutes. |
| Warning (yellow) | Between 5 and 10 minutes ago. |
| Critical (red) | More than 10 minutes ago. |
Probe health feeds into the site-level status calculation on the Site Cards tab — if a probe at a site is critical, the site itself shows as critical.
Use Cases
IoT Device Discovery
The probe inventory is particularly valuable for discovering unmanaged IoT devices on the network — security cameras, smart thermostats, printers, and industrial control systems that don't support SNMP and wouldn't be found by autodiscovery. The vendor identification helps classify unknown devices.
Asset Tracking
The first seen and last seen timestamps, combined with vendor identification, provide a passive asset tracking capability. Export the inventory to CSV periodically to build a historical record of what devices have been present on the network.
Rogue Device Detection
By establishing a baseline of known MAC addresses and vendors, new or unexpected devices appearing in the inventory can be investigated. Sorting by "First Seen" reveals recently appeared endpoints.