IoT Topology
The IoT Topology view provides a passive inventory and visualization of all devices discovered on your network by WhiteOwl packet capture probes. Select the IoT tab on the Topology page to access this view. Each probe listens on its connected network segments and identifies unique devices by MAC address, resolving the device vendor using OUI (Organizationally Unique Identifier) lookup. The result is an automatically maintained inventory of every device on your network — from managed infrastructure to unmanaged IoT endpoints — without requiring any agents or active scanning.
How It Works
WhiteOwl probes deployed across your network passively capture traffic and extract unique MAC addresses from the packets they observe. Each discovered MAC address is resolved against the IEEE OUI database to identify the device manufacturer (e.g., Apple, Amazon, Google, Samsung, Cisco). Devices are then grouped by the probe that discovered them, giving you a per-segment view of what's connected to your network.
The IoT Topology map displays this data as a hierarchical layout: probes appear as parent nodes, with their discovered devices shown as child nodes beneath them, color-coded by vendor.
IoT discovery is entirely passive — probes observe traffic already on the wire. This means devices are discovered without sending any packets to them, making it safe for sensitive OT/IoT environments where active scanning could disrupt devices.
Toolbar Controls
Search
The search bar at the top allows you to search across all discovered devices by:
- MAC address — Full or partial MAC (e.g., AA:BB:CC or aa:bb:cc:dd:ee:ff).
- IP address — The IP address observed for the device.
- Vendor name — The resolved manufacturer name (e.g., Apple, Amazon).
Filters
| Filter | Description |
|---|---|
| All Vendors | Filter the topology to show only devices from a specific vendor (e.g., Apple, Cisco, Amazon). Defaults to showing all vendors. |
| All Probes | Filter the topology to show devices discovered by a specific probe. Defaults to showing all probes. |
| Time Range | Controls the lookback window for device discovery (e.g., Last 24 Hours). Only devices seen within this time range are displayed. |
View Controls
| Control | Description |
|---|---|
| Refresh | Re-fetches the latest discovery data from all probes and redraws the map. |
| Fit | Automatically zooms and pans the map to fit all visible nodes within the viewport. |
| Lines | Toggles connection lines between probes and their discovered devices on or off. Useful for reducing visual clutter in dense environments. |
| Save | Persists the current layout positions so they are retained on future visits. |
| Reset | Reverts the layout to the default auto-arranged positions, discarding any saved layout. |
The summary bar displays the total count of active probes and unique MAC addresses (e.g., 4 probes • 48 unique MACs).
Topology Map
The map displays a hierarchical layout with two types of nodes:
Probe Nodes
Probe nodes represent WhiteOwl packet capture probes deployed on your network. Each probe appears as a parent node at the top of its device cluster. The probe icon and label identify which probe discovered the devices grouped beneath it.
Device Nodes
Each discovered device is displayed as a card beneath its discovering probe. Device cards are color-coded by vendor for quick visual identification. The card displays:
- MAC address — The unique hardware address of the device.
- IP address — The observed IP address (if available).
- Vendor — The manufacturer resolved from the MAC OUI prefix.
Viewing Flow Details
Click on any connection line between nodes to open the Link Flow Details panel on the right side of the screen. This works the same way as the Network and Cloud topology views, providing real-time traffic analysis for the selected connection:
- Traffic Summary — Total bytes, average rate, packet count, and flow count.
- Traffic Direction — Breakdown of traffic by source → destination IP pair, sorted by volume.
- Top Flows (by bytes) — Detailed table of individual flow records including source/destination IP, port, protocol, bytes, and packets.
This allows you to quickly investigate what traffic a specific IoT device is generating or receiving, which is valuable for identifying unexpected communication patterns such as IoT devices phoning home to unknown destinations.
Legend
The legend in the bottom-left corner of the map displays:
Node Types
| Icon | Type |
|---|---|
| Probe icon | Packet Probe — A WhiteOwl probe performing passive capture and device discovery. |
Device Vendors
Devices are color-coded by manufacturer. The vendor colors include:
| Color | Vendor |
|---|---|
| Cream | Apple |
| Green | |
| Orange | Amazon |
| Blue | Samsung |
| Light Blue | Cisco |
| Gray | Unknown |
The Unknown category includes devices whose MAC OUI prefix does not match a known manufacturer in the IEEE database, or devices using randomized MAC addresses.
Many modern devices (particularly Apple and Android phones) use randomized MAC addresses for Wi-Fi connections to improve privacy. These devices may appear as Unknown vendor or generate multiple entries if their randomized MAC changes between sessions. The actual count of physical devices may be lower than the unique MAC count in environments with significant MAC randomization.
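Whether an address has an unregistered prefix or is randomized can be read from the address itself: randomized MACs set the locally administered bit (0x02 of the first octet), so their first three octets are not a vendor OUI. The following sketch is an added example, not WhiteOwl code; the prefix table, vendor names and sample addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed prefix table for illustration; not real IEEE OUI assignments.
SAMPLE_OUI = {"001122": "ExampleVendorA", "04AABB": "ExampleVendorB"}

# Constructed sample of MACs as a probe might report them.
OBSERVED = [
    "00:11:22:33:44:55",
    "00-11-22-33-44-55",  # same device, different notation
    "04:AA:BB:00:00:01",
    "0C:DE:AD:00:00:09",  # universal address, prefix not in the table
    "DA:A1:19:12:34:56",  # locally administered bit set
    "92:3F:07:AB:CD:EF",  # locally administered bit set
]

def normalize(mac):
    """Return the MAC as 12 uppercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits

def classify(mac, oui_table=SAMPLE_OUI):
    """Label a MAC by vendor, or say why no vendor can be resolved."""
    digits = normalize(mac)
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:
        return "multicast"  # group address, not a device's own address
    if first_octet & 0x02:
        # Locally administered: randomized or software-assigned, so the
        # first three octets are not a vendor OUI and lookup is meaningless.
        return "locally-administered"
    return oui_table.get(digits[:6], "Unknown")

def summarize(macs):
    """Split a unique-MAC count into stable and possibly rotating addresses."""
    unique = {normalize(m) for m in macs}
    by_class = Counter(classify(m) for m in unique)
    rotating = by_class["locally-administered"]
    return {
        "unique_macs": len(unique),
        "by_class": dict(by_class),
        # Burned-in addresses map one-to-one to interfaces; rotating ones
        # may be several entries for one physical device.
        "stable_addresses": len(unique) - rotating - by_class["multicast"],
        "possibly_rotating": rotating,
    }

if __name__ == "__main__":
    print(summarize(OBSERVED))
```

The search example used earlier on this page, aa:bb:cc:dd:ee:ff, classifies as locally administered because 0xAA has the 0x02 bit set.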
Probe Status
The Probe Status indicator in the bottom-right corner shows the total number of active probes (e.g., Probe Status (4)). Click it to expand a summary of each probe's health and connectivity status.
Interacting with the Map
- Pan — Click and drag on the background to pan the view.
- Zoom — Use the scroll wheel to zoom in and out.
- Fit to View — Click Fit to auto-zoom to fit all nodes.
- Move Nodes — Click and drag any node to reposition it. Use Save to persist your arrangement.
- Click a Connection — Opens the Link Flow Details panel showing flow data for that connection.
- Click a Device — Opens device details showing full MAC address, vendor, IP, and traffic history.
Use Cases
- Shadow IT Discovery — Identify unmanaged or unauthorized devices connecting to your network segments.
- IoT Inventory — Maintain a passive, always-current inventory of IoT endpoints across all sites without deploying agents.
- Vendor Auditing — Filter by vendor to audit device diversity or identify devices from specific manufacturers (e.g., finding all Amazon or Google smart home devices on a corporate network).
- Anomaly Detection — Use the time range filter to spot new devices that appeared recently, then click into their flows to investigate what traffic they're generating.
- Segmentation Validation — Verify that IoT devices are isolated to their intended network segments by checking which probes discover them.