March 21, 2012

Visualizing Packet Captures For Fun and Profit

Filed under: Log Analysis,Visualization — Raffael Marty @ 1:26 pm


Have you ever collected a packet capture and you needed to know what the collected traffic is about? Here is a quick tutorial on how to use AfterGlow to generate link graphs from your packet captures (PCAP).

I am sitting at the 2012 Honeynet Project Security Workshop. One of the trainers of a workshop tomorrow just approached me and asked me to help him visualize some PCAP files. I thought it might be useful for other people as well. So here is a quick tutorial.

Installation

To start with, make sure you have AfterGlow installed. This means you also need to install GraphViz on your machine!

First Visualization Attempt

The first attempt of visualizing tcpdump traffic is the following:

tcpdump -vttttnnelr file.pcap | parsers/tcpdump2csv.pl "sip dip" | perl graph/afterglow.pl -t | neato -Tgif -o test.gif

I am using the tcpdump2csv parser to deal with the source/destination confusion. The problem with this approach is that if your output format is slightly different to the regular expression used in the tcpdump2csv.pl script, the parsing will fail [In fact, this happened to us when we tried it here on someone else's computer].
It is more elegant to use something like Argus to do this. They do a much better job at protocol parsing:

argus -r file.pcap -w - | ra -r - -nn -s saddr daddr -c, | perl graph/afterglow.pl -t | neato -Tgif -o test.gif

When you do this, make sure that you are using Argus 3.0 or newer. If you do not, ragator does not have the -c option!

From here you can go in all kinds of directions.

Using other data fields

argus -r file.pcap -w - | ra -r - -nn -s saddr daddr dport -c, | perl graph/afterglow.pl | neato -Tgif -o test.gif

Here I added the dport to the parameters. Also note that I had to remove the -t parameter from the afterglow command. This tells AfterGlow that there are not two, but three columns in the CSV file.

Or use this:

argus -r file.pcap -w - | ra -r - -nn -s daddr dport ttl -c, | perl graph/afterglow.pl | neato -Tgif -o test.gif

This uses the destination address, the destination port and the TTL to plot your graph. Pretty neat …

AfterGlow Properties

You can define your own property file to define the colors for the nodes, configure clustering, change the size of the nodes, etc.

argus -r file.pcap -w - | ra -r - -nn -s daddr dport ttl -c, | perl graph/afterglow.pl -c graph/color.properties | neato -Tgif -o test.gif

Here is an example config file that is not as straight forward as the default one that is included in the AfterGlow distribution:

color="white" if ($fields[2] =~ /foo/)
color="gray50"
size.target=$targetCount{$targetName};
size=0.5
maxnodesize=1

The config uses the number of times the target shows up as the size of the target node.

Comments / Examples / Questions?

Obviously comments and questions are more than welcome. Also make sure that you post your example graphs on secviz.org!

4 Comments »

  1. [...] perl program. Once I had the file converted, I loaded it up to HDFS via HUE. I also found this PCAP visualization blog entry by Raffael Marty.  My original analysis was with HIVE and PIG. It was very simple. Name the [...]

    Pingback by Solutions for BigData ingest of network traffic – Analyzing PCAP traffic with Hadoop « BigSnarf blog — March 28, 2012 @ 10:55 am

  2. v useful – have just added some of this to my properties file

    an example using wireshark’s tshark on windows (for reading new wireshark pcap format):

    tshark -r sniffer_10-Property.pcap -n -T fields -E separator=, -e ip.src -e ip.dst -e tcp.dstport | afterglow.pl -p2 -v -c parsers\color.properties -e 2 | neato -Tgif -o sniffer_10-Property.gif

    all works with the exception of labels in gif file (still looking at why this might be broken on windoze)

    Comment by pinhead — January 1, 2014 @ 2:38 pm

  3. everybody relax – old version of neato – labels now OK

    Comment by pinhead — January 1, 2014 @ 2:54 pm

  4. […] too. Once I get a PCAP file converted to csv, I load it up to HDFS via HUE. I also found this PCAP visualization blog entry by Raffael […]

    Pingback by Security Big Data Analytics Solutions | BigSnarf blog — March 14, 2014 @ 11:40 am

RSS feed for comments on this post. | TrackBack URI

Leave a comment

XHTML ( You can use these tags): <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> .