{"id":595,"date":"2012-03-21T13:26:10","date_gmt":"2012-03-21T21:26:10","guid":{"rendered":"http:\/\/raffy.ch\/blog\/?p=595"},"modified":"2012-03-21T13:26:10","modified_gmt":"2012-03-21T21:26:10","slug":"visualizing-packet-captures-for-fun-and-profit","status":"publish","type":"post","link":"https:\/\/raffy.ch\/blog\/2012\/03\/21\/visualizing-packet-captures-for-fun-and-profit\/","title":{"rendered":"Visualizing Packet Captures For Fun and Profit"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/afterglow.sourceforge.net\/afterglow.png\" width=200 style=\"float:right\"\/><br \/>\nHave you ever collected a packet capture and needed to know what the collected traffic is about? Here is a quick tutorial on how to use <a href=\"http:\/\/afterglow.sf.net\">AfterGlow<\/a> to generate link graphs from your packet captures (PCAP).<\/p>\n<p>I am sitting at the <a href=\"https:\/\/www.honeynet.org\/SecurityWorkshops\/2012_SF_Bay_Area\">2012 Honeynet Project Security Workshop<\/a>. One of the trainers of a workshop tomorrow just approached me and asked me to help him visualize some PCAP files. I thought it might be useful for other people as well. So here is a quick tutorial.<\/p>\n<h4>Installation<\/h4>\n<p>To start with, make sure you have <a href=\"http:\/\/afterglow.sf.net\">AfterGlow<\/a> installed. This means you also need to install <a href=\"http:\/\/graphviz.org\">GraphViz<\/a> on your machine!<\/p>\n<h4>First Visualization Attempt<\/h4>\n<p>The first attempt at visualizing tcpdump traffic is the following:<\/p>\n<p><code>tcpdump -vttttnnelr file.pcap | parsers\/tcpdump2csv.pl \"sip dip\" | perl graph\/afterglow.pl -t | neato -Tgif -o test.gif<\/code><\/p>\n<p>I am using the tcpdump2csv parser to deal with the source\/destination confusion. 
The problem with this approach is that if your tcpdump output format differs slightly from what the regular expression in the tcpdump2csv.pl script expects, the parsing will fail [In fact, this happened to us when we tried it here on someone else&#8217;s computer].<br \/>\nIt is more elegant to use something like <a href=\"http:\/\/www.qosient.com\/argus\/\">Argus<\/a> to do this. They do a much better job at protocol parsing:<\/p>\n<p><code>argus -r file.pcap -w - | ra -r - -nn -s saddr daddr -c, | perl graph\/afterglow.pl -t | neato -Tgif -o test.gif<\/code><\/p>\n<p>When you do this, make sure that you are using Argus 3.0 or newer. In older versions, ragator does not have the <b>-c<\/b> option!<\/p>\n<p>From here you can go in all kinds of directions.<\/p>\n<h4>Using other data fields<\/h4>\n<p><code>argus -r file.pcap -w - | ra -r - -nn -s saddr daddr dport -c, | perl graph\/afterglow.pl | neato -Tgif -o test.gif<\/code><\/p>\n<p>Here I added the dport to the parameters. Also note that I had to remove the <b>-t<\/b> parameter from the afterglow command: dropping it tells AfterGlow that there are three columns in the CSV file rather than two.<\/p>\n<p>Or use this:<\/p>\n<p><code>argus -r file.pcap -w - | ra -r - -nn -s daddr dport ttl -c, | perl graph\/afterglow.pl | neato -Tgif -o test.gif<\/code><\/p>\n<p>This uses the destination address, the destination port and the TTL to plot your graph. 
Pretty neat &#8230;<\/p>\n<h4>AfterGlow Properties<\/h4>\n<p>You can define your own property file to set the colors of the nodes, configure clustering, change the size of the nodes, etc.<\/p>\n<p><code>argus -r file.pcap -w - | ra -r - -nn -s daddr dport ttl -c, | perl graph\/afterglow.pl -c graph\/color.properties | neato -Tgif -o test.gif<\/code><\/p>\n<p>Here is an example config file that is not as straightforward as the default one included in the AfterGlow distribution:<\/p>\n<p><code>color=\"white\" if ($fields[2] =~ \/foo\/)<br \/>\ncolor=\"gray50\"<br \/>\nsize.target=$targetCount{$targetName};<br \/>\nsize=0.5<br \/>\nmaxnodesize=1<br \/>\n<\/code><\/p>\n<p>The config uses the number of times the target shows up as the size of the target node.<\/p>\n<h4>Comments \/ Examples \/ Questions?<\/h4>\n<p>Obviously comments and questions are more than welcome. Also make sure that you post your example graphs on <a href=\"http:\/\/secviz.org\">secviz.org<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Have you ever collected a packet capture and you needed to know what the collected traffic is about? Here is a quick tutorial on how to use AfterGlow to generate link graphs from your packet captures (PCAP). I am sitting at the 2012 Honeynet Project Security Workshop. 
One of the trainers of a workshop tomorrow [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,2],"tags":[],"class_list":["post-595","post","type-post","status-publish","format-standard","hentry","category-log-analysis","category-visualization"],"aioseo_notices":[]}}