You can never have too many tools for pcap visualization
Flowtime is a script written in Ruby that produces a timeline of the network flows in a pcap file. Everything is better with a picture, so here’s a picture: (warning, this picture is 3000×2000 pixels, kind of large)
Each bar on the left is a IP address along with a port, the timeline on the bottom is the time it was capture (in seconds). The different colors represent different kinds of traffic, http is blue, ssl is red, yellow is other, etc. At the moment there isn’t any legend, but I already think it’s useful just to see patterns in the traffic over time.
Requirements to run Flowtime:
- Argus (version 3 only)
- Ploticus (you should have ‘pl’ in your path. You may have to symlink ‘ploticus’ to ‘pl’)
- EasyTimeline (you should have ‘EasyTimeline’ in your path)
Yea, I know, lots of dependencies, I’m hoping to rewrite this into a MUCH better version in the future, consider this the prototype
Here’s how to run it:
flowtime [-w #] [-h #] [-g] [--help] <pcapfile> <ipaddr> <outfile_base>
-w specify the width, default: 2000
-h specify the height, default: 2000
-g automatically try generate a png (requires 'EasyTimeline' and 'pl' in path)
<pcapfile> the packet file to generate a graph of
<ipaddr> source address to generate a graph for, 'all' for all IPs
<outfile_base> basename for the output file
To generate a basic graph, just do something like ‘
flowtime -g data.pcap all data-out‘. After running this (if everything works okay), you should have a few files in your directory, if you open data-out.png you should be able to see the data as a timeline. If there are errors instead of data-out.png, there will be a file called data-out.err.
I know this script has issues, isn’t very user-friendly and doesn’t always work, here’s what I’m hoping to improve for the next version:
- Generate an image of the entire timeline, in addition to showing it in a window
- The ability to zoom in to a particular range of time to show only that time
- Export an image of the current view
- Select a bar to get more information about that flow
I’m going to have to use a different framework though, I’m considering Tk, but I haven’t ever done anything with it before.
Questions? Concerns? Comments? Suggestions?
P.S. I already made an NSM-Console module for flowtime too