Recent blog posts

How do you visualize your traffic flow (NetFlow) logs?

By Raffael Marty  2 comments

November 18, 2008, 9:05 AM In my last blog post I showed how you collect NetFlow records and format them suitable for visualization. The next step, after the data has been processed and prepared in a CSV format, is to pick a graph or visual representation that is suitable for the problem at hand. Relationships between data entries are best visualized with link graphs. GraphViz is a tool that can be used to generate these link graphs. Unfortunately, the input format for GraphViz is a DOT file, which is a fairly complicated representation of a link graph. In order to translate CSV files to DOT files, I am going to use a tool called AfterGlow.
AfterGlow reads CSV data. Each edge in the graph is represented by a single CSV entry. For example, a node from 10.0.0.1 to 10.0.0.2 is generate by the following entry:

10.0.0.1,10.0.0.2

To generate the DOT file from our CSV input, run the CSV data through the following command:

cat file.csv | afterglow.pl -t > graph.dot

The DOT file now needs to be visualized with GraphViz. There are various layout algorithms that GraphViz supports, each launched through its own command. An example graph is generated as follows:

cat graph.dot | neato -Tgif -o graph.gif

To try out the other layouts, exchange neato in the above command with circo, dot, fdp, twopi.

If you want to get a bit more sophisticated with formatting the graph, you can use a graph property file and pass it to AfterGlow. The property file is used to assign color to nodes, filter nodes, or cluster them. A sample property file looks as follows:

color="yellow" if (field()=~/^192\.168\..*/);
color="greenyellow" if (field()=~/^10\..*/);
color="lightyellow4" if (field()=~/^172\.16\..*/);
color="red"

This sample property file assigns colors to the nodes based on their subnet. Nodes that belong to private address spaces are drawn in yellow. Other nodes are drawn in red. To tell AfterGlow to use this property file, use the following command:

cat file.csv | afterglow.pl -t -c sample.properties | neato -Tgif -o graph.gif

Have you generated your own link graphs? Share your examples and experiences on SecViz.

Hope to see you at my visualization workshop on Thursday the 20th of November in Hong Kong at the IS Summit 2008.

2 comments

    Anonymous 2 years ago
    Thanks for the article. Traffic visualization is very important.I thought you would like to know that Plixer International is doing some very interesting things with visualizing NetFlow traffic. They store long term data like most NetFlow tools, but they are definitely spicing things up with some very cool ways to look at the data.Take a look.
    Flag comment  |  Permalink Reply
    Anonymous 3 years ago
    Great article! I have seen your book at the store and online and can't wait until I buy it! It will be my Xmas present. Until then I am using your manual (which is a excellent document). I plan to use Davix for Vulnerability assessment data and systems (IDS, Firewall, syslog) log data. You should get this tool approved by the Government agencies to use on their networks. SANS is using it and they are taking it in the right direction.
    Flag comment  |  Permalink Reply

      Add a comment

      Post a comment using one of these accounts
      Or join now
      At least 6 characters

      Note: Comment will appear soon after you have activated your account.
      Obscene/spam comments will be removed and accounts suspended.
      The information you submit is subject to our Privacy Policy and Terms of Service.

      ITworld LIVE

      SecurityWhite Papers & Webcasts

      White Paper

      Overcome Top 7 Admin Challenges of Active Directory

      As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable, enforceable processes that reduces administrative overhead and enables robust, customizable reporting and auditing capabilities. Brought to you by NetIQ.

      White Paper

      Insiders Can Ruin Your Company. Take Action.

      Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in organizations worldwide. This white paper from NetIQ, discusses key technology solutions that help to prevent and detect insider threats.

      White Paper

      Top Solutions and Tools to Prevent Devastating Malware

      Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring (FIM) tools that provide immediate alerts. This white paper has been brought to you by NetIQ, the leader in solving complex IT challenges.

      White Paper

      Streamline Compliance and Increase ROI

      Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will help your business gain the maximum return on investment possible while aligning your compliance programs.

      White Paper

      X-Ray of the PCI Process-4 Proactive Steps

      This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into creating a compliant and secure IT environment. Follow these four proactive steps now before your next audit. Brought to you by NetIQ.

      See more White Papers | Webcasts

      Answers - Powered by ITworld

      ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

      Join Now

      New questions

      What can be done to control noise levels in data centers?
      2 answers
      How much will the security flaws in Google Wallet set back the transition to "digital wallets"?
      3 answers
      What type of enterprise user is going to use Ubuntu Business Desktop Remix?
      2 answers
      How well does facial recognition work for device security?
      3 answers
      What are the best tools for speeding up a website?
      0 answers
      View more questions

      Ask a question

      Join Now or Sign In to ask a question.
      Ask a Question