Security

How do you visualize your traffic flow (NetFlow) logs?

2 comments | 10I like it!
Tags: communication visualization, netflow, security visualization, traffic visualization

Recent Posts

November 18, 2008, 09:05 AM —

In my last blog post I showed how you collect NetFlow records and format them suitable for visualization. The next step, after the data has been processed and prepared in a CSV format, is to pick a graph or visual representation that is suitable for the problem at hand. Relationships between data entries are best visualized with link graphs. GraphViz is a tool that can be used to generate these link graphs. Unfortunately, the input format for GraphViz is a DOT file, which is a fairly complicated representation of a link graph. In order to translate CSV files to DOT files, I am going to use a tool called AfterGlow.
AfterGlow reads CSV data. Each edge in the graph is represented by a single CSV entry. For example, a node from 10.0.0.1 to 10.0.0.2 is generate by the following entry:

10.0.0.1,10.0.0.2

To generate the DOT file from our CSV input, run the CSV data through the following command:

cat file.csv | afterglow.pl -t > graph.dot

The DOT file now needs to be visualized with GraphViz. There are various layout algorithms that GraphViz supports, each launched through its own command. An example graph is generated as follows:

cat graph.dot | neato -Tgif -o graph.gif

To try out the other layouts, exchange neato in the above command with circo, dot, fdp, twopi.

If you want to get a bit more sophisticated with formatting the graph, you can use a graph property file and pass it to AfterGlow. The property file is used to assign color to nodes, filter nodes, or cluster them. A sample property file looks as follows:

color="yellow" if (field()=~/^192\.168\..*/);
color="greenyellow" if (field()=~/^10\..*/);
color="lightyellow4" if (field()=~/^172\.16\..*/);
color="red"

This sample property file assigns colors to the nodes based on their subnet. Nodes that belong to private address spaces are drawn in yellow. Other nodes are drawn in red. To tell AfterGlow to use this property file, use the following command:

cat file.csv | afterglow.pl -t -c sample.properties | neato -Tgif -o graph.gif

Have you generated your own link graphs? Share your examples and experiences on SecViz.

Hope to see you at my visualization workshop on Thursday the 20th of November in Hong Kong at the IS Summit 2008.

I like it!

Email
Print
Share
- Slashdot
- Digg
- Stumble
- Reddit
- Newsvine

2 comments Add a comment

http://www.tanucoo.com

Great article! I have seen your book at the store and online and can't wait until I buy it! It will be my Xmas present. Until then I am using your manual (which is a excellent document). I plan to use Davix for Vulnerability assessment data and systems (IDS, Firewall, syslog) log data. You should get this tool approved by the Government agencies to use on their networks. SANS is using it and they are taking it in the right direction.

by kleanchap (not verified) on 11/20/08 at 9:58 am | reply

NetFlow Visualization

Thanks for the article. Traffic visualization is very important.

I thought you would like to know that Plixer International is doing some very interesting things with visualizing NetFlow traffic. They store long term data like most NetFlow tools, but they are definitely spicing things up with some very cool ways to look at the data.

Take a look.

by Jon (not verified) on 6/12/09 at 9:09 am | reply

View all comments »

peer-to-peer

Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers

Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal

Tom Henderson
Top Ten General Operating Systems Rants

pasmith
PS3 motion controller delayed; goes up against Project Natal

sjvn
Neolithic Windows security hole alive and well in Windows 7

claird
Perl source code comparison makes for good reading

mikelgan
Cell phones don't create stress or interrupt much

Sandra Henry-Stocker
How to: The Unix Interview

Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann

Join the conversation here

The Daily Tip

Quick, practical advice for IT pros. Made fresh daily.

Hot tips:

Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.

Newsletters

Subscribe to ITWORLD TODAY and receive the latest IT news and analysis.

*E-mail address:

*Verify E-mail:

*Job Title:

*Industry:

*Company Size:

*Country

* State:

I would like to receive offers via email from ITworld partners.

By clicking submit you agree to the terms and conditions outlined in ITworld's privacy policy.

view all newsletters »

	Friends With Benefits: A Social Media Marketing Handbook Tips, tricks, and real-world case studies to help you increase your online visibility.Enter now!
	Ubuntu Unleashed 2010 Edition Detailed information on installing, using, and administering Ubuntu. Enter now!
	VMware vSphere 4 Implementation Best practices for deploying the vSphere product in real-world enterprise environments.Enter now!