Visualizing Network Data Using Python: Part 1

If you are in IT or Security you have had to look at packets to troubleshoot or investigate an issue. Tools like Wireshark are great, but sometimes you need to automate or want to run something all on the terminal. This is a three-part post on visualizing network data with Python. We’ll read a packet capture and graph the number of times each source IP is seen in the packet.

Before we start visualizing the data we will learn how to read PCAP data with Python using ScaPy.  For this example we will use 2 external modules and 1 built in module. ScaPy is a great tool for manipulating and reading packets and PrettyTables is just what you would imagine it is, a library to print pretty tables.

pip3 install scapy-python3
pip3 install prettytable

from scapy.all import *
from collections import Counter
from prettytable import PrettyTable

First we will tell ScaPy to read all of the packets in the PCAP to a list, to do that use the rdpcap function.
packets = rdpcap('example.pcap')

Packets in ScaPy have elements, we will only be dealing with packet’s IP data.  Each packet has attributes like source IP, destination IP, source port, destination port, bytes, etc.  To print a source IP use pkt[IP].src

For our example we will need to read a PCAP file and store the source IP in a list. To do that we will loop through the packets using a try/except as not every packet will have the information we want (malformed, retransmit, etc).
for pkt in packets:
if IP in pkt:

Now that you have a list of IPs from the packets we will use a counter to create a count.

for ip in srcIP:
cnt[ip] += 1

Now we can use PrettyTable to sort and print the data. The first step is to create the table with table().

table= PrettyTable(["IP", "Count"])

Next we will loop through the data and add them to the table  from highest to lowest .
for ip, count in cnt.most_common():
   table.add_row([ip, count])

And lastly we print the column.

The whole script beginning to end looks like:

To run it, create a PCAP with tcdpump:
sudo tcpdump -w example.pcap -c10000

Now run the program and see results.

Check back next week when we introduce using graphing packages to create graphs of network data using Python!

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

Dive deeper into this topic