Quantcast
Network DataUncategorized

Visualizing Network Data Using Python: Part 1

By June 12, 2018 No Comments

If you are in IT or Security you have had to look at packets to troubleshoot or investigate an issue. Tools like Wireshark are great, but sometimes you need to automate or want to run something all on the terminal. This is a two-part post on visualizing network data with Python. We’ll read a packet capture and graph the number of times each source IP is  seen in the packet.

Before we start visualizing the data we will learn how to read PCAP data with Python using ScaPy.  For this example we will use 2 external modules and 1 built in module. ScaPy is a great tool for manipulating and reading packets and PrettyTables is just what you would imagine it is, a library to print pretty tables.

Installation
pip3 install scapy-python3
pip3 install prettytable

Imports
from scapy.all import *
from collections import Counter
from prettytable import PrettyTable

First we will tell ScaPy to read all of the packets in the PCAP to a list, to do that use the rdpcap function.
packets = rdpcap(‘example.pcap’)

Packets in ScaPy have elements, we will only be dealing with packet’s IP data.  Each packet has attributes like source IP, destination IP, source port, destination port, bytes, etc.  To print a source IP use pkt[IP].src
print(pkt[IP].src)

For our example we will need to read a PCAP file and store the source IP in a list. To do that we will loop through the packets using a try/except as not every packet will have the information we want (malformed, retransmit, etc).
srcIP=[]
for pkt in packets:
if IP in pkt:
try:

           srcIP.append(pkt[IP].src)
except:
pass

Now that you have a list of IPs from the packets we will use a counter to create a count.
cnt=Counter()

for ip in srcIP:
cnt[ip] += 1

Now we can use PrettyTable to sort and print the data. The first step is to create the table with table().

table= PrettyTable([“IP”, “Count”])

Next we will loop through the data and add them to the table  from highest to lowest .
for ip, count in cnt.most_common():
   table.add_row([ip, count])

And lastly we print the column.
print(table)

The whole script beginning to end looks like:

#!/usr/bin/env python3
from scapy.all import *
from prettytable import PrettyTable
from collections import Counter#Read the packets from file
packets = rdpcap(‘example.pcap’)#List to hold srcIPs
srcIP=[]#Read each packet and append to the srcIP list.
for pkt in packets:
   if IP in pkt:
       try:
           srcIP.append(pkt[IP].src)
       except:
           pass#Crreate an empty list to hold the count of ips
cnt=Counter()#Create a list of IPs and how many times they appeared
for ip in srcIP:
   cnt[ip] += 1#Create header
table= PrettyTable([“IP”, “Count”])#Add records to table
for ip, count in cnt.most_common():
   table.add_row([ip, count])print(table)


To run it, create a PCAP with tcdpump:
sudo tcpdump -w example.pcap -c10000

Now run the program and see results.

Check back next week when we introduce using graphing packages to create graphs of network data using Python!

Joe McManus

Author Joe McManus

Joe is a Senior Cyber Security Researcher at CERT and a Professor at the University of Colorado College of Engineering where he teaches graduate courses in information security and forensics. Recently, Joe was the Director of Security at SolidFire, (acquired by NetApp [NTAP]). He is an avid cyclist, climber and leads the Automox security team.

More posts by Joe McManus

Leave a Reply