Visualizing Network Data Using Python: Part 1

If you are in IT or Security you have had to look at packets to troubleshoot or investigate an issue. Tools like Wireshark are great, but sometimes you need to automate or want to run something all on the terminal. This is a three-part post on visualizing network data with Python. We’ll read a packet capture and graph the number of times each source IP is  seen in the packet.

Before we start visualizing the data we will learn how to read PCAP data with Python using ScaPy.  For this example we will use 2 external modules and 1 built in module. ScaPy is a great tool for manipulating and reading packets and PrettyTables is just what you would imagine it is, a library to print pretty tables.

pip3 install scapy-python3
pip3 install prettytable

from scapy.all import *
from collections import Counter
from prettytable import PrettyTable

First we will tell ScaPy to read all of the packets in the PCAP to a list, to do that use the rdpcap function.
packets = rdpcap('example.pcap')

Packets in ScaPy have elements, we will only be dealing with packet’s IP data.  Each packet has attributes like source IP, destination IP, source port, destination port, bytes, etc.  To print a source IP use pkt[IP].src

For our example we will need to read a PCAP file and store the source IP in a list. To do that we will loop through the packets using a try/except as not every packet will have the information we want (malformed, retransmit, etc).
for pkt in packets:
if IP in pkt:


Now that you have a list of IPs from the packets we will use a counter to create a count.

for ip in srcIP:
cnt[ip] += 1

Now we can use PrettyTable to sort and print the data. The first step is to create the table with table().

table= PrettyTable(["IP", "Count"])

Next we will loop through the data and add them to the table  from highest to lowest .
for ip, count in cnt.most_common():
   table.add_row([ip, count])

And lastly we print the column.

The whole script beginning to end looks like:

#!/usr/bin/env python3
from scapy.all import *
from prettytable import PrettyTable
from collections import Counter#Read the packets from file
packets = rdpcap('example.pcap')#List to hold srcIPs
srcIP=[]#Read each packet and append to the srcIP list.
for pkt in packets:
   if IP in pkt:
           pass#Crreate an empty list to hold the count of ips
cnt=Counter()#Create a list of IPs and how many times they appeared
for ip in srcIP:
   cnt[ip] += 1#Create header
table= PrettyTable(["IP", "Count"])#Add records to table
for ip, count in cnt.most_common():
   table.add_row([ip, count])print(table)

To run it, create a PCAP with tcdpump:
sudo tcpdump -w example.pcap -c10000

Now run the program and see results.

Check back next week when we introduce using graphing packages to create graphs of network data using Python!

Subscribe to Our Newsletter

Stay up to date on all things patch management

Reduce your threat surface by up to 80%

Make all of your corporate infrastructure more resilient by automating the basics of cyber hygiene.