
Visualizing Network Data Using Python: Part 2

June 14, 2018

In the first part of this how-to, Visualizing Network Data Using Python: Part 1, we introduced you to packet analysis using Python and ScaPy. Building on those skills, we will make a few small modifications to visualize the data using Plotly, an extremely powerful Python graphing package. In this example we will create a graph of the occurrence of source IPs in a PCAP file.

Step 1
Before we start slinging code we need to install Plotly (and Scapy, the package used in Part 1). Then we will import Plotly.

Installation
pip3 install plotly
pip3 install scapy-python3

Imports
from scapy.all import *
from collections import Counter
import plotly

Step 2
We will then tell ScaPy to read all of the packets in the PCAP into a list. To do that, use the rdpcap function.
packets = rdpcap('example.pcap')

Step 3
Packets in ScaPy are made up of layers; we will only be dealing with each packet's IP data. Each packet has attributes like source IP, destination IP, source port, destination port, bytes, etc. To print a source IP, use pkt[IP].src
print(pkt[IP].src)  

For our example we will need to read a PCAP file and store the source IP in a list. To do that, we will loop through the packets using a try/except as not every packet will have the information we want (malformed, retransmit, etc). The try/except gives us an error-free program when reading the PCAP.

srcIP=[]
for pkt in packets:
    if IP in pkt:
        try:
            srcIP.append(pkt[IP].src)
        except Exception:
            pass

Step 4
Now that you have a list of IPs from the packets we will use a counter to create a count of the times we see each source IP.

cnt=Counter()

for ip in srcIP:
    cnt[ip] += 1

Step 5
Now we need to create the x and y data for the graph. We'll create empty lists for both, then loop through the counts from highest to lowest and append each IP and its count to the lists.
xData=[]
yData=[]
for ip, count in cnt.most_common():
    xData.append(ip)
    yData.append(count)

Step 6
Next we will create a plot. Plotly is great in that it will open the plot in your browser.

plotly.offline.plot({
    "data": [plotly.graph_objs.Bar(x=xData, y=yData)]})

The whole script beginning-to-end looks like this:

#!/usr/bin/env python3
from scapy.all import *
from collections import Counter
import plotly

# Read the packets from file
packets = rdpcap('example.pcap')

# List to hold srcIPs
srcIP=[]

# Read each packet and append its source IP to the srcIP list.
for pkt in packets:
    if IP in pkt:
        try:
            srcIP.append(pkt[IP].src)
        except Exception:
            pass

# Create an empty Counter to hold the count of IPs
cnt=Counter()

# Count how many times each IP appeared
for ip in srcIP:
    cnt[ip] += 1

# Sort data (highest count first) and create x and y
xData=[]
yData=[]
for ip, count in cnt.most_common():
    xData.append(ip)
    yData.append(count)

# Create a graph
plotly.offline.plot({
    "data": [plotly.graph_objs.Bar(x=xData, y=yData)]})



Step 7

To run it, create a PCAP with tcpdump:
sudo tcpdump -w example.pcap -c10000

Step 8
Now run the program and explore the results in your browser.

Step 9
This step is optional, but since the goal is to visualize the data, adding a title and axis labels makes the graph much easier to read. Adding the "layout" option to Plotly will get you that information.
plotly.offline.plot({
    "data": [plotly.graph_objs.Bar(x=xData, y=yData)],
    "layout": plotly.graph_objs.Layout(title="Source IP Occurrence",
        xaxis=dict(title="Src IP"),
        yaxis=dict(title="Count"))})
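
rdpcap reads every packet into a list before the loop in Step 3 starts, which gets heavy on large captures. The following added example (not part of the original post) does the counting from Steps 2 to 4 by walking a classic pcap file one record at a time with only the standard library. The function names and the in-memory sample capture are constructed for illustration, and it assumes an Ethernet capture in classic pcap format (not pcapng).

```python
import struct
from collections import Counter
from io import BytesIO

# First four bytes of a classic pcap file -> byte order of its headers
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def count_src_ips(stream):
    """Count IPv4 source addresses, reading one record at a time."""
    hdr = stream.read(24)                # global header: magic + 20 more bytes
    endian = MAGIC.get(hdr[:4])
    if endian is None or len(hdr) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    # After the magic: version, timezone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "HHiIII", hdr[4:])[5]
    if linktype != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    cnt = Counter()
    while True:
        rec = stream.read(16)            # ts_sec, ts_usec, incl_len, orig_len
        if len(rec) < 16:
            break                        # end of file or truncated record header
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        frame = stream.read(incl_len)
        if len(frame) < incl_len:
            break                        # capture cut off mid-packet
        # Need Ethernet (14 bytes) + minimal IPv4 header (20), EtherType 0x0800
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue                     # ARP, IPv6, VLAN-tagged or short frame
        cnt[".".join(str(b) for b in frame[26:30])] += 1
    return cnt

def sample_pcap():
    """Constructed capture: three IPv4 frames and one ARP frame."""
    def eth(ethertype, payload):
        return bytes(12) + ethertype + payload      # zeroed MAC addresses
    def ipv4(src):
        return eth(b"\x08\x00", b"\x45" + bytes(11) + bytes(src) + bytes([192, 0, 2, 1]))
    frames = [ipv4([10, 0, 0, 5]), ipv4([10, 0, 0, 9]), ipv4([10, 0, 0, 5]),
              eth(b"\x08\x06", bytes(28))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for ip, count in count_src_ips(BytesIO(sample_pcap())).most_common():
        print(ip, count)
```

For a real capture, pass `open('example.pcap', 'rb')` instead of the sample; the returned Counter drops straight into Step 5.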

I hope this helped you out with visualizing packet data using Python. As always, feel free to comment or ask questions and tune in tomorrow for Visualizing Network Data Using Python: Part 3!

Joe McManus

Author Joe McManus

Joe is a Senior Cyber Security Researcher at CERT and a Professor at the University of Colorado College of Engineering where he teaches graduate courses in information security and forensics. Recently, Joe was the Director of Security at SolidFire, (acquired by NetApp [NTAP]). He is an avid cyclist, climber and leads the Automox security team.
