In the first part of this how-to, Visualizing Network Data Using Python: Part 1, we introduced you to packet analysis using Python and ScaPy. Building on those skills, we will make a few small modifications to visualize the data using Plotly, an extremely powerful Python graphing package. In this example we will create a graph of the occurrence of source IPs in a PCAP file.
Before we start slinging code we need to install Plotly (and ScaPy, the package from Part 1). Then we import both packages, plus Counter from the standard library.
pip3 install plotly
pip3 install scapy-python3
from scapy.all import *
from collections import Counter
import plotly  # needed later for plotly.graph_objs and plotly.offline.plot
We will then tell ScaPy to read all of the packets in the PCAP into a list. To do that, use the rdpcap function.
packets = rdpcap('example.pcap')
Packets in ScaPy are made up of layers; we will only be dealing with each packet's IP layer. That layer has attributes like source IP, destination IP, source port, destination port, length, etc. To print a packet's source IP use pkt[IP].src
For our example we will need to read a PCAP file and store each packet's source IP in a list. To do that, we loop through the packets and check for an IP layer (and guard the access with a try/except), because not every packet will have the information we want (ARP frames, malformed or truncated packets, etc.). Skipping those packets gives us an error-free program when reading the PCAP.
srcIP = []
for pkt in packets:
    if IP in pkt:
        srcIP.append(pkt[IP].src)
Now that you have a list of source IPs from the packets, we will use a Counter to tally how many times we see each one.
cnt = Counter()
for ip in srcIP:
    cnt[ip] += 1
Now we need to create the x and y data for the graph. We'll create empty lists for both, then loop through the counts from highest to lowest (most_common() returns them in that order) and append each IP and its count to the lists.
xData, yData = [], []
for ip, count in cnt.most_common():
    xData.append(ip)
    yData.append(count)
Next we will create a plot. Plotly is great in that plotly.offline.plot writes the chart to an HTML file and opens it in your browser.
plotly.offline.plot({
    "data": [plotly.graph_objs.Bar(x=xData, y=yData)]
})
The whole script beginning-to-end looks like this:
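The post's own full listing did not survive on this page, so the following is an added example that assembles the steps above into one runnable script (it is a reconstruction, not the post's original code). It assumes the PCAP path "example.pcap" from the post as the default and an output file name of its own choosing; scapy and plotly are imported inside the functions that need them so the counting logic can be exercised without a capture file.

```python
#!/usr/bin/env python3
"""Count source IPs in a PCAP and plot them as a bar chart with Plotly.

Added example reconstructed from the steps in the post; not the post's own
listing. Assumes a PCAP path on the command line (default: example.pcap).
"""
import sys
from collections import Counter


def source_ips(pcap_path):
    """Read a PCAP with ScaPy and return the source IP of every IP packet.

    scapy is imported here rather than at module level so the counting
    logic below can be used (and tested) on plain lists without scapy.
    """
    from scapy.all import rdpcap, IP
    ips = []
    for pkt in rdpcap(pcap_path):
        # Non-IP frames (ARP, malformed or truncated packets) are skipped
        # instead of crashing the run.
        if IP in pkt:
            try:
                ips.append(pkt[IP].src)
            except (AttributeError, IndexError):
                continue
    return ips


def occurrences(ips):
    """Count each source IP; return (xData, yData) ordered highest to lowest."""
    cnt = Counter(ips)
    xData, yData = [], []
    for ip, count in cnt.most_common():
        xData.append(ip)
        yData.append(count)
    return xData, yData


def plot_occurrences(xData, yData, out_file="source_ip_occurrence.html"):
    """Write the bar chart to an HTML file and open it in the browser."""
    import plotly
    plotly.offline.plot({
        "data": [plotly.graph_objs.Bar(x=xData, y=yData)],
        "layout": plotly.graph_objs.Layout(
            title="Source IP Occurrence",
            # Axis labels are this example's choice, not from the post.
            xaxis={"title": "Source IP"},
            yaxis={"title": "Packets seen"},
        ),
    }, filename=out_file)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "example.pcap"
    xData, yData = occurrences(source_ips(path))
    # Print the same ranking to the terminal so it is usable without a browser.
    for ip, count in zip(xData, yData):
        print(f"{ip:>15}  {count}")
    plot_occurrences(xData, yData)
```

Run it as `python3 script.py example.pcap`; the terminal listing is handy when triaging a capture over SSH where no browser is available, and the HTML file can be opened later.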
To run it, create a PCAP with tcpdump:
sudo tcpdump -w example.pcap -c10000
Now run the program and explore the results in your browser:
This next step is optional, but since the goal is to visualize the data, adding a title and axis labels makes the chart much easier to read. Adding the "layout" key to the dictionary passed to Plotly gets you that information.
plotly.offline.plot({
    "data": [plotly.graph_objs.Bar(x=xData, y=yData)],
    "layout": plotly.graph_objs.Layout(title="Source IP Occurrence",
                                       xaxis={"title": "Source IP"},    # example axis labels
                                       yaxis={"title": "Occurrences"})
})
I hope this helped you out with visualizing packet data using Python. As always, feel free to comment or ask questions and tune in tomorrow for Visualizing Network Data Using Python: Part 3!
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.