In the first part of this how-to, Visualizing Network Data Using Python: Part 1, we introduced you to packet analysis using Python and Scapy. Building on those skills, we will make a few small modifications to visualize the data using Plotly, an extremely powerful Python graphing package. In this example we will create a graph of how often each source IP occurs in a PCAP file.
Step 1
Before we start slinging code we need to install Plotly (and Scapy, the package used in Part 1). Then we will import both.
Installation
pip3 install plotly
pip3 install scapy-python3
Imports
from scapy.all import *
from collections import Counter
import plotly
Step 2
We will then tell Scapy to read all of the packets in the PCAP into a list. To do that, use the rdpcap function.
packets = rdpcap('example.pcap')
Step 3
Packets in Scapy are built from layers; we will only be dealing with each packet's IP layer. That layer has attributes like source IP, destination IP, and length, and the layers above it carry the source port, destination port, payload bytes, etc. To print a source IP use pkt[IP].src
print(pkt[IP].src)
For our example we will need to read a PCAP file and store each source IP in a list. To do that, we will loop through the packets inside a try/except, as not every packet will have the information we want (malformed, retransmitted, non-IP, etc.). The try/except keeps the program from crashing partway through reading the PCAP.
srcIP = []
for pkt in packets:
    if IP in pkt:
        try:
            srcIP.append(pkt[IP].src)
        except:
            pass
Step 4
Now that you have a list of IPs from the packets, we will use a Counter to count how many times we see each source IP.
cnt = Counter()
for ip in srcIP:
    cnt[ip] += 1
Step 5
Now we need to create the x and y data for the graph. We'll create empty lists for both, then loop through the counts from highest to lowest (most_common() returns them in that order) and append the IP and its count to the lists.
xData = []
yData = []
for ip, count in cnt.most_common():
    xData.append(ip)
    yData.append(count)
Step 6
Next we will create a plot. Plotly is great in that it will open the plot in your browser.
plotly.offline.plot({
    "data": [plotly.graph_objs.Bar(x=xData, y=yData)]
})
The whole script beginning-to-end looks like this:
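The steps above assembled into one runnable program, as an added example rather than the post's own script. So that it runs with only the standard library, Scapy's rdpcap() is replaced by a small hand-written reader for the classic libpcap file format that understands Ethernet + IPv4 frames and silently skips everything else (the role the post's try/except plays); the Plotly call, including the Step 9 layout with a title and axis labels, is only made when plotly is importable. The capture bytes are constructed inline, so the file name, IPs and counts are all made up for the demonstration.

```python
"""Source-IP occurrence from a PCAP, end to end (added example, not the post's code)."""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1          # pcap link type for Ethernet frames
ETHERTYPE_IPV4 = b"\x08\x00"   # EtherType field value for IPv4


def read_pcap_src_ips(data: bytes):
    """Yield the IPv4 source address of every parsable packet in a classic pcap.

    Stand-in for Scapy's rdpcap() + pkt[IP].src. Non-IPv4 frames and truncated
    records are skipped instead of raising, mirroring the post's try/except.
    """
    if len(data) < 24:
        raise ValueError("not a pcap file: global header too short")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:          # written on a little-endian host
        end = "<"
    elif magic == 0xD4C3B2A1:        # written on a big-endian host
        end = ">"
    else:
        raise ValueError("unsupported pcap magic %#x (pcapng is not handled)" % magic)
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        # Per-record header: ts_sec, ts_usec, captured length, original length
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < incl_len:
            break                    # file cut off mid-record (e.g. capture still running)
        if len(frame) < 14 + 20:
            continue                 # too short to hold Ethernet + IPv4 headers
        if frame[12:14] != ETHERTYPE_IPV4:
            continue                 # ARP, IPv6, VLAN-tagged, ... are skipped
        ip = frame[14:]
        if ip[0] >> 4 != 4:
            continue                 # EtherType says IPv4 but version nibble disagrees
        yield ".".join(str(b) for b in ip[12:16])   # source address is bytes 12..15


def source_ip_counts(pcap_bytes: bytes) -> Counter:
    """Step 4: count how often each source IP appears."""
    return Counter(read_pcap_src_ips(pcap_bytes))


def xy_data(cnt: Counter):
    """Step 5: x/y lists ordered from most to least common."""
    x_data, y_data = [], []
    for ip, count in cnt.most_common():
        x_data.append(ip)
        y_data.append(count)
    return x_data, y_data


def plot_source_ips(pcap_bytes: bytes, out_html: str = "src_ip_occurrence.html") -> dict:
    """Steps 6 and 9: build the bar chart spec and, if plotly is installed, render it."""
    x_data, y_data = xy_data(source_ip_counts(pcap_bytes))
    figure = {
        "data": [{"type": "bar", "x": x_data, "y": y_data}],
        "layout": {"title": "Source IP Occurrence",
                   "xaxis": {"title": "Src IP"}, "yaxis": {"title": "Count"}},
    }
    try:
        from plotly.offline import plot
    except ImportError:
        return figure                # plotly missing: hand back the figure spec only
    plot(figure, filename=out_html, auto_open=False)
    return figure


# --- constructed sample capture (no real traffic) -------------------------------
def _ipv4_frame(src: str, dst: str) -> bytes:
    """Ethernet + bare IPv4 header with the given addresses; checksums are left zero."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, src_b, dst_b)
    return eth + ip


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap file."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
            for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


SAMPLE_PCAP = build_pcap([
    _ipv4_frame("10.0.0.5", "10.0.0.1"),
    _ipv4_frame("10.0.0.5", "10.0.0.1"),
    _ipv4_frame("10.0.0.5", "192.168.1.9"),
    _ipv4_frame("192.168.1.9", "10.0.0.5"),
    _ipv4_frame("172.16.0.2", "10.0.0.1"),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,   # ARP frame: skipped
    b"\x00" * 10,                                # junk record: skipped
])

if __name__ == "__main__":
    fig = plot_source_ips(SAMPLE_PCAP)
    print(fig["data"][0]["x"], fig["data"][0]["y"])
```

To use it on a real capture, replace SAMPLE_PCAP with open("example.pcap", "rb").read(); the reader deliberately handles only the classic pcap format and Ethernet/IPv4, so pcapng files from newer tcpdump or Wireshark builds raise a ValueError rather than returning an empty (and misleading) chart.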
Step 7
To run it, create a PCAP with tcpdump:
sudo tcpdump -w example.pcap -c10000
Step 8
Now run the program and explore the results in your browser:
Step 9
This step is optional, but since the goal is to visualize the data, adding a title and axis labels makes the chart much easier to read. Adding the "layout" key to the plot gives you that.
plotly.offline.plot({
    "data": [plotly.graph_objs.Bar(x=xData, y=yData)],
    "layout": plotly.graph_objs.Layout(title="Source IP Occurrence",
                                       xaxis=dict(title="Src IP"),
                                       yaxis=dict(title="Count"))
})
I hope this helped you out with visualizing packet data using Python. As always, feel free to comment or ask questions and tune in tomorrow for Visualizing Network Data Using Python: Part 3!