

At NVISO Labs, we are constantly trying to find better ways of understanding the data our analysts are looking at. This ranges from our SOC analysts looking at millions of collected data points per day all the way to the malware analyst tearing apart a malware sample and trying to make sense of its behaviour. In this context, our work often involves investigating raw network traffic logs. Analysing these often takes a lot of time: a 1MB network traffic capture (PCAP) can easily contain several hundred different packets (and most captures are much larger!). Going through these network events in traditional tools such as Wireshark is extremely valuable; however, they are not always the best way to quickly understand, from a higher level, what is actually going on. In this blog post we want to perform a series of experiments to try and improve our understanding of captured network traffic as intuitively as possible, by exclusively using interactive visualisations.

A screen we are all familiar with – our beloved Wireshark! Unmatched capabilities to analyse even the most exotic protocols, but scrolling & filtering through events can be daunting if we want to quickly understand what is actually happening inside the PCAP. In the screenshot: a 15Kb sample containing 112 packets.

For this blog post we will use this simple 112-packet PCAP to experiment with novel ways of visualising and understanding our network data. Let's go!

Experiment 1 – Visualising network traffic using graph nodes

As a first step, we simply represent all IP packets in our PCAP as unconnected graph nodes. Each dot in the visualisation represents the source of a packet. A packet being sent from source A to destination B is visualised as the dot visually traveling from A to B. This simple principle is highlighted below. For our experiments, the time dimension is normalised: each packet traveling from A to B is visualised in the order in which it took place, but we don't distinguish the duration between packets for now.

IP traffic illustrated as interactive nodes.

This visualisation already allows us to quickly see and understand a few things:
- We quickly see which IP addresses are most actively communicating with each other (172.29.0.111 and 172.29.0.255).
- It's quickly visible which hosts account for the "bulk" of the traffic.
- We see how interactions between systems change as time moves on.

A few shortcomings of this first experiment include:
- We have no clue about the actual content of the network communication (is this DNS? HTTP? Something else?).
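As an added example (not code from the NVISO post), here is the data reduction behind Experiment 1 in Python: a minimal libpcap parser pulls the ordered (source, destination) pairs out of a capture, with time normalised to packet order, and ranks host pairs by packet count to find the "bulk" talkers. The capture is constructed in memory; the packets and the third-party addresses are made up for the example, and only the two 172.29.0.x hosts mirror the post.

```python
import struct
from collections import Counter

# Constructed sample: build a tiny libpcap file in memory (Ethernet + IPv4),
# standing in for the 112-packet capture used in the post. These packets are
# made up for the example; only the two 172.29.0.x hosts come from the text.
def ipv4_frame(src, dst, payload=b"x" * 20):
    """Minimal Ethernet II frame carrying an IPv4 header (no checksum, no L4)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst/src MAC, EtherType IPv4
    total_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload

def build_pcap(packets):
    """Wrap raw frames in libpcap global + per-record headers (little-endian)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(packets):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def packet_flows(pcap_bytes):
    """Return the ordered (src, dst) list: the 'dot travels from A to B' sequence.
    Time is normalised to packet order, as in Experiment 1; durations are dropped."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack_from(end + "I", pcap_bytes, 20)
    assert linktype == 1, "example handles Ethernet captures only"
    flows, off = [], 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":   # IPv4 only, like the post
            src = ".".join(map(str, frame[26:30]))
            dst = ".".join(map(str, frame[30:34]))
            flows.append((src, dst))
    return flows

def bulk_talkers(flows, top=3):
    """Rank unordered host pairs by packet count: which nodes carry the bulk of traffic."""
    pairs = Counter(frozenset(f) for f in flows)
    return [(tuple(sorted(p)), n) for p, n in pairs.most_common(top)]

SAMPLE = build_pcap(
    [ipv4_frame("172.29.0.111", "172.29.0.255")] * 6
    + [ipv4_frame("172.29.0.20", "172.29.0.111"), ipv4_frame("172.29.0.111", "172.29.0.20")]
    + [ipv4_frame("172.29.0.55", "8.8.8.8")]
)
```

Because only endpoints are extracted, the result shares the first experiment's blind spot: it says nothing about what protocol or content travels between the hosts.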
