Graph Exchange
A day of IDS (Snort) event data
Pkviz source code / Xcode project now available free under GPL3
All, I've decided to make the source / Xcode project for pkviz (packet structure visualizer/animator) available for free download under GPL3. Check out the details here:
From that link you can find the zipped project as well as a link to the Google Code project for it if you'd like to contribute. OS X only, unfortunately.
Apoena
The goal is to analyze Snort logs in order to get a general view of the network events. On your left you have the attacker view, where a sector graph is plotted with quantity (radius) and attack priorities (red, yellow, green); on your right you have the victims view with the same information. There is the ability to filter by protocol (TCP, UDP, ICMP) and by priority. This graph is interactive, and you can get the original log with a right mouse click.
This is the abstract of the paper, the original was written in portuguese.
ABSTRACT
The compromise of computer systems generates evidence on various devices such as routers, operating systems and applications. Monitoring and analyzing this large amount of data is a challenge for network administrators. One way of analyzing large amounts of data, like that generated in these cases, is to use information visualization to provide one or more graphics capable of summarizing data and translating it into information. This work presents a study on the use of visualization techniques applied to information security and the monitoring of computer networks, with emphasis on visual analysis of logs generated by the intrusion detection system Snort. It also reports the development of a software called Apoena, which aims to analyze the alerts generated by Snort, using graphs and pie charts for displaying the network events.
Pkviz: Packet Visualizer / Animator tool Available for Download (Mac OS X)
Per my earlier packet visualizer post, I have an app available for Mac OS X users to download. You can grab it here:
http://sintixerr.wordpress.com/pkviz-packet-visualizer-and-animator/
The app takes tcpdump ascii-hex output (the -X option) and animates through all the packets in a file. It splits the packets into bytes, with position in the packet providing the X axis values and byte value in a given position providing the Y values. You can select a window of packets to display at once (defaults to 30) to see patterns over time. If packet headers are more interesting than payload, there is an option to expand the proportion of space taken by header data so it's easier to see. There are also options to pause the animation, move forward and back one packet at a time, and jump to specific packets. Finally, if you want to look at the base data for a given packet, you can display the packet in hex.
Right now, I've found there's a rough top limit of 3000 packets, but it really depends on your machine.
Animated Network Packet Structure Visualization
So I'm almost ready to release a tool that reads/parses ascii tcpdump logs and animates visualizations of the structure of the packets in the file in sequence. You can find a video of it here:
http://www.flickr.com/photos/sintixerr/4094209162/
(Try it HD, full screen)
The packets are laid out left to right, from byte 0 to byte 1500ish. The Y axis is based on the value seen in a given position in the packet (0-255). Colors are based on a combination of "value in position difference from average" and "first byte of the source IP". (Although this will eventually be somewhat customizable... it's just what I have in there now.) The app then displays the packets over time... using a window of 1-N packets at a time (depending on the dataset, different windows help you see patterns you wouldn't otherwise). The further back in the window a packet is, the more transparent/faded it is... this helps distinguish between newer/older packets being seen as well as helping with smoother animations of patterns seen. The app will let you stop the animation at a given point, change how many packets are seen on the fly (so, if you want to see 1 at a time, you can), and step manually through the packets (backward or forward). At some point, I hope to be able to show what value/position combination each of the dots represents if you hover over them.
For me, I use this to get an idea of the boundaries of protocols I don't know, look for "unusual" packets, and look for correlations I wasn't previously aware of between values.
(In this set, the far left will be the TCP/IP headers, but the bulk right of that is payload... you can tell most of the payload is human-readable... the values fall into ASCII ranges more than anything else)
http://sintixerr.wordpress.com
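The parsing and plotting steps described in the two pkviz posts above, as an added example in Python that is not the author's code: it parses `tcpdump -X` output into packets, computes the per-offset mean over a window of packets that feeds the "difference from average" colour input, reads the first byte of the source IP (assumed at offset 12, i.e. plain -X output with no link-layer header), and locates the header/payload boundary so the "payload is mostly ASCII" observation can be measured. The sample capture is constructed, not real traffic.

```python
import re
# Constructed `tcpdump -X` output: two IPv4/TCP packets, not captured traffic.
SAMPLE = """\
12:00:00.000001 IP 192.168.1.10.54321 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
    0x0000:  4500 003c 1c46 4000 4006 b1e6 c0a8 010a  E..<.F@.@.......
    0x0010:  0a00 0005 d431 0050 0000 0001 0000 0000  .....1.P........
    0x0020:  a002 faf0 0000 0000 0204 05b4 0402 080a  ................
    0x0030:  0000 0000 0000 0000 0103 0307            ............
12:00:00.000002 IP 10.0.0.5.80 > 192.168.1.10.54321: Flags [P.], seq 1:7, ack 2, win 512, length 6
    0x0000:  4500 002e 0000 4000 4006 0000 0a00 0005  E.....@.@.......
    0x0010:  c0a8 010a 0050 d431 0000 0001 0000 0002  .........1......
    0x0020:  5018 0200 0000 0000 4845 4c4c 4f0a       P.......HELLO.
"""

def parse_tcpdump_x(text):
    """One bytes object per packet; a non-indented line (the summary line) starts a new packet."""
    packets, current = [], []
    for line in text.splitlines():
        if line[:1].isspace() and line.lstrip().startswith("0x"):
            # "0x0010:  <hex groups>  <ascii>": split on 2+ spaces so ASCII that looks like hex is ignored
            hex_col = re.split(r"\s{2,}", line.strip())[1]
            current.append(bytes.fromhex(hex_col.replace(" ", "")))
        elif current:
            packets.append(b"".join(current))
            current = []
    if current:
        packets.append(b"".join(current))
    return packets

def position_means(window):
    """Mean byte value at each offset over a window of packets (short packets skip offsets they lack)."""
    return [sum(p[i] for p in window if i < len(p)) / sum(1 for p in window if i < len(p))
            for i in range(max(len(p) for p in window))]

def dots(pkt, window):
    """Per plotted dot: (X = offset, Y = value, deviation from window mean, first source-IP byte at offset 12)."""
    means = position_means(window)
    return [(i, v, v - means[i], pkt[12]) for i, v in enumerate(pkt)]

def payload_start(pkt):
    """Offset where the transport payload begins, from the IPv4 IHL and TCP data-offset fields."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == 6:                     # TCP: header length is the high nibble of its 13th byte, in words
        return ihl + (pkt[ihl + 12] >> 4) * 4
    return ihl

def printable_fraction(pkt):
    """Share of payload bytes in printable ASCII: the 'human-readable payload' cue from the post."""
    payload = pkt[payload_start(pkt):]
    return sum(0x20 <= b <= 0x7E for b in payload) / len(payload) if payload else 0.0
```

The second constructed packet carries a six-byte payload of which five bytes are printable, so its fraction is 5/6, while the SYN has no payload at all.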
Mac Screensaver
Team Cymru launched a Mac OS X screensaver that displays a global infection map on a rotating globe, together with an RSS and Twitter feed. http://www.team-cymru.org/News/Screensaver/
YouTube movie
Hi all, Team Cymru has posted a movie of some of the visualizations we've made on YouTube. www.youtube.com/watch?v=8IBy87mVpcw
This movie shows DDoS attacks, botnet command and control servers, malware relationships and similar visualizations.
Other visualizations that might be of interest :
www.team-cymru.org/Monitoring/Malevolence/irccnc.html
www.team-cymru.org/Monitoring/Malevolence/maps.html
Heatmap animation of worldwide compromised machines
Marcel
Circos - Inappropriate Email Content Investigation
Mapping links between users sending inappropriate content via emails using Circos
fifth.sentinel
3D network map with different OS
A 3D map of my network with nmap and MySQL. We made it by using VRML.
So, the blue colour is Windows computers and the red one is Linux; the others, in yellow, are the printers (the height is the number of open ports).
It is very easy to compare two different scans (different days or weeks). When the cylinder is blue (Microsoft computer) with a black cylinder, that is the difference in ports between the two scans: there are some new ports in this one.
It is possible to see it from the front, top, left or right using a VRML player.
:-))