When analyzing network traffic, the easiest way to grasp the “big picture” is to visualize the data. One of the easiest ways to draw network graphs is the GraphViz package, an open source graph visualization tool.
Dot language
The DOT language describes nodes and edges, which in our case we will extract from the analyzed pcap files.
I’m not going to go into much detail about the DOT language; check out the GraphViz website for documentation and tutorials. There are also good tutorials on YouTube and on various blogs.
If you want to play with DOT, I can highly recommend the Dot plugin for Visual Studio Code. It gives you a real-time preview of your graph and makes working with DOT a real pleasure.
Log to graph
Let’s look at an example log file created with tshark. Each packet becomes one line of two double-quoted fields, source and destination address, and sort | uniq collapses repeated pairs into a single line:
$ tshark -r example.pcap -T fields -E separator=, -E quote=d -e ip.src -e ip.dst | sort | uniq > tcp.log
$ head tcp.log
"130.236.100.79","192.168.0.2"
"192.168.0.1","192.168.0.51"
"192.168.0.1","239.255.255.250"
"192.168.0.2","130.236.100.79"
"192.168.0.2","188.126.88.9"
"192.168.0.2","194.71.144.71"
"192.168.0.2","213.155.151.149"
"192.168.0.2","213.155.151.150"
"192.168.0.2","213.155.151.151"
"192.168.0.2","213.155.151.155"
This gives us a nice and easy way to create a graph with dot. The output is written to tcp.dot, which the layout step below reads, and tee also shows it on the terminal:
$ { echo "graph {"; awk -F, '{print $1 " -- " $2 ";"}' tcp.log; echo "}"; } | tee tcp.dot
graph {
"104.118.221.147" -- "192.168.10.9";
"104.16.28.216" -- "192.168.10.51";
"104.88.107.204" -- "192.168.10.5";
"104.88.60.48" -- "192.168.10.5";
"128.100.100.128" -- "192.168.10.12";
"128.100.100.128" -- "192.168.10.17";
"128.100.100.128" -- "192.168.10.19";
"129.128.12.20" -- "192.168.10.12";
"129.128.12.20" -- "192.168.10.16";
"129.128.12.20" -- "192.168.10.17";
"129.128.12.20" -- "192.168.10.19";
"129.6.15.29" -- "192.168.10.50";
"131.253.34.240" -- "192.168.10.5";
"131.253.61.82" -- "192.168.10.14";
"134.170.104.154" -- "192.168.10.15";
"134.170.30.202" -- "192.168.10.5";
"134.170.51.188" -- "192.168.10.14";
"136.179.236.67" -- "192.168.10.9";
"136.179.236.72" -- "192.168.10.9";
"144.217.148.73" -- "192.168.10.12";
"144.217.148.73" -- "192.168.10.16";
"144.217.148.73" -- "192.168.10.17";
"144.217.148.73" -- "192.168.10.19";
"144.217.164.10" -- "192.168.10.16";
"144.217.164.10" -- "192.168.10.17";
"144.217.164.10" -- "192.168.10.19";
"144.217.164.10" -- "192.168.10.50";
"144.217.252.208" -- "192.168.10.12";
"144.217.252.208" -- "192.168.10.16";
"144.217.252.208" -- "192.168.10.17";
"144.217.252.208" -- "192.168.10.19";
"144.217.95.60" -- "192.168.10.16";
"144.217.95.60" -- "192.168.10.17";
"144.217.95.60" -- "192.168.10.19";
"157.240.18.19" -- "192.168.10.51";
"157.240.2.35" -- "192.168.10.51";
"158.69.125.231" -- "192.168.10.16";
"158.69.125.231" -- "192.168.10.17";
"158.69.125.231" -- "192.168.10.19";
"162.213.33.44" -- "192.168.10.51";
"162.213.33.50" -- "192.168.10.51";
"172.217.10.110" -- "192.168.10.51";
"172.217.10.131" -- "192.168.10.5";
"172.217.10.78" -- "192.168.10.5";
"172.217.10.78" -- "192.168.10.51";
"172.217.11.2" -- "192.168.10.51";
"172.217.11.46" -- "192.168.10.51";
"172.217.12.131" -- "192.168.10.5";
"172.217.12.194" -- "192.168.10.51";
"172.217.12.195" -- "192.168.10.5";
"172.217.6.206" -- "192.168.10.5";
"172.217.6.225" -- "192.168.10.51";
"172.217.9.228" -- "192.168.10.5";
"178.255.83.1" -- "192.168.10.51";
"184.25.102.48" -- "192.168.10.5";
"184.84.243.218" -- "192.168.10.51";
"192.168.10.1" -- "192.168.10.3";
"192.168.10.1 -- 192.168.10.3";
"192.168.10.12" -- "128.100.100.128";
"192.168.10.12" -- "129.128.12.20";
"192.168.10.12" -- "144.217.148.73";
"192.168.10.12" -- "144.217.252.208";
"192.168.10.12" -- "192.168.10.255";
"192.168.10.12" -- "192.168.10.3";
"192.168.10.12" -- "199.182.221.110";
"192.168.10.12" -- "199.19.167.36";
"192.168.10.12" -- "206.108.0.132";
"192.168.10.12" -- "206.75.89.101";
"192.168.10.12" -- "224.0.0.22";
"192.168.10.12" -- "224.0.0.251";
"192.168.10.12" -- "255.255.255.255";
"192.168.10.12" -- "47.55.177.238";
"192.168.10.12" -- "91.189.89.198";
"192.168.10.12" -- "91.189.89.199";
"192.168.10.12 -- 192.168.10.3";
"192.168.10.14" -- "131.253.61.82";
"192.168.10.14" -- "134.170.51.188";
"192.168.10.14" -- "192.168.10.255";
"192.168.10.14" -- "192.168.10.3";
"192.168.10.14" -- "224.0.0.22";
"192.168.10.14" -- "224.0.0.252";
"192.168.10.14" -- "23.15.4.8";
"192.168.10.14" -- "23.61.187.27";
"192.168.10.14" -- "23.63.226.146";
"192.168.10.14" -- "255.255.255.255";
"192.168.10.14" -- "40.83.143.209";
"192.168.10.14" -- "64.4.54.253";
"192.168.10.14" -- "64.4.54.254";
"192.168.10.14" -- "64.4.54.36";
"192.168.10.14" -- "65.52.98.233";
"192.168.10.14 -- 192.168.10.3";
"192.168.10.15" -- "134.170.104.154";
"192.168.10.15" -- "192.168.10.3";
"192.168.10.15" -- "224.0.0.22";
"192.168.10.15" -- "64.4.54.254";
"192.168.10.16" -- "128.100.100.128";
"192.168.10.16" -- "129.128.12.20";
"192.168.10.16" -- "144.217.148.73";
"192.168.10.16" -- "144.217.164.10";
"192.168.10.16" -- "144.217.252.208";
"192.168.10.16" -- "144.217.95.60";
"192.168.10.16" -- "158.69.125.231";
"192.168.10.16" -- "192.168.10.255";
"192.168.10.16" -- "192.168.10.3";
"192.168.10.16" -- "199.182.221.110";
"192.168.10.16" -- "206.108.0.132";
"192.168.10.16" -- "206.108.0.134";
"192.168.10.16" -- "224.0.0.251";
"192.168.10.16" -- "255.255.255.255";
"192.168.10.16" -- "66.70.172.17";
"192.168.10.16" -- "91.189.89.198";
"192.168.10.16" -- "91.189.91.157";
"192.168.10.16" -- "99.224.25.39";
"192.168.10.16 -- 192.168.10.3";
"192.168.10.17" -- "128.100.100.128";
"192.168.10.17" -- "129.128.12.20";
"192.168.10.17" -- "144.217.148.73";
"192.168.10.17" -- "144.217.164.10";
"192.168.10.17" -- "144.217.252.208";
"192.168.10.17" -- "144.217.95.60";
"192.168.10.17" -- "158.69.125.231";
"192.168.10.17" -- "192.168.10.255";
"192.168.10.17" -- "192.168.10.3";
"192.168.10.17" -- "199.182.221.110";
"192.168.10.17" -- "199.19.167.36";
"192.168.10.17" -- "206.108.0.132";
"192.168.10.17" -- "206.108.0.133";
"192.168.10.17" -- "206.108.0.134";
"192.168.10.17" -- "206.75.89.101";
"192.168.10.17" -- "224.0.0.22";
"192.168.10.17" -- "224.0.0.251";
"192.168.10.17" -- "47.55.177.238";
"192.168.10.17" -- "66.70.172.17";
"192.168.10.17" -- "91.189.89.198";
"192.168.10.17" -- "91.189.89.199";
"192.168.10.17" -- "91.189.91.157";
"192.168.10.17" -- "99.224.25.39";
"192.168.10.17 -- 192.168.10.3";
"192.168.10.19" -- "128.100.100.128";
"192.168.10.19" -- "129.128.12.20";
"192.168.10.19" -- "144.217.148.73";
"192.168.10.19" -- "144.217.164.10";
"192.168.10.19" -- "144.217.252.208";
"192.168.10.19" -- "144.217.95.60";
"192.168.10.19" -- "158.69.125.231";
"192.168.10.19" -- "192.168.10.255";
"192.168.10.19" -- "192.168.10.3";
"192.168.10.19" -- "199.182.221.110";
"192.168.10.19" -- "199.19.167.36";
"192.168.10.19" -- "206.108.0.132";
"192.168.10.19" -- "206.108.0.133";
"192.168.10.19" -- "206.108.0.134";
"192.168.10.19" -- "206.75.89.101";
"192.168.10.19" -- "224.0.0.22";
"192.168.10.19" -- "224.0.0.251";
"192.168.10.19" -- "47.55.177.238";
"192.168.10.19" -- "66.70.172.17";
"192.168.10.19" -- "91.189.89.198";
"192.168.10.19" -- "91.189.89.199";
"192.168.10.19" -- "91.189.91.157";
"192.168.10.19" -- "99.224.25.39";
"192.168.10.3" -- "192.168.10.1";
"192.168.10.3" -- "192.168.10.12";
"192.168.10.3" -- "192.168.10.14";
"192.168.10.3" -- "192.168.10.15";
"192.168.10.3" -- "192.168.10.16";
"192.168.10.3" -- "192.168.10.17";
"192.168.10.3" -- "192.168.10.19";
"192.168.10.3" -- "192.168.10.255";
"192.168.10.3" -- "192.168.10.5";
"192.168.10.3" -- "192.168.10.50";
"192.168.10.3" -- "192.168.10.51";
"192.168.10.3" -- "192.168.10.8";
"192.168.10.3" -- "192.168.10.9";
"192.168.10.3" -- "224.0.0.252";
"192.168.10.3" -- "224.0.1.24";
"192.168.10.3" -- "65.52.108.186";
"192.168.10.5" -- "104.88.107.204";
"192.168.10.5" -- "104.88.60.48";
"192.168.10.5" -- "131.253.34.240";
"192.168.10.5" -- "134.170.30.202";
"192.168.10.5" -- "172.217.10.131";
"192.168.10.5" -- "172.217.10.78";
"192.168.10.5" -- "172.217.12.131";
"192.168.10.5" -- "172.217.12.195";
"192.168.10.5" -- "172.217.6.206";
"192.168.10.5" -- "172.217.9.228";
"192.168.10.5" -- "184.25.102.48";
"192.168.10.5" -- "192.168.10.255";
"192.168.10.5" -- "192.168.10.3";
"192.168.10.5" -- "198.41.215.185";
"192.168.10.5" -- "224.0.0.22";
"192.168.10.5" -- "224.0.0.252";
"192.168.10.5" -- "23.15.4.19";
"192.168.10.5" -- "23.15.4.9";
"192.168.10.5" -- "23.202.233.152";
"192.168.10.5" -- "23.217.41.219";
"192.168.10.5" -- "23.50.75.27";
"192.168.10.5" -- "23.52.146.130";
"192.168.10.5" -- "23.66.239.97";
"192.168.10.5" -- "239.255.255.250";
"192.168.10.5" -- "255.255.255.255";
"192.168.10.5" -- "52.84.145.75";
"192.168.10.5" -- "54.69.227.52";
"192.168.10.5" -- "65.55.242.254";
"192.168.10.5" -- "65.55.252.71";
"192.168.10.5" -- "65.55.252.93";
"192.168.10.5" -- "72.21.91.29";
"192.168.10.50" -- "129.6.15.29";
"192.168.10.50" -- "144.217.164.10";
"192.168.10.50" -- "192.168.10.12";
"192.168.10.50" -- "192.168.10.16";
"192.168.10.50" -- "192.168.10.17";
"192.168.10.50" -- "192.168.10.19";
"192.168.10.50" -- "192.168.10.255";
"192.168.10.50" -- "192.168.10.3";
"192.168.10.50" -- "192.168.10.51";
"192.168.10.50" -- "192.168.10.9";
"192.168.10.50" -- "224.0.0.251";
"192.168.10.50" -- "24.86.68.24";
"192.168.10.51" -- "104.16.28.216";
"192.168.10.51" -- "157.240.18.19";
"192.168.10.51" -- "157.240.2.35";
"192.168.10.51" -- "162.213.33.44";
"192.168.10.51" -- "162.213.33.50";
"192.168.10.51" -- "172.217.10.110";
"192.168.10.51" -- "172.217.10.78";
"192.168.10.51" -- "172.217.11.2";
"192.168.10.51" -- "172.217.11.46";
"192.168.10.51" -- "172.217.12.194";
"192.168.10.51" -- "172.217.6.225";
"192.168.10.51" -- "178.255.83.1";
"192.168.10.51" -- "184.84.243.218";
"192.168.10.51" -- "192.168.10.255";
"192.168.10.51" -- "192.168.10.3";
"192.168.10.51" -- "192.168.10.50";
"192.168.10.51" -- "194.226.130.228";
"192.168.10.51" -- "199.96.57.6";
"192.168.10.51" -- "209.85.144.155";
"192.168.10.51" -- "224.0.0.22";
"192.168.10.51" -- "224.0.0.251";
"192.168.10.51" -- "23.111.11.211";
"192.168.10.51" -- "23.61.187.27";
"192.168.10.51" -- "255.255.255.255";
"192.168.10.51" -- "50.63.243.230";
"192.168.10.51" -- "72.21.91.29";
"192.168.10.51" -- "87.240.165.80";
"192.168.10.51" -- "87.250.250.119";
"192.168.10.51" -- "87.250.251.119";
"192.168.10.51" -- "88.212.201.193";
"192.168.10.51" -- "91.189.89.144";
"192.168.10.51" -- "91.189.94.25";
"192.168.10.51" -- "91.189.95.15";
"192.168.10.51" -- "91.221.199.170";
"192.168.10.51" -- "91.236.51.100";
"192.168.10.51" -- "91.236.51.131";
"192.168.10.51" -- "91.236.51.134";
"192.168.10.51" -- "91.236.51.44";
"192.168.10.51" -- "91.236.51.45";
"192.168.10.51" -- "91.236.51.54";
"192.168.10.51" -- "91.236.51.69";
"192.168.10.51 -- 192.168.10.3";
"192.168.10.8" -- "192.168.10.255";
"192.168.10.8" -- "192.168.10.3";
"192.168.10.8" -- "224.0.0.22";
"192.168.10.8" -- "224.0.0.252";
"192.168.10.8" -- "255.255.255.255";
"192.168.10.9" -- "104.118.221.147";
"192.168.10.9" -- "136.179.236.67";
"192.168.10.9" -- "136.179.236.72";
"192.168.10.9" -- "192.168.10.255";
"192.168.10.9" -- "192.168.10.3";
"192.168.10.9" -- "192.168.10.50";
"192.168.10.9" -- "224.0.0.22";
"192.168.10.9" -- "224.0.0.252";
"192.168.10.9" -- "23.15.4.17";
"192.168.10.9" -- "23.15.4.24";
"192.168.10.9" -- "23.15.4.8";
"192.168.10.9" -- "255.255.255.255";
"192.168.10.9" -- "52.10.50.117";
"192.168.10.9" -- "52.11.17.245";
"192.168.10.9" -- "54.192.36.242";
"192.168.10.9" -- "66.61.168.121";
"192.168.10.9" -- "69.28.187.147";
"192.168.10.9" -- "72.21.91.29";
"192.168.10.9" -- "74.125.29.108";
"194.226.130.228" -- "192.168.10.51";
"198.41.215.185" -- "192.168.10.5";
"199.182.221.110" -- "192.168.10.12";
"199.182.221.110" -- "192.168.10.16";
"199.182.221.110" -- "192.168.10.17";
"199.182.221.110" -- "192.168.10.19";
"199.19.167.36" -- "192.168.10.12";
"199.19.167.36" -- "192.168.10.17";
"199.19.167.36" -- "192.168.10.19";
"199.96.57.6" -- "192.168.10.51";
"206.108.0.132" -- "192.168.10.12";
"206.108.0.132" -- "192.168.10.16";
"206.108.0.132" -- "192.168.10.17";
"206.108.0.132" -- "192.168.10.19";
"206.108.0.133" -- "192.168.10.17";
"206.108.0.133" -- "192.168.10.19";
"206.108.0.134" -- "192.168.10.16";
"206.108.0.134" -- "192.168.10.17";
"206.108.0.134" -- "192.168.10.19";
"206.75.89.101" -- "192.168.10.12";
"206.75.89.101" -- "192.168.10.17";
"206.75.89.101" -- "192.168.10.19";
"209.85.144.155" -- "192.168.10.51";
"23.111.11.211" -- "192.168.10.51";
"23.15.4.17" -- "192.168.10.9";
"23.15.4.19" -- "192.168.10.5";
"23.15.4.24" -- "192.168.10.9";
"23.15.4.8" -- "192.168.10.14";
"23.15.4.8" -- "192.168.10.9";
"23.15.4.9" -- "192.168.10.5";
"23.202.233.152" -- "192.168.10.5";
"23.217.41.219" -- "192.168.10.5";
"23.50.75.27" -- "192.168.10.5";
"23.52.146.130" -- "192.168.10.5";
"23.61.187.27" -- "192.168.10.14";
"23.61.187.27" -- "192.168.10.51";
"23.63.226.146" -- "192.168.10.14";
"23.66.239.97" -- "192.168.10.5";
"24.86.68.24" -- "192.168.10.50";
"40.83.143.209" -- "192.168.10.14";
"47.55.177.238" -- "192.168.10.12";
"47.55.177.238" -- "192.168.10.17";
"47.55.177.238" -- "192.168.10.19";
"50.63.243.230" -- "192.168.10.51";
"52.10.50.117" -- "192.168.10.9";
"52.11.17.245" -- "192.168.10.9";
"52.84.145.75" -- "192.168.10.5";
"54.192.36.242" -- "192.168.10.9";
"54.69.227.52" -- "192.168.10.5";
"64.4.54.253" -- "192.168.10.14";
"64.4.54.254" -- "192.168.10.14";
"64.4.54.254" -- "192.168.10.15";
"64.4.54.36" -- "192.168.10.14";
"65.52.108.186" -- "192.168.10.3";
"65.52.98.233" -- "192.168.10.14";
"65.55.242.254" -- "192.168.10.5";
"65.55.252.93" -- "192.168.10.5";
"66.61.168.121" -- "192.168.10.9";
"66.70.172.17" -- "192.168.10.16";
"66.70.172.17" -- "192.168.10.17";
"66.70.172.17" -- "192.168.10.19";
"69.28.187.147" -- "192.168.10.9";
"72.21.91.29" -- "192.168.10.5";
"72.21.91.29" -- "192.168.10.51";
"72.21.91.29" -- "192.168.10.9";
"74.125.29.108" -- "192.168.10.9";
"87.240.165.80" -- "192.168.10.51";
"87.250.250.119" -- "192.168.10.51";
"87.250.251.119" -- "192.168.10.51";
"88.212.201.193" -- "192.168.10.51";
"91.189.89.144" -- "192.168.10.51";
"91.189.89.198" -- "192.168.10.12";
"91.189.89.198" -- "192.168.10.16";
"91.189.89.198" -- "192.168.10.17";
"91.189.89.198" -- "192.168.10.19";
"91.189.89.199" -- "192.168.10.12";
"91.189.89.199" -- "192.168.10.17";
"91.189.89.199" -- "192.168.10.19";
"91.189.91.157" -- "192.168.10.16";
"91.189.91.157" -- "192.168.10.17";
"91.189.91.157" -- "192.168.10.19";
"91.189.94.25" -- "192.168.10.51";
"91.189.95.15" -- "192.168.10.51";
"91.221.199.170" -- "192.168.10.51";
"91.236.51.100" -- "192.168.10.51";
"91.236.51.131" -- "192.168.10.51";
"91.236.51.134" -- "192.168.10.51";
"91.236.51.44" -- "192.168.10.51";
"91.236.51.45" -- "192.168.10.51";
"91.236.51.54" -- "192.168.10.51";
"91.236.51.69" -- "192.168.10.51";
"99.224.25.39" -- "192.168.10.16";
"99.224.25.39" -- "192.168.10.17";
"99.224.25.39" -- "192.168.10.19";
}
$ fdp -o tcp.png -Tpng tcp.dot
Now we have an image named tcp.png that shows the different hosts and how they communicate with each other.
Ok, that’s it. Hopefully you got something out of this, and I’ll see you in the next post.
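The awk one-liner splits on every comma, which is why a few lines in the listing above come out as one quoted node such as "192.168.10.1 -- 192.168.10.3" instead of an edge: when a packet carries more than one IP header (an ICMP error quoting the offending datagram, for example), tshark joins the multiple ip.src values with commas inside a single quoted field, and the raw split lands on the inner comma. The script below is an added example, not the post's own pipeline. It reads the same tshark CSV with a real CSV parser, keeps only the outermost header of a multi-valued field, folds (a, b) and (b, a) into one undirected edge, and scales each edge by the number of packets seen. The sample log, the penwidth formula and the file name pcap2dot.py are assumptions of this example; the counts are only meaningful if you feed it the raw tshark output rather than the sort | uniq'd tcp.log, where every pair appears once.

```python
"""Convert tshark's quoted CSV (-e ip.src -e ip.dst) into an undirected DOT graph.

Added example for the post above, not the author's script. It assumes the input
was produced by: tshark -T fields -E separator=, -E quote=d -e ip.src -e ip.dst
"""
import csv
import io
import sys
from collections import Counter

# Constructed sample in the shape tshark writes (not real capture data).
# The fourth line imitates an ICMP error that quotes another IP header, so both
# fields hold two comma-separated addresses inside one pair of quotes.
SAMPLE_LOG = '''"192.168.0.2","130.236.100.79"
"130.236.100.79","192.168.0.2"
"192.168.0.2","130.236.100.79"
"192.168.0.1,192.168.0.51","192.168.0.51,192.168.0.1"
"192.168.0.1","239.255.255.250"
'''


def outer_ip(field):
    """Return the outermost IP header's address from a possibly multi-valued field.

    tshark lists the outer header first, so the first value is the one that was
    actually on the wire; the rest belong to the quoted (inner) datagram.
    """
    return field.split(",")[0].strip()


def count_pairs(text):
    """Count packets per unordered host pair.

    The post draws an undirected graph, so (a, b) and (b, a) are the same edge;
    sorting the tuple makes them hash to one key.
    """
    pairs = Counter()
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2:
            continue  # blank or malformed line (e.g. a frame without an IP layer)
        src, dst = outer_ip(row[0]), outer_ip(row[1])
        if not src or not dst:
            continue  # non-IP frames leave the fields empty
        pairs[tuple(sorted((src, dst)))] += 1
    return pairs


def to_dot(pairs):
    """Emit DOT text; thicker, labelled edges mark busier conversations."""
    lines = ["graph {"]
    for (a, b), n in sorted(pairs.items()):
        # Assumed scaling: one extra pixel of width per two packets.
        lines.append(f'  "{a}" -- "{b}" [penwidth={1 + n // 2}, label="{n}"];')
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python3 pcap2dot.py tcp.log > tcp.dot ; with no argument the
    # constructed sample is used.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else io.StringIO(SAMPLE_LOG)
    with source:
        sys.stdout.write(to_dot(count_pairs(source.read())))
```

Render the result exactly as in the post, with fdp -Tpng -o tcp.png tcp.dot. Because the CSV module respects the quotes, the multi-valued line in the sample becomes a single clean edge between 192.168.0.1 and 192.168.0.51 rather than a stray node.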