In the first part of this how-to, Visualizing Network Data Using Python: Part 1, we introduced packet analysis using Python and Scapy. Building on those skills, we will make a few small modifications to visualize the data using Plotly, an extremely powerful Python graphing package. In this example we will create a graph of the occurrence of source IPs in a PCAP file.

Step 1
Before we start slinging code we need to install Plotly (and Scapy, the package from the previous part). Then we will add the imports.

Installation
pip3 install plotly
pip3 install scapy-python3

Imports
from scapy.all import *
from collections import Counter
import plotly

Step 2
We will then tell Scapy to read all of the packets in the PCAP into a list. To do that, use the rdpcap function.
packets = rdpcap('example.pcap')

Step 3
Packets in Scapy are built from layers; we will only be dealing with each packet's IP layer. Each packet has attributes like source IP, destination IP, source port, destination port, bytes, etc. To print a source IP, use pkt[IP].src:
print(pkt[IP].src)

For our example we will need to read a PCAP file and store the source IP of each packet in a list. To do that, we will loop through the packets inside a try/except, as not every packet will have the information we want (malformed, retransmit, etc.). The try/except keeps the program from aborting on such a packet while reading the PCAP.

srcIP = []
for pkt in packets:
    if IP in pkt:
        try:
            srcIP.append(pkt[IP].src)
        except Exception:  # skip a packet whose IP layer cannot be read
            pass

Step 4
Now that you have a list of IPs from the packets we will use a counter to create a count of the times we see each source IP.

cnt = Counter()

for ip in srcIP:
    cnt[ip] += 1

Step 5
Now we need to create the x and y data for the graph. We'll create empty lists for both, then loop through the counter from highest to lowest count and append each IP and its count to the lists.
xData = []
yData = []
for ip, count in cnt.most_common():
    xData.append(ip)
    yData.append(count)

Step 6
Next we will create a plot. Plotly is great in that it will open the plot in your browser.

plotly.offline.plot({
    "data": [plotly.graph_objs.Bar(x=xData, y=yData)]
})

The whole script beginning-to-end looks like this:

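As an added example that is not part of the original post, here is a stand-alone version of Steps 2 through 5 that reads the PCAP with the standard library's struct module instead of Scapy, so it runs offline against the small constructed capture embedded at the bottom. It assumes a classic (not pcapng) file containing Ethernet frames, which is what tcpdump -w produces on a normal Ethernet interface, and it makes the point of the try/except concrete: an ARP frame and a truncated IPv4 header are skipped rather than aborting the count.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def iter_pcap_records(data):
    """Yield each frame in a classic (non-pcapng) pcap blob; both byte orders are handled."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xa1b2c3d4: "<", 0xd4c3b2a1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:  # 1 = LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled here")
    off = 24  # 24-byte global header; each record then has a 16-byte header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def ipv4_source(frame):
    """Source address of an IPv4 frame, or None when there is no usable IPv4 header."""
    # Need 14-byte Ethernet header + 20-byte minimum IPv4 header, EtherType 0x0800, version 4.
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return str(IPv4Address(frame[26:30]))  # src field sits at IPv4 header offset 12

def count_sources(pcap_bytes):
    """Steps 2-4 of the post: read every frame, keep IPv4 sources, count them."""
    return Counter(s for s in map(ipv4_source, iter_pcap_records(pcap_bytes)) if s)

def plot_series(cnt):  # Step 5: xData/yData ordered from most to least frequent
    pairs = cnt.most_common()
    return [ip for ip, _ in pairs], [n for _, n in pairs]

# Constructed sample capture (not real traffic) so the script runs without tcpdump.
def _ipv4(src, dst):  # minimal IPv4 header + 20 zero bytes standing in for TCP
    hdr = bytes([0x45, 0]) + struct.pack("!HHHBBH", 40, 0, 0, 64, 6, 0)
    return hdr + IPv4Address(src).packed + IPv4Address(dst).packed + b"\x00" * 20
def _frame(ethertype, payload):  # zeroed MACs + EtherType + payload
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload
def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return out

SAMPLE_PCAP = build_pcap([_frame(0x0800, _ipv4("10.0.0.5", "10.0.0.1")),
                          _frame(0x0800, _ipv4("10.0.0.5", "10.0.0.2")),
                          _frame(0x0806, b"\x00" * 28),  # ARP: no IPv4 header, skipped
                          _frame(0x0800, _ipv4("192.168.1.9", "10.0.0.5")),
                          _frame(0x0800, b"\x45" + b"\x00" * 10)])  # truncated, skipped
```

Pass the two lists returned by plot_series to the plotly.graph_objs.Bar call from Step 6 to draw the same chart from a real capture read with open('example.pcap', 'rb').read().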
Step 7
To run it, first create a PCAP with tcpdump:
sudo tcpdump -w example.pcap -c10000

Step 8
Now run the program and explore the results in your browser:

Step 9
This step is optional, but since the goal is to visualize the data, adding a title and axis labels makes it much easier to read. Adding the "layout" option to the plotly call gets you that information.
plotly.offline.plot({
    "data": [plotly.graph_objs.Bar(x=xData, y=yData)],
    "layout": plotly.graph_objs.Layout(title="Source IP Occurrence",
                                       xaxis=dict(title="Src IP"),
                                       yaxis=dict(title="Count"))})

I hope this helped you out with visualizing packet data using Python. As always, feel free to comment or ask questions and tune in tomorrow for Visualizing Network Data Using Python: Part 3!

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.
