PcapViz: Visualize network topologies & collect graph statistics based on pcap files

by do son · Published · Updated

PcapViz

PcapViz

PcapViz visualizes network topologies and provides graph statistics based on pcap files. It should be possible to determine key topological nodes or data exfiltration attempts more easily.

Features

  • Draw network topologies (Layer 2) and communication graphs (Layer 3 and 4)
  • Network topologies contain country information and connection stats
  • Collect statistics such as most frequently contacted machines

Installation

Required:

  • GraphViz
  • Download GeoIP database to ~/GeoIP.dat (https://dev.maxmind.com/geoip/)
pip install -r requirements.txt

For Debian-based distros you have to install GraphViz with some additional dependencies:



apt-get install python3-dev

apt-get install graphviz libgraphviz-dev pkg-config

 

 

Usage

usage: main.py [-h] [-i [PCAPS [PCAPS ...]]] [-o OUT] [-g GRAPHVIZ] [--layer2]

               [--layer3] [--layer4] [-fi] [-fo]



pcap topology drawer



optional arguments:

  -h, --help            show this help message and exit

  -i [PCAPS [PCAPS ...]], --pcaps [PCAPS [PCAPS ...]]

                        capture files

  -o OUT, --out OUT     topology will be stored in the specified file

  -g GRAPHVIZ, --graphviz GRAPHVIZ

                        graph will be exported to the specified file (dot

                        format)

  --layer2              derive layer2 topology

  --layer3              derive layer3 topology

  --layer4              derive layer4 topology

  -fi, --frequent-in    print frequently contacted nodes to stdout

  -fo, --frequent-out   print frequent source nodes to stdout

 

 

Example

Example pcap: smallFlows.pcap

Drawing a communication graph (layer 2), segment:

python main.py -i smallFlows.pcap -o small_tcp_l2.png –layer2

Drawing a communication graph (layer 3), segment:

python main.py -i smallFlows.pcap -o small_tcp.png –layer3

Drawing a communication graph (layer 4), segment:

python main.py -i smallFlows.pcap -o small_tcp_l4.png –layer4

Return most frequently contacted hosts:

python main.py -i smallFlows.pcap –layer3 –frequent-in

115 172.16.255.1
70 192.168.3.131
21 10.0.2.15
2 65.55.15.244
2 224.0.0.252
2 192.168.3.90
2 239.255.255.250
2 255.255.255.255
1 178.144.253.171
1 92.247.222.20
1 72.14.213.103
1 67.170.187.174

Source: https://github.com/mateuszk87/

Tags: PcapViz