CERT

This Python script generates a .pdf file containing a simple time-series visualization (a strip plot) of a binary SiLK flow file. View a sample output or download the script. In addition to Python, the script requires that gnuplot and Ghostscript (gs) be installed.

The motivation for and use of the script are described in the FloCon 2010 presentation titled "Strip Plots: A Simple Automated Time Series Visualization".

Documentation from the script itself:

Usage: ./stripplot.py [options] FILE
Creates a strip-plot of the most significant traffic contributors
within a raw SiLK data file

  FILE   (required) The binary SiLK file to analyze

  Options:
  --binsize      Default counting bin size (seconds) (def=auto)
  --bottomleft   Bottom left tag; allows %(substitution)s; use '-' for none
                 (def=-)
  --bottommiddle Words on the bottom right of the page, allows
                 %(substitution)s; use '-' for none (def=FOUO)
  --bottomright  Words on the bottom middle of the page, allows
                 %(substitution)s; use '-' for none
                 (def=Page %(page)i of %(pagecount)s)
  --count        Number of plots to output (def=5)
  --endtime      Plot end time, YYYY/MM/DDTHH:MM:SS (def=auto)
  --fields       rwuniq-style list of fields to group IN traffic on, or '*'
                 for automatic (NOT ALL FIELDS WORK) (def=sip,dip)
  --flags        Include this option to add a plot of TCP flags to the strips
                 (def=0)
  --help         Print this output (def=)
  --types        Inbound and outbound types; these are used to make sure the
                 IN address is on the top plot; must be in the form
                 [in-type/out-type]; unspecified types work fine but either
                 address may end up on the top.
                 (def=in/out,inweb/outweb,inicmp/outicmp)
  --pdffilepath  PDF final output file (def=tmp.pdf)
  --plotfile     Temporary gnuplot script file to create (def=tmp.plot)
  --plotsperpage Number of plots per page (def=10)
  --prefilter    rwfilter expression to apply to flow file before selecting
                 what to plot.  NOTE: this filter is NOT applied to the trends
                 themselves, only to the selection routine (def=--proto=0-)
  --psfilepath   Post-script file to generate (def=tmp.ps)
  --selectionval Choose the top [count] combinations to plot based on this
                 value; must be either 'bytes', 'packets', 'flows' or 'none';
                 if 'none' then output is in rwuniq (random) order (def=bytes)
  --topleft      Words on the upper left of the page, allows %(substitution)s;
                 use '-' for none (def=-)
  --topright     Words on the upper right of the page, allows %(substitution)s;
                 use '-' for none (def=-)
  --trendline    Highlighted and dotted trendline to add to plot; f for flows,
                 p for packets (def=b)
  --starttime    Plot start time in YYYY/MM/DDTHH:MM:SS format (def=auto)
  --maintitle    Title for this plot, allows %(substitution)s; use '-' for none
                 (def=auto)
  --verbose      Print out debugging info, use twice for more info and to
                 print debugging info on the plot itself (def=0)

Fields with string substitution support the following:
  %(page)i      Current page number
  %(date)s      Date the report was printed
  %(time)s      Time the report was printed
  %(pagecount)i Total number of pages in the report
  %([setting])s Any of the report configuration settings
                (run with -v option to see settings)
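The selection step that the --fields, --selectionval, --count and --types options describe, written out as an added example (this is not the script's own code). It reads a constructed, pipe-delimited rwuniq listing; the choice to flip an out-type record so the external host becomes the "IN" address, and taking the first [count] rows in rwuniq order when selectionval is 'none', are assumptions about how stripplot.py behaves.

```python
import csv
from collections import OrderedDict

# Constructed sample in the pipe-delimited form produced by
#   rwuniq --fields=type,sip,dip --values=bytes,packets,flows --delimited
# (addresses and counts are made up for this example).
SAMPLE_RWUNIQ = """\
type|sIP|dIP|Bytes|Packets|Records
in|198.51.100.7|192.0.2.10|900000|1200|40
out|192.0.2.10|198.51.100.7|120000|1100|38
inweb|203.0.113.5|192.0.2.20|50000|400|300
out|192.0.2.30|203.0.113.9|700000|900|5
"""

DEFAULT_TYPES = "in/out,inweb/outweb,inicmp/outicmp"   # the --types default
VALUE_COLUMN = {"bytes": "Bytes", "packets": "Packets", "flows": "Records"}

def out_types(types_spec):
    """Collect the out-type half of each 'in-type/out-type' pair."""
    return {pair.split("/")[1] for pair in types_spec.split(",")}

def conversation_key(row, outs):
    """(external, internal) address pair. For an out-type record the external
    host is the destination, so the pair is flipped. This is how the example
    keeps the IN address on top; it is an assumption about the script."""
    if row["type"] in outs:
        return (row["dIP"], row["sIP"])
    return (row["sIP"], row["dIP"])

def select_top(text, selectionval="bytes", count=5, types=DEFAULT_TYPES):
    """Aggregate both directions of each conversation and return the top
    `count` (key, totals) pairs by selectionval; 'none' keeps rwuniq order."""
    if selectionval not in VALUE_COLUMN and selectionval != "none":
        raise ValueError("selectionval must be bytes, packets, flows or none")
    outs = out_types(types)
    totals = OrderedDict()            # preserves first-seen (rwuniq) order
    for row in csv.DictReader(text.splitlines(), delimiter="|"):
        key = conversation_key(row, outs)
        acc = totals.setdefault(key, dict.fromkeys(VALUE_COLUMN, 0))
        for name, col in VALUE_COLUMN.items():
            acc[name] += int(row[col].strip())
    ranked = list(totals.items())
    if selectionval != "none":
        ranked.sort(key=lambda kv: kv[1][selectionval], reverse=True)
    return ranked[:count]

if __name__ == "__main__":
    for key, tot in select_top(SAMPLE_RWUNIQ, "bytes", 2):
        print(key, tot)
```

Note that the 'in' and 'out' halves of the first conversation collapse into one key, so a host pair is ranked on its combined traffic rather than on one direction alone.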
