CERT

Visualizing flows as a graph makes interactions visible that are hard to spot in tabular flow records. A directed graph shows the flows in both directions for each IP address (vertex): every flow record becomes an edge from its source address to its destination address.

Graphviz is a popular open-source package for drawing many kinds of graphs. It does not scale to the record volumes SiLK handles, so the flow records must be filtered down to a minimum before they are graphed.

The first step is to filter the binary flow file down as far as possible, for example to a single port (here TCP, protocol 6, port 80), only two traffic types (here in and out), and only the addresses in an IPset of interest:

rwfilter --anyset=interesting.set --protocol=6 --aport=80 --type=in,out --pass=interesting.rwf flowfile.rwf

In order for Graphviz to consume the flow data, we must format it in the DOT language.

An example file, interesting.dot, looks like this:

digraph GraphOfMyNetwork {
overlap=scale
"1.1.1.1" -> "2.2.2.2"
"2.2.2.2" -> "1.1.1.1"
"1.1.1.1" -> "3.3.3.3"
"4.4.4.4" -> "5.5.5.5"
}

The first line names the graph. Attributes and data are given inside the braces {}. Each line of the form "A" -> "B" is a directed edge; the quotes are required because a bare IP address such as 1.1.1.1 is not a valid DOT identifier. The line overlap=scale is a graph attribute that usually improves the readability of the output: when it is omitted, Graphviz leaves overlapping vertices in place, which saves layout time but often yields an unreadable graph. The attribute matters for the neato family of layouts described below; dot's hierarchical layout never overlaps nodes and ignores it.

Now we need to render the DOT file. Choose the output format you would like. I prefer SVG because it is ideal for zooming in and out and loading portions of the graph on demand, but not all viewers support the SVG file format. To output an SVG:

dot -Tsvg interesting.dot -o interesting.svg

To output in png:

dot -Tpng interesting.dot -o interesting.png

Rendered with dot, this file yields two separate components: 1.1.1.1 with an arrow in each direction to 2.2.2.2 and a single arrow to 3.3.3.3, and an isolated edge from 4.4.4.4 to 5.5.5.5 (rendered graph image omitted).

Other output types include ps, gif, pdf and many more. For the complete list see the Graphviz documentation: <http://www.graphviz.org/cvs/doc/info/output.html>.

Other layouts can be generated with neato. In contrast to dot, which draws a ranked hierarchy, neato places the vertices using a "spring model" (energy-minimized) layout, which is usually a better fit for the who-talks-to-whom mesh of network traffic. To use neato to generate a PNG file:

neato -Tpng interesting.dot -o interesting.png


The DOT conversion can be done on the command line by post-processing the output of rwcut, so SiLK flow files can be turned into Graphviz graphs without an intermediate script. The following commands take the output of an rwfilter command and convert it to the DOT language for graphing.

#start the file with the title and the scaling overlap option (> truncates any earlier copy)
printf 'digraph my_graph {\noverlap=scale\n' > interesting.dot
#run rwfilter and rwcut; --delimited suppresses column padding and the final
#delimiter so each line is exactly sIP|dIP, then add quotes around the addresses
rwfilter interesting.rwf --aport=80 --type=in,out --pass=stdout | rwcut \
--no-titles --fields=sIP,dIP --delimited | sort -u | \
sed 's/|/" -> "/;s/^/"/;s/$/"/' >> interesting.dot
#end the file with the closing bracket
echo "}" >> interesting.dot

This DOT file can be edited to add graph attributes such as colors, labels and different vertex shapes. See the following guides for more information.

<http://www.graphviz.org/pdf/dotguide.pdf>

<http://www.graphviz.org/pdf/neatoguide.pdf>
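As an added example (not code from this page, nor from the SiLK or Graphviz projects), the following shell function generalizes the rwcut-to-DOT pipeline above and shows the kind of labeling and shaping the guides describe: it aggregates the flow records per (source, destination) pair, labels each edge with the flow count and byte total, and draws nodes that match an address prefix as boxes. It assumes rwcut was run with --fields=sIP,dIP,bytes; the sample input is constructed, not real traffic, and the PREFIX argument is a hypothetical convention of this example rather than anything SiLK provides.

```shell
#!/bin/sh
# Added example (not from the CERT page): convert rwcut output into a DOT graph
# with one edge per (source, destination) pair, labelled with the number of flows
# and total bytes, and with nodes matching an address prefix drawn as boxes.
#
# Assumed upstream command (--delimited suppresses column padding and the
# trailing delimiter, so each line is exactly "sIP|dIP|bytes"):
#   rwfilter interesting.rwf --aport=80 --type=in,out --pass=stdout \
#     | rwcut --fields=sIP,dIP,bytes --delimited

# Constructed sample of rwcut output (not real traffic). It deliberately keeps a
# title line and padded columns to show that the converter tolerates both, as
# happens when --no-titles or --delimited is forgotten.
SAMPLE_FLOWS='            sIP|            dIP|   bytes
       10.0.0.5|     192.0.2.10|     512
     192.0.2.10|       10.0.0.5|    4096
       10.0.0.5|     192.0.2.10|     600
       10.0.0.5|   198.51.100.7|     300
       10.0.0.9|    203.0.113.4|     120'

# flows_to_dot NAME [PREFIX] < rwcut-output
#   NAME    graph name written after "digraph"
#   PREFIX  optional (hypothetical) address prefix, e.g. "10.", whose nodes
#           are drawn with shape=box so local hosts stand out
flows_to_dot() {
    name=$1
    prefix=$2
    printf 'digraph %s {\noverlap=scale\n' "$name"
    awk -F'|' -v prefix="$prefix" '
        {
            gsub(/[[:space:]]/, "", $1)          # strip column padding
            gsub(/[[:space:]]/, "", $2)
            gsub(/[[:space:]]/, "", $3)
        }
        # skip the title line, blank lines and anything that is not addr|addr
        $1 !~ /^[0-9a-fA-F.:]+$/ || $2 !~ /^[0-9a-fA-F.:]+$/ { next }
        {
            k = $1 "|" $2
            flows[k]++
            bytes[k] += $3 + 0                   # missing bytes field counts as 0
            seen[$1] = 1; seen[$2] = 1
        }
        END {
            for (ip in seen)
                if (prefix != "" && index(ip, prefix) == 1)
                    printf "\"%s\" [shape=box]\n", ip
            for (k in flows) {
                split(k, e, "|")
                printf "\"%s\" -> \"%s\" [label=\"flows=%d bytes=%d\"]\n", \
                       e[1], e[2], flows[k], bytes[k]
            }
        }' | sort          # awk hash order is unspecified; sort for stable output
    printf '}\n'
}

# Run stand-alone: print the DOT for the sample, e.g. to feed "dot -Tsvg".
printf '%s\n' "$SAMPLE_FLOWS" | flows_to_dot web_flows 10.
```

Piping the output into dot -Tsvg or neato -Tpng works exactly as with the hand-written file above. Because one address pair becomes one labeled edge rather than one edge per record, the graph stays readable on inputs where the sort | uniq pipeline would still produce a single edge but silently lose the volume information.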
