idlethreat » Code http://idlethreat.com/site stupid is durable Fri, 03 Sep 2010 11:33:51 +0000 en hourly 1 http://wordpress.org/?v=3.0.1 Visualizing network connections using GraphViz and Afterglow http://idlethreat.com/site/index.php/archives/5 http://idlethreat.com/site/index.php/archives/5#comments Sun, 15 Mar 2009 16:53:41 +0000 admin After recovering from a particularly nasty crash and migrating my sites and data over to a new server, I became curious at the number of networking connections that it received, and what was going where. Sure, there’s a lot of tools out there to give me that sort of information, but sometimes you would really just like a pretty (if informative) picture of information instead of dry old text scrolling across the screen.

In this document I’ll assume the following:

You have access to a Linux / Unix server system and have administrative capabilities on it.

tools I used

Graphviz is an open source graph visualization software. It takes standard textual input and can automatically generate graphs depending on the input itself. It has its own graphing language, which is used to create all of this information for you.

Afterglow is a collection of scripts which assist in converting csv and other table data into information which can be pushed off to Graphviz to generate graphs with.

I also ended up with a ‘glue’ shell script or two which assisted in gathering the information and pushing it off to Afterglow for processing.

How To

Download and install GraphViz using your favorite package management system. Next, download and un-archive the Afterglow package on the system. For myself, I placed all the Afterglow packages from afterglow/src/perl directory to a new /opt/afterglow directory.

After that has been set up, it’s time to get a tcpdump of your current connections. We’ll grab the first 10,000 packets and put it in the /opt/afterglow directory.

tcpdump -vttttnneli eth0 -c10000 > /opt/afterglow/eth0.dump

Next, we'll parse it through Afterglow and let it do its magic. In this instance, we'll be looking at the source IP, destination IP, and finally the destination port. There's quite a number of possible fields to go by. Check out the source code from tcpdump2csv.pl for a full treatment of what is available.

cat /opt/afterglow/eth0.dump | /opt/afterglow/parsers/tcpdump2csv.pl "sip dip dport" | /opt/afterglow/graph/afterglow.pl -c /opt/afterglow/parsers/color.properties -e 2 | neato -Tgif -o /opt/afterglow/eth0.gif>

The initial run is interesting, but pretty cluttered. Looks more like a geek version of a fertilized-egg-and-sperm picture.

Since we're using three arguments (sip dip dport) as arguments, let's change the mode from the default (zero) up to three and then re-run the results.

cat /opt/afterglow/eth0.dump | /opt/afterglow/parsers/tcpdump2csv.pl "sip dip dport" | /opt/afterglow/graph/afterglow.pl -p3 -c /opt/afterglow/parsers/color.properties -e 2 | neato -Tgif -o /opt/afterglow/eth0.gif

This one is much more revealing and easy to read. You will notice by now that:

  • Arrows show the direction of traffic
  • Red ovals will be an IP address which initiates a connection. A lot of the time this will be your own system. Other times it will be an external system sending in a request.
  • Red blocks will be an IP address which is processing a request. Again, your system will show up either as a processor of requests, or sending something out.
  • Light Blue Ovals will show which port this traffic is traveling across
  • Dark Blue Ovals will show up whenever communication is going across a 'named' port (below 1024). This is normally like port 80, 443, or 53 (DNS).

Changing colors to fit your needs are relatively easy as well. I like a nice bright green to distinguish my system against all the other connections out there. To color your own "home" system as green, edit the /opt/afterglow/parsers/color.properties. At the top of the regex list, add in a line something like:

color.source="green" if ($fields[0]=~/^your.ip.address.here/);

Save your changes and re-run the script to get an output where your IP address has a dinstinct color to it.

Finally, if you would like to have a constantly refreshing view of your server traffic, then something like this should work out well for you:


while true; do
tcpdump -vttttnneli eth0 -c 2000 > /opt/afterglow/current.dump
cat current.dump |/opt/afterglow/parsers/tcpdump2csv.pl "sip dip dport" | /opt/afterglow/graph/afterglow.pl -p3 -c /opt/afterglow/parsers/color.properties -e 2 | neato -Tgif -o /var/www/yourwebsite.com/traffic.gif
sleep 60
done

Kick off the script, let it run once, and then hit http://yourwebsite.com/traffic.gif for the story. It will refresh every 60 seconds.

Summary

Using Graphviz and Afterglow will give you a unique overview of your incoming and outgoing traffic and a much broader overview of what is coming in and out of your immediate network. This is a wonderful tool and one that deserves to be in every server geek's arsenal.

Enjoy!

tom

]]> http://idlethreat.com/site/index.php/archives/5/feed 0