I have been in a few environments where installing a full-blown PCAP analyser is just not possible, so I wrote a Python script that walks through a PCAP file, splits it into IP flows and writes them out as JSON. The output lists the TCP and UDP flows with the amount of traffic uploaded and downloaded in each, and it also attempts to map IP addresses to domain names using the DNS lookups (and their answers) found in the same PCAP file.

Having it in this format then allows it to be easily visualised using something like d3.

The code can be found here:

https://github.com/thomasweaver/pcap-visualizer

Using the HTML files you can visualise the traffic with the force-directed graph, which colour-codes the traffic and draws flows that have uploaded or downloaded more with a bolder line. The treemap lets you drill down to IP address and port, showing you the big hitters.

Requirements

Python Scapy is required, which can be installed with pip:

pip install scapy

The other modules used ship with Python as part of the standard library:

  • os
  • sys
  • json
  • hashlib
  • copy

The HTML files load the d3 JavaScript files from the URLs below, so the visualisation pages need access to d3js.org; in an isolated environment, download the files and point the HTML at local copies instead:

  • d3js.org/d3.v4.min.js
  • d3js.org/d3-selection-multi.v1.js
  • d3js.org/d3.v3.min.js

Usage

Locate the folder that contains your PCAP files and run the Python script against it:

pcap-analyzer.py C:\my-pcap-files\

The script loops through all the PCAP files in that folder. Name the files so that they sort chronologically: they are processed in that order, and the DNS mapping is only as accurate as the order in which the lookups and the connections that follow them are seen.

This will create 2 JSON files:

  • output.json - the main JSON file, which is what the visualisations read
  • dnsMapping.json - the IP address to DNS name mappings. The script finds DNS lookups in the PCAP and maps the answered IP addresses to the domain names that were asked for; this file is the output of that mapping
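The flow splitting and DNS mapping described above, as an added example that is not the project's own code: a pure-Python (struct only, no Scapy) parser for classic pcap files that aggregates IPv4 TCP/UDP packets into bidirectional flows, counts bytes per direction, and resolves destination addresses from the A-record answers seen in the same capture. The sample capture it builds is constructed inline; the "first sender is the client" rule for deciding upload versus download, the JSON field names, and the Ethernet/IPv4/microsecond-pcap assumptions are mine, not the project's.

```python
"""Added example (not the pcap-visualizer code): split a classic pcap into TCP/UDP
flows with upload/download byte counts, mapping IPs to names via DNS answers."""
import json
import struct


def _read_name(data, off):
    """Decode a DNS name, following RFC 1035 compression pointers."""
    labels, end = [], None
    while data[off] != 0:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                      # pointer: jump, remember the end
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", data, off)[0] & 0x3FFF
        else:
            labels.append(data[off + 1:off + 1 + ln].decode("ascii"))
            off += 1 + ln
    return ".".join(labels), (end if end is not None else off + 1)


def dns_a_answers(payload):
    """Map each A-record address in a DNS response to the name that was queried."""
    _, flags, qd, an = struct.unpack_from("!HHHH", payload, 0)
    if not flags & 0x8000:                         # QR bit clear: a query, no answers
        return {}
    off, qname = 12, None
    for _ in range(qd):
        name, off = _read_name(payload, off)
        qname, off = qname or name, off + 4        # skip qtype/qclass
    mapping = {}
    for _ in range(an):                            # A owner may be a CNAME target, so
        _, off = _read_name(payload, off)          # the queried name is what we keep
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", payload, off)
        off += 10
        if rtype == 1 and rdlen == 4 and qname:    # A record
            mapping[".".join(map(str, payload[off:off + 4]))] = qname
        off += rdlen
    return mapping


def iter_ipv4(pcap):
    """Yield (src, dst, proto, sport, dport, ip_len, l4_payload) for IPv4 TCP/UDP."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", pcap)[0])
    if endian is None or struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("expected a classic microsecond pcap with Ethernet frames")
    off = 24                                       # past the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                               # not IPv4 over Ethernet
        ip = pkt[14:]
        ihl, ip_len, proto = (ip[0] & 0xF) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:ip_len]
        if proto == 6 and len(l4) >= 20:           # TCP: data offset in byte 12
            yield (src, dst, "TCP") + struct.unpack_from("!HH", l4) + (ip_len, l4[(l4[12] >> 4) * 4:])
        elif proto == 17 and len(l4) >= 8:         # UDP: fixed 8-byte header
            yield (src, dst, "UDP") + struct.unpack_from("!HH", l4) + (ip_len, l4[8:])


def analyse(pcap):
    """First-seen sender of a 5-tuple is taken as the client (an assumption): its
    bytes count as 'upload', the reverse direction as 'download'."""
    flows, dns_map = {}, {}
    for src, dst, proto, sport, dport, ip_len, payload in iter_ipv4(pcap):
        if proto == "UDP" and sport == 53 and len(payload) >= 12:
            dns_map.update(dns_a_answers(payload))   # later answers overwrite earlier
        fwd, rev = (proto, src, sport, dst, dport), (proto, dst, dport, src, sport)
        key, direction = (rev, "download") if rev in flows else (fwd, "upload")
        f = flows.setdefault(key, dict(proto=proto, src=key[1], sport=key[2], dst=key[3],
                                       dport=key[4], upload=0, download=0, packets=0))
        f[direction] += ip_len
        f["packets"] += 1
    for f in flows.values():                       # resolve names once all answers are seen
        f["dst_name"] = dns_map.get(f["dst"])
    return list(flows.values()), dns_map


def build_sample_pcap():
    """Constructed capture: DNS lookup of example.com, then a TLS-port exchange
    with the answered address. Checksums are left at zero (the parser ignores them)."""
    def ipv4(proto, src, dst, l4):
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                          bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        return bytes(12) + b"\x08\x00" + hdr + l4  # zero MACs + EtherType IPv4
    udp = lambda sp, dp, d: struct.pack("!HHHH", sp, dp, 8 + len(d), 0) + d
    tcp = lambda sp, dp, d: struct.pack("!HHIIBBHHH", sp, dp, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + d
    q = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)      # question: A example.com
    query = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q
    answer = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + q
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
    pkts = [ipv4(17, "10.0.0.5", "10.0.0.1", udp(51000, 53, query)),
            ipv4(17, "10.0.0.1", "10.0.0.5", udp(53, 51000, answer)),
            ipv4(6, "10.0.0.5", "93.184.216.34", tcp(44000, 443, b"\x16" * 100)),
            ipv4(6, "93.184.216.34", "10.0.0.5", tcp(443, 44000, b"\x17" * 1400)),
            ipv4(6, "93.184.216.34", "10.0.0.5", tcp(443, 44000, b"\x17" * 1400))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p
    return out


if __name__ == "__main__":
    flows, names = analyse(build_sample_pcap())
    print(json.dumps({"flows": flows, "dnsMapping": names}, indent=2))
```

Run it directly to print the two structures the script's output.json and dnsMapping.json hold. Because names are applied only after the whole capture has been read, a lookup that appears after the connection it explains is still matched; chronological ordering of the input files still matters when an address is answered for different names over time, since the later answer wins.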

You can then use the command below to launch a simple web server (on Python 3 the equivalent module is http.server). Either server listens on all interfaces by default, so if the capture contents are sensitive bind it to 127.0.0.1 instead (http.server accepts a --bind option):

python -m SimpleHTTPServer

Then access the force graph on the URL below: http://127.0.0.1:8000/forced.html

and the treemap on: http://127.0.0.1:8000/treemap.html

The d3 treemap visualisation is based on http://bl.ocks.org/ganeshv/6a8e9ada3ab7f2d88022. The d3 force-directed graph is based on various examples from http://bl.ocks.org

Screenshots:

  [PCAP Analyser d3 Forced Graph]
  [PCAP Analyser d3 Treemap Graph]