I have been in a few environments where installing a full-blown PCAP analyser is just not possible, so I wrote a Python script that walks through a PCAP file, splits it into IP flows and writes them out as JSON. The output lists TCP and UDP flows with the amount of traffic uploaded and downloaded; it also attempts to map IP addresses to domain names using the DNS requests found in the same PCAP file.
Having the data in this format then makes it easy to visualise with something like d3.
The code can be found here:
Using the HTML files you can visualise the traffic as a force-directed graph, colour-coding the traffic and drawing flows that have uploaded or downloaded more with a bolder line. The treemap lets you drill down to IP address and port, showing you the big hitters.
Python Scapy is required, which can be installed with pip:
pip install scapy
Other required packages are installed by default with Python:
Locate the folder that contains your PCAP file and run the Python script.
The script will then loop through all the PCAP files in this folder. Make sure the PCAP files are named so that they are parsed chronologically; this ensures the DNS mapping is as accurate as possible.
This will create 2 JSON files:
* output.json - the main JSON file, which can be used to visualise the data
* dnsMapping.json - the IP address to DNS name mappings. The script finds DNS requests in the PCAP and maps IP addresses to domain names; this file is the output of that mapping.
You can then use the command below to launch a simple web server:
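As an added, stand-alone illustration of what the script does (this is my example, not the author's Scapy-based code): a stdlib-only Python version that takes raw Ethernet frames (for instance `bytes(pkt) for pkt in scapy.all.rdpcap(path)`), totals bytes per IPv4 TCP/UDP flow in each direction, and harvests A records from DNS responses so server IPs can be labelled with names. The lower-port-is-server rule is an assumed heuristic, and the frames and DNS answer below are constructed samples.

```python
import json, struct
from collections import defaultdict
def build_frame(src, dst, proto, sport, dport, payload):  # constructed test helper, checksums left zero
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    l4 = struct.pack(">HH", sport, dport) + b"\0" * (16 if proto == 6 else 4) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip4(src), ip4(dst))
    return b"\0" * 12 + b"\x08\x00" + ip + l4
def dns_name(msg, off):  # decode a DNS name, following compression pointers; returns (name, next_offset)
    labels = []
    while (ln := msg[off]) and ln & 0xC0 != 0xC0:
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii")); off += 1 + ln
    if ln:  # a compression pointer ends the name: append the pointed-to name
        return ".".join(labels + [dns_name(msg, struct.unpack_from(">H", msg, off)[0] & 0x3FFF)[0]]), off + 2
    return ".".join(labels), off + 1
def dns_a_records(msg):
    """Map each IPv4 address in a response's A answers to the name it was answered for."""
    qd, an = struct.unpack_from(">HH", msg, 4)
    off, out = 12, {}
    for _ in range(qd): off = dns_name(msg, off)[1] + 4   # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        name, off = dns_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", msg, off); off += 10
        if rtype == 1 and rdlen == 4: out[".".join(map(str, msg[off:off + 4]))] = name
        off += rdlen
    return out
def extract_flows(frames):
    """Per-flow up/down bytes and {ip: name} from DNS; assumes (heuristic) the lower-port side is the server."""
    flows, dns = defaultdict(lambda: {"up": 0, "down": 0}), {}
    for f in frames:
        ip = f[14:]
        if f[12:14] != b"\x08\x00" or ip[9] not in (6, 17): continue  # IPv4 TCP/UDP only
        ihl, proto = (ip[0] & 0x0F) * 4, "tcp" if ip[9] == 6 else "udp"
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        sport, dport = struct.unpack_from(">HH", ip, ihl)
        if proto == "udp" and sport == 53 and ip[ihl + 10] & 0x80:  # DNS response (QR bit set)
            dns.update(dns_a_records(ip[ihl + 8:]))
        key, dirn = ((proto, src, dst, dport), "up") if dport < sport else ((proto, dst, src, sport), "down")
        flows[key][dirn] += len(f)
    return flows, dns
def to_records(flows, dns):  # JSON-ready records with server IPs swapped for the DNS names seen for them
    return [{"proto": p, "client": c, "server": dns.get(s, s), "port": port, **n}
            for (p, c, s, port), n in flows.items()]

DNS_RESP = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # constructed answer: example.test -> 192.0.2.10
            b"\x07example\x04test\x00\x00\x01\x00\x01"
            b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x0a")
FRAMES = [build_frame("203.0.113.5", "10.0.0.7", 17, 53, 40001, DNS_RESP),   # constructed sample traffic
          build_frame("10.0.0.7", "192.0.2.10", 6, 51000, 443, b"x" * 100),
          build_frame("192.0.2.10", "10.0.0.7", 6, 443, 51000, b"y" * 1000)]
print(json.dumps(to_records(*extract_flows(FRAMES)), indent=2))
```

Only IPv4 over Ethernet is handled; the same two-dictionary shape (flows plus IP-to-name mapping) is what the post's output.json and dnsMapping.json carry.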
python -m SimpleHTTPServer
Then access the force map at the URL below: http://127.0.0.1:8000/forced.html
and the treemap at: http://127.0.0.1:8000/treemap.html