Network Visualization

Published: 2011-02-14. Last Updated: 2011-02-14 04:14:11 UTC
by Lorna Hutcheson (Version: 1)
17 comment(s)

One area of interest that I have is network visualization.  What I'm referring to is being able to visually see the traffic flows and patterns to determine anomolies or events of interest.  We have so much information with our networks today, that it is difficult to process all of it.    The trend seems to be getting worse and reverting back to my good ole Army days of "Do more with less".  With the economic times we live it, it always seems that security is one area that takes a hit.  So, we have to work smarter and network visualization is one area that I think has great potential, but seems to be very under developed. 

I haven't explored what's out there in a couple of years.  What was out there that I experimented with it were tools such as:

  • Time-based Network Traffic Visualizer (TNV)
  • NVisionIP
  • Spinning Cube of Potential Doom
  • VisFlowConnect
  • FlowTag
  • InetVis

However, these tools had a long ways to go before they could really be effective on a large scale.  Some were java based and SLOW (others were just slow) when processing any significant amount of data.  However, what they did do, was pretty impressive for being able to visually make sense of a pcap file or your netflow data.  They work great for looking at small chunks of traffic and helping immediately see anomolies.  If this could just be channeled into a near real-time scenario for monitoring networks, that would be fantastic.

I did some quick google searches and didn't turn up any thing new in this arena.  If anyone has any experience with network visualization or knows of any tools or work being done, please let us know.

17 comment(s)

Comments

The following blog is in Spanish but it has a lot of information about network visualization tools like Xplot, Xtraffic, TShark, ... http://seguridadyredes.nireblog.com/
Make haste to the console:
iftop
pktstat
you touched upon a subject close to my heart as well and wanted to share open source Sguil (pronounced sgweel) tool but have not had a chance to play with it yet. Seems promising and if anyone has used it would love to hear about their experience.

http://sguil.sourceforge.net/

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).
One robust software is Network Instrument's Observer - http://www.networkinstruments.com/products/observer/.
This is a very powerful solution when used in conjuction with GigaStor (from the same company).
They have a demo for download at http://www.netinst.com/downloads/observer_form.html
Check out CACE Pilot.

http://www.cacetech.com/products/cace_pilot.html
For folks with the $$, Arbor Networks' Peakflow devices do a good job of presenting visually network monitoring done thru Netflow. There are other Netflow tooks out there, of course, including free ones, but I haven't had the chance to play w/ any. I'd like to hear any recommendations.
One of the coolest things I've ever seen was the look on my boss' face as an SSH scan of our network happened WHILE I was showing him how BSOD worked... http://research.wand.net.nz/software/visualisation.php
Intermapper (http://www.intermapper.com/)

We have used it over a decade.
This may be a crude solution in comparison to fancier netflow-based stuff, but if all you want to see is bandwidth utilization, I've been using nagios with mklivestatus and nagvis (http://www.nagvis.org/) to overlay a network diagram with icons and "weathermap lines" with performance data from nagios. So at a glance at the "WAN Dashboard" I can tell which links are being utilized the most (each link's stats update once a minute). In a complicated WAN environment it's almost a sort of nagios lava-lamp. :-)

One nice thing about this is I can use the same tools for making (and viewing) dashboards for WAN connectivity, LAN router/switch connectivity in each office, or even SAN Fabrics.

Of course it doesn't show you what the traffic is or what ports/protocols are in use, but it's a start.
There was a presentation at Defcon in 2009 about network security visualization by Raffael Marty.
He has a book, and a blog at http://raffy.ch/blog/

Also see http://secviz.org/

BJ

Diary Archives