24 hours of firewall logs plotted by source port over time (color is dest port)

Description

The last plot of source ports over time points to crafted packets. Normal sockets allocated through the operating system will have positively incrementing source ports for each new connection. Look for the horizontal lines and you have most likely found tools that are not using the operating system to instantiate new sockets. To me, this screams packet crafting.

All of these graphs were created by parsing firewall logs using a Perl script and loading them into Advizor Analyst.
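The horizontal-line pattern described above can also be checked directly in the logs, without a plot. The following Python code is an added example, not the author's Perl script; the log format (an epoch timestamp followed by iptables-style `SRC=`/`SPT=`/`DPT=` fields), the thresholds and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed format: "<epoch> SRC=<ip> DST=<ip> PROTO=<p> SPT=<port> DPT=<port>"
LINE_RE = re.compile(r"^(?P<ts>\d+) .*?SRC=(?P<src>\S+) .*?SPT=(?P<spt>\d+) .*?DPT=(?P<dpt>\d+)")

def build_sample():
    """Constructed log lines: one OS-allocated client, one fixed-port sender."""
    lines = []
    for i in range(10):
        ts = 1700000000 + i * 300
        # Host A: a new source port for every connection (normal allocation).
        lines.append(f"{ts} SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT={40000 + i} DPT=443")
        # Host B: same source port for the whole window, a horizontal line on the plot.
        lines.append(f"{ts} SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT={20 + i}")
    # Host A retransmits one SYN twice within seconds; same port, but no line.
    for delay in (3, 6):
        lines.append(f"{1700000900 + delay} SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=443")
    return lines

def parse(lines):
    """Yield (timestamp, source IP, source port, dest port) for matching lines."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield int(m["ts"]), m["src"], int(m["spt"]), int(m["dpt"])

def fixed_source_ports(lines, min_hits=5, min_span=600):
    """Return {(src, spt): (hits, span_seconds, distinct_dpts)} for source
    ports that one host reuses at least min_hits times over min_span seconds."""
    seen = defaultdict(list)
    for ts, src, spt, dpt in parse(lines):
        seen[(src, spt)].append((ts, dpt))
    flagged = {}
    for key, events in seen.items():
        stamps = [ts for ts, _ in events]
        span = max(stamps) - min(stamps)
        # The span threshold keeps short retransmission bursts out of the result.
        if len(events) >= min_hits and span >= min_span:
            flagged[key] = (len(events), span, len({d for _, d in events}))
    return flagged

if __name__ == "__main__":
    for (src, spt), (hits, span, dpts) in fixed_source_ports(build_sample()).items():
        print(f"{src} reused source port {spt}: {hits} hits over {span}s, {dpts} dest ports")
```

Some legitimate services send from a fixed source port (NTP commonly uses port 123), so flagged pairs are leads to review rather than proof of crafted packets.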