This is a community portal. Sign up on the left and start posting about analytics and visualization of security data.
help debugging tcpdump2csv.pl?

I'm trying to use AfterGlow 1.5 on a Gentoo system and running into an issue that I hope you can help me figure out.
When I read a dump file into tcpdump2csv.pl, using the switches documented, I get absolutely no output. If I turn on debug, I get my tcpdump lines, preceded by "ERROR:" as below:
ERROR: 2009-05-04 18:37:28.332949 In ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto UDP (17), length 77)
ERROR: 74.63.208.3.53 > 216.245.196.14.56383: 14710 1/0/0 mail.lab.spb.ru. A 77.234.201.82 (49)
If I run with tcpdump -ttnnlr, I get a little closer to the lines in your documentation, in that the timestamp is on the same line as the capture info:
ERROR: 1241462458.413252 In ethertype IPv4 (0x0800), length 93: 74.63.208.3.53 > 216.245.196.14.43954: 7712 1/0/0 A 195.128.50.36 (49)

There is no description of what the error is, and still no CSV output is appearing.
If it makes a difference, I am running with tcpdump 4.0. If I can add an ebuild for AfterGlow 2.0 for the Gentoo world, I will give that a try and see if I get a little further.

Firewall Log in a Treemap

This treemap was generated with the Treemap 4.1 tool from the University of Maryland. This is a tutorial that I wrote on how to get to the output, step by step.

Picviz curves

I just committed an option for the Picviz pngcairo plugin to draw curves instead of straight lines.

To me it just looks pretty, without anything technically interesting behind it. I guess some people could argue this helps uncover clusters, maybe... What do you guys think of such ways of playing with parallel coordinates?

VizSec 2009 - submission deadline approaching

The 6th International Workshop on Visualization for Cyber Security (VizSec) will be held October 11, 2009 in Atlantic City, NJ, USA in conjunction with VisWeek 2009.

The deadline for full papers (12 pages) is May 8, 2009. The deadline for short papers (6 pages) is May 22, 2009.

Please see the web site for formatting instructions, templates and information on how to submit your paper.

http://vizsec.org/vizsec2009/

Best,
-john

Sphere Of Influence

Take a look at my site www.manntechcomputersinc.com. We have developed a visualization tool for PIX/ASA and Snort. It maps IPs to geographical locations: countries (source or destination), anonymous proxies, sat providers, regions, etc. We represent countries by flags and allow users to add their own icons. I'd be interested to hear what people think....

Screen Shot Sphere of Influence

Inappropriate Email Investigation - with time line


See http://5thsentinel.wordpress.com/2009/04/01/inappropriate-content-visualization/ for background.

This is similar to the Visio diagram that showed all the inappropriate email attachments that a specific user sent. However, a timeline was included to better articulate the number and timing of incidents.

Inappropriate Email Investigation - Attachment Flow


See http://5thsentinel.wordpress.com/2009/04/01/inappropriate-content-visualization/ for background.

This image was created using Visio and shows the flow of an inappropriate email attachment as it passed from one internal user to another.

Conficker.C UDP P2P Traffic

The chart represents several hours of Conficker's P2P UDP activity; it relates the destination address to the destination UDP port used.

conficker.c - ccTLD attractor

This is my smart analysis of the ccTLDs (country code top-level domains) generated during the first 20 days of April 2009 by the algorithm the worm uses for pseudo-random domain name generation.
The following chart shows the frequency for each ccTLD. As you can see, there is a sort of attractor for some ccTLDs such as AG, BO, LC, HN, PE, and TW. A singular point is the DJ ccTLD. For more information see http://extraexploit.blogspot.com. I think this kind of analysis is useful for getting evidence as an indicator of Conficker.C activity inside your corporate network.

Feedback is welcome.

Regards

heatmap_spam_eu.jpg

This was made using gheat to generate a nice map of the locations sending spam into our spam traps.
This is just the Europe map; for the full story go here: http://honeynet.org.au/?q=node/41