argus to picviz "Parallel Coordinates"

CS Lee geek00l at gmail.com
Mon Mar 16 13:58:14 EDT 2009


hi all,

I'm not sure if any of you have heard about parallel coordinates; if you have
not, you can take a good read here -

http://www.usenix.org/events/wasl08/tech/full_papers/tricaud/tricaud_html/

Sebastien is the guy who is behind picviz, and it offers the pcv language, which
you can use to generate parallel coordinates based on the values you define
for each axis, and I think it is useful for us in visualizing argus flows.

I have written a shell script (awk mostly) to convert argus csv data to
picviz. The example usages are -

My rarc file contains this line -
RA_TIME_FORMAT="%T"

# For a quick try, you can use this command to generate argus csv data
ra -n -F rarc -S 192.168.1.1:561 -c ',' -s stime proto saddr sport spkts sbytes daddr dport dpkts dbytes state - ip > argus.csv

# To convert argus csv data to picviz pcv data format:
argus2picviz.sh argus.csv > argus.pcv

# Once you have the pcv file, you can actually perform filtering based on
# transport protocol -
# Filter tcp
pcv -Tpngcairo argus.pcv 'show value = "60" on axis 2' > argus-tcp.png

# Filter udp
pcv -Tpngcairo argus.pcv 'show value = "170" on axis 2' > argus-udp.png

# Filter icmp
pcv -Tpngcairo argus.pcv 'show value = "1" on axis 2' > argus-icmp.png

As you can do filtering on any axis, it is sort of like you can do filtering
for IP address, source bytes, destination bytes and even STATE (I convert it
to a number), so this is like what we have in the argus filter, but this is on
the pcv file itself to generate the image. That way we can do analysis with it
very well.

I have attached a sample png file (anonymized anyway), as well as the script
I wrote (argus2picviz.sh).

I have also used rastream to generate 5 minutes of data, and have it converted
to csv then pcv before it is archived, so I can actually view the current
network flow state easily to spot any anomalous conversation.

Cheers ;]


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus-ip.png
Type: image/png
Size: 263499 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090317/c55b855d/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus2picviz.sh
Type: application/x-sh
Size: 5255 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090317/c55b855d/attachment.sh>
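As an added example (not the attached argus2picviz.sh, and not from the argus or picviz projects), here is a Python version of the same conversion for the ra field list used in the post: it rewrites the proto and STATE columns as numbers, skips the title row ra prints, and emits the pcv header, axes and data blocks. The pcv axis types and record syntax are assumed from the picviz grammar as I remember it, and the state-to-number table is my own, not the script's.

```python
import csv
import io

# Field order of the ra -s list in the post (stime proto ... state).
FIELDS = ["stime", "proto", "saddr", "sport", "spkts", "sbytes",
          "daddr", "dport", "dpkts", "dbytes", "state"]

# Protocol names -> IANA numbers, for CSV produced without "ra -n".
PROTO_NUM = {"tcp": "6", "udp": "17", "icmp": "1"}

# Argus flow state -> number. Assumed table (the post's real one is in argus2picviz.sh); unknown -> 0.
STATE_NUM = {"REQ": "1", "CON": "2", "EST": "3", "FIN": "4", "RST": "5",
             "INT": "6", "ECO": "7", "ECR": "8", "TIM": "9"}

# One pcv axis per CSV column: (axis name, axis type, label). Axis types are
# assumed from the picviz pcv grammar (timeline, ipv4, integer).
AXES = [("t", "timeline", "Time"), ("p", "integer", "Proto"), ("s", "ipv4", "Src"),
        ("sp", "integer", "SPort"), ("spk", "integer", "SPkts"), ("sb", "integer", "SBytes"),
        ("d", "ipv4", "Dst"), ("dp", "integer", "DPort"), ("dpk", "integer", "DPkts"),
        ("db", "integer", "DBytes"), ("st", "integer", "State")]

# Constructed sample, shaped like "ra -c ','" output with its title line.
SAMPLE_CSV = """\
StartTime,Proto,SrcAddr,Sport,SrcPkts,SrcBytes,DstAddr,Dport,DstPkts,DstBytes,State
13:58:14,tcp,192.0.2.10,51234,12,1840,198.51.100.7,80,10,6120,FIN
13:58:15,udp,192.0.2.10,53211,1,72,198.51.100.53,53,1,160,CON
13:58:16,icmp,192.0.2.10,0,1,84,198.51.100.7,0,1,84,ECO
"""

def normalise(row):
    """Map a CSV row to a dict, with proto and state rewritten as numbers."""
    rec = dict(zip(FIELDS, row))
    rec["proto"] = PROTO_NUM.get(rec["proto"].lower(), rec["proto"])
    rec["state"] = STATE_NUM.get(rec["state"].upper(), "0")
    return rec

def csv_to_pcv(csv_text, title="argus flows"):
    """Render argus CSV text as a pcv document: header, axes and data blocks."""
    out = ["header {", f'\ttitle = "{title}";', "}", "axes {"]
    out += [f'\t{typ} {name} [label="{label}"];' for name, typ, label in AXES]
    out += ["}", "data {"]
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != len(FIELDS):
            continue  # blank or truncated line
        rec = normalise(row)
        if not rec["proto"].isdigit():
            continue  # title row or unknown protocol name
        out.append("\t" + ", ".join(f'{n}="{rec[f]}"' for (n, _, _), f in zip(AXES, FIELDS)) + ";")
    out.append("}")
    return "\n".join(out) + "\n"
```

Because the protocol lands on axis 2 as its IANA number, the post's `show value = ... on axis 2` filter would select on "6", "17" or "1" for output produced this way.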
