argus to picviz "Parallel Coordinates"
Carter Bullard
carter at qosient.com
Mon Mar 23 10:06:12 EDT 2009
Hey CS Lee,
I like the link to the wallinfire dot net site, as a reference.
Very interesting, but I'm not sure what the best way to interpret the
graph is.
Is there something specific that we should be seeing/looking for?
Maybe some concrete examples will help to highlight the best aspects of
this type of analysis?
Carter
On Mar 16, 2009, at 1:58 PM, CS Lee wrote:
> hi all,
>
> I'm not sure if any of you have heard about parallel coordinates; if
> not, you can take a good read here -
>
> http://www.usenix.org/events/wasl08/tech/full_papers/tricaud/tricaud_html/
>
> Sebastian is the guy who is behind picviz, and it offers the pcv
> language, which you can use to generate parallel coordinates based on
> the value you define for each axis, and I think it is useful for us in
> visualizing argus flows.
>
> I have written a shell script (awk mostly) to convert argus csv data
> to picviz. The example usages are -
>
> My rarc file contains this line -
> RA_TIME_FORMAT="%T"
>
> # For a quicky, you can use this command to generate argus csv data
> ra -n -F rarc -S 192.168.1.1:561 -c ',' -s stime proto saddr sport spkts sbytes daddr dport dpkts dbytes state - ip > argus.csv
>
> # To convert argus csv data to picviz pcv data format:
> argus2picviz.sh argus.csv > argus.pcv
>
> # Once you have the pcv file, you can actually perform filtering based on transport protocol -
> # Filter tcp
> pcv -Tpngcairo argus.pcv 'show value = "60" on axis 2' > argus-tcp.png
>
> # Filter udp
> # pcv -Tpngcairo argus.pcv 'show value = "170" on axis 2' > argus-udp.png
>
> # Filter icmp
> # pcv -Tpngcairo argus.pcv 'show value = "1" on axis 2' > argus-icmp.png
>
> As you can do filtering on any axis, it is sort of like you can do
> filtering for IP address, source bytes, destination bytes and even
> STATE (I convert it to a number), so this is like what we have in the
> argus filter, but this is on the pcv file itself to generate the image.
> That way we can do analysis with it very well.
>
> I have attached a sample png file (anonymized anyway), as well as the
> script I wrote (argus2picviz.sh).
>
> I have also used rastream to generate 5 minutes of data, and have it
> converted to csv then pcv before it is archived, so I can actually
> view the current network flow state easily to spot any anomalous
> conversation.
>
> Cheers ;]
>
>
> --
> Best Regards,
>
> CS Lee <geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
> <argus-ip.png><argus2picviz.sh>
Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
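As an added illustration of the conversion step CS Lee describes (this is not his argus2picviz.sh, which was attached to the original mail and is not shown here), a Python converter from ra CSV output to a pcv document. The pcv syntax, the numeric codes chosen for proto and STATE, and the sample CSV rows are all assumptions of this example, not taken from the thread.

```python
import csv
import io

# Field order follows the ra -s list in the post; pcv axis numbers are 1-based
# in the same order, so proto is axis 2 (as in the quoted 'on axis 2' filters).
FIELDS = ["stime", "proto", "saddr", "sport", "spkts", "sbytes",
          "daddr", "dport", "dpkts", "dbytes", "state"]
# Assumed numeric codes: IANA protocol numbers and an arbitrary enumeration of
# argus STATE strings (the original script's numbering is not on the page).
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}
STATE_NUM = {"CON": 1, "FIN": 2, "RST": 3, "REQ": 4, "INT": 5, "ECO": 6}
# Assumed pcv axis declarations (type, name, label), modelled on the Picviz paper.
AXES = [("timeline", "t", "Time"), ("integer", "p", "Proto"),
        ("ipv4", "s", "Src"), ("integer", "sp", "SPort"),
        ("integer", "spk", "SPkts"), ("integer", "sb", "SBytes"),
        ("ipv4", "d", "Dst"), ("integer", "dp", "DPort"),
        ("integer", "dpk", "DPkts"), ("integer", "db", "DBytes"),
        ("integer", "st", "State")]
# Constructed sample of ra CSV output (RA_TIME_FORMAT="%T"); not real traffic.
SAMPLE_CSV = """\
10:05:01,tcp,192.0.2.10,51234,12,1800,198.51.100.5,443,10,9200,CON
10:05:02,udp,192.0.2.11,5353,1,120,224.0.0.251,5353,0,0,INT
10:05:03,icmp,192.0.2.12,,1,84,198.51.100.5,,1,84,ECO
"""

def parse_ra_csv(text):
    """Return one dict per well-formed flow record, skipping short or header rows."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) == len(FIELDS) and rec[0] != "StartTime":
            rows.append(dict(zip(FIELDS, rec)))
    return rows

def pcv_values(row):
    """Map one record to axis value strings, numerising proto, STATE and ports."""
    num = lambda v: v if v.isdigit() else "0"   # empty or hex ICMP fields -> 0
    return [row["stime"], str(PROTO_NUM.get(row["proto"].lower(), 0)),
            row["saddr"], num(row["sport"]), num(row["spkts"]), num(row["sbytes"]),
            row["daddr"], num(row["dport"]), num(row["dpkts"]), num(row["dbytes"]),
            str(STATE_NUM.get(row["state"].upper(), 0))]

def to_pcv(rows, title="argus flows"):
    """Render records as a pcv document with header, axes and data sections."""
    out = ["header {", f'  title = "{title}";', "}", "axes {"]
    out += [f'  {typ} {name} [label="{label}"];' for typ, name, label in AXES]
    out += ["}", "data {"]
    for row in rows:
        pairs = zip((a[1] for a in AXES), pcv_values(row))
        out.append("  " + ", ".join(f'{n}="{v}"' for n, v in pairs) + ";")
    out.append("}")
    return "\n".join(out) + "\n"
```

With this numbering a TCP-only picture would be selected with `show value = "6" on axis 2` rather than the "60" used by the original script.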