Table of Contents

1. tcpdump2dot : Turn a 'tcpdump -e -n' into a layer 2 flow map of your network , (with image gallery)

Contents

tcpdump2dot

Turn a 'tcpdump -e -n' into a layer 2 flow map of your network , (with image gallery)

The Source:

tcpdump2dot/dist/latest.tar.gz

Description:

Take a `tcpdump -e -n ` output and convert it into something wonderfull, as seen in the Gallery. Warning: Some of the images in the gallery are rather large and may not display on your browser. For these I use the Macos X preview application.

My home network. if you have more interesting pictures, I'd love to show them to people. There are more interesting graphs, but the data is not public, so nuts.



How to read the map

• Each node is a MAC addr, and is labeled with the MAC vendor OUI.
• Each node also has a list of IPs that it has sent packets with, or received packets with.
• every edge is a stream of packets with the source node MAC and IP going to the dest node MAC and IP.

Interesting things you can see from the map above. 12.234.162.49 (my laptop, the rotarran), is an Mac. It has sent traffic to 12.234.160.1 at 0:30:80:76:fc:54 and that traffic was returned from a different MAC addr. Asymmetric routing at layer 2. You can also see that the rotarran sent traffic to 12.234.160.3 but that nothing came back.

I'm not sure, but I'm of the guessing opinion that the cisco macs that end in like bytes, are more than likely the same card, or switch or however cable modems work.

• Asymmetric routing from 12.234.162.49 <-> 12.234.162.49
• Highly related Cisco MAC adddrs.

Other things that can be seen from these sorts of maps.

• Machine X does not believe it is on the same subnet as machine Y. (it sends to it's router)
• Which machines are directly visible to the sensor / tcpdump. They show up as 1 ip and 1 mac pairs. (typically)
• gross network topology
• operational network communication patterns
• other stuff.

Usage

This works for me.

	tcpdump -e -n  -c 1000 > some_tmp_file
	tcpdump2dot some_tmp_file > stf.dot
	dot stf.dot -Tjpg -o stf.jpg -Goverlap=false	

Another option is to just glom in all together into one big pipe. Then you might put that into a loop so that you have a continually updating map of a network segment.

	tcpdump -e -n -c 1000 | tcpdump2dot | ./dot -Tjpg -Goverlap=false -o mynetwork.jpg

and

#!/bin/sh

	while true
		do
		echo ""
		echo ""
		date
		tcpdump -e -n -c 1000 | tcpdump2dot | ./dot -Tjpg -Goverlap=false -o mynetwork.tmp.jpg
		mv mynetwork.tmp.jpg mynetwork.jpg
		sleep 300;
	done

This works fine until you get graphs that are larger than about 4kx4k. Sometime around here, Mozilla and Netscape start complaining about things. Graphs of larger than 64k pixels in ether x or y, will probably crash dot or neato. Most image librarys were written with the idea of 16 bit integers. Wimps. At this point you'll need to start outputting in postscript or some other non rasterized format.

If you want to use a different type of output driver like -Tps, which you'll have to do when he maps get to big, you'll need to start fiddling with the .dot file, and adding things like 'size ="20,20";', or 'page="8.5,11";' I'm still working on trying to fully figure out how to use them.

If dot starts getting cranky or you'd like the layout to be different, it's time to crack open the graphviz manuals and start working on it. This is meant as a starting point and a work in progress.

Things that need doing

1. Incorporate TTL, port numbers, protocol types, etc.
2. Spell checking.
3. Graph gallery, you could send me data or pictures you know...
4. figuring out and solving my problems with page / size and output driver choice.
5. Work on getting a sub OUI map, sometimes vendors will do things in runs, like there are no Sun Sparc-20s with a high MAC addr. It could really help in guessing the node types. I know someone was doing this already, but I lost the link .. help?
6. More documentation.
7. Lots more argument checking and validation.

People who get thanked

• The Undergraduate Project Labretory at the Computer Science Department at the University of Madison Wisconsin, and the CSL who keeps the department running.
• The Makers of Graphvis
• Users of tcpdump2dot who have submitted bug reports, graphs, tcpdumps or booze.
• Everyone else, you might just know who you are.

Installing:

1. Untar the tarball
2. Use your version of perl not mine.
3. read the script, it has embedded config knobs, they should be arguments...
4. send me gulfie@grotto-group.com bug reports if anything goes wrong, or something could go better.

Requisites

• Graphviz : a relatively neat graphing (as in nodes and arcs, not pies and bars), package original from ATT research... they are so cool, someday I hope to be that cool.
• tcpdump / some data source : I use both NFR derived and tcpdump.
• ps2pdf : depending on how you want to view the results of graphviz you may need a ps2pdf translator.
• A recent copy of oui.txt a mapping from IEEE of hardware MAC addresses to the people who built them. There is a stale copy in the distribution, you might want to freshen it.

[ Top ]