Python network data visualization

Data Harvest

© Lead Image © Mark Bridger,

© Lead Image © Mark Bridger,

Article from Issue 220/2019

The Scapy packet manipulation program lets you analyze and manipulate packets to create incident response reports or examine network security.

Most folks have pulled up Wireshark a time or two to troubleshoot an application or system problem. During forensics, packet captures (PCAPs) are essential. Often you are looking at things like top talkers, ports, bytes, DNS lookups, and so on. Why not automate this process with Python?

Scapy [1] is a great tool suite for packet analysis and manipulation. It is most often talked about in the realm of packet manipulation, but its ability to analyze packets is also top-notch.

Make Ready

First, you need to make sure you have Python 3 installed along with the following packages:

sudo pip3 install scapy scapy_http plotly PrettyTable

To get started, you will want a PCAP to analyze. To capture 1,000 packets and save them to the file example.pcap, enter:

~$ sudo tcpdump -c 1000 -w example.pcap
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
1000 packets captured
1010 packets received by filter
0 packets dropped by kernel

Scapy can handle all parts of the OSI model except Layer 1 (Figure 1). Listing 1 shows the Hello World! of packet reading. To begin, you need to read a raw packet (line 5), see if it has the layer your want (line 9), and then act on it. Because you are using Python, if you try to print out pkt[IP].src when no IP is present, Python will throw an error, so you need to wrap it in a try/except (lines 10-13).

Listing 1

Looking for Layers

01 #Step 1: Import scapy
02 from scapy.* import all
04 #Step 2: Read the PCAP usimg rdpcap
05 packets = rdpcap("example.pcap")
07 #Step 3: Loop and print an IP in a packet in Scapy by looking at Layer 3
08 for pkt in packets:
09   if IP in pkt:
10     try:
11       print(pkt[IP].src) // Source IP
12     except:
13       pass
Figure 1: Check OSI Layer.


If you ran the code in Listing 1 with your example.pcap file of 1,000 packets, your terminal printed ~1,000 lines, which is obviously not very useful. To improve, you can read all the IPs, append them to a list, then run a counter, and print the results using the PrettyTable module (Listing 2). As before, you import Scapy, but now you will also import the collection module and PrettyTable (Step 1). Next, add an empty list, and append (Step 2). Now you can use the counter to loop through the list of IPs and create a count (Step 3); finally, using the PrettyTable module, you print out the results in a clean table (Step 4).

Listing 2

Adding a Counter

01 #Step 1: Imports
02 from scapy.all import *
03 from prettytable import PrettyTable
04 from collections import Counter
06 #Step 2: Read and Append
07 srcIP=[]
08 for pkt in packets:
09   if IP in pkt:
10     try:
11       srcIP.append(pkt[IP].src)
12     except:
13       pass
15 #Step 3: Count
16 cnt=Counter()
17 for ip in srcIP:
18   cnt[ip] += 1
20 #Step 4: Table and Print
21 table= PrettyTable(["IP", "Count"])
22 for ip, count in cnt.most_common():
23   table.add_row([ip, count])
24 print(table)
26 +-----------------+-------+
27 |        IP       | Count |
28 +-----------------+-------+
29 |    |  482  |
30 |  |   93  |
31 |     |   82  |
32 |   |   76  |
33 | |   30  |
34 |  |   20  |
35 |  |   16  |
36 | |   16  |
37 | |   15  |
38 |   |   12  |
39 | |   12  |
40 +-----------------+-------+


Now that you know how to read packets and do some counting, you can use the Plotly package to make graphs by building on the last example (Listing 3). First, you have to add the plotly import to Step 1 (line 1); then, after going through Steps 2 and 3 as before, you replace Step 4 in the previous example of Listing 2 with new code that creates two new lists to hold x and y data (Listing 3, lines 4-5) and loops through the IPs again, adding them to the lists (lines 7-9).

Listing 3

Making Graphs

01 import plotly
03 #Step 4: Add Lists
04 xData=[]
05 yData=[]
07 for ip, count in cnt.most_common():
08   xData.append(ip)
09   yData.append(count)
11 #Step 5: Plot
12 plotly.offline.plot({
13   "data":[plotly.graph_objs.Bar(x=xData, y=yData)] })

By default, Plotly uses its web UI to create charts, but if, like me, you use this data in a incident response situation, you do not want to share that data with a cloud system. Therefore, I use the offline version to plot my data in a new Step 5. When run, it will open your default web browser (Figure 2).

Figure 2: Offline plot of IPs.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Core Technologies

    Learn what's going on in your network, using Linux and its arsenal of packet capture tools.

  • Security Visualization Tools

    Spot intruders with these easy security visualization tools.

  • Hping

    Don't let intruders crash your dance. We'll show you how to test your firewalls and intrusion detection systems with hping.

  • Capture File Filtering with Wireshark

    Wireshark doesn’t just work in real time. If you save a history of network activity in a pcap file using a tool such as tcpdump, you can filter the data with Wireshark to search for evidence.

  • Wireshark's New 1.2

    Wireshark 1.2 introduces a few "new and exciting" features for its network protocol analyzer software.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95