This application helps in visualizing network traffic. It does that by reading pcap files and outputting files that can be read by graphing applications, for example Gephi.
Supported protocols are IPv4, IPv6, TCP, UDP, and SCTP.
Simple graph made with Gephi from resulting data:
Dependencies (tested with):
- libpcap 1.5+
- go 1.22
For Debian use this: sudo apt install libpcap-dev
Recommended:
To build, just use go get and build:
go get github.com/mikkolehtisalo/brassfork
go build github.com/mikkolehtisalo/brassfork
First capture some network traffic, and save it as pcap file. Then run brassfork:
GOMAXPROCS=8 ./brassfork -in=capture.pcap -edges=edges.csv -nodes=nodes.csv
The resulting edge and node files can then be imported to Gephi for graphing.
Extra attributes generated for edges:
- Packages: Amount of packages related to edge
- SYNs: SYN packages (attempted new TCP connections)
- FINs: FIN packages (by the source node)
- Unfinished: For TCP, SYNs-FINs (rough indication to how many connections have not been closed already/properly)
- Avg: Average TCP connection duration in milliseconds, for completed connections
- Bytes: Cumulative counter of bytes transported. This is also the Weight of edges.
Extra attributes generated for nodes:
- Network: Name of the network, based on CIDR network mask (see below)
Network names are useful for partitioning data in Gephi. Create a valid JSON file containing information about your known networks. Take a look at example.json for example:
[
{
"CIDR": "192.168.1.0/24",
"Name": "Home network"
},
{
"CIDR": "192.168.2.0/24",
"Name": "Other network"
}
]
After creating the file run brassfork with the -networks parameter, like
./brassfork -in=capture.pcap -edges=edges.csv -nodes=nodes.csv -networks=example.json
The nodes output should contain the Network information for nodes with matching IP addresses.