NetFrenzy
Import a pcap file into Neo4j and view the network graph
Usage
Setup
Install Neo4j with the instructions here
./setup.sh
will install the Python dependencies and install Neo4j's Graph Data Science Library
Run
Importing a pcap file
python3 NetFrenzy.py -p ../path/to/your.pcap -nc
Processes approx. 45-55 packets per second into Neo4j. Enable --reduce
to increase speeds to 160-180 packets per second at the cost of less information stored about the connections.
Running a live capture
python3 NetFrenzy.py --live eth0
Live captures enable --reduce
automatically which increases performance to keep up with the live capture.
Recommended system specs
Neo4j can be run in the same VM as the ingestor or in a separate VM.
Recommended minimum VM specs:
- 6GB RAM, no swap
- 3 CPU assigned
Why
The human eye is the ultimate sensor.
- Visualize the network from a PCAP
- Verify network segmentation
- Easily identify anomalies
Demo
Using the custom Neovis.js client
Found at /web/NetFrenzy.html
, just open it in your browser
- UI elements can be toggled by clicking on their label
- Use up/down arrow or history button to access and replay queries
- Pause button halts the graph physics
- Built-in list of queries you may find helpful
Using community and pagerank
This will color nodes based on the clusters they form within the graph. This is most useful when you have a capture from a core network point rather than your local machine. Nodes will also appear larger based on the number of incoming/outgoing connections compared to other nodes.
Setup
Requires the Neo4j Graph Data Science Library downloaded and moved to /var/lib/neo4j/plugins/
with the proper user and group permissions. If you have run setup.sh
, this has already been done.
How to generate
Open the Info pane by clicking the i
button. Click the Create COMMUNICATES relationship, Community, and PageRank
link. Wait 20 seconds. Now, you should see that nodes have different colors.
Get rid of the colors
If you don't find the colors useful for your graph screenshots, you can run the command:
MATCH (n) REMOVE n.community REMOVE n.pagerank
Helpful queries
Clear out all objects in database (start over)
MATCH (n) DETACH DELETE n
Contributing
Please check out the Good First Issues. Feel free to contribute user stories to explain how new functionality could improve NetFrenzy. Issues with Help Wanted are requesting input from the community on implementation details and general usability.