MASARYK UNIVERSITY FACULTY OF INFORMATICS

A Survey of Tools for Monitoring and Visualization of Network Traffic

BACHELOR’S THESIS

Jakub Škůrek

Brno, Fall 2015

Declaration

Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Jakub Škůrek

Advisor: doc. Ing. Jiří Sochor, CSc.


Abstract

The main goal of this thesis is to survey and categorize existing tools and applications for network traffic monitoring and visualization. This is accomplished by first dividing these into three main categories, followed by additional subdivision into subcategories, while presenting example tools and applications relevant to each category.


Keywords network monitoring, network visualization, survey, traffic, monitor- ing


Acknowledgement

I would like to thank my advisor doc. Sochor for his advice and helpful tips. A big thank you also goes to my family for the continued support and kind words given, and mainly for being understanding of my reclusive behaviour during the writing process.


Contents

1 Introduction 3
2 Monitoring and Visualization 5
2.1 Simple Network Management Protocol 5
2.2 NetFlow/IPFIX Protocol 6
2.3 Internet Control Message Protocol 6
2.4 Windows Management Instrumentation 7
2.5 Packet Capture 7
3 Tools for Local Network Visualization 9
3.1 Local Traffic and Performance Visualization 9
3.1.1 NetGrok 9
3.1.2 EtherApe 11
3.2 Packet Capture and Visualization 13
3.2.1 Wireshark 13
3.3 Network Log Data Visualization 16
3.3.1 Time-based Network Visualizer 16
3.3.2 AfterGlow 18
3.4 Summary of presented tools and their features 20
4 Tools for Global Network Visualization 21
4.1 Global Traffic and Performance Visualization 21
4.1.1 Cacti 21
4.1.2 PRTG Network Monitor 24
4.1.3 PhpWeatherMap 26
4.2 Network Topology Mapping 27
4.2.1 The Dude 28
4.2.2 SolarWinds Network Topology Mapper 29
4.3 Summary of presented tools and their features 30
5 Tools for Anomaly Analysis and Intrusion Detection 32
5.1 Snort 33
5.2 Suricata 36
5.3 Open Source HIDS SECurity 37
6 Conclusion 39
A Images 45
A.1 Netgrok 45
A.2 EtherApe 46
A.3 Wireshark 47
A.4 Time-based Network Visualizer 48
A.5 PRTG Network Monitor 49
A.6 PhpWeatherMap 50
A.7 Solarwinds Network Topology Mapper 51
A.8 Suricata 52
A.9 Open Source HIDS SECurity 53
B Supplementary Data Files 54
B.1 IRCFlood. 54

Chapter 1 Introduction

The Internet has become, in the last couple of years, an indispensable part of many people's lives. It is entangled in almost every corner of our society, and life without it is hard to fathom: it eases access to information, simplifies socialization and facilitates commerce. Indispensable in everyday life, it is an absolute must for many firms, companies and institutions, for which it is a key tool for communication, operation and advertisement. However, the Internet's biggest strength is at the same time its biggest weakness: access to it is available to anyone, including people with less than pure intentions. It follows that being connected to the Internet means exposing oneself to the risk of a wide range of potential malicious attacks aimed at retrieving one's private and potentially valuable information. Without the proper instruments, catching the culprit hiding behind the vast amounts of data produced by computer networks is almost a herculean task. This is where tools for monitoring and visualization of computer network traffic, to whose categorization and brief overview this thesis is dedicated, prove invaluable. The purpose of these tools is to give the user holistic and easily navigable data about past and current happenings on a computer network, and to help him compare those events with the patterns of a network attack or other malfunction.

As briefly stated above, the aim of this thesis is to provide an overview of popular, currently used software for network monitoring and visualization and of their different approaches to depicting network data. Dozens of such applications exist, but no comprehensive overview has been created to date [2]. For the purpose of this thesis the tools are divided into three main categories, local network monitoring, global network monitoring, and anomaly analysis and network intrusion detection, with a chapter dedicated to each. The tools selected to represent each category were chosen for their performance in the given area and the uniqueness of their visualization technique. For each tool the focus is only on its applications in the category under which it is presented. Chapters three and four conclude with a summary table of the features of all the tools covered in that chapter.

The thesis, minus the introduction and conclusion, is divided into four chapters. The first gives a brief introduction to the area of interest and lists the most common protocols and approaches to gathering network data used for visualization. The next three chapters then deal with the tools pertinent to each category. A summary of the findings is given in the concluding sixth chapter.

The area of network visualization is still very young and chaotic. Big data and the problems connected with its visualization are a very recent phenomenon, and adequate solutions are yet to be found [3]. This thesis tries to act as a building block for follow-up research in this area by giving an overview of popular, currently used visualization techniques. The final goal of such research would then be systems capable of recognizing not only catalogued malicious software, but also of preventing zero-day¹ attacks in real time.

1. A zero-day (also known as zero-hour or 0-day) vulnerability is an undisclosed computer application vulnerability that could be exploited to adversely affect the computer programs, data, additional computers or a network. It is known as a "zero-day" because once the flaw becomes known, the application author has zero days in which to plan and advise any mitigation against its exploitation (by, for example, advising workarounds or issuing patches) [4].

Chapter 2 Computer Network Monitoring and Visualization

Computer network monitoring and visualization are areas closely tied together. Where network monitoring tools produce vast amounts of data, visualization tools give the data a form that is concise, uncluttered and easier for the user to digest. Before venturing forth towards categorizing the various monitoring tools and applications, this chapter aims to provide a brief overview of the most common methods these tools use to gather data from the monitored network. Efficient data collection is an important part of the monitoring process, and for this purpose many protocols and approaches exist, are being developed, or refined.

2.1 Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is a protocol used for collecting data from, and configuring and managing, network devices such as routers, switches, servers and hubs on an Internet Protocol network. Each manageable value is addressed by an object identifier (OID); OIDs are arranged in a hierarchy described by Management Information Bases (MIBs). A query to a device returns a set of OIDs with accompanying values, showing, for example, the interfaces available on a router or switch and the traffic currently passing through them, which is then cross-referenced against the MIB and presented to the user.

To date, three versions of the protocol have been introduced. Version 1 (SNMPv1) is the initial and most widely supported version of the protocol, despite criticism of its very poor security [5]: the only access control is a community string that travels in clear text in every request, so anyone who can observe the traffic can read it and reuse it. Version 2 (SNMPv2c) only expands on the previous version with support for larger data types and additional protocol operations, leaving the security concerns unaddressed. Version 3 (SNMPv3) is the most recent version; it adds strong authentication and data encryption while keeping the primary functionality unchanged.
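The v1/v2c security weakness above, made concrete in an added example (this is not code from the thesis or from any SNMP library; the agent's reply is constructed and nothing is sent on the network): it hand-encodes an SNMPv1 GetRequest for sysDescr.0 in BER exactly as a poller puts it on the wire, decodes a GetResponse, and checks that the community string, the only credential v1 and v2c have, is readable in the clear by anyone who can see the datagram. Only the Python standard library is used.

```python
import struct

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"        # MIB-2 sysDescr.0, the first OID most pollers ask for
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2   # context-specific PDU tags from RFC 1157


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return bytes([0x81, n])
    return bytes([0x82]) + struct.pack("!H", n)


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def encode_int(v):
    # Minimal two's-complement encoding; the extra byte keeps values >= 128 positive.
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])     # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                  # base-128 with continuation bit
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def snmp_message(community, pdu_tag, request_id, varbinds):
    """SNMPv1 message: SEQUENCE { version 0, community, PDU { rid, 0, 0, varbinds } }."""
    vbl = b"".join(tlv(0x30, encode_oid(oid) + val) for oid, val in varbinds)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vbl))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def get_request(community, oid, request_id=1):
    return snmp_message(community, GET_REQUEST, request_id, [(oid, tlv(0x05, b""))])


def get_response(community, oid, text, request_id=1):
    """What an agent answers; constructed here instead of received on UDP/161."""
    return snmp_message(community, GET_RESPONSE, request_id, [(oid, tlv(0x04, text.encode()))])


def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode(datagram):
    """Return (version, community, pdu_tag, request_id, [(oid, value)])."""
    _, msg, _ = read_tlv(datagram, 0)
    _, ver, p = read_tlv(msg, 0)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    _, rid, q = read_tlv(pdu, 0)
    _, _status, q = read_tlv(pdu, q)
    _, _index, q = read_tlv(pdu, q)
    _, vbl, _ = read_tlv(pdu, q)
    binds, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        _, oid, r = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, r)
        if vtag == 0x04:
            value = val.decode()
        elif vtag == 0x02:
            value = int.from_bytes(val, "big", signed=True)
        else:
            value = None                            # NULL in a request, or an unhandled type
        binds.append((decode_oid(oid), value))
    return (int.from_bytes(ver, "big"), community.decode(), pdu_tag,
            int.from_bytes(rid, "big"), binds)


if __name__ == "__main__":
    req = get_request("public", SYS_DESCR_0, 0x1234)
    print(req.hex())
    print("community visible in clear text:", b"public" in req)
    print(decode(get_response("public", SYS_DESCR_0, "Linux router 4.4", 0x1234)))
```

The same bytes a sniffer sees on UDP port 161 are what `get_request` returns; a monitoring host that polls hundreds of devices with v1 or v2c therefore broadcasts its community strings continuously, which is why SNMPv3 (or at least read-only communities and ACLs on the agents) is the practitioner's default.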

2.2 NetFlow/IPFIX Protocol

NetFlow is a feature introduced on Cisco routers that provides the ability to collect IP network traffic statistics as traffic enters or exits an interface. By analyzing the data provided by NetFlow, a user can determine things such as the source and destination of traffic, the class of service, and the causes of congestion. A flow is a stream of packets that share the network interface, source and destination IP addresses, source and destination ports, IP protocol and the same type of service header (for IPv4 transmissions) [6]. Once a flow is detected, a flow record aggregating information about all packets belonging to that flow is created; flows are unidirectional, so one TCP connection produces two records, one per direction. A typical NetFlow monitoring setup consists of a flow exporter, usually a Cisco router, that aggregates packets into flows and exports flow records to a flow collector responsible for record collection and storage, and an analysis application that analyzes the received flow data in the context of intrusion detection or traffic profiling. The versions most commonly found today are NetFlow 5, restricted to IPv4 and a fixed record format, and Internet Protocol Flow Information eXport (IPFIX), which is heavily based on NetFlow 9 and standardised by the IETF [6].
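The exporter/collector exchange above, as an added example (not the thesis's code and not a Cisco or IPFIX implementation): it packs constructed flows into a NetFlow v5 datagram using the 24-byte header and 48-byte record layout Cisco defines for v5, decodes it on the collector side, converts the router-uptime timestamps to wall-clock time, and folds the two unidirectional records of one connection into a conversation. Addresses and flow values are made up for the example.

```python
import socket
import struct

HDR = struct.Struct("!HHIIIIBBH")             # 24-byte NetFlow v5 header
REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record
MAX_RECORDS = 30                              # v5 exporters put at most 30 records in a datagram


def ip2int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int2ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def build_v5(flows, uptime_ms, unix_secs, sequence=0):
    """Exporter side. Each flow is a dict with src, dst, sport, dport, proto, pkts, octets,
    first, last (first/last are router uptime in ms) and an optional tcp_flags."""
    if not 1 <= len(flows) <= MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    out = HDR.pack(5, len(flows), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    for f in flows:
        out += REC.pack(ip2int(f["src"]), ip2int(f["dst"]), 0, 0, 0,
                        f["pkts"], f["octets"], f["first"], f["last"],
                        f["sport"], f["dport"], 0, f.get("tcp_flags", 0),
                        f["proto"], 0, 0, 0, 0, 0, 0)
    return out


def parse_v5(datagram):
    """Collector side: validate and decode one datagram into flow records, with wall-clock
    start/end derived from the header's uptime/unix_secs pair (v5 records carry uptime only)."""
    version, count, uptime, secs, nsecs, seq, _etype, _eid, _sampling = HDR.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) != HDR.size + count * REC.size:
        raise ValueError("record count does not match datagram length")
    boot = secs + nsecs / 1e9 - uptime / 1000.0   # instant at which the exporter's uptime was zero
    records = []
    for i in range(count):
        r = REC.unpack_from(datagram, HDR.size + i * REC.size)
        records.append({
            "src": int2ip(r[0]), "dst": int2ip(r[1]),
            "pkts": r[5], "octets": r[6],
            "first_ts": boot + r[7] / 1000.0, "last_ts": boot + r[8] / 1000.0,
            "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13],
        })
    return {"sequence": seq, "unix_secs": secs, "records": records}


def top_talkers(records, n=3):
    """Bytes sent per source address, the first view most flow analyzers show."""
    totals = {}
    for r in records:
        totals[r["src"]] = totals.get(r["src"], 0) + r["octets"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def pair_directions(records):
    """v5 flows are unidirectional; fold both halves of a conversation under one key."""
    conv = {}
    for r in records:
        a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
        key = (r["proto"],) + (a + b if a <= b else b + a)
        c = conv.setdefault(key, {"pkts": 0, "octets": 0})
        c["pkts"] += r["pkts"]
        c["octets"] += r["octets"]
    return conv


# Constructed flows: one HTTPS conversation (both directions) and one DNS query.
SAMPLE_FLOWS = [
    {"src": "192.168.1.10", "dst": "198.51.100.7", "sport": 51234, "dport": 443, "proto": 6,
     "pkts": 12, "octets": 2400, "first": 90000, "last": 95000, "tcp_flags": 0x1b},
    {"src": "198.51.100.7", "dst": "192.168.1.10", "sport": 443, "dport": 51234, "proto": 6,
     "pkts": 10, "octets": 9800, "first": 90010, "last": 95000, "tcp_flags": 0x1b},
    {"src": "192.168.1.10", "dst": "192.168.1.1", "sport": 53222, "dport": 53, "proto": 17,
     "pkts": 1, "octets": 64, "first": 89900, "last": 89900},
]

if __name__ == "__main__":
    dgram = build_v5(SAMPLE_FLOWS, uptime_ms=100000, unix_secs=1447200000, sequence=7)
    parsed = parse_v5(dgram)
    print(len(dgram), "bytes,", len(parsed["records"]), "records")
    print(top_talkers(parsed["records"]))
    print(pair_directions(parsed["records"]))
```

The length check matters in practice: NetFlow rides on UDP with no authentication, so a collector that trusts the record count blindly can be fed malformed datagrams; sequence-number gaps in the header are likewise the only signal that exports were lost.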

2.3 Internet Control Message Protocol

The Internet Control Message Protocol (ICMP) is one of the main protocols of the Internet Protocol Suite. It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP can also be used to relay query messages [7].


Although ICMP messages are contained within standard IP packets, they are usually processed as a special case, distinguished from normal IP processing, rather than as a normal sub-protocol of IP. In many cases it is necessary to inspect the contents of the ICMP message and deliver the appropriate error message to the application that generated the original IP packet, that is, the one that sent the packet which prompted the ICMP message. Many network utilities in common use are based on ICMP messages. The traceroute command can be implemented by transmitting IP datagrams with specially set IP TTL header fields and looking for the ICMP "Time to live exceeded in transit" and "Destination unreachable" messages generated in response. The related ping utility is implemented using the ICMP "Echo request" and "Echo reply" messages. Network monitoring tools use ICMP as an availability checker by querying a device and waiting for a reply signifying availability or unavailability of the device. Because many hosts and firewalls rate-limit or drop ICMP, a missing reply is only evidence, not proof, of unreachability, and monitoring tools normally retry several times before reporting a device down.
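The ping and traceroute mechanics just described, as an added example (this code is not from the thesis nor from any ping or traceroute implementation): it builds an Echo Request with the RFC 1071 checksum, constructs the Time Exceeded message a router sends when the TTL runs out (which quotes the original IP header plus eight bytes of its payload), decodes both kinds of reply the way the utilities do, and runs the traceroute TTL loop against a constructed in-memory path instead of a raw socket, since sending real probes needs privileges and is left out. All addresses are private or documentation ranges chosen for the example.

```python
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
PROTO_ICMP = 1


def a2b(ip):
    return bytes(int(x) for x in ip.split("."))


def b2a(raw):
    return ".".join(str(x) for x in raw)


def inet_checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl):
    """Minimal 20-byte IPv4 header (no options) with its header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, a2b(src), a2b(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp(kind, code, rest, payload=b""):
    """Generic ICMP message: type, code, checksum over the whole message, 4 'rest' bytes, payload."""
    body = struct.pack("!BBH", kind, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def echo_request(ident, seq, payload=b"abcdefgh"):
    return icmp(ECHO_REQUEST, 0, struct.pack("!HH", ident, seq), payload)


def echo_reply(request):
    """A host's answer: same identifier, sequence number and payload, type 0."""
    return icmp(ECHO_REPLY, 0, request[4:8], request[8:])


def time_exceeded(router_ip, original):
    """What a router sends when the TTL reaches zero: type 11, quoting the original IP
    header plus the first 8 bytes of its payload (RFC 792), addressed back to the sender."""
    msg = icmp(TIME_EXCEEDED, 0, b"\x00" * 4, original[:28])
    return ipv4_header(router_ip, b2a(original[12:16]), PROTO_ICMP, 20 + len(msg), 64) + msg


def classify(datagram):
    """Decode an inbound IPv4/ICMP datagram into the facts ping and traceroute act on."""
    ihl = (datagram[0] & 0x0F) * 4
    sender = b2a(datagram[12:16])
    msg = datagram[ihl:]
    if inet_checksum(msg) != 0:                      # a valid message sums to zero
        return ("bad-checksum", sender)
    kind = msg[0]
    if kind == ECHO_REPLY:
        return ("echo-reply", sender) + struct.unpack("!HH", msg[4:8])
    if kind in (TIME_EXCEEDED, DEST_UNREACH):
        inner = msg[8:]                               # the quoted original datagram
        inner_ihl = (inner[0] & 0x0F) * 4
        ident, seq = struct.unpack("!HH", inner[inner_ihl + 4:inner_ihl + 8])
        return ("time-exceeded" if kind == TIME_EXCEEDED else "unreachable", sender, ident, seq)
    return ("other", sender, kind, msg[1])


def traceroute(network, src, dst, max_hops=30):
    """Traceroute logic with the network injected as network(datagram) -> reply datagram:
    probe with TTL 1, 2, ... and record who complained, until the destination itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        req = echo_request(0x1234, ttl)
        probe = ipv4_header(src, dst, PROTO_ICMP, 20 + len(req), ttl) + req
        kind, who, *_ = classify(network(probe))
        hops.append(who)
        if kind == "echo-reply":
            break
    return hops


def fake_path(routers, dst):
    """Constructed network: router i expires probes whose TTL is i+1; the destination
    replies to anything that gets past the routers. Probes are assumed to have 20-byte headers."""
    def network(datagram):
        ttl = datagram[8]
        if ttl <= len(routers):
            return time_exceeded(routers[ttl - 1], datagram)
        req = datagram[20:]
        return ipv4_header(dst, b2a(datagram[12:16]), PROTO_ICMP, 20 + len(req), 64) + echo_reply(req)
    return network


if __name__ == "__main__":
    path = fake_path(["192.168.1.1", "10.0.0.1"], "198.51.100.7")
    print(traceroute(path, "192.168.1.10", "198.51.100.7"))
```

Matching replies by the identifier/sequence pair quoted inside the error message is what lets a host attribute a Time Exceeded to the right probe when several traceroutes or pings run at once; replies that fail the checksum are dropped rather than trusted.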

2.4 Windows Management Instrumentation

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. Users can write WMI scripts or applications to automate administrative tasks on remote computers, but WMI also supplies management data to other parts of the operating system and to other products [8]. In network monitoring software, WMI is used to access various configuration parameters and status values on Windows systems. One downside of this service is its relatively high impact on system performance [9].

2.5 Packet Capture

Packet capture (PCAP) refers to an API used for capturing and logging network traffic. PCAP is implemented in the libpcap library for Unix-like systems and the WinPcap library for Windows. Tools such as tcpdump¹ and other monitoring software use this library to capture packets traveling over a network and export them into packet capture files (PCAPs). Each PCAP file thus contains a time-bounded snapshot of the activity on a given network interface. Such files are then used for archival purposes, further analysis, or as input files for packet analyzer² software.

1. tcpdump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is connected.
2. A packet analyzer intercepts and logs traffic as it passes over a computer network. It can decode the contents of individual packets and give alerts according to a specification.
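A reader for the file format just described, as an added example (not tcpdump's or libpcap's code): it parses the classic libpcap global header and packet records, decodes Ethernet/IPv4/TCP-or-UDP headers, reports the time span the file covers, and folds packets into the per-conversation packet and byte counts a packet analyzer shows. The capture is built in memory by the same code (constructed frames with zero checksums; addresses are private and documentation ranges). pcapng, the newer format Wireshark writes by default, is deliberately rejected rather than mis-parsed.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def pcap_records(data):
    """Yield (timestamp_us, frame_bytes) from a classic pcap file, honouring the byte
    order the magic number announces. pcapng has a different magic and is rejected."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack_from(order + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, pos)
        pos += 16
        if pos + incl_len > len(data):
            raise ValueError("truncated packet record")   # capture cut short mid-packet
        yield sec * 1_000_000 + usec, data[pos:pos + incl_len]
        pos += incl_len


def decode_frame(frame):
    """Ethernet II -> IPv4 -> TCP/UDP five-tuple plus IP total length; None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport = dport = 0
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", ip, ihl)
    return src, dst, proto, sport, dport, total_len


def conversations(data):
    """Fold both directions of each flow together, as an analyzer's conversation list does."""
    table = {}
    for ts, frame in pcap_records(data):
        d = decode_frame(frame)
        if d is None:
            continue
        src, dst, proto, sport, dport, length = d
        a, b = (src, sport), (dst, dport)
        key = (proto,) + (a + b if a <= b else b + a)
        c = table.setdefault(key, {"packets": 0, "bytes": 0, "first_us": ts, "last_us": ts})
        c["packets"] += 1
        c["bytes"] += length
        c["first_us"] = min(c["first_us"], ts)
        c["last_us"] = max(c["last_us"], ts)
    return table


def capture_span(data):
    """The time window the file covers: (first, last) timestamp in microseconds."""
    stamps = [ts for ts, _ in pcap_records(data)]
    return (min(stamps), max(stamps)) if stamps else None


def make_frame(src, dst, proto, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame with zero checksums (enough for parsing)."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + l4 + payload


def make_pcap(records):
    """records: list of (timestamp_us, frame). Writes a little-endian classic pcap."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        out += struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(frame), len(frame)) + frame
    return out


T0 = 1447200000_000000   # constructed base timestamp in microseconds
SAMPLE_PCAP = make_pcap([
    (T0, make_frame("10.0.0.4", "198.51.100.7", IPPROTO_TCP, 51234, 80, b"GET / HTTP/1.1\r\n")),
    (T0 + 20_000, make_frame("10.0.0.4", "10.0.0.138", IPPROTO_UDP, 40000, 53, b"\x00" * 29)),
    (T0 + 50_000, make_frame("198.51.100.7", "10.0.0.4", IPPROTO_TCP, 80, 51234,
                             b"HTTP/1.1 200 OK\r\n" + b"x" * 1000)),
])

if __name__ == "__main__":
    print(capture_span(SAMPLE_PCAP))
    for key, stats in conversations(SAMPLE_PCAP).items():
        print(key, stats)
```

Two details are worth keeping even in a throwaway reader: the byte order comes from the magic number, not from the host, and a record whose declared length runs past the end of the file is reported rather than silently shortened, since an interrupted capture is the usual way that happens.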

Chapter 3 Tools for Local Network Visualization

Local network visualization encompasses all forms of monitoring and data gathering that can be done on a single network-connected device. For the purpose of this thesis this category was divided into traffic and performance visualization, packet capture and visualization of its contents, and log data visualization.

3.1 Local Traffic and Performance Visualization

Local traffic and performance visualization comprises all traffic and other network data that can be gathered and visualized on a local host computer belonging to the network. There are very few tools that deal only with visualization of local traffic; however, they are still very popular and frequently in use. Two examples of such tools are NetGrok and EtherApe, presented below.

3.1.1 NetGrok

NetGrok is a Java-based tool for visualizing computer network usage in real time. It was created in spring 2008 during the Information Visualization course at the University of Maryland, College Park, with the main goal of creating a tool that can capture traces from a live network interface and filter the data set dynamically by bandwidth, number of connections, and time [10]. It supports two types of input: live listening on a selected network interface, and packet capture files. Once an input is chosen, NetGrok can begin its visualization process. NetGrok shows the captured data in two different ways, as a force-directed graph or as a treemap, which allow for different approaches to reading the data. In addition there is the edge table, listing all connections and the data transferred between hosts captured during a session.

Figure 3.1 shows the application's Graph view. Nodes inside the dashed blue circle are hosts on the local network; nodes outside the circle denote foreign hosts. Foreign hosts are laid out by hashing their address into planar coordinates, so they always appear in the same place on any NetGrok installation, which eases orientation in larger networks [10]. Color indicates bandwidth utilization, with red denoting the hosts that used the most bandwidth and clear green the least. White nodes surrounded by a dashed gray circle indicate zero-byte hosts¹. Node size represents the number of connections, proportional to the other nodes. Connections between hosts are shown by mousing over a node. Each node is labeled with its IP address, but a DNS lookup is possible.

The TreeMap view transforms the captured data into a 2D treemap in which local and foreign hosts are separated by a thick black line. Again, hosts with the most connections are largest, those consuming the most bandwidth are red and those consuming the least yellow. The treemap view is useful when monitoring a large number of hosts that would produce a very cluttered graph view.

Grouping of both foreign and local hosts is possible. Groups are defined in a groups.ini file that lists them in the format NameOfGroup = IPBlock1,IPBlock2,...,IPBlockn. Example of a groups.ini file used in Figure 3.1:

[local]
Private1=192.168.0.0/16
Private2=172.16.0.0/12
Private3=10.0.0.0/8

[foreign]
Google=216.239.0.0/16,64.233.0.0/16,64.68.0.0/1
Last.FM=87.117.229.0/24
Wikimedia=208.80.152.0/24
Valve=162.254.0.0/16

1. The term Zero-byte host is defined as a host that receives traffic, but sends none back [10].


Figure 3.1: A snapshot of NetGrok’s Graph view. For a full image see the appendix A.1.

Hosts grouped in this way show in close proximity to each other in graph view, and nested inside a thick rectangle in treemap view. Timeline manipulation is also present, allowing filtering for connec- tions only active at the selected time. Additionally, search by IP ad- dress, bandwidth usage and number of connections is possible.

3.1.2 EtherApe

EtherApe is graphical network monitoring software for Unix-like systems, developed and maintained by Juan Toledo et al. [11]. It is released as open source software under the GNU General Public License. It features three modes of visualization: link mode, showing traffic between nodes on the link layer; IP mode, showing nodes and the active communications between them; and TCP mode, showing source and destination ports along with the protocol used. All nodes are labeled with their IP address, or with a name if a DNS lookup is performed, and are visualized in a circular graph with links showing the connections between them. Links are color coded according to the most used protocol, and link width shows the instantaneous traffic between two nodes. Details about the nodes exchanging traffic are found in the Nodes panel. Nodes can be filtered by name, the amount of instantaneous and accumulated traffic, the number of packets and average packet size exchanged, and the time since the last communication. Similar filtering is also available for the individual protocols detected.

Figure 3.2: TCP traffic captured using EtherApe. For a full image see the appendix A.2.

Figure 3.2 demonstrates the application's TCP view, showing all network and port traffic on a 10.0.0.0/24 home network, with the top talker being 10.0.0.4. All ports with their accompanying protocols are shown. The largest volume of traffic comes from 185.42.205.79, a twitch.tv video streaming server, over HTTP.


EtherApe can also restrict the capture with a filter expression in the libpcap (BPF) syntax that tcpdump uses as well, for example src net ADDRESS and dst net ADDRESS, where ADDRESS is a single address or a network. A network can be written as a dotted prefix, such as 192.168.1 for 192.168.1.0/24, or with an explicit mask. Primitives are combined, negated, etc. with the boolean operators and, or and not; two primitives written next to each other without an operator do not form a valid expression. A filter that keeps only traffic whose both ends lie in 192.168.1.0/24 is therefore src net 192.168.1 and dst net 192.168.1; to keep all traffic that merely touches that network, net 192.168.1 suffices. For more details about EtherApe and its functionality see [11].

3.2 Packet Capture and Visualization

A packet capturer is a computer program or piece of hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and, if needed, decodes the packet's raw data, showing the values of the various fields in the packet and analyzing its content according to the appropriate RFC (Request for Comments) or other specification. Many packet capture applications are also packet analyzers and can serve as sensors for network intrusion detection systems (NIDS). For a detailed overview of NID systems see chapter 5.

3.2.1 Wireshark

Wireshark is one of the longest-lived packet capture tools in existence. It was known as Ethereal from its creation in 1998 until mid-2006, when it was renamed Wireshark because of trademark issues [12]. Wireshark is a network protocol analyzer that lets the user capture and interactively browse network traffic. It is developed and maintained by the Wireshark team and is freely available as open source under the GNU General Public License version 2.

Wireshark captures network traffic from a given network interface. By default it sees only traffic addressed to the capturing host; if the interface supports it, promiscuous mode makes it capture every frame that reaches the interface. Even promiscuous mode does not assure total capture of all network traffic, however. When capturing on a port of a switch, not all traffic through the switch is necessarily forwarded to the port where the capture is done. This can be remedied either by port mirroring² or by network taps³, which extend the capture to the whole segment.

Traffic captured by Wireshark is shown in a table in the main application window, with one packet per row (snapshot in Figure 3.3). Packets are listed in the order of capture, starting with the earliest. Each packet is also assigned a number alongside its timestamp for ease of orientation. The row background is colored according to the packet's protocol and the font color according to its type; a distinction is made, for example, between TCP SYN/ACK packets and RST packets. Wireshark supports customizable coloring rules that can be changed on the fly and alter the way packets are color coded, as well as temporary filters that apply to part of the data and cease to exist once the capture session is over. Community-made coloring rules that highlight TCP retransmissions, group IEEE 802.11 (WLAN) frames, emphasize and detect errors in client/server communication, etc. are available for download [13]. Each packet can be further inspected to see both its full header and its content.

In addition to color coding, irrelevant data can be filtered out by protocol, source, destination, etc. Wireshark ships with dozens of built-in filters and also allows the creation of custom filters through its display filter language. For a detailed introduction to custom filter creation see [14].

An example capture is shown in Figure 3.3. Highlighted, along with its full header and content details, is an ARP packet from 10.0.0.2 (MAC 0c:d2:92:03:dd:5b) to the broadcast destination (MAC ff:ff:ff:ff:ff:ff), asking for the MAC address of 10.0.0.138. The packet directly underneath is the ARP reply from 10.0.0.138.

Wireshark contains many additional features. Since they are too numerous to list and showcase fully, only those deemed most important are mentioned: the ability to follow and decode conversation streams between hosts, including voice over IP (VoIP) calls that can be decoded and listened to (if captured under suitable circumstances) [15]; generation of packet length and I/O statistics; a listing of all captured conversations with the number of packets transferred, total bytes exchanged, and conversation start and end times; and plugin support for protocols not supported in the default installation.

Figure 3.3: Snapshot of the Wireshark interface showing manipulation of captured network traffic. For a full image see appendix A.3.

2. Port mirroring is used on a network switch to send a copy of the network packets seen on one switch port to a monitoring connection on another switch port.
3. A network tap is a hardware device which provides a way to access the data flowing across a computer network. It has at least three ports: A, B and a monitor port. A tap inserted between points A and B allows network traffic to pass through unimpeded, but also copies all data to its monitor port, enabling third-party listening.

3.3 Network Log Data Visualization

Log data are produced by applications and services in response to events and notable occurrences and, in volume, are a form of big data. In computer networks, log data are most often produced by gateway routing rules, firewalls and tools monitoring the traffic passing through those points. Many tools to visualize such data exist; two examples are presented below.

3.3.1 Time-based Network Visualizer

Time-based Network Visualizer (TnV) depicts network traffic by visualizing packets and links between local and foreign hosts. It is a Java-based tool developed by John Goodall et al. and released under the open-source MIT license. TnV allows two types of input: live capture from a network interface and PCAP packet capture files. In either case the input data is parsed and stored in a MySQL database. No real-time visualization is possible; a live capture must end before parsing can begin. Captured data can be exported as PCAP files or kept in the database for trend monitoring and analysis.

The main window of the application depicts foreign hosts on the left side and local hosts in a reorderable matrix to the right of them, with links drawn between the two. Each cell of the matrix shows the traffic of one local host during one time slot, with the cell's background color showing aggregated packet activity. Packets are depicted as triangles whose point shows their direction. Both packets and links are color coded by protocol. By selecting a cell within the matrix, representing a local host for a certain time period, the user can show either the packet details or the port activity related to that host. The main mechanism for moving through the captured data is a scroll bar that sets the visible section, with a bar graph showing an overview of network activity. The sidebar on the right illustrates the ports, both source and destination, involved in the selected conversations.

Figure 3.4 shows the outlined functionality on a PCAP sample of an Internet Relay Chat (IRC) flood attack, a typical example of a Denial of Service attack whose goal is to disconnect a user from an IRC server. It abuses the fact that the number of messages a client may send in a given time frame is limited and enforced by the server: the flood provokes the victim's client into sending replies faster than the server allows, and the server disconnects the victim with an "Excess Flood" message. The highlighted packets show communication between the local host 192.168.248.105 and the foreign host 64.32.28.7 on port 5553, a non-standard IRC port, milliseconds before a flood from 208.98.1.12 commences. In the next three seconds the local host is flooded with hundreds of packets until the communication ceases, signifying termination of the IRC session.

Figure 3.4: Visualization of an IRC flood attack using TnV. For a full image see appendix A.4.
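The pattern read off the TnV timeline above, as an added example (not TnV's code and not the appendix B.1 capture): a sliding-window packet-rate check over a constructed timeline shaped like the attack, which flags the flooding source the moment its rate crosses a threshold and reports when the IRC session last saw a packet. The addresses are the ones named above; the timings and counts are made up.

```python
from collections import defaultdict, deque


def detect_floods(records, window=1.0, threshold=100):
    """records: iterable of (ts_seconds, src, dst, dport). For every (src, dst) pair keep the
    timestamps of the last `window` seconds; the first time `threshold` packets fall inside
    the window, emit (src, dst, window_start, count). One alert per pair."""
    recent = defaultdict(deque)
    alerts, seen = [], set()
    for ts, src, dst, _dport in sorted(records):
        q = recent[(src, dst)]
        q.append(ts)
        while q[0] < ts - window:          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and (src, dst) not in seen:
            seen.add((src, dst))
            alerts.append((src, dst, q[0], len(q)))
    return alerts


def last_contact(records, a, b):
    """Timestamp of the last packet exchanged between a and b in either direction, or None.
    A session that was cut off shows up as nothing after this point."""
    stamps = [ts for ts, src, dst, _ in records if {src, dst} == {a, b}]
    return max(stamps) if stamps else None


def constructed_irc_flood():
    """Constructed timeline modelled on the capture behind Figure 3.4 (not that capture):
    the local host chats with the IRC server on port 5553 every half second, a third host
    starts sending 300 packets at t=5.0 s spread over three seconds, and the chat stops at 8.0 s."""
    local, server, flooder = "192.168.248.105", "64.32.28.7", "208.98.1.12"
    recs = []
    for i in range(17):
        t = i * 0.5
        recs.append((t, local, server, 5553))
        recs.append((t + 0.1, server, local, 5553))
    recs = [r for r in recs if r[0] <= 8.0]
    for i in range(300):
        recs.append((5.0 + i * 0.01, flooder, local, 5553))
    return recs


if __name__ == "__main__":
    recs = constructed_irc_flood()
    print(detect_floods(recs))
    print("last IRC packet at", last_contact(recs, "192.168.248.105", "64.32.28.7"))
```

The threshold and window are the tuning knobs: too low and ordinary bursts (a file transfer, a DNS storm after a resolver restart) alert; too high and a slow flood that still exceeds the server's quota is missed. Records are sorted first because the check assumes time-ordered input.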


3.3.2 AfterGlow

AfterGlow is a tool, written in Perl and created and maintained by Raffael Marty, that facilitates the creation of link graph visualizations of network traffic log data. Many graph tools, Gephi⁴ or Pajek⁵ for example, require input in a very specific format, generally a graph description language, and AfterGlow produces such a description from plain log data. AfterGlow 1.6.x is designed to be run from the command line and lacks any graphical interface; this is expected to be remedied in AfterGlow 2.0. The tool expects CSV files as input and generates a graph description in the DOT language, which GraphViz renders and which tools such as Gephi can import. To help convert PCAP and other log file formats into CSV, AfterGlow ships with custom parsers; the most useful of these are the PCAP, sendmail log file and Snort alert log parsers.

Figure 3.5: Visualization of an IRC flood attack using AfterGlow [16].

AfterGlow creates graphs with three kinds of nodes: the source node, which indicates the origin of a communication; the event node, drawn as a rectangle, which in this example indicates the target host of the communication; and the target node, indicating the targeted port. Node colors may be customized using regular expressions in a color.properties file that is passed to AfterGlow on the command line. Example color.properties file used when generating the DOT file for Figure 3.5:

color.source="yellow" if ($fields[0]=~/^192\.168\..*/);
color.source="greenyellow" if ($fields[0]=~/^10\..*/);
color.source="yellow4" if ($fields[0]=~/^172\.16\..*/);
color.source="red"
color.event="yellow" if ($fields[1]=~/^192\.168\..*/)
color.event="greenyellow" if ($fields[1]=~/^10\..*/)
color.event="yellow4" if ($fields[1]=~/^172\.16\..*/)
color.event="red"
color.target="blue" if ($fields[2]<1024)
color.target="lightblue"

Figure 3.5 shows a graph generated by GraphViz from the DOT file created by AfterGlow. The graph depicts the same IRC flood attack as Figure 3.4. It highlights the conversation between the local host 192.168.248.105 and the foreign host 64.32.28.7 over the non-standard IRC port 5553. The hosts are color coded according to the properties file shown above: hosts in private address ranges get a shade of yellow (192.168.0.0/16 yellow, 10.0.0.0/8 greenyellow, 172.16.x.x yellow4), foreign hosts are red, well-known ports below 1024 are blue and all other ports light blue. The rules are evaluated in order and the first match wins, so the unconditional line at the end of each group is the default. Note that the pattern ^172\.16\. only covers 172.16.0.0/16, not the whole 172.16.0.0/12 private block. Another way to filter data is through variables: AfterGlow allows the user to define variables using Perl expressions and use them when assigning colors to nodes during DOT file generation [17].

4. Gephi is an interactive visualization and exploration platform for all kinds of networks and complex systems and hierarchical graphs, gephi.github.io (cited 2015-11-11).
5. Pajek provides analysis tools for large networks and graph-drawing capabilities, http://mrvar.fdv.uni-lj.si/pajek/ (cited 2015-11-11).
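The link-graph step and the color rules from the properties file above, as an added example (not AfterGlow's Perl code): it reads three-column source,target-host,port CSV lines, assigns node colors with the same first-match rule order, and emits DOT text that GraphViz's dot command can render. The input lines are constructed. It goes beyond the file above in one respect, marked in the code: the third pattern covers the whole 172.16.0.0/12 private block rather than only 172.16.0.0/16.

```python
import re

# Rules in the order AfterGlow evaluates them: first match wins, the bare entry is the default.
# The 172.16 pattern is widened to all of 172.16.0.0/12 (the properties file above covers
# only 172.16.0.0/16); that is the one place this code departs from that file.
PRIVATE_RULES = [
    (re.compile(r"^192\.168\."), "yellow"),
    (re.compile(r"^10\."), "greenyellow"),
    (re.compile(r"^172\.(1[6-9]|2[0-9]|3[01])\."), "yellow4"),
]


def node_color(kind, value):
    """kind is 'source' (first CSV column), 'event' (second) or 'target' (third, a port)."""
    if kind == "target":
        return "blue" if int(value) < 1024 else "lightblue"
    for pattern, color in PRIVATE_RULES:
        if pattern.match(value):
            return color
    return "red"


def parse_csv(lines):
    """Three-column source,target-host,port records; blank lines and # comments are skipped."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            raise ValueError("expected 3 columns: %r" % line)
        rows.append(tuple(fields))
    return rows


def link_graph(rows):
    """Nodes keyed by (kind, value) with their color, and source->event, event->target edges
    with a repeat count so the same conversation seen many times thickens the edge."""
    nodes, edges = {}, {}
    for src, dst, port in rows:
        nodes[("source", src)] = node_color("source", src)
        nodes[("event", dst)] = node_color("event", dst)
        nodes[("target", port)] = node_color("target", port)
        for edge in ((("source", src), ("event", dst)), (("event", dst), ("target", port))):
            edges[edge] = edges.get(edge, 0) + 1
    return nodes, edges


def to_dot(rows):
    """Render the link graph in DOT: event nodes as boxes, edge width by repeat count."""
    nodes, edges = link_graph(rows)

    def nid(kind, value):
        return '"%s:%s"' % (kind[0], value)   # distinct ids keep a host's source/event roles apart

    out = ["digraph afterglow {", "  node [style=filled];"]
    for (kind, value), color in sorted(nodes.items()):
        shape = "box" if kind == "event" else "ellipse"
        out.append('  %s [label="%s", shape=%s, fillcolor="%s"];' % (nid(kind, value), value, shape, color))
    for ((k1, v1), (k2, v2)), n in sorted(edges.items()):
        out.append("  %s -> %s [penwidth=%d];" % (nid(k1, v1), nid(k2, v2), min(n, 5)))
    out.append("}")
    return "\n".join(out)


# Constructed records in the shape AfterGlow's pcap parser emits (source, destination, port).
SAMPLE_CSV = """\
# src,dst,dport
192.168.248.105,64.32.28.7,5553
64.32.28.7,192.168.248.105,5553
208.98.1.12,192.168.248.105,5553
208.98.1.12,192.168.248.105,5553
192.168.248.105,192.168.248.1,53
""".splitlines()

if __name__ == "__main__":
    print(to_dot(parse_csv(SAMPLE_CSV)))
```

Piping the output through `dot -Tpng` gives the same kind of picture as Figure 3.5; the repeated flooder-to-victim row is what makes that edge the thickest in the drawing.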

3.4 Summary of presented tools and their features

Figure 3.6 shows a full summary of all the functionality the user can expect from the tools covered in this chapter. The first row lists all the functionality covered in this chapter: LocalTraffVis stands for local traffic visualization, GlobalTraffVis for global traffic visualization, PCAP for packet capture and visualization and LogVis for log data visualization. A check mark in a cell belonging to a given application indicates that the application possesses the feature.

Figure 3.6: Feature summary (table with columns LocalTraffVis, GlobalTraffVis, PCAP, LogVis and rows NetGrok, EtherApe, Wireshark, TnV, AfterGlow).

Chapter 4 Tools for Global Network Visualization

4.1 Global Traffic and Performance Visualization

Global traffic is traffic travelling throughout a network as well as into and out of it. Capture of such traffic is performed by multiple remote data-gathering probes positioned at critical points inside the network, for example firewalls and switches, all connected to a central data collection service. Visualization can be accomplished using, for example, network topology maps with directed graphs representing traffic flows, regular bar or pie charts, or heatmaps. Performance monitoring depicts the load various network devices are under. Similarly, charts and pie graphs, heatmaps, or either of them combined with network topology maps are the most common visualization approaches. Presented below are examples representing the graph and topology map approaches, respectively.

4.1.1 Cacti

Cacti is multi-purpose network monitoring software developed by the Cacti Group and released free under the GNU General Public License. It leverages PHP, a custom polling¹ client and RRDtool² to create near real-time graphs showing network traffic and performance. The basic Cacti installation consists of a web server with a MySQL database storing default graph, device and data source templates. Newly added network devices get assigned a template, which

1. Polling, or polled operation, refers to actively and periodically sampling the status of an external device.
2. Round-Robin Database tool (RRDtool) is a high performance data logging and graphing system for time series data, www.rrdtool.org/ (cited 2015-11-05).

can be created, edited or further customized with a simple and intuitive interface and which describes which data sources Cacti should query. Data sources can vary from simple wireless interface usage statistics of a router to the running processes and concurrently logged-in users of a server. The main method of data acquisition is SNMP.

To retrieve network traffic and performance information Cacti runs a poller; the default PHP poller can be replaced by Spine, an optional C-based poller intended for larger installations. The poller periodically queries the monitored devices over SNMP and saves the retrieved data to round-robin database files (.rrd). Each monitored data source (CPU load, memory utilization, disk space) has its own rrd file. These files then serve as data sources for the traffic and performance graphing itself, done by RRDtool, which offers a set of commands for a wide range of individual graph customization. Comparing multiple data sources against each other, color customization, rate of change, 95th percentile and many others are supported, leading to the creation of the graphs the user requires. Cacti provides a built-in interface to easily write and store these custom templates.

This functionality is demonstrated in Figure 4.1, depicting five individual graphs generated by Cacti. The first four are captures from a local network computer showing processor usage, bandwidth (divided into total bandwidth and unicast traffic) and used hard drive space over a period of seven hours. The last graph shows total incoming and outgoing wireless traffic over a router's ppp1.1 interface.

Cacti can be further enhanced through many community-created plug-ins made available for download on the official page³. Popular ones include PhpWeathermap, a plugin generating maps and diagrams from data collected by Cacti or other sources, which also exists as a standalone installation (covered below); cereusreporting, facilitating instant PDF report creation; murlin, adding URL monitoring support; etc. The main strength of Cacti lies in its ability to pinpoint the exact time a notable event, such as a surge in network traffic or an increase in connections, occurs. This allows the user to apply different tools,

3. Official Cacti plugin repository is located at http://docs.cacti.net/ plugins (cited 2015-11-05).

22 4. TOOLSFOR GLOBAL NETWORK VISUALIZATION

Figure 4.1: Traffic and performance graphs created using Cacti.

for example Snort, covered further on in this thesis, to analyze only relevant data.


4.1.2 PRTG Network Monitor

PRTG Network Monitor is a network traffic and performance monitoring software developed by Paessler and building upon a previous version known as the Paessler Router Traffic Grapher.

PRTG monitors the network by attaching sensors, called probes, to network-connected devices. These probes are objects that tell the tool what information to query for on a given device. Each PRTG installation can support upwards of ten thousand probes depending on sensor type and server hardware [18]. This number can, for larger networks, be further increased by deploying Remote Probes, which are additional installations of the service on computers within the network. This splits the performance load of managing a high number of sensors between multiple installations.

Probes are divided into four main categories: device availability and uptime, device status, network traffic and performance monitoring, and network traffic analysis.

The first category contains probes that range from a ping probe to monitor general device availability to probes customized for monitoring common services. There are, for example, probes that monitor folder and file content, count and availability on an FTP server, IMAP and POP3 monitoring for mail servers including round trip probes reporting the time it takes for an e-mail to reach its destination after being sent, Oracle, MySQL and PostgreSQL database monitoring, and virtual machine monitoring.

Probes in the second category report the hardware status of monitored devices. CPU load, disk usage and the general hardware make-up of a system, as well as the status of anti-virus and other select security applications, can be watched. Monitoring of Windows systems is done mainly through WMI; other operating systems are monitored through SNMP.

The network traffic and performance category houses probes visualizing data flows on the network using NetFlow/IPFIX and sibling protocols or SNMP. The resulting visualization can be filtered by incoming or outgoing traffic, unicast or multicast packets, errors and discards, or set to show only unknown protocol traffic. An example of such a sensor is shown in Figure 4.2.

Network traffic analysis contains pre-set and customisable packet sniffers that, when attached to an interface, monitor network traffic details and content. Customisable packet sniffers have filters that allow the monitoring of only desirable traffic. Traffic can be filtered by protocol, source and destination IP or port, MAC address and IP version. Additional filtering options (interface, Actual-Sensor interface) are available for NetFlow 5 and higher. Additional channels (graph data sources) can then be defined to further divide the filtered traffic.

Each probe triggers an alert or a notification whenever an event occurs, for example a service becoming unavailable or a custom threshold on bandwidth or CPU usage being exceeded. Alerts depend on sensor type and are gathered on the dashboard, which provides an overview of all devices on the network along with associated probes and their status. PRTG is a highly customizable tool that provides the user with an overview of the whole network and alerts him when necessary according to his rules.

Figure 4.2: Traffic sensor deployed by PRTG [19]. For a full image see the appendix A.5.


4.1.3 PhpWeatherMap

PhpWeatherMap (also known as Network Weathermap) is an open source network visualization tool that creates live network maps from the network statistics collected by tools such as Cacti or RRDtool. An example of a live network map is shown in Figure 4.3, depicting Switzerland's SWITCHaai (Shibboleth)4 college network. Individual nodes depict whole networks, with links between them color coded to show current bandwidth throughput. Hovering over a link produces an RRDtool bandwidth usage history graph. The image in the background can be freely customized, enabling the creation of pseudo-topology maps. With enough available data, Network Weathermap can monitor networks down to individual links between devices.

Data is collected via plugins. Plugins are supplied for RRDtool, MRTG (RRD and old log format), tab-delimited text files, SNMP, external scripts, and Cacti-specific data. Use of RRDtool ensures Weathermap has access to data from any application generating rrd files, including Cacti, Cricket, MRTG, and many more. Other sources are supported via plugins or external scripts. Maps are created either through a web interface, or in a text file with a simple syntax. More information about this process can be found in [21].

There is strong Cacti (covered above) integration in particular, leveraging its plugin architecture to provide a management user interface and access control for maps using Cacti's existing user database. Additional datasource plugins allow efficient access to data from Cacti's poller directly.

4. Shibboleth is a single sign-on (log-in) system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations.


Figure 4.3: Network Weathermap of the Swiss university network [20]. For a full image see the appendix A.6.

4.2 Network Topology Mapping

Network topology is the arrangement of the various elements (links, nodes, etc.) of a computer network. Essentially, it is the topological structure of a network and may be depicted physically or logically. Physical topology is the placement of the various components of a network, including device location and cable installation, while logical topology illustrates how data flows within a network, regardless of its physical design. Distances between nodes, physical interconnections, transmission rates, or signal types may differ between two networks, yet their topologies may be identical.

An example is a local area network (LAN): any given node in the LAN has one or more physical links to other devices in the network; graphically mapping these links results in a geometric shape that can be used to describe the physical topology of the network.


Conversely, mapping the data flow between the components determines the logical topology of the network. Network topology mapping then refers to the creation of these maps. Tools for network topology mapping create mainly logical maps. Examples of two such tools are given below.

4.2.1 The Dude

The Dude is a free tool for network scanning and topology mapping developed and maintained by MikroTik. It allows for scanning a selected range of IP addresses, detecting and sorting active hosts based on available protocols, and creating a basic network layout from the retrieved data that can be further customized with user input. The Dude then monitors all devices and traffic on such a network for any service outages.

The application window consists of a menu on the left side and a main window on the right. The bottom left corner contains a small overview of the currently selected monitored network. A network scan is started in the Discover submenu. There the user can specify the subnet, the services to search for (DNS, SMTP, NetBIOS, FTP, for example) and the types of devices to discover (router, switch, SMTP server etc.). Discovered devices are automatically added to the network map and color coded based on the availability of their services. Additional devices can be manually added. Relations between devices are depicted using links. Three types of links exist—simple, SNMP, RouterOS—where a simple link shows an unknown link between two network components, and SNMP and RouterOS links connect two devices over a selected interface. Links are straight; wireless links are displayed as lightning bolts. Hovering over each link produces a bandwidth usage chart with variable zoom rate.

Network status is kept up-to-date by periodically polling all devices. The polling interval can be set between one second and one day. Figure 4.4 shows an example topology map of a home network with five hosts connected to a single router, constructed and laid out using The Dude. A green host indicates all detected services are working and responding, yellow shows a service outage and red complete unavailability. Each non-simple link also shows the bandwidth usage detected during the last poll.


Figure 4.4: Topology map of a network created using The Dude.

The tool supports additional features such as custom chart generation from existing or created data sources, a custom functions editor for use with chart generation, service outage and event logging with user notification, a MIB nodes panel showing all OID databases known to The Dude, and export of all tabular data to csv or pdf formats.

4.2.2 SolarWinds Network Topology Mapper

SolarWinds Network Topology Mapper (NTM) is a complex software solution whose main function resides in helping the user map out his entire network, providing him with the means of discovering which devices are connected to it. NTM is a commercially available product developed and maintained by SolarWinds.

NTM discovers network devices according to given parameters—SNMP strings, WMI identification, VMware credentials, IP blocks and the number of hops taken to reach the host. After device discovery is complete, physical and logical layouts are created. Those can be freely merged and customized. The default device layout is radial with a selectable radius. Devices without any detected connection to the network are highlighted. Created network maps can be further customized with background images, node images, link color coding etc. An example of a customized logical topology map generated with NTM is given in Figure 4.5.

Figure 4.5: Example of a map generated and customized with Network Topology Mapper Trial version [23]. For a full image see the appendix A.7.

Generated networks can be exported as pdf files or to other similar programs such as Microsoft Visio.

4.3 Summary of presented tools and their features

Figure 4.6 shows a full summary of all the functionality a user can expect from the tools presented in this chapter. The first row lists all the functionality covered in this chapter. TraffVis stands for traffic visualization, PerfVis for performance visualization, PCAP for packet capture and visualization, LogVis for log data visualization and Topology for the ability to visualize network topology.

[Feature table image: columns Functionality: TraffVis, PerfVis, PCAP, Topology; rows Cacti, PRTG, PhpWeatherMap, The Dude, SolarWinds NTM]

Figure 4.6: Summary of features

Chapter 5 Tools for Anomaly Analysis and Intrusion Detection

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities and policy violations. The basic division of IDSes is into signature-based and anomaly-based. Signature-based systems match traffic to a known library of attacks, whereas anomaly-based systems work off heuristics and historical data to detect anomalies in normal network operations. Another division is between network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt, but this is not required or expected. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts.

Network Intrusion Detection Systems (NIDS) are placed at strategic points within the network to monitor traffic to and from all devices on the network. They perform an analysis of passing traffic on the entire subnet, and match the traffic that is passed on the subnets to the library of known attacks. These are known as signature-based NIDS. Once an attack is identified, or abnormal behavior is sensed, an alert can be sent to the administrator. An example of an NIDS would be installing it on the subnet where firewalls are located in order to see if someone is trying to break into the firewall. NID systems are also capable of comparing signatures for similar packets to link and drop harmful detected packets which have a signature matching the records in the NIDS. There are two types of NIDSes when classified based on interactivity: on-line and off-line. An on-line NIDS deals with the network in real time. It analyses captured live network traffic and decides, based on a given ruleset, whether it is an attack or not. An off-line NIDS does the same, but with already captured and stored data.

Host-based Intrusion Detection Systems (HIDS) monitor the state of a computing system. They watch over system and application resource usage, monitor the state of the file system and log data, and alert the user once any sign of tampering has been detected.

Two NIDS, Snort and Suricata, and one HIDS, OSSEC, are covered below as examples with a brief description of their capabilities.

5.1 Snort

Snort is a free and open source NIDS with a voluntary subscription-based commercial model. It was created by Martin Roesch in 1998 and is now developed and maintained by Sourcefire. Snort's NIDS has the ability to perform real-time traffic analysis and packet logging on IP networks. It performs protocol analysis, content searching and matching according to a given ruleset.

Snort allows the user to define custom rules. Snort rules are divided into two logical sections, the rule header and the rule options. The rule header contains the rule's action, protocol, source and destination IP addresses and netmasks, and the source and destination port information. The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken [24]. Example Snort rule:

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

This rule generates an alert with the "mountd access" message when a TCP packet originating from any IP address and containing the specified hexadecimal sequence is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111. The text up to the first parenthesis is the rule header and the section enclosed in parentheses contains the rule options. The words before the colons in the rule options section are called option keywords. For more information about custom rulesets and their definition see [25]. Many custom Snort rulesets are created and maintained by the community, one of the most well-known and popular being the Emerging Threats1 ruleset.

The program can also be used to detect probes or attacks, including operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans using, for example, the network vulnerability scanner software Nmap [26].

Snort has three main modes of operation: packet analyzer, packet logger, and network intrusion detection. In analyzer mode, the program will read network packets and display them on the console. In packet logger mode, the program will log packets to the disk. In intrusion detection mode, the program will monitor network traffic and analyze it against the user's ruleset and then perform tasks accordingly.

Because Snort outputs everything into log files or the console, which makes it very hard to find relevant alerts and data, many third-party security information and event management (SIEM) applications interfacing with Snort exist, such as Snorby2, Sguil3 and Aanval4. These serve as GUIs for Snort providing administrative, reporting, performance and log analysis services. An example of a Snort GUI, Snorby, is shown in Figure 5.1. Figure 5.2 shows a detected Nmap scan on host 192.168.1.107.
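To make the header/options split and the matching logic described above concrete, the following is an added example (not Snort's own code) that parses the rule quoted above and evaluates it against constructed packets. The Packet model, the sample payload and the subset of rule syntax handled (the seven header fields plus the content and msg options) are assumptions of the example.

```python
"""Parse a Snort rule into header and options, then evaluate it against packets.

Added example for this section of the thesis; it is not Snort's own code. It
covers only the subset of rule syntax the text describes: the seven header
fields and the quoted content/msg options, including the |..| hex-byte notation
inside content strings. Packets are constructed, not captured.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# The rule quoted in the text (Snort manual example).
EXAMPLE_RULE = ('alert tcp any any -> 192.168.1.0/24 111 '
                '(content:"|00 01 86 a5|"; msg:"mountd access";)')


@dataclass
class Packet:
    """Minimal decoded-packet model used in place of a real capture."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    """Rule header fields in the order they appear, plus keyword options."""
    action: str
    proto: str
    src_addr: str
    src_port: str
    direction: str
    dst_addr: str
    dst_port: str
    options: dict = field(default_factory=dict)


# keyword:"value"; pairs inside the parentheses (unquoted options are ignored)
_OPTION_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"\s*;')


def parse_rule(text: str) -> Rule:
    """Split the header (text before the first parenthesis) from the options."""
    header, _, rest = text.strip().partition("(")
    if not rest.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}: {header!r}")
    return Rule(*fields, options=dict(_OPTION_RE.findall(rest[:-1])))


def decode_content(spec: str) -> bytes:
    """Turn a content string into bytes: plain text is literal, |..| spans are hex."""
    if spec.count("|") % 2:
        raise ValueError(f"unbalanced | in content: {spec!r}")
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def addr_matches(spec: str, ip: str) -> bool:
    """'any', a host or CIDR block, optionally negated with a leading '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != negate


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or an inclusive 'lo:hi' range (either end may be open)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def _header_matches(rule: Rule, pkt: Packet, swap: bool = False) -> bool:
    """Check addresses and ports; swap=True tests the reverse orientation for '<>'."""
    s_ip, s_port, d_ip, d_port = pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port
    if swap:
        s_ip, s_port, d_ip, d_port = d_ip, d_port, s_ip, s_port
    return (addr_matches(rule.src_addr, s_ip) and port_matches(rule.src_port, s_port)
            and addr_matches(rule.dst_addr, d_ip) and port_matches(rule.dst_port, d_port))


def evaluate(rule: Rule, pkt: Packet) -> Optional[str]:
    """Return the rule's msg when the packet matches every header field and the
    content option, else None. Protocol 'ip' matches any IP-carried packet."""
    if rule.proto not in ("ip", pkt.proto):
        return None
    if not (_header_matches(rule, pkt)
            or (rule.direction == "<>" and _header_matches(rule, pkt, swap=True))):
        return None
    content = rule.options.get("content")
    if content is not None and decode_content(content) not in pkt.payload:
        return None
    return rule.options.get("msg", "")
```

Running evaluate(parse_rule(EXAMPLE_RULE), pkt) on a TCP packet to 192.168.1.20:111 whose payload contains the bytes 00 01 86 a5 returns "mountd access"; changing the port, the subnet, the protocol or the payload makes it return None.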

1. Available from http://www.emergingthreats.net/ (cited 2015-11-17)

2. Available from https://github.com/Snorby/snorby (cited 2015-11-17)

3. Available from http://bammv.github.io/sguil (cited 2015-11-17)

4. Available from https://www.aanval.com/ (cited 2015-11-17)


Figure 5.1: Snort alerts gathered and displayed in Snorby, a Snort GUI. [27]

Figure 5.2: Nmap scan detected by Snort and displayed in Snorby.

5.2 Suricata

Suricata is an open source IDS, IPS and Network Security Monitoring engine. It is developed and maintained by the Open Information Security Foundation (OISF).

Its NIDS capabilities are very similar to Snort's. It analyzes live network traffic passing through key points on the network and provides alerts to the user based on the given ruleset. Suricata is capable of using the specialized Emerging Threats Suricata ruleset and the VRT ruleset5. It provides some additional functionality over Snort, however. A single Suricata instance is capable of inspecting multi-gigabit traffic. The engine is built around a multithreaded and highly scalable code base. Experimental GPU acceleration to offload CPU-intensive tasks to the GPU is also possible. Suricata is also capable of automatic protocol detection, such as HTTP, on any port and applying the proper detection and logging logic.

Suricata can also log HTTP requests, log and store TLS certificates, extract files from flows and store them to disk. There is full PCAP capture support for historic data analysis. All of the event and alert output can be done through JSON files, which allows the usage of third-party GUIs like Kibana6 in addition to UIs like Sguil and Aanval also available for Snort.

It is difficult to provide graphical examples of these applications since their setup is very individual and based mainly on the user's needs. Both Snort and Suricata can, because of the format of their output, use various third party applications for parsing and subsequent visualization of results. The example in Figure 5.3 shows Suricata output in the Kibana GUI. All detected events are gathered on the main dashboard with visible statistics and trend information.

5. Available from https://snort.org/talos (cited 2015-11-19)

6. Available from https://www.elastic.co/products/kibana (cited 2015-11-19)


Figure 5.3: Suricata output data displayed in the Kibana GUI [29]. For a full image see the appendix A.8.

5.3 Open Source HIDS SECurity

OSSEC is a free, open source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It provides intrusion detection for most operating systems, including , OpenBSD, FreeBSD, OS X, Solaris and Windows. It was written by Daniel B. Cid and made public in 2004.

OSSEC uses a client/server based architecture, which is very important in a HIDS, since the HIDS itself could potentially be compromised at the same time as the OS. Due to this distributed architecture, security and forensic information leave the host to be stored elsewhere as soon as possible. This is to avoid any kind of tampering or obfuscation from malicious software that would prevent detection.

Its architecture design incorporates this strategy by delivering alerts and logs to a centralized server where analysis and notification can occur even if the host system is taken offline or compromised. Alerts can also be sent to the user's email. Another advantage of this architecture is the ability to centrally manage agents from a single server. Since OSSEC supports deployment of up to thousands of agents, the ability to make changes en masse via a central server is critical.

There are two types of agents within OSSEC: installable agents and agentless agents. Installable agents are installed on hosts, and they report back to a central OSSEC server via the OSSEC encrypted message protocol. Agentless agents require no installation on remote hosts. They are processes initiated from the OSSEC manager, which gather information from remote systems, and use SNMP, WMI and similar protocols [31].

Similar to Snort and Suricata, OSSEC's log output allows the usage of many third party GUIs, some of which were mentioned above. It, however, also comes with its own GUI, shown in Figure 5.4, depicting OSSEC alerts from brute force SSH login attempts by a non-existent user.

Figure 5.4: OSSEC's web UI depicting gathered alerts from a brute force SSH attack [32]. For a full image see the appendix A.9.
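As an added example, not part of the thesis or of OSSEC, the following sketches the kind of log analysis behind the alerts in Figure 5.4: a frequency-within-timeframe detector run over constructed sshd log lines. The threshold, the window and the log lines themselves are assumptions of the example.

```python
"""Sliding-window detection of SSH brute-force attempts in sshd log lines.

Added example for this section; it is not OSSEC's own code. It reproduces the
kind of composite rule (a frequency of matching events within a timeframe) that
a HIDS applies to sshd logs to raise alerts like those in Figure 5.4. The
threshold, the window and the log lines are assumptions constructed here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed syslog-style sshd lines: one source hammering non-existent
# accounts, one legitimate login, and one source with two widely spaced misses.
SAMPLE_LOG = """\
Nov 21 10:15:01 gw sshd[4021]: Invalid user admin from 203.0.113.7
Nov 21 10:15:03 gw sshd[4023]: Invalid user oracle from 203.0.113.7
Nov 21 10:15:05 gw sshd[4025]: Invalid user test from 203.0.113.7
Nov 21 10:15:07 gw sshd[4027]: Accepted publickey for alice from 198.51.100.4 port 51234 ssh2
Nov 21 10:15:08 gw sshd[4029]: Invalid user postgres from 203.0.113.7
Nov 21 10:15:10 gw sshd[4031]: Invalid user guest from 203.0.113.7
Nov 21 10:15:12 gw sshd[4033]: Invalid user ubuntu from 203.0.113.7
Nov 21 10:20:00 gw sshd[4050]: Invalid user bob from 198.51.100.9
Nov 21 10:35:00 gw sshd[4060]: Invalid user bob from 198.51.100.9
"""

THRESHOLD = 6   # assumed: this many invalid-user attempts from one source ...
WINDOW = 120    # ... within this many seconds raise an alert

_INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+)")

Event = Tuple[datetime, str, str]        # (timestamp, attempted user, source ip)
Alert = Tuple[str, datetime, List[str]]  # (source ip, time of alert, users tried)


def parse_invalid_user(line: str) -> Optional[Event]:
    """Decode one sshd 'Invalid user' line; any other sshd line yields None.

    Syslog timestamps carry no year, so they parse to year 1900; only the
    differences between timestamps matter here.
    """
    m = _INVALID_USER.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def detect_bruteforce(lines: Iterable[str], threshold: int = THRESHOLD,
                      window: int = WINDOW) -> List[Alert]:
    """Return one alert for every burst of invalid-user attempts that crosses
    the threshold. Events older than `window` seconds fall out of a source's
    queue, and the queue is cleared when it alerts, so a sustained attack yields
    one alert per `threshold` attempts rather than one per log line."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Alert] = []
    for line in lines:
        event = parse_invalid_user(line)
        if event is None:
            continue
        ts, user, ip = event
        queue = recent[ip]
        queue.append((ts, user))
        while queue and (ts - queue[0][0]).total_seconds() > window:
            queue.popleft()
        if len(queue) >= threshold:
            alerts.append((ip, ts, [u for _, u in queue]))
            queue.clear()
    return alerts


if __name__ == "__main__":
    for ip, ts, users in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} brute force from {ip}: {len(users)} invalid users {users}")
```

On the sample lines only 203.0.113.7 trips the rule (six attempts in eleven seconds); the two attempts from 198.51.100.9 are fifteen minutes apart and never accumulate inside the window.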

Chapter 6 Conclusion

This thesis sought to categorize and differentiate the multitude of network visualization tools in existence today. It did so by categorizing them into three distinct categories—tools for local network monitoring, global network monitoring, and anomaly analysis and network intrusion prevention—and presenting examples from each one along with a description of their methods of monitoring network traffic and intrusion.

Based on the feature summary table shown in Figure 3.6 of section 3.4 of chapter 3, dealing with tools for local network visualization, it can be concluded that very few tools are built to visualize only locally, and even those that do so can still monitor the whole network due to traffic cloning. This, of course, does not mean that their visualization techniques are particularly suited for such a purpose, or that the device providing it can handle the performance load. If, for example, NetGrok's (section 3.1.1) method of visualization were to be applied to the whole network, it would be very difficult to acquire any meaningful data out of it. Similarly for EtherApe (section 3.1.2). From this it can be concluded that there are some visualization approaches more suited to visualization of only parts of the network. As a special case of local visualization, tools performing packet capture and tools enabling log data visualization were mentioned.

Chapter 4 focused on global network visualization. Tools covered there provide much higher scalability for larger networks and, compared to tools from chapter 3, more presentation and customization options. Finally, chapter 5 provided examples of NIDS and HIDS systems and their capabilities.


The aim of this thesis was to provide an overview of the most popular tools for network monitoring as selected by the author. Dozens of different tools exist with varying degrees of similarity. Providing a complete categorization is outside the scope of this thesis, and would be, at least according to the author's experience, almost an impossible task.

Bibliography

[1] MARTY, Raffael. The Heatmap: Why is security visualisation so Hard?. In: SlideShare [online]. 2014 [cit. 2015-04-21]. Available from: http://www.slideshare.net/zrlram/the-heatmap-why-is-security-visualization-so-hard

[2] MARTY, Raffael. Cyber Security: How Visual Analytics Unlock Insight. SlideShare [online]. 2013 [cit. 2015-04-21]. Available from: http://www.slideshare.net/zrlram/kdd-2013-dm-challenges

[3] Five Big Data Challenges: And how to overcome them with visual analytics. SAS: The power to know [online]. [cit. 2015-11-15]. Available from: https://www.sas.com/resources/asset/five-big-data-challenges-article.pdf

[4] What is a Zero-Day vulnerability. PcTools [online]. 2015 [cit. 2015-11-10]. Available from: http://www.pctools.com/security-news/zero-day-vulnerability/

[5] AETHIS, Ubizen. Security in SNMPv3 versus SNMPv1 or v2c [online]. 2002 [cit. 2015-11-02]. Available from: http://text.123doc.org/document/1143814-security-in-snmpv3-versus-snmpv1-or-v2c-pdf.htm

[6] Introduction to Cisco IOS NetFlow: A Technical Overview [online]. 2011, May 2012 [cit. 2015-11-09]. Available from: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html

[7] FOROUZAN, Behrouz A. and Sophia Chung FEGAN. Data communications and networking. 4th ed. New York: McGraw-Hill Higher Education, c2007, xxxiv, 1134 p. ISBN 978-007-2967-753.

[8] Windows Management Instrumentation. Microsoft Developer Network [online]. 2015 [cit. 2015-11-10]. Available from: https://msdn.microsoft.com/cs-cz/library/aa394582(v=vs.85).aspx

[9] Monitoring via WMI. Paessler: The Network Monitoring Company [online]. 1998 [cit. 2015-11-10]. Available from: https://www.paessler.com/manuals/prtg/wmi_monitoring

[10] BLUE, Ryan, Cody DUNNE, Adam FUCHS, Kyle KING and Aaron SCHULMAN. Visualizing Real-Time Network Resource Usage [online]. University of Maryland, College Park, 2008 [cit. 2015-11-01]. Available from: http://www.cs.umd.edu/projects/netgrok/files/vizsec08-netgrok.pdf

[11] EtherApe: A graphical network monitor. SourceForge [online]. SlashDot Media, 2015 [cit. 2015-11-09]. Available from: http://etherape.sourceforge.net/

[12] Wireshark: FAQ. Wireshark [online]. 1998 [cit. 2015-11-12]. Available from: https://www.wireshark.org/faq.html#q1.2

[13] Wireshark: Coloring Rules. Wireshark [online]. 2015-04-16 [cit. 2015-11-12]. Available from: https://wiki.wireshark.org/ColoringRules

[14] Wireshark: Building Display Filter Expressions. Wireshark [online]. [cit. 2015-11-12]. Available from: https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html

[15] Wireshark: VoIP Calls. Wireshark [online]. [cit. 2015-11-12]. Available from: https://wiki.wireshark.org/VoIP_calls

[16] SWITCH Traffic Weather Map. Linux Magazine [online]. © Linux New Media USA, LLC. [cit. 2015-11-11]. Available from: http://www.linux-magazine.com/var/linux_magazin/storage/images/linux-magazine.com/issues/2009/106/pictures/figure-2/423148-1-eng-US/Figure-2_reference.png

[17] Advanced Network Graph Visualization with AfterGlow. Raffael Marty: Blog [online]. 2012, April 23, 2012 [cit. 2015-11-11]. Available from: http://raffy.ch/blog/2012/03/24/advanced-network-graph-visualization-with-afterglow/

[18] Planning Large Installations of PRTG Network Monitor. Paessler Knowledge Base [online]. 2015, 2015-11-08 [cit. 2015-11-08]. Available from: http://kb.paessler.com/en/topic/26383-planning-large-installations-of-prtg-network-monitor

[19] PRTG Network Monitor Traffic Sensor. Paessler [online]. © 2011 Paessler AG. [cit. 2015-12-13]. Available from: http://www.abload.de/img/prtgnetworkmonitorxpprdcyw.png

[20] SWITCH Traffic Weather Map. SWITCHaai [online]. © 2015 SWITCH. [cit. 2015-11-13]. Available from: https://traffic.lan.switch.ch/pub/international-map/index.html

[21] Network Weathermap 0.97b Manual. Network Weathermap [online]. 2004 [cit. 2015-11-13]. Available from: http://network-weathermap.com/manual/0.97b/

[22] Manual:The Dude [online]. [cit. 2015-11-03]. Available from: http://wiki.mikrotik.com/wiki/Manual:The_Dude

[23] SolarWinds Network Topology Mapper. Softpedia [online]. [cit. 2015-11-13]. Available from: http://i1-win.softpedia-static.com/screenshots/SolarWinds-Network-Topology-Mapper_1.png

[24] Writing Snort Rules: The Basics. Snort: Manual [online]. [cit. 2015-11-17]. Available from: http://manual.snort.org/node28.html

[25] Writing Snort Rules. Snort: Manual [online]. [cit. 2015-11-17]. Available from: http://manual.snort.org/node27.html

[26] KRISHNAMURTHY, Mohan. How to cheat at securing Linux. 1st edition (30 Oct. 2007). Burlington, MA: Syngress, c2008, xvi, 415 p. ISBN 978-159-7492-072.

[27] Snorby GUI. Everyday Is Zero Day [online]. [cit. 2015-11-13]. Available from: http://everydayiszeroday.blogspot.cz/2013/01/installing-snorby-on-ubuntu-1204.html

[28] Suricata: Documentation [online]. 2010 [cit. 2015-11-19]. Available from: https://redmine.openinfosecfoundation.org/projects/suricata/wiki

[29] Suricata with Kibana GUI. Github [online]. [cit. 2015-11-19]. Available from: http://mestizo.github.io/images/suricata.png

[30] OSSEC: Documentation [online]. 2010 [cit. 2015-11-21]. Available from: http://ossec-docs.readthedocs.org/en/

[31] OSSEC Documentation: Agents [online]. 2010 [cit. 2015-11-21]. Available from: http://ossec-docs.readthedocs.org/en/latest/manual/agent/index.html

[32] OSSEC SSH Brute Force Attack Detection. raymii [online]. [cit. 2015-11-21]. Available from: https://raymii.org/s/inc/img/ossec/webui-brute-2.8.png

Appendix A Images

A.1 Netgrok

A.2 EtherApe

A.3 Wireshark

A.4 Time-based Network Visualizer

A.5 PRTG Network Monitor

A.6 PhpWeatherMap

A.7 Solarwinds Network Topology Mapper

A.8 Suricata

A.9 Open Source HIDS SECurity

Appendix B Supplementary Data Files

B.1 IRCFlood.pcap

Description: This accompanying packet capture file contains a captured sample of an Internet Relay Chat (IRC) flood attack. It was used when testing the visualization capabilities of Tnv and AfterGlow (section 3.3), and when creating graphical representations of their output for this thesis.
