MASARYK UNIVERSITY FACULTY}w¡¢£¤¥¦§¨ OF I !"#$%&'()+,-./012345<yA|NFORMATICS A Survey of Tools for Monitoring and Visualization of Network Traffic BACHELOR’S THESIS Jakub Šk ˚urek Brno, Fall 2015 Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Jakub Šk ˚urek Advisor: doc. Ing. JiˇríSochor, CSc. ii Abstract The main goal of this thesis is to survey and categorize existing tools and applications for network traffic monitoring and visualization. This is accomplished by first dividing these into three main cate- gories, followed by additional subdivision into subcategories while presenting example tools and applications relevant to each category. iii Keywords network monitoring, network visualization, survey, traffic, monitor- ing iv Acknowledgement I would like to thank my advisor doc. Sochor for his advice and help- ful tips. A big thank you also goes to my family for the continued support and kind words given, and mainly for being understanding of my reclusive behaviour during the writing process. v Contents 1 Introduction ............................3 2 Computer Network Monitoring and Visualization .....5 2.1 Simple Network Management Protocol .........5 2.2 NetFlow/IPFIX Protocol ..................6 2.3 Internet Control Message Protocol ............6 2.4 Windows Management Instrumentation .........7 2.5 Packet Capture .......................7 3 Tools for Local Network Visualization ............9 3.1 Local Traffic and Performance Visualization .......9 3.1.1 NetGrok . .9 3.1.2 EtherApe . 11 3.2 Packet Capture and Visualization ............. 13 3.2.1 Wireshark . 13 3.3 Network Log Data Visualization ............. 16 3.3.1 Time-based Network Visualizer . 16 3.3.2 AfterGlow . 18 3.4 Summary of presented tools and their features ..... 20 4 Tools for Global Network Visualization ........... 21 4.1 Global Traffic and Performance Visualization ...... 21 4.1.1 Cacti . 21 4.1.2 PRTG Network Monitor . 24 4.1.3 PhpWeatherMap . 26 4.2 Network Topology Mapping ............... 27 4.2.1 The Dude . 28 4.2.2 SolarWinds Network Topology Mapper . 29 4.3 Summary of presented tools and their features ..... 30 5 Tools for Anomaly Analysis and Intrusion Detection .... 32 5.1 Snort ............................. 33 5.2 Suricata ............................ 36 5.3 Open Source HIDS SECurity ................ 37 1 6 Conclusion ............................. 39 A Images ............................... 45 A.1 Netgrok ............................ 45 A.2 EtherApe ........................... 46 A.3 Wireshark .......................... 47 A.4 Time-based Network Visualizer .............. 48 A.5 PRTG Network Monitor .................. 49 A.6 PhpWeatherMap ...................... 50 A.7 Solarwinds Network Topology Mapper ......... 51 A.8 Suricata ............................ 52 A.9 Open Source HIDS SECurity ................ 53 B Supplementary Data Files .................... 54 B.1 IRCFlood.pcap ........................ 54 2 Chapter 1 Introduction The Internet became, in the last couple of years, an indispensable part of many people’s lives. It is entangled in almost every corner of our society and life without it is hard to fathom. Ease of access to information, simplifying socialization or facilitation of commerce. Indispensable in everyday life, it represents an absolute must for many firms, companies and institutions. For these it is a key tool for communication, operation and advertisement. However, Internet’s biggest strength is at the same time its biggest weakness—access to it is available to anyone, even people with less than pure inten- tions. It then follows that being connected to the Internet means ex- posing oneself to risk of a wide range of potential malicious attacks aimed at retrieving one’s private and potentially valuable informa- tion. Chance of catching the culprit hiding behind the vast amounts of data produced by computer networks is without the proper in- struments almost a herculean task. This is where tools for monitoring and visualization of computer network traffic, whose categorization and brief overview is this thesis dedicated to, prove invaluable. Pur- pose of these tools is to provide the user holistic and easily navigable data about historical and actual happenings on a computer network, and assist him with comparing these events with those compatible to a network attack or other malfunctions. As briefly stated above, the aim of this thesis is to provide an overview of popular currently in-use visualization tools and soft- ware for network monitoring and visualization and their different approaches towards depiction of network data. Dozens of such ap- 3 1. INTRODUCTION plications exist, but no comprehensive overview has to date been cre- ated [2]. The tools are, for the purpose of this thesis, divided into three main categories—local network monitoring, global network moni- toring, anomaly analysis and network intrusion detection—with a chapter dedicated to each one. Tools selected to represent each cate- gory are based on their performance in said area and the uniqueness of their visualization technique. Focus is, for each tool, only on its applications in the category under which it is presented. Conclusions to chapter three and four contain a summary table of all the features tools covered in that given chapter possess. The thesis, minus the introduction and conclusion, is divided into four chapters. The first one gives a brief introduction into the area of interest and provides a list of most common protocols and ap- proaches to gathering network data used for visualization. The next three chapters then deal with tools pertinent to them. A summary of the findings is given in the concluding sixth chapter. The area of network visualization is still very young and chaotic. Big data and the problems connected with their visualization are a very recent phenomenon and adequate solutions are yet to be found [3]. This thesis is trying to act as a building block for a follow up research in this are by giving an overview of popular currently in- use visualization techniques. The final goal of this research would then be systems capable of recognizing not only catalogued mali- cious software, but to also be able to prevent zero-day 1 attacks in real-time. 1. A zero-day (also known as zero-hour or 0-day) vulnerability is an undisclosed computer application vulnerability that could be exploited to adversely affect the computer programs, data, additional computers or a network. It is known as a "zero-day" because once the flaw becomes known, the application author has zero days in which to plan and advise any mitigation against its exploitation (by, for example, advising workarounds or issuing patches) [4]. 4 Chapter 2 Computer Network Monitoring and Visualiza- tion Computer network monitoring and visualisation are areas closely tied together. Where network monitoring tools produce vast amounts of data, visualization tools give the data form that is concise, unclut- tered and easier for the user to digest. This chapter aims to, before venturing forth towards categoriz- ing the various monitoring tools and applications, provide a brief overview of the most common methods these tools use to gather data from the monitored network. Efficient data collection is an important part of the monitoring process. For this purpose many protocols and approaches exist, are being developed, or refined. 2.1 Simple Network Management Protocol Simple Network Managment Protocol (SMNP) is a protocol used for data collection from, and configuration and management of, network devices such as routers, switches, servers and hubs on an Internet Protocol network. It uses variables known as object identifiers (OID) to allow remote data collection and device configuration. OIDs are stored in a hierarchy in Management information bases (MIB). A protocol query to a device produces a set of OIDs with accompa- nying data, showing, for example, interfaces available on a router or a switch and traffic currently passing though them, which is then cross-referenced with an MIB and presented to the user. To date, three versions of the protocol have been introduced. Ver- sion 1, also known as SNMPv1, is the initial and most widely sup- ported version of the protocol despite the criticism of its very poor 5 2. COMPUTER NETWORK MONITORING AND VISUALIZATION security[5]. Version 2 (SNMPv2c) only expands upon the previous version with the support of larger data types and additions to pro- tocol operation, leaving the security concerns unaddressed. Version 3 (SNMPv3) is the most recent version implementing strong security authentication and data encryption, keeping its primary functional- ity unchanged. 2.2 NetFlow/IPFIX Protocol NetFlow is a feature that was introduced on Cisco routers that pro- vides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a user can de- termine things such as the source and destination of traffic, class of service, and the causes of congestion. A flow is a stream of data that shares the network interface, source and destination IP addresses, ports and the same type of service header (for IPv4 transmissions) [6]. Once a flow is detected, a related flow record, aggregating infor- mation about all packets belonging to the same flow, is created. A typical Netflow monitoring setup consists of a flow exporter, usually a Cisco router, that aggregates packets into flows and ex- ports flow records towards a flow collector that is responsible for record collection and storage and an analysis application that ana- lyzes received flow data in the context of intrusion detection or traffic profiling. Versions most commonly found today are Netflow 5, only re- stricted to IPv4, and Internet Protocol Flow Information eXport(IP- FIX), which is heavily based on Netflow 9 and standardised by the IETF[6]. 2.3 Internet Control Message Protocol The Internet Control Message Protocol (ICMP) is one of the main protocols of the Internet Protocol Suite.