Network Topology using Graph

Hello all,

I have indices that contain .pcap data (imported using tshark and the Elasticsearch BULK API). I would like to visualise this packet capture as a network topology using Graph.

I am envisaging that this would go something along these lines:

  • Vertices = all the host_names (or ip_src) in a given capture duration
  • Connections = the sum of traffic from one host to another

Unfortunately it seems a bit trickier to do this than I first imagined. As each packet contains only "ip_src" and "ip_dst" information, it is hard to display a group of "Vertices" by their "ip_src" tags and then link them based on "ip_dst" == each vertex.

I have managed to get as far as creating a double-up of information, by listing both the source and destination IPs as Vertices and then connecting them from there... but this isn't quite what I want, as it "splits" the information (one group may have all of the traffic from "Host_A" to other hosts, which is then repeated for each host with "Host_A" being the receiver of network traffic).

Has anyone had a similar problem and would be able to point me towards the right path? I would appreciate any help. Thanks

Hi @l4m4l,

A common way around this is to ingest both source and destination IP into a third field, ip, and then use this field to create the Graph instead of your two split fields. This is called a "role-free" field. You can do this at ingestion time by using copy_to in your mapping: https://www.elastic.co/guide/en/elasticsearch/reference/current/copy-to.html
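As an added worked example (mine, not code from the thread or from Elastic), the script below shows what the role-free field looks like end to end: an index mapping that copy_to's ip_src and ip_dst into one ip field, the _bulk NDJSON that would carry tshark-style packet records into it, a comparison of what Graph sees when it keys vertices on the split fields versus the merged field, and a Graph explore request on the merged field with min_doc_count lowered to 1 so that single-packet links are not dropped (min_doc_count is, to my understanding, the explore API's counterpart of the UI "Certainty" setting discussed later in the thread). The index name, field names and the sample packets are all constructed here; nothing is taken from the poster's data.

```python
"""Added example (not from the thread): a role-free "ip" field for Kibana Graph."""
import json
from collections import defaultdict

INDEX = "pcap-demo"  # assumed index name

# (1) Mapping: both per-packet IP fields are copied into the role-free "ip" field,
# so every document carries both endpoints under one field name.
MAPPING = {
    "mappings": {
        "properties": {
            "ip_src": {"type": "ip", "copy_to": "ip"},
            "ip_dst": {"type": "ip", "copy_to": "ip"},
            "ip": {"type": "ip"},             # receives both values per document
            "frame_len": {"type": "integer"},
        }
    }
}

# Constructed sample packets (field names are assumed, modelled on tshark output).
PACKETS = [
    {"ip_src": "10.0.0.1", "ip_dst": "10.0.0.2", "frame_len": 100},
    {"ip_src": "10.0.0.2", "ip_dst": "10.0.0.1", "frame_len": 60},
    {"ip_src": "10.0.0.1", "ip_dst": "10.0.0.3", "frame_len": 500},
    {"ip_src": "10.0.0.3", "ip_dst": "10.0.0.1", "frame_len": 40},
    {"ip_src": "10.0.0.2", "ip_dst": "10.0.0.3", "frame_len": 1},  # single-packet link
]


def bulk_ndjson(index, packets):
    """(2) Build a _bulk request body: one action line plus one source line per packet."""
    lines = []
    for p in packets:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(p))
    return "\n".join(lines) + "\n"  # _bulk requires a trailing newline


def directed_edges(packets):
    """(3a) Keying on ip_src / ip_dst: A->B and B->A come out as separate edges."""
    edges = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        e = edges[(p["ip_src"], p["ip_dst"])]
        e["packets"] += 1
        e["bytes"] += p["frame_len"]
    return dict(edges)


def role_free_edges(packets):
    """(3b) What Graph sees on the merged field: each document makes two ip terms
    co-occur, so the edge key is the unordered pair and both directions sum into
    one link (this emulates copy_to in memory)."""
    edges = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        pair = frozenset({p["ip_src"], p["ip_dst"]})  # the document's "ip" values
        e = edges[pair]
        e["packets"] += 1
        e["bytes"] += p["frame_len"]
    return dict(edges)


def explore_request(field="ip", min_doc_count=1, size=50):
    """(4) Graph explore body on the role-free field. The API default for
    min_doc_count is 3, so a link backed by only one or two packets is dropped
    unless it is lowered, which is the behaviour the thread runs into."""
    vertex = {"field": field, "size": size, "min_doc_count": min_doc_count}
    return {
        "query": {"match_all": {}},
        "vertices": [vertex],
        "connections": {"vertices": [dict(vertex)]},
    }


if __name__ == "__main__":
    print(json.dumps(MAPPING, indent=2))
    print(bulk_ndjson(INDEX, PACKETS))
    print("directed edges :", len(directed_edges(PACKETS)))
    print("role-free edges:", len(role_free_edges(PACKETS)))
    for pair, stats in role_free_edges(PACKETS).items():
        print(sorted(pair), stats)
    print(json.dumps(explore_request(), indent=2))
```

On the constructed packets the split view yields five directed edges while the merged view yields three host pairs, with 10.0.0.1 and 10.0.0.2 collapsed into one link carrying 160 bytes over two packets. The HTTP calls themselves are left out: MAPPING goes in a PUT on the index, the NDJSON in a POST to _bulk with Content-Type application/x-ndjson, and the explore body in a POST to the index's _graph/explore endpoint. As the next reply notes, tshark can already emit a field holding both addresses, in which case the copy_to step is unnecessary and that field can be used directly.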

Hi @flash1293,

Thank you very much, this appears to be the answer that I'm looking for! It turns out tshark already outputs this field under the name "layers.ip.ip_ip_addr" (which contains ip_src and ip_dst).

By graphing the "top terms" however, this seems to disregard two packets (out of a total of 43) between two of my hosts. I know that it still registers 43 in total, because I can see that in the total when I select the "link summary". Is there a way to increase the resolution of the links, so that they will be visible even if there is only 1 document?

Thanks

You can set the "Certainty" setting to 1 by clicking the "Settings" button in the top menu:

To make sure all connections are shown, select all nodes and click the "link" button a few times - this should fill in missing connections if there are some:
[Screenshot omitted: Screenshot 2020-02-27 at 10.10.55]

Hi @flash1293, thanks - I was changing the certainty but was missing the "link" button step.

Thanks very much for your help!
