InetVis
InetVis is a 3-D scatter-plot visualization for network traffic. In way, it's more or less like a media player, but for network traffic. It's quite handy for observing scan activity and other anomolous traffic patterns.
Concept
The 3-D scatter-plot concept is adopted from Stephen Lau's Spinning Cube of Potential Doom. Network packets are plotted by:
- Destination address (home network) plotted along blue x-axis (horizontal).
- Source address (external Internet range) plotted along red z-axis (depth).
- Ports (TCP and UDP) plotted along green y-axis (vertical).
- ICMP traffic plotted below TCP/UDP cube grey/white ICMP plane.
Features
InetVis has several features to explore network traffic and assist the formation of insight. A set of key features are listed below:
- Adjustable replay position to seek through the traffic capture files.
- Variable playback speed (time scaling), from as slow as 0.001x (1 ms/s), or as fast as 86400x (1 day/s).
- Variable time frame/window to view events for the past 100 ms up to 5 years.
- Transparent decay of events - points fade as they age (with respect to the time window).
- New events are highlighted by pulsing once (a momentarily bulge of the point).
- Filtering capability via BPF filter expressions (as used in libpcap and tcpdump).
- Various colour schemes for colouring points and adjustable point size.
- Setting the data ranges and scaling down into sub-domain IP addresses (destination and source) as well as port ranges to view a subset of the traffic data.
- Adjustable logarithmic plot for stretching out lower port range where, in general, most TCP/UDP traffic occurs.
- Various reference frame controls, i.e. toggling visibility of axes, markers, transparent grid lines, labels, and background colour.
- Orthographic and perspective projection modes.
- Immersive navigation - scaling (zooming), translating (moving) and rotating.
- Record single snapshot image, or dump all image frames (useful for manually encoding video clips).
- Record output back to pcap binary file format, for further detailed analysis with other applications (e.g. tcpdump, Ethereal and Snort).
Screenshots
The user interface is split up into four functional windows. The main control panel, plotter settings, reference frame settings and a dedicated display pane which can be set to full screen mode.
The four window components are laid out below. Click the thumbnail to see full sized images.
control panel |
display pane (with white background) |
plotter settings window |
refrence frame settings window |
Incidentally, the display pane shows a decoy scan generated with nmap.
Download
InetVis is available for download in two variants:
- An older legacy version, 0.9.3, which is considered the 'stable' release. It is built against the older qt3 libaries and only complies and runs on the Linux platform.
- A development version that has been converted from qt3 to qt4. Be aware that a few 'covertion' bugs are anticpated. This qt4 based version of InetVis includes an experimental port for the Microsoft windows platform.
Although possible, InetVis has not yet been ported to Max OS X. For more information about the qt development framework, refer to http://trolltech.com/.
InetVis 0.9.3 [stable]
Stable legacy qt3 release:
- inetvis-0.9.3.1.tar.gz (496 KB) - Linux binary, source and documentation.
- InetVis 0.9.3 Manual - on-line documentation.
InetVis 0.9.5 [development]
Development qt4 release including experimental windows port:
- inetvis-0.9.5.1-linux.tar.gz (601 KB) - Linux binary, source and documentation.
- InetVis-0.9.5.1-w32.zip (5.51 MB) - Windows binary, DLLs, source and documentation.
- InetVis 0.9.5 Manual - on-line documentation.
Mirrors
None yet. In the future, the intent is to create a Sourceforge project page for InetVis downloads and development.
Revision History
A brief log of revisions is kept in the text file: Revision_History.txt
Dependencies and Requirements
Linux Dependencies
On Linux, InetVis depends on the following library support:
- Libpcap packet capture library, included by default with most Linux distributions.
- Qt GUI application library by Trolltech. This is installed by default if KDE applications are present. Otherwise, it should be available via the package management system particular to the Linux distribution.
- OpenGL graphics library which should be supported by your Linux distribution. Be aware that some Linux distributions do not ship proprietry graphics drivers with the default installations. To improve OpenGL performance with hardware support, it is recommended that vendor specific Linux graphics drivers are installed. For example, NVidia or ATI provide Linux drivers.
- The Linux InetVis binary was compiled on Ubuntu 7.04 with shared libraries and should hopefully work on similar systems. However, the shared library dependencies are likely to break across different Linux distributions and versions. In that case, until proper distribution package support is made available (e.g. .deb and .rpm), InetVis will have to be compiled from source.
Windows Dependencies
On Windows, InetVis depends on the following library support:
- WinPcap is the windows equivalent of Libpcap. The InetVis Windows package includes the required WinPcap DLLs for Windows 2000/XP/2003. Windows 95/98/ME requires a different version of packet.dll and is only supported by older versions of WibPcap (3.1 and 4.0beta2).
- Qt GUI application library by Trolltech. The Windows InetVis package has Qt libraries statically linked and built in.
- OpenGL graphics library which is supported in Windows 95/98/ME/2000/XP/2003. Improved performance via OpenGL hardware acceleration is usually achieved by installing graphics drivers from the vendor of your graphics card/chipset. Note that in Windows Vista, OpenGL is support has changed and may suffer a slight performance penalty - see Windows Vista and OpenGL - the Facts for more details.
- MinGW (Minimalist GNU for Windows) is used to build the Windows version of InetVis and mingwm10.dll is included with the Windows download.
Building InetVis from Source
For information about compiling and building InetVis from source, please refere to the manual included with the InetVis download.
System Requirements
Recommended minimum system specifications for InetVis are:
- Pentium III class processor at the least, though the faster the better. A slow processor will limit the replay rate.
- 256MB RAM, but obviously more is desirable. Memory size will limit the amount of data that can be visualised.
- A 3-D graphics accelerator with OpenGL hardware support. Software OpenGL implementations will suffer a serious performance penalty.
On lesser hardware InetVis will probably crawl, crash or fail to execute.