The site provides rich graph and chart interfaces, which are nicely interactive.  There are definatley some ideas I want to incorporate form this into my own Network Telescope management console.  It is however worth bearing in mind that his is a Eurocentric view and is only based on their observed traffic. As such the “attacking countries” view seems to be a bit skewed.

Interoute World view 2009-06-30

After digging around with squid and wireshark, its evident that a lot of the data is actually served up as XML files, and as such can potentially be postprocessed. The Adobe AIR Barometer Widget they provide also makes use of these. One issue I had getting this installed is you need Air 1.5.1, and the 1.0.8 version I had wouldn’t auto upgrade correctly.  A little disappointing in that I was expecting a map view, it provides the basics of a total count and cycles through various country stats.

Interoute Barometer Widget

Where the real value  comes form is having another independent source of reporting ( even at the highly granular level) that can be used to correlate observations with my own data sets, and those available form places like dShield and ISC. Maybe I should dust off my old Infocon alert plugin for Firefox and integrate some of this data.

• tcpreplay is now at version 3.4.0 with a number of significant bugfixes. This staple of packet analysis allows for the replay of captured pcap file back over network interfaces.  Its a great way of having a repeatable test framework, or for explosing yout NIDS system to collected bad traffic.
• picviz 0.5 has been released. I blogged about this before and the project seems to be comming on nicely. Formy own purposes its not much use with my network telescope data, but does produce some pretty pictures for some other work Ive been doing of late. The new version comes with a bumber of new log parsers. A slide deck discussing its use as presented at USENIX 2008 is also available.
• pcapr is the new tool out and describes itself as “web 2.0 meets packets“, and “pcapr does to packets what flickr does to pictures”. If it performs as promised it could make life a lot easier maintinaing libraries of packet captures. The fact its a hosted service does have some distinct disadvantages. Currently there seems to be quote a lot of little snippets. An RSS feed of new content is also available.  Another similar repository s that of openpacket.org
• libtrace while not a new tool as such, is somethign I’ve started workign with recentlyafter comming across it in Dean Pemberton’s MSc Thesis2007 on Internet Background Radiation Arrival Density and Network Telescope Sampling Strategies. The api looks pretty clean and it comes with a couple of nice demo tools which are actually useful.  the URI syntax it uses for accessing files is a little strange but managable.

A sample of the kind of output is seen below (full resolution image is 990K) which shows destination IP addresses harvested from the Albany Schools Cache server during January through May 2008:


A plot of 53 million packets from the CAIDA telescope project – 27 Feb 2007 midnight to 6am:





With these higher resolution images available, analysis can be performed at a much finer grained level.

After rummaging around in one of my boxes at home I found a suitable replacement drive, and have taken the opportunity to do the OS upgrade — re-install — from 5.0 to 5.4. Other than the usual fun of making sure the same packages are installed, and minor tweeks in configuration files due to version upgrades, things went very smoothly, with the only real hiccups, being wet ware problems as I mounted partitions in the wrong place and had finger trouble copying things to the right directories.

In other news, progress is being made on a number of fronts

• Thanks to Jacot, Guy, David and Jock, Ive now got a proper Darknet running and collecting some very interesting backscatter data. The next coupe of weeks will focus on actually working out what exactly to do with the data, but for now everything is being logged to good old pcap files. As an aside, anyone seeing massive numbers of probes to 1434/udp (MS-sql-M) ??. What this means is that I am actually making some kind of progress on what up until now has been a rather elusive PhD
• My first batch of Masters Students Russell, Dominic and Yusuf have also started on the final slog to actually get their research and ideas down onto paper. Somewhat nervous times for me since they are my first batch, but I have full confidence in you all!
• Two weeks to go untill my op to remove the broken bits of bone in my foot. I cant wait. Weather is starting to improve ,and its getting light earlier, and I’d love to be out and about on my bike, o hopefully three weeks and I can start getting back into action.

I’ve also been working on some other bits and pieces I’ll post in due course, fornow its good to be back

PS – For those of you that were following Planet Rhodes or Planet Security, they are now updating correctly, and regularly. I notice a couple of dead links on both, and I’ll weed them out in due course.