Visualizations for Network Protocols

3D Interarrival Plots

First, we look at packet interarrivals as triples of (size, IA time, size): the size of one packet, the interarrival time until the next packet, and the size of that next packet. By plotting these points in 3D space, we can get a feel for the kinds of consecutive packets each protocol tends to send, and what the interarrival times tend to be for each pair of sizes.

For example, two big packets with a small delay between them probably indicate some sort of bulk data transfer. Similarly, small or medium-sized packets with a longer interarrival period indicate some sort of query-response behavior, possibly involving user interaction.

Both types of behavior are visible in the graph below of HTTP, SMTP, and SSH traffic. We see that many of the HTTP packets are medium-sized or large, and are sent by the server, while SMTP tends to send data from the client to the server. SSH, on the other hand, exhibits two main behavior patterns. First, we see SSH has a higher density of small packets with longer interarrival times than the other two protocols, representing its interactive (Telnet-like) mode. We also see several blue SSH packets in the lower left area of the graph, which correspond to back-to-back big packets from the server --- these probably belong to SCP bulk data transfer sessions, or to other programs such as CVS or rsync using SSH in place of the aging rsh facility for copying files across the network.
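The following Python code is an added example, not part of the original page or its authors' tooling. It builds the (size, interarrival time, size) triples from a small constructed packet trace, labels each triple with the coarse bulk-versus-interactive intuition described above, and writes rows that gnuplot's splot can read. The packet tuple layout, the direction labels 'c2s' and 's2c', and the size and timing thresholds are assumptions chosen for the example.

```python
"""Packet interarrival triples (size_i, IA time, size_i+1) from a trace.

Added example, not from the original page. A packet is modelled as
(timestamp_seconds, direction, size_bytes) where direction is 'c2s'
(client to server) or 's2c' (server to client); this layout is assumed.
"""
from typing import List, Tuple

Packet = Tuple[float, str, int]

# Constructed sample session (not real captured traffic): a short
# interactive exchange followed by three back-to-back large server packets.
SAMPLE_TRACE: List[Packet] = [
    (0.000, "c2s", 48),
    (0.250, "s2c", 48),
    (0.900, "c2s", 40),
    (1.100, "s2c", 1500),
    (1.102, "s2c", 1500),
    (1.104, "s2c", 1500),
    (1.600, "c2s", 40),
]


def directed_size(pkt: Packet) -> int:
    """Sign encodes direction: server-to-client packets get a negative size."""
    _, direction, size = pkt
    return size if direction == "c2s" else -size


def interarrival_triples(trace: List[Packet]) -> List[Tuple[int, float, int]]:
    """Return (size_i, ia_time, size_i+1) for every consecutive packet pair."""
    ordered = sorted(trace, key=lambda p: p[0])
    triples = []
    for prev, cur in zip(ordered, ordered[1:]):
        ia = round(cur[0] - prev[0], 6)  # seconds; rounded to absorb float noise
        triples.append((directed_size(prev), ia, directed_size(cur)))
    return triples


def classify(triple: Tuple[int, float, int], big: int = 1000, small: int = 100,
             fast: float = 0.05, slow: float = 0.5) -> str:
    """Coarse label following the page's intuition (thresholds are assumed):
    two big packets with a short gap look like bulk transfer; two small
    packets with a long gap look like query/response or user interaction."""
    a, ia, b = triple
    if abs(a) >= big and abs(b) >= big and ia <= fast:
        return "bulk"
    if abs(a) <= small and abs(b) <= small and ia >= slow:
        return "interactive"
    return "other"


def to_gnuplot(triples: List[Tuple[int, float, int]]) -> str:
    """Whitespace-separated rows for `splot 'file' using 1:2:3`."""
    return "\n".join(f"{a} {ia} {b}" for a, ia, b in triples) + "\n"


if __name__ == "__main__":
    for t in interarrival_triples(SAMPLE_TRACE):
        print(t, classify(t))
```

Run as a script it prints each triple with its label; to reproduce the kind of plot discussed above, write the output of to_gnuplot to a file and load it with gnuplot's splot. Classification thresholds are deliberately crude; the point of the 3D view is that the clusters are visible before any thresholds are chosen.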

Profile Heatmaps

Here we use heatmaps to give us an idea of what the "average" sequence of packets for each protocol looks like.

The X axis shows the time from when we observed the first packet in the session. The Y axis shows the packets' size. We use the sign bit of the size to indicate direction, so packets with size less than zero are those observed in transit from server to client. Similarly, packets sent from the client to the server have size greater than zero.

The color of each pixel indicates the "packet density" at the given time and size. Brighter areas indicate higher packet density, so the yellow areas are where we tend to see a lot of packets, and the dark areas are where we rarely, if ever, observe a packet.

Packet Heatmaps

Similarly, we can look at packet densities to get an idea of the kinds of individual packets a protocol tends to generate, regardless of arrival time or position in the sequence. In the following graphs, each pixel represents a certain type of packet, identified by its interarrival time (on the X axis) and its directed size (on the Y axis, as before). Bright areas indicate the kinds of packets that the given protocol tends to generate very frequently; dark areas correspond to packet types that the protocol (almost) never generates.

So, for example, a protocol which consisted only of the client repeatedly sending a large packet to the server, at intervals of about one second, would produce a very bright spot in the top middle of the graph, and darkness everywhere else. In reality, we see that small packets (40-48 bytes) are much more common, and that their interarrival times can be quite varied.
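The two heatmap sections above (profile heatmaps and packet heatmaps) are both two-dimensional packet-density histograms over directed size; they differ only in what the X axis measures. The Python below is an added example, not code from the original page, that computes both grids from the same constructed trace and emits them in the blank-line-separated grid format gnuplot's pm3d expects. The packet tuple layout, direction labels, and bin widths are assumptions made for the example.

```python
"""Packet-density grids behind the profile and packet heatmaps.

Added example, not from the original page. Packets are modelled as
(timestamp_seconds, direction, size_bytes); direction is 'c2s' or 's2c'.
Profile heatmap: x = time since the session's first packet.
Packet heatmap:  x = interarrival time since the previous packet.
Both use directed size (negative = server to client) on the y axis.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[float, str, int]
Cell = Tuple[int, int]

# Constructed sample session (not real traffic): interactive start, then a
# burst of large server-to-client packets.
SAMPLE_TRACE: List[Packet] = [
    (0.000, "c2s", 48), (0.300, "s2c", 48), (1.000, "c2s", 40),
    (1.200, "s2c", 1500), (1.201, "s2c", 1500), (1.202, "s2c", 1500),
    (2.000, "c2s", 40),
]


def directed_size(pkt: Packet) -> int:
    return pkt[2] if pkt[1] == "c2s" else -pkt[2]


def profile_points(trace: List[Packet]) -> List[Tuple[float, int]]:
    """(time since first packet, directed size) for every packet."""
    ordered = sorted(trace, key=lambda p: p[0])
    t0 = ordered[0][0]
    return [(p[0] - t0, directed_size(p)) for p in ordered]


def packet_points(trace: List[Packet]) -> List[Tuple[float, int]]:
    """(interarrival time, directed size) for every packet after the first."""
    ordered = sorted(trace, key=lambda p: p[0])
    return [(cur[0] - prev[0], directed_size(cur))
            for prev, cur in zip(ordered, ordered[1:])]


def density_grid(points: List[Tuple[float, int]], x_bin: float,
                 y_bin: int) -> Dict[Cell, int]:
    """Count points per (x bin, y bin) cell; the count is the packet density.
    Floor division keeps negative sizes in negative bins, so direction is
    preserved in the grid."""
    grid: Dict[Cell, int] = defaultdict(int)
    for x, y in points:
        grid[(int(x // x_bin), int(y // y_bin))] += 1
    return dict(grid)


def normalise(grid: Dict[Cell, int]) -> Dict[Cell, float]:
    """Scale to [0, 1]: 1.0 is the brightest cell, values near 0 are dark."""
    peak = max(grid.values())
    return {cell: n / peak for cell, n in grid.items()}


def to_pm3d(grid: Dict[Cell, int], x_bin: float, y_bin: int) -> str:
    """Dense 'x y count' rows, one blank line between successive x columns,
    which is the scan layout gnuplot's `splot ... with pm3d` reads."""
    xs = [c[0] for c in grid]
    ys = [c[1] for c in grid]
    blocks = []
    for xi in range(min(xs), max(xs) + 1):
        rows = [f"{xi * x_bin:g} {yi * y_bin:g} {grid.get((xi, yi), 0)}"
                for yi in range(min(ys), max(ys) + 1)]
        blocks.append("\n".join(rows))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print("# profile heatmap (x = seconds since first packet)")
    print(to_pm3d(density_grid(profile_points(SAMPLE_TRACE), 0.5, 100), 0.5, 100))
    print("# packet heatmap (x = interarrival seconds)")
    print(to_pm3d(density_grid(packet_points(SAMPLE_TRACE), 0.5, 100), 0.5, 100))
```

With many sessions of one protocol, the profile grid is accumulated over all of them (after aligning each to its own first packet), which is what makes the bright regions an "average" sequence rather than one session's trace. Bin widths trade resolution against sparsity; 0.5 s and 100 bytes here are only illustrative.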

Future Directions

Other interesting work on visualizing temporal sequences includes that of McGregor et al. on clustering and visualizing network flows, and work by Lin et al. on visually mining and finding motifs in more general time series. In the near future, we plan to investigate the use of these and other techniques to analyze and visualize our packet sequence data.

The above images were generated with gnuplot and the pm3d module. Many thanks to the authors of these tools for making them freely available.

Copyright (c) 2005 Charles V Wright, Johns Hopkins University