The CyberSift Packet Capture Parser — Bandwidth Usage

David Vassallo
Published in CyberSift
Aug 22, 2018

This article is part of a series on the CyberSift Packet Capture Parser. In this article, we’ll discuss two modules: “Bandwidth Per IP” and “Bandwidth Per ASN”. Both visualize the amount of bandwidth used, as captured in an uploaded packet capture such as one from Wireshark or tcpdump.

Bandwidth Per IP

Bandwidth Per IP screenshot

This module uses a Sankey diagram to help you visualize the top 50 connections (more than 50 becomes difficult to read). As can be seen in the above screenshot, the Sankey diagram makes it easy to see what’s happening in the packet capture at a glance. On the left, you can see an internal IP address (192.168.1.107) made a number of connections to public servers, represented by multi-colored nodes in the middle of the diagram. The nodes are connected to each other by links which vary in thickness depending on the number of bytes transferred between the two IP addresses. For example, the link connecting 192.168.1.107 to 52.85.219.239 is much thicker than the link with 8.8.8.8, representing the fact that in this packet capture much more data was transferred to the former IP address than to the latter one.

In addition, on the right hand side we see the port numbers which those servers were listening on. In the screenshot we see that almost all servers were listening on port 443 (HTTPS), except one — 8.8.8.8 was listening on port 53 (DNS). Once again, the thickness of the links represents the amount of data that was transferred to/from each port.
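To make the aggregation behind the Sankey diagram concrete, here is an added example (not CyberSift’s code) that reads a classic libpcap file, sums bytes per client/server/port connection, and emits the two sets of links the diagram draws: client to server, and server to listening port. The capture is constructed in memory so the example runs offline; the rule that the endpoint with the lower port number is the server is a heuristic assumed by this example, used so that reply traffic lands in the same connection as the request.

```python
"""Parse a pcap, sum bytes per connection and build Sankey links (added example)."""
import struct
from collections import Counter
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4      # value read with "<I" from a little-endian pcap
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def build_frame(src, dst, proto, sport, dport, payload_len):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame (sample data, not a real capture)."""
    payload = b"\x00" * payload_len
    if proto == 6:   # TCP: 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    total_len = 20 + len(l4) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)  # dummy MACs, IPv4 ethertype
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header plus a 16-byte record header each."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1534900000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (src, dst, proto, sport, dport, frame_len) for every IPv4 TCP/UDP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < ETH_HDR_LEN + 20:
            continue                      # truncated record, skip it
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue                      # ARP, IPv6, VLAN-tagged frames are ignored here
        ip = frame[ETH_HDR_LEN:]
        ihl = (ip[0] & 0x0F) * 4          # header length, options included
        proto = ip[9]
        if proto not in (6, 17) or len(ip) < ihl + 4:
            continue
        src = str(IPv4Address(ip[12:16]))
        dst = str(IPv4Address(ip[16:20]))
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        yield src, dst, proto, sport, dport, incl_len


def connection_bytes(flows):
    """Sum bytes per (client, server, server_port), folding replies into the same connection.

    Assumption of this example: the endpoint with the lower port number is the server."""
    per_conn = Counter()
    for src, dst, _proto, sport, dport, length in flows:
        if dport <= sport:
            per_conn[(src, dst, dport)] += length
        else:
            per_conn[(dst, src, sport)] += length
    return per_conn


def sankey_links(per_conn, top_n=50):
    """Return (client->server, server->port) link weights for the top_n connections."""
    ip_links, port_links = Counter(), Counter()
    for (client, server, port), nbytes in per_conn.most_common(top_n):
        ip_links[(client, server)] += nbytes
        port_links[(server, port)] += nbytes
    return ip_links, port_links


# Constructed sample capture: two large HTTPS frames, one HTTPS reply, one DNS query.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.107", "52.85.219.239", 6, 50001, 443, 1400),
    build_frame("192.168.1.107", "52.85.219.239", 6, 50001, 443, 1400),
    build_frame("52.85.219.239", "192.168.1.107", 6, 443, 50001, 60),
    build_frame("192.168.1.107", "8.8.8.8", 17, 50002, 53, 40),
])

if __name__ == "__main__":
    conns = connection_bytes(parse_pcap(SAMPLE_PCAP))
    ip_links, port_links = sankey_links(conns)
    for (client, server), nbytes in ip_links.most_common():
        print(f"{client} -> {server}: {nbytes} bytes")
    for (server, port), nbytes in port_links.most_common():
        print(f"{server} -> port {port}: {nbytes} bytes")
```

The link weights count the frame length on the wire in both directions, which is why the 52.85.219.239 link comes out much thicker than the 8.8.8.8 one, exactly the effect described above. Only the top 50 connections by bytes are kept, so low-volume connections drop off the diagram.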

Bandwidth Per ASN

But what if you need a more global view rather than just the top 50? What if you’d like to know what organization each IP address belongs to, so you can have a better idea of what is using your bandwidth? That’s where the “Bandwidth Per ASN” module comes into the picture:

Bandwidth per ASN screenshot

One of the functions of the PCAP parser is to look up which BGP Autonomous System Number (ASN) a particular IP address belongs to. This serves two purposes:

  • Gives a more descriptive name to the IP addresses — seeing “Google LLC” is a lot easier to understand than a bunch of IP addresses
  • Groups IP addresses that belong to the same organization together — reducing the clutter and making it easier to understand

The result is a treemap diagram similar to the one shown in the screenshot above. While it gives a bit less detail than the Sankey diagram, it’s immediately obvious to a user that most of the bandwidth was consumed talking to FASTLY (an advertisement company), AKAMAI (a content-delivery network), GOOGLE and AMAZON.
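As an added example of the ASN grouping step (not the parser’s own code), the block below maps each server IP to an ASN by longest-prefix match and rolls the per-connection byte counts up into the two-level structure a treemap needs: one node per organization, sized by the sum of its member IPs. The prefix table and the connection counts are constructed for the example; a real lookup would use a BGP or RIR data feed, and the exact prefix-to-ASN mapping is an assumption here. Private and otherwise unrouted addresses, which have no ASN, are kept under their own node rather than dropped.

```python
"""Group per-connection byte counts by BGP ASN for a treemap (added example)."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix table for this example; replace with a BGP/RIR feed in practice.
ASN_TABLE = [
    ("8.8.8.0/24", 15169, "GOOGLE"),
    ("8.0.0.0/8", 3356, "LEVEL3"),          # less specific than 8.8.8.0/24 on purpose
    ("52.84.0.0/14", 16509, "AMAZON-02"),
    ("151.101.0.0/16", 54113, "FASTLY"),
    ("23.32.0.0/11", 20940, "AKAMAI-ASN1"),
]

# Most specific prefix first, so the first containing network wins (longest-prefix match).
_NETWORKS = sorted(
    ((ip_network(prefix), asn, name) for prefix, asn, name in ASN_TABLE),
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)


def lookup_asn(ip):
    """Return (asn, org_name); asn is None for addresses that cannot have one."""
    addr = ip_address(ip)
    if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast:
        return (None, "PRIVATE/UNROUTED")
    for net, asn, name in _NETWORKS:
        if addr in net:
            return (asn, name)
    return (None, "UNKNOWN")


def bytes_per_asn(per_conn):
    """Group {(client, server, port): bytes} by the ASN of the server IP.

    Returns {org_name: Counter({server_ip: bytes})}, i.e. the two treemap levels."""
    tree = defaultdict(Counter)
    for (_client, server, _port), nbytes in per_conn.items():
        _asn, name = lookup_asn(server)
        tree[name][server] += nbytes
    return tree


def treemap_rows(tree):
    """Flatten to (label, parent, value) rows, largest organization first."""
    rows = []
    for name, ips in sorted(tree.items(), key=lambda kv: -sum(kv[1].values())):
        rows.append((name, "", sum(ips.values())))
        for ip, nbytes in ips.most_common():
            rows.append((ip, name, nbytes))
    return rows


# Constructed connection totals, in the shape the per-IP aggregation produces.
SAMPLE_CONNECTIONS = Counter({
    ("192.168.1.107", "52.85.219.239", 443): 3022,
    ("192.168.1.107", "52.85.220.10", 443): 1200,
    ("192.168.1.107", "151.101.1.69", 443): 5000,
    ("192.168.1.107", "23.45.67.89", 443): 4000,
    ("192.168.1.107", "8.8.8.8", 53): 82,
    ("192.168.1.107", "192.168.1.1", 53): 300,   # local resolver, no ASN
})

if __name__ == "__main__":
    for label, parent, value in treemap_rows(bytes_per_asn(SAMPLE_CONNECTIONS)):
        indent = "  " if parent else ""
        print(f"{indent}{label}: {value} bytes")
```

Grouping by organization collapses the two Amazon servers into one node, which is the clutter reduction the bullet list above describes, and the longest-prefix rule is what keeps 8.8.8.8 under GOOGLE rather than the covering /8.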

Using both diagrams gives you a very good idea of where your network traffic is heading to!

Make sure to check out the rest of the articles in this series!
