
Generate a timeline using ggplot and tshark.

ggplot-tcp-timeline.R
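# library() fails loudly when a package is missing; require() only returns
# FALSE and lets the script carry on until the first undefined call.
library(ggplot2)
library(stringr)

# tshark fields to extract, one column each in the resulting frame. Both the
# tcp.* and udp.* port fields are requested so either transport is covered;
# the field that does not apply to a packet is emitted empty by tshark and
# read as NA below.
FIELDS <- c("frame.time_relative", "frame.len",
            "ip.src", "tcp.srcport", "udp.srcport",
            "ip.dst", "tcp.dstport", "udp.dstport")
PCAP <- "nytimes.pcap"
TSHARK <- paste("tshark", "-E header=y", "-T fields")

# Run tshark as a child process and parse its tab-separated, headed output.
# The command is assembled as one shell string, so the capture path goes
# through shQuote(): a path containing spaces or shell metacharacters would
# otherwise be re-parsed by the shell rather than handed to tshark verbatim.
data <- read.csv(
  pipe(paste(TSHARK, "-r", shQuote(PCAP),
             str_c("-e ", FIELDS, collapse = " "))),
  header = TRUE, sep = "\t"
)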
 
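# Vectorised two-way choice: element i of the result is yes[i] where q[i] is
# TRUE and no[i] otherwise. `q` is coerced with as.logical(); NA (e.g. a
# port field tshark left empty) counts as FALSE, so a missing test never
# leaks NA into the result. `yes` and `no` are recycled to length(q).
# The result takes the type of `no` (promoted if `yes` needs it).
select <- function(q, yes, no) {
  q <- as.logical(q)
  q[is.na(q)] <- FALSE
  # `[<-.factor` matches assigned values against the target's levels and
  # yields NA (with a warning) for any level `no` does not have; comparing
  # as plain strings avoids that when the two inputs are factors with
  # different level sets (pre-R 4.0 read.csv defaults).
  if (is.factor(yes)) yes <- as.character(yes)
  if (is.factor(no)) no <- as.character(no)
  result <- rep(no, length.out = length(q))
  result[q] <- rep(yes, length.out = length(q))[q]
  result
}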
 
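# Munge some fields -- use either the tcp or udp port for a given connection,
# and determine whether a packet is incoming or outgoing.
# Every name assigned inside within() becomes a column of `data`; the helper
# predicate `from_server` is rm()'d at the end so it is not added.
data <- within(data, {
  # tcp.* is NA for UDP packets (and vice versa): fall through to udp.*.
  srcport <- select(tcp.srcport, tcp.srcport, udp.srcport)
  dstport <- select(tcp.dstport, tcp.dstport, udp.dstport)
  # Heuristic: a low source port means the packet was sent by the server.
  # Computed once rather than repeated in each select() below.
  # NOTE(review): packets with neither a TCP nor a UDP port give NA here,
  # which select() treats as FALSE, i.e. they are labelled "outgoing".
  from_server <- srcport < 1000
  direction <- select(from_server, "incoming", "outgoing")
  server_ip <- select(from_server, ip.src, ip.dst)
  local_port <- select(from_server, dstport, srcport)
  server_port <- select(from_server, srcport, dstport)
  # One label per connection: "<local port> <server ip>:<server port>".
  stream <- paste(local_port, paste(server_ip, server_port, sep = ":"))
  rm(from_server)
})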
 
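# Timeline: one point per packet, x = seconds since capture start, one row
# per stream, coloured by direction and sized by frame length. The vertical
# jitter stops packets of one stream from stacking exactly on top of each
# other; width stays 0 so the time axis is not perturbed.
p <- ggplot(data = data, aes(x = frame.time_relative, y = stream,
                             color = direction, size = frame.len)) +
  geom_point(position = position_jitter(width = 0, height = 0.2)) +
  # `color` is the mapped aesthetic, so a colour scale is the one that
  # applies; scale_fill_hue() would be ignored since nothing maps `fill`.
  scale_colour_hue() +
  scale_size(range = c(0.5, 5))

print(p)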

