
Oct 20, 2006

Argus + GraphViz = Very Cool

Sometimes, it is really handy to be able to get a bird's eye view of your network traffic. I've used (and continue to use) and I love it. It provides great reporting, but sometimes the bird's eye view is necessary. That's where Argus and GraphViz come into play. Here is the description of Argus from the website:
Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay, and jitter on a per transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, as well as application/protocol specific information.
The data that it collects on your network traffic (and it can monitor multiple interfaces simultaneously) is impressive. Argus runs as a daemon process, and you then use the client tools to extract the data from the Argus log. You can either dump the entire log or filter the results for a specific time period, a specific host, or a specific type of traffic. You can then feed this data to GraphViz to generate your graphs. The image below was generated using a Perl script that I wrote (using Perl's GraphViz module, available from any mirror) over Argus data covering a 1 hour period.


I color coded the arrows (or "edges" in GraphViz terms). The blue edges are TCP traffic, red is UDP, green is ICMP, and magenta is ARP. For TCP and UDP traffic, I've labeled the edges with the destination port. The only potential downside is that the resulting image can be a little large. Since Argus tracks all of your network traffic, this could be an invaluable tool in the face of some sort of security incident or virus outbreak.
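As an added illustration of the Argus-to-GraphViz step described above (this is not the author's Perl script), here is a Python version that reads a few constructed flow records, assumed here to be whitespace-separated columns in the order proto, source, destination, destination port, as one might select with the Argus `ra` client, collapses repeated flows into one edge, and emits DOT text using the same colour scheme.

```python
"""Turn Argus-style flow records into a GraphViz DOT graph (added example)."""
from collections import defaultdict

# Constructed sample records (not real ra output); the column order
# proto, src, dst, dport is an assumption of this example. A "-" marks
# protocols such as ICMP and ARP that carry no destination port.
SAMPLE_FLOWS = """\
tcp  192.0.2.10   198.51.100.5  443
tcp  192.0.2.10   198.51.100.5  443
udp  192.0.2.10   192.0.2.1     53
icmp 192.0.2.7    192.0.2.1     -
arp  192.0.2.7    192.0.2.1     -
tcp  192.0.2.11   198.51.100.9  22
"""

# Edge colours as in the post: TCP blue, UDP red, ICMP green, ARP magenta.
EDGE_COLOR = {"tcp": "blue", "udp": "red", "icmp": "green", "arp": "magenta"}


def parse_flows(text):
    """Return a list of (proto, src, dst, dport) tuples; dport is "" when absent."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:          # skip blank or malformed lines
            continue
        proto, src, dst, dport = parts[0].lower(), parts[1], parts[2], parts[3]
        flows.append((proto, src, dst, dport if dport.isdigit() else ""))
    return flows


def build_edges(flows):
    """Collapse repeated flows into one edge keyed by (proto, src, dst, dport)."""
    counts = defaultdict(int)
    for key in flows:
        counts[key] += 1
    return dict(counts)


def to_dot(edges):
    """Render edges as a DOT digraph; TCP/UDP edges are labelled with dport."""
    lines = ["digraph argus {", "  node [shape=box];"]
    for (proto, src, dst, dport), n in sorted(edges.items()):
        color = EDGE_COLOR.get(proto, "black")   # unknown protocols stay black
        label = f"{proto}/{dport}" if dport else proto
        if n > 1:
            label += f" x{n}"                     # how many flows the edge stands for
        lines.append(f'  "{src}" -> "{dst}" [color={color}, label="{label}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(build_edges(parse_flows(SAMPLE_FLOWS))))
```

Pipe the output into `dot -Tpng -o traffic.png` to get the same kind of picture as the one in the post.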
