Menu What is NVisionIP Papers on NVisionIP Getting NVisionIP Installation Instructions Installing NVisionIP Sample Netflows Input Data Files Generating Input Data Running NVisionIP Comments Screenshots Mailing List

What is NVisionIP

NVisionIP allows an operator on one screen to visualize traffic flows to/from every machine on a large and complex computer network. It leverages the innate cognitive processing abilities of human operators, allowing them to see security events. In addition to an overall view of an entire network on one screen, NVisionIP also includes the ability to drill down multiple levels to view subnets of machines or view attributes on individual machines relevant to security such as connection and data transfer statistics per protocol or per port.

NVisionIP is developed in Java and is modular by design with the data retrieval/preprocessing component being independent of the visualization component. The data source for our experiments, the NetFlow application, was selected specifically because it provides a mid-level sensing information.

For more detailed description of NVisionIP motivation, goals, and usage visit our NVisionIP publications

Getting NVisionIP

Installation Instructions

• Installing NVisionIP

  • Windows Instructions: After downloading, double-click NVisionIP.exe
  • Linux Instructions:
    • After downloading open a shell and, cd to the directory where you downloaded the installer
    • At the prompt type: sh ./NVisionIP.bin
    Go to the top!

    ---

  • Sample Netflows Input Data Files

    For your convenience, we have included sample data sets of Argus netflow format and NCSA Unified format below. The sample data files can be found here.

    Also, we have a developed a tool called CANINE that can be used to convert netflows from one format to another. For example, you can use this tool to convert Cisco Netflow v5 or v7 formats to Argus or NCSAUnified netflow formats and use this data as input to NVisionIP.

    Sample data sets have been generated for hypothetical classB networks. Please set the ipHeader argument while running NVisionIP accordingly. If this argument is not set, the application defaults to NCSA ipHeader - 141.142

    
    Go to the top!

    ---

  • Generating Input Data

    Argus is required if new flow files need to be processed. Note: Script argus-NCSA-convert will not work without Argus

    Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand,loss, delay, and jitter on a per transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, as well as application/protocol specific information.

    The raw Argus format is undocumented, and the ra utility (bundled with Argus) must be used to extract records from Argus flow files. We wrote a script (download here) that uses the ra utility to create the Argus ASCII flows usable by NVisionIP and our other NetFlow visualization tools. This script must be run on a *NIX platform (e.g., Solaris, Linux, BSD, or Mac OS). The script is also dependent upon ra, which can be found as part of the Argus 2.0.5 toolkit. Argus version 2.0.6 will not work as the interface to ra and command line options have completely changed. For more information on Argus, go to Argus Web site

    Following is a description of Argus netflow format with an example.

    start-time

    end-time

    protocol

    src_ip.src_port

    dst_ip.dstport

    src2dst_packets

    dst2src_packets

    src2dst_bytes

    dst2src_bytes

    status_flag

    Given a record: 20 Aug 03 00:00:34 20 Aug 03 00:00:45 tcp 202.202.11.172.80 ?> 130.126.143.184.7140 116 2 158216 910 E

    will look like:

    start-time	end-time	protocol	src_ip.src_port	dst_ip.dstport	src2dst_packets	dst2src_packets	src2dst_bytes	dst2src_bytes	status_flag
    20 Aug 03 00:00:34	20 Aug 03 00:00:45	tcp	202.202.11.172.80	130.126.143.184.7140	116	2	158216	910	E

    
    
    
  • For NCSA users: Another data source that NVisionIP uses is called NCSA Unified netflows. As different versions of Cisco NetFlow Export are installed in the routing equipments of diverse types/models, there are several different datagram formats. At NCSA, we have been using Cisco v5 and Cisco v7 NetFlows. For the sake of easy access control and data manipulation, the multiple datagram formats are unified into our unique uniform NCSA format which consists of fixed size records. Each record contains the principle information about a net flow, including IP addresses, ports, traffic amount, and type of service, etc. The equal-length record structure provides the random access capability, which is critical for our visualization tools to handle large files. We also provide tool (CANINE) to transform Cisco v5 and Cisco v7 NetFlows into NCSA uniform format files, which can then be fed to the visualization tools.

    Following is a description of NCSA Unified netflow format with an example.

    start-time

    end-time

    src_ip

    src_port

    dst_ip

    dst_port

    src2dst_bytes

    src2dst_packets

    protocol

    
    
    Given a record: 1074059407 1074059410 2374904902 4321 2374894082 45074 5724 34 6

    will look like:
    

    start-time	end-time	src_ip	src_port	dst_ip	dst_port	src2dst_bytes	src2dst_packets	protocol
    1074059407	1074059410	2374904902 (141.142.44.70)	4321	2374894082 (141.142.2.2)	45074	5724	34	6

    • The information in the paranthesis of src_ip and dst_ip columns is displayed for readability purposes. The actual records don't contain the decimal seperated format of the IP addresses.
  
  
  Go to the top!

  ---

Running NVisionIP

• Generate Argus Files:
  • Use the script argus-NCSA-convert to split the argus file into the size you wish and convert to ascii fixed length records.
  
  
• Run NVisionIP:
  Go into the directory where you installed NVisionIP
  • Windows users: Double click on NVisionIP
  • Unix or Linux users:Type ./NVisionIP
  • All Other Platforms: Type
    • java -Xms512M -Xmx512M -jar NVisionIP.jar
    • -Xms and -Xmx are used to adjust the minimum and maximum heap size for your machine.This value depends on the RAM of the machine running NVisionIP. For more information refer to Setting Java Heap Sizes
      
    • Note: NVisionIP is a memory intensive application and for it to run successfully, the user has to increase the heap size.
  
  
  
• When the file chooser dialog comes up
  1. Click on Load, then pick the argus file that you just created
  2. If you have selected a NCSAUnified file, set the Netflow File Format field accordingly
  3. Set the ClassB IP Header field to reflect the classB netflows that your are trying to visualizing.Default is set to NCSA IP Header - 141.142
  4. Intervals to split data into field takes in an integer > 0 and splits the total number of netflows into the number of intervals mentioned by the user. Ex: if the user loaded two files containing 3000 and 2000 netflows and selected the number of intervals to be 25. Then in NVisionIP, the 5000 netflows will be split into 25 intervals with 200 records in every interval
  5. Click on Ok
  6. NVisionIP Galaxy View window will pop-up
  7. The initial view of NVisionIP is set to Cumulative View. This can be changed by using DataView Menu
  8. To start processing the data, move the slider across the ranges of the slider bar located at the bottom of the application window. The number of intervals on the slider bar reflect the value selected by the user in the above steps. As the user moves the slider across, records will be processed and displayed.
  
  
  

Comments

• A user manual for NVisionIP will be coming soon

Screenshots

All Views	Galaxy View

SmallMultiple View	Machine View

Linear Magnification View	Fisheye Magnificaiton View

Mailing List

Visit archives of the NVisionIP Mailing list to search/browse through other posted questions and answers.