
IDFAQ: Are there tools to visualize the data from an intrusion detection system?

Algis Kibirkstis
November 2009


Intrusion detection systems (IDS) and intrusion protection systems (IPS) provide valuable protection mechanisms to operational environments: the first flags anomalies as a passive listener, while the second is designed to react to discovered anomalies by blocking undesirable traffic.

Beyond these primary functions, information collected from IDS/IPS systems can also be used to help illustrate and characterize trends, events of interest and incidents through data visualization capabilities.

Laying a Foundation

Information systems, including security-dedicated systems such as IDS and IPS, generate logs, provided that they are configured to do so. In the case of IDS/IPS, logging can provide interesting insight into what such systems see across the wire. When the data is stored in a standard packet capture format such as PCAP, several third-party solutions can effectively assist the security professional by reading these packet capture files and rendering graphical representations that can pinpoint problems or trigger follow-up investigations.

PCAP support has to be introduced at the kernel level, and is done by installing components such as libpcap (for Unix/Linux platforms) or WinPcap (for Windows platforms).
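As an added illustration (not part of the original article or of any tool it describes), the following Python sketch reads a classic libpcap-format capture, totals the bytes exchanged between each pair of IPv4 hosts, and emits Graphviz DOT text that a graph renderer can draw. The function names and the embedded sample capture are constructed for this example; only Ethernet captures in the classic (non-pcapng) format are handled.

```python
import socket
import struct
from collections import Counter

def read_frames(data):
    """Yield Ethernet frames from a classic libpcap file (not pcapng)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    off = 24  # first record follows the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        if off + incl_len > len(data):
            break  # truncated final record
        yield data[off:off + incl_len]
        off += incl_len

def conversations(data):
    """Bytes per (src, dst) IPv4 pair: the edge weights a graph view draws."""
    edges = Counter()
    for frame in read_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # skip ARP, IPv6, VLAN-tagged and short frames
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        edges[(src, dst)] += len(frame)
    return edges

def to_dot(edges):
    """Render the edge table as Graphviz DOT text."""
    rows = [f'  "{s}" -> "{d}" [label="{n} B"];' for (s, d), n in sorted(edges.items())]
    return "digraph traffic {\n" + "\n".join(rows) + "\n}"

# Constructed sample capture (not real traffic): three IPv4 frames, two hosts.
def _frame(src, dst, payload_len):
    ip = (b"\x45\x00" + struct.pack(">H", 20 + payload_len) + b"\x00" * 4 +
          b"\x40\x06\x00\x00" + socket.inet_aton(src) + socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE = _pcap([_frame("10.0.0.5", "192.0.2.10", 100), _frame("10.0.0.5", "192.0.2.10", 50),
                _frame("192.0.2.10", "10.0.0.5", 20)])
if __name__ == "__main__":
    print(to_dot(conversations(SAMPLE)))
```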

Examples of IDS/IPS Data Visualizers

EtherApe is currently a beta-level, open source Unix project that reads live traffic or packet capture files, and renders information in a format that directs attention to relationships between systems. It uses color to attract attention to information of interest, supports name resolution, and can be configured to filter packets so that one can drill down during investigations.

NetGrok is a Java-based implementation that can run on any operating system that supports Java. It also supports real-time monitoring and reading of packet capture files. Originating from the University of Maryland, this project sees network communications from the internal network perspective, and performs colour-coding based on the network speed.

TNV is another university-based OS-agnostic data visualizer based on Java. It associates remote hosts on one side of the screen with local hosts on the other, with the details (presented in a tabular format) displayed in between. By selecting a cell in the table, relevant information associated with the entry is highlighted on the screen.


A picture is commonly considered to be worth a thousand words. By harnessing the power of network traffic visualization tools to render sample or suspect data in a single graphical view, the security analyst is not only able to focus a trained eye on areas of interest, but is also able to filter data and perform queries at the touch of a mouse button. Many of today's visualization tools support the PCAP packet capture format, thereby allowing the security analyst to have a suite of such tools at their disposal, with each one providing a unique view of a (network traffic) moment in time.


Tools for visualizing IDS output: Pictures
tnv: computer network traffic visualization tool
EtherApe: A graphical network monitor

Daniel Clark has developed a 3D Java program for viewing Snort logs and has made the source public at http://scanmap3d.sourceforge.net.