The Shoki Packet Hustler

The packet hustler (or hustler(1)) is a tool for visualisation of IP network data. In particular, it is intended to be useful in allowing an analyst to visually identify patterns in network traffic.

The code comprising hustler(1) was originally written as a diagnostic/testing widget for use with cluster analysis code being written for the shoki NIDS. It is difficult to evaluate the 'goodness' of a new n-dimensional cluster model without some way of visualising the data; hustler(1) started out as a way of looking at what all the cluster number-crunching was doing.

The clustering code is still being worked on, but it is believed that the current incarnation of hustler(1) is interesting in its own right. Later versions will hopefully include more automated analysis widgetry, rather than merely being a graphical frontend for doing (largely manual) analysis.

In the current rev, hustler(1) will probably be primarily of interest to analysts interested in developing statistical models of network traffic. It's also a pretty cool toy for just looking at network traffic.

For the record, the name has a threefold derivation, presented in no particular order:


Hustler(1) was introduced in shoki-0.2.0 and some of the things it does are:


For general information about hustler(1), read the FAQ.

The most detailed information available about hustler(1) is the packet hustler manual. Contributions, corrections, and updates are welcome.

In addition, new users may find the general shoki documentation informative.


In addition to the screenshots that are a part of this document, some images of the hustler(1) interface and plots can be found in the packet hustler manual.

Warnings To The Unwary

First of all, as of the time of this writing, hustler(1) doesn't actually do much of anything. Beyond the underlying signature matching (done via shoki filter rules), hustler(1) doesn't do any analysis. It won't tell you when something is suspicious. It just shows you the data, and you need to be able to do the analysis yourself.

The code is also pretty new. Read: probably chock-full o' bugs.

The code also has lots of dependencies on third-party libraries. In particular, it relies on a lot of GUI stuff (GTK+, gtkglext, and OpenGL). In general, you probably won't have all of the dependencies installed on the machine(s) that normally handle your NIDS data. This means that in order to use hustler(1), you'd have to either install a bunch of stuff on your NIDS box(-en), or move the data to some other host. Neither of these alternatives is particularly attractive.

There is very little interface chrome, and no online help in the application. Translation: it ain't very user-friendly.

It is pretty resource hungry. A lot of packet data is kept in memory, so as you increase the number of packets (and the number of filters), your memory usage goes up.


The source for hustler(1) is part of the shoki source distribution. It's available from the shoki files list on SourceForge.


Any and all comments, questions, and suggestions (about hustler(1) or about shoki in general) are welcome. Don't hesitate to send mail to or directly to the primary author.

