SHOKI

http://shoki.sourceforge.net/

shoki@meshuggeneh.net

The Shoki Packet Hustler


Introduction

The packet hustler (or hustler(1)) is a tool for visualisation of IP network data. In particular, it is intended to be useful in allowing an analyst to visually identify patterns in network traffic.

The code comprising hustler(1) was originally written as a diagnostic/testing widget for use with the cluster analysis code being written for the shoki NIDS. It is difficult to evaluate the `goodness' of a new n-dimensional cluster model without some way of visualising the data; hustler(1) started out as a way of looking at what all the cluster number crunching was doing.

The clustering code is still being worked on, but it is believed that the current incarnation of hustler(1) is interesting in its own right. Later versions will hopefully include more automated analysis widgetry, rather than merely being a graphical frontend for doing (largely manual) analysis.

In the current rev, hustler(1) will probably be primarily of interest to analysts interested in developing statistical models of network traffic. It's also a pretty cool toy for just looking at network traffic.

For the record, the name has a threefold derivation, presented in no particular order:

Features

Hustler(1) was introduced in shoki-0.2.0 and some of the things it does are:

Documentation

For general information about hustler(1), read the FAQ.

The most detailed information available about hustler(1) is the packet hustler manual. Contributions, corrections, and updates are welcome.

In addition, new users may find the general shoki documentation informative.

Screenshots

In addition to the screenshots that are a part of this document, some images of the hustler(1) interface and plots can be found in the packet hustler manual.

Warnings To The Unwary

First of all, as of the time of this writing hustler(1) doesn't actually do much of anything. Beyond the underlying signature matching which is done (via shoki filter rules), hustler(1) doesn't actually do any analysis. It won't tell you when something is suspicious. It just shows you the data, and you need to be able to do the analysis yourself.

The code is also pretty new. Read: probably chock full o' bugs.

The code also has lots of dependencies on third party libraries. In particular, it relies on a lot of GUI stuff (GTK+, gtkglext, and OpenGL). In general, you probably won't have all of the dependencies installed on the machine(s) that normally handle your NIDS data. This means that in order to use hustler(1), you'd have to either install a bunch of stuff on your NIDS box(-en), or move the data to some other host. Neither of these alternatives is particularly attractive.

There is very little interface chrome, and no online help in the application. Translation: it ain't very user-friendly.

It is pretty resource hungry. A lot of packet data is kept in memory, so as you increase the number of packets (and the number of filters), your memory usage goes up.

Download

The source for hustler(1) is part of the shoki source distribution. It's available from the shoki files list on SourceForge.

Feedback

Any and all comments, questions, and suggestions (about hustler(1) or about shoki in general) are welcome. Don't hesitate to send mail to shoki@meshuggeneh.net or directly to the primary author spb@meshuggeneh.net.
