Server vznikl za podpory Grantové agentury ČR.
Knime and Wireshark Data ExplorationVydáno dne 06. 05. 2015 (5655 přečtení)
The goal of this article is to present possibilities and practical experiments with network data exploration in KNIME
Knime analytics platform is a powerful platform to perform data analysis. It provides many extensions that represent individual nodes in a graphical environment. These nodes can be used in fast modeling, analysis and data mining combination. In this paper, we join the use of the program KNIME and captured packets in the Wireshark program in order to show advanced options and possibility in data exploration and view.
Keywords: data; knime; packet; wireshark; analysis
Analysis of the data communication is an integral part of today's communication systems. This analysis provides the detection of data behavior as well as ensures the security in networks. For such purpose are used lot of techniques, programs and implemented algorithms in network hardware and software. For the data mining and exploration can be also used the analytic platform KNIME . We decided to explore a data flow captured by Wireshark . In such way is possible to deploy extra algorithm to a data analysis, which is included in KNIME. In this example WEKA supplement  has been used. We used in our analysis, in intention to show potential use of KNIME, data from the laboratory of communication technology. For this case we configured as CISCO telephony to communicate thru H3X as well analog telephony connected to SMC PBX10. In this network Wireshark has been running to capture the communication of mentioned nodes.
Detailed system and network setup
The whole communication of the laboratory had been saved to a .csv file by Wireshark. This file was later analyzed in KNIME. In this case LineEye-580 FX was used, as shown in figure 1.
Fig. 1 Simplified network setup.
SMCDSP-205 phone , connected to SMCPBX10 digital private branch exchange, was used for the setup of communication in the network. Second one, phone SMCDSP-205 was connected thru HUB “Superstack”, as shown in figure 1. The HUB device forwarded communication to all own ports. A computer with installed Wireshark was listening to one of HUB’s port. It did a simple network probe. The second scenario, as shown in figure 1 on the right site, it is almost similar to the first one. Main difference is that the LineEye-580-FX device is connected as a network probe instead of the HUB. LineEye device uses USB 2.0 interface to communicate with any PC. At the final step the entire communication of the laboratory was captured in addition to the two previous scenarios. These data had been also used for an analysis and to filter proper communication.
KNIME data analysis
Main dialog window of KNIME program consists of nodes with their own functions. Our analysis diagram, as is shown in picture 2, consists of file reader, color manager and plot diagrams nodes. Each single node has special functions as follow:
• File reader is designed for reading data from *.csv file, which are captured and stored in computer.
Fig. 2 KNIME workflow schema.
The aim of these tests was to verify the communication in the access network on various platforms through the trunk and the subsequent analysis of data on the network. This communication was addressed only in the context of wire bonds on the basis of known communication protocols and software clients using communication via the switchboard SMCPBX10. PBX digital, analog and software were used in the laboratory for further tests.
Analysis of the operation carried out in the same manner. In the analysis any unwanted traffic were traced. The analysis software was possible to interactively monitor incoming and outgoing traffic based on ports of each connected device, the type of protocols that use the device, if more efficient filters by parameters. For local networks it was proved to be very effective observation mainly due to the rapid detection of potential DDoS or other cyber-attacks.
Results of the monitoring network can be seen on the graphic representation of the overall network analysis. As is evident from Figure 3, the most overhanded protocol was RTP protocol through which communication on the network proceeded. To record the values from the network were performed operations call dialing, call and hang from one to multiple sources at the same time. Percentages of other protocols appeared to be of little importance.
Fig. 3 Graph of network traffic
In Figure 4, the spread chart show from which source device operations were generated and which protocols thereto were used. Spread chart is designed to graphically show that on the network does not occur unwanted communication. If in the monitored network devices began to generate unauthorized traffic or equipment that generates the extreme values of operation, the operator conducting surveillance can immediately conclude that there is non-standard situations on networks and might discredit this problem.
Fig. 4 Distracted presentation of used protocols, depending on the source addresses.
When the operator records a non-standard behavior, then is possible in the tool KNIME to indicate this communication in any type of graph and subsequently filter as shown in Figure 5. Sorting and subsequent filtering can be addressed based on destination IP addresses, source, based on the report and other adjustable or programmable parts, thanks to the openness of the system KNIME.
Fig. 5 Highlighted RTP packet
More structured way how to gain insight into the used protocols in relation to time can be in various use of forms and types of graphs. As shown in figure 5, the RTP protocol was dominating as expected. The call in this case was exchanged between two phones via digital PBX SMC SMCPBX10.
Fig. 6 Structure of used protocols
Summary and Conclusions
The intention of this article was to provide insights into alternative ways of data analysis. To this software KNIME was used with its individual modules. The article presents the results descibing data analysis, surveilance and seucity audit example in laboratory network including multiple protocols communication.
Research described in this paper was financed by the National Sustainability Program under grant LO1401. For the research, infrastructure of the SIX Centre was used. This work was also supported by the project FEKT-S-14-2352: Research of electronic, communication and information systems.
 KNIME.com AG.; KNIME: Open for innovation [online]. 2015 [cit. 2015-04-27]. Available from: https://tech.knime.org/home.
Autor: B. Novotný
Pracoviště: Vysoké učení technické v Brně
Projekty a aktuality
Výzkum a vývoj nového komunikačního systému s vícekanálovým přístupem a mezivrstvovou spoluprací pro průmyslové aplikace TA02011015
Vývoj adaptabilních datových a procesních systémů pro vysokorychlostní, bezpečnou a spolehlivou komunikaci v extrémních podmínkách VG20122014095
Výzkum a vývoj datového modulu 10 Gbit/s pro optické a mikrovlnné bezdrátové spoje, FR-TI2/621
Sítě s femtobuňkami rozšířené o řízení interference a koordinaci informací pro bezproblémovou konektivitu, FP7-ICT-2009-4 248891
Ochrana člověka a techniky před vysokofrekvenčním zářením, FI-IM5/202
Radou pro výzkum a vývoj jako recenzovaný časopis
Pokročilá optimalizace návrhu komunikačních systémů pomocí neuronových sítí, GA102/07/1503
01.07.2006: Doplnění sekce pro registrované
12.04.2005: Zavedeno recenzování článků
30.03.2005: Výzkumný záměr
Výzkum perspektivních informačních a komunikačních technologií MSM6840770014
29.11.2004: Přiděleno ISSN
04.11.2004: Spuštění nové podoby Access serveru
Optimalizace přenosu dat rychlostí 10 Gbit/s, GA102/04/0773
Specifikace kvalitativních kritérií a optimalizace prostředků pro vysokorychlostní přístupové sítě, NPV 1ET300750402
Omezující faktory při širokopásmovém přenosu signálu po metalických párech a vzájemná koexistence s dalšími systémy, GA102/03/0434
Tento web site byl vytvořen prostřednictvím phpRS - redakčního systému napsaného v PHP jazyce.
Na této stránce použité názvy programových produktů, firem apod. mohou být ochrannými známkami
nebo registrovanými ochrannými známkami příslušných vlastníků.