
Marking IP connections on a map

Good day.

It so happens that at home I use an ordinary Atom-based computer running Debian as a gateway. Because of that it also performs a number of extra duties: file storage, torrent downloading, a personal repository, and so on. But that is not the point. The presence of a torrent client means a fairly large number of connections, and the idea came up: "could all of this be visualized?"
A solution was found quite quickly: xplanet (draws an image of the Earth with markers on it) + geoip (IP -> coordinates).

Setup


geoip

The project lives at github.com/appliedsec/pygeoip . Installation is no problem; the only things you need to do separately are to download the database, www.maxmind.com/download/geoip/database/GeoLiteCity.dat.xz (you can find this out from the project wiki), and to install python-six. My gateway runs the testing branch of the distribution, where this package is in the repository (it is not in stable, where you have to install it by hand). Other distributions are likely to have it in their repositories as well. (Caveat: MaxMind has since discontinued the legacy GeoLite City database that pygeoip reads, so that download link no longer serves the file; today you need an archived copy of GeoLiteCity.dat or a port to the GeoLite2 format.)
This API can return various information, for example city name, country, postal code, etc., but we are only interested in the coordinates.

xplanet

Installed from the repository. The first thing to do after installation is to tweak the config (mine is at /etc/xplanet/config/default), namely to specify the name of the file with the markers that we will draw on the map; passing the file location as a parameter at startup is not possible. To do this, in the [Earth] section we specify:

```
marker_file=<path to the marker file>
```

Putting it all together


Now we can put it all together. A list of all connections can be obtained with the command:

```sh
netstat -ntp
```

A short explanation: -n shows IP addresses rather than names, -t selects TCP connections, -p shows the name and PID of the owning process (to see the names of all processes, and not just your own, you have to use sudo). On current distributions netstat belongs to the deprecated net-tools package; `ss -ntp` from iproute2 takes the same flags, but its column layout differs, so the parsing script below would need adapting. Next, filter out everything we do not need (the headers and IPv6):

```sh
sudo netstat -ntp | grep tcp | grep -v ::
```

Below is a small script that does part of the work.

```sh
#!/bin/sh
# Temporary file for the netstat output
STAT_FILE=$(mktemp)
# Marker file that xplanet reads (must match marker_file in the xplanet config)
MARKER_FILE="ipm"
# -u is passed too, but the grep keeps only the tcp lines
sudo netstat -nutp | grep tcp | grep -v :: > "$STAT_FILE"
# Convert the connection list into xplanet markers
./net_draw.py "$STAT_FILE" > "$MARKER_FILE"
# Render the map.
# -output p.jpg            - output file
# -geometry 1920X1080       - image size
# -projection rectangular  - flat projection, the whole map in one picture
# -longitude 15            - centre the map on this longitude (so it is not "cut" in an awkward place)
# -num_times 1             - render once and exit
# -quality 100             - JPEG quality
xplanet -output p.jpg -geometry 1920X1080 -projection rectangular -longitude 15 -quality 100 -num_times 1
# Remove the temporary file
rm "$STAT_FILE"
```


Now it is the turn of the Python script that does the rest of the work.

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import pygeoip
import sys

input_file = sys.argv[1]
# GeoIP database (GeoLiteCity.dat is expected in the current directory)
gi = pygeoip.GeoIP("GeoLiteCity.dat")
marker_map = {}


# Assigns a colour to each process name, cycling through a fixed palette
class Col:
    def __init__(self):
        # index of the next colour to hand out
        self.c_id = 0
        # process name -> colour
        self.color_map = {}
        # the palette
        self.colors = ["White", "Red", "Green", "Yellow", "Purple",
                       "Brown", "Blue", "Pink", "Gray", "Orange"]

    def get_color(self, id):
        if id in self.color_map:
            return self.color_map[id]
        self.color_map[id] = self.colors[self.c_id]
        self.c_id = self.c_id + 1
        # palette exhausted: start over (colours will repeat)
        if self.c_id == len(self.colors):
            self.c_id = 0
        return self.color_map[id]


c_c = Col()
i_f = open(input_file, 'r')
for l in i_f:
    # split the netstat line into fields
    fields = l.split()
    # the foreign address is field 4; strip the port
    pos = fields[4].find(':')
    ip = fields[4][:pos]
    gi_pos = gi.record_by_addr(ip)
    # the "PID/Program name" column
    name = fields[6]
    # if the IP is not in the database, record_by_addr returns None
    if gi_pos != None:
        color = c_c.get_color(name)
        marker_id = "%5.2f %5.2f \"\" color=%s" % (gi_pos['latitude'], gi_pos['longitude'], color)
        # several connections to the same place enlarge the marker; the initial size is 2
        if marker_id in marker_map:
            marker_map[marker_id] = marker_map[marker_id] + 1
        else:
            marker_map[marker_id] = 2
i_f.close()
# print the markers
for mid in marker_map:
    print (mid + " symbolsize=%d" % marker_map[mid])
# the legend; x, y are the coordinates of the first entry
x = 0
y = 50
for key in c_c.color_map:
    print ("%5.2f %5.2f \"%s\" color=%s" % (x, y, key, c_c.color_map[key]))
    x = x - 2.5
    y = y + 0
```


Now you can enjoy the result, or look at an example of what comes out. The connections without a PID are TIME_WAIT entries and the like.

This implementation is not without flaws. For example, the colours cycle, and once the palette wraps around for the second or even third time the marker sizes may be wrong, because the colour is part of the key: two different processes that received the same colour and connect to the same location are merged into one marker. Ideally unique colours should be generated, but with a small number of processes this approach is acceptable.
If the map needs to be redrawn continuously, xplanet can be run without a limit on the number of renders and detached from the terminal. Then it is enough to update only the marker file periodically (from cron, for example).
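
The two pitfalls above (parsing the netstat columns and keying markers by colour) can be avoided in one pass. The following is an added example, not code from the original post: it parses the same `sudo netstat -ntp` output, skips header, tcp6 and PID-less lines, and keys the marker counts by (latitude, longitude, process) so that processes sharing a colour no longer merge. The names `SAMPLE_NETSTAT`, `FAKE_GEOIP`, `parse_netstat` and `build_markers` are this example's own; the netstat text and the IP-to-coordinate table are constructed stand-ins, and `FAKE_GEOIP.get` replaces pygeoip's `record_by_addr` so the script runs offline.

```python
#!/usr/bin/env python3
# Added example (not from the original post): turn `netstat -ntp` output
# into xplanet marker lines keyed by (location, process) rather than
# (location, colour).  The GeoIP lookup is a constructed in-memory table;
# pass a real lookup function (e.g. a wrapper around pygeoip) for live use.
import ipaddress

# Constructed sample of `sudo netstat -ntp` output: header lines, two
# torrent peers in the same city, an ssh session, a TIME_WAIT entry with
# no PID, and an IPv6 line that must be ignored.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:51413        198.51.100.7:6881       ESTABLISHED 1234/transmission-d
tcp        0      0 192.0.2.10:51413        198.51.100.8:6881       ESTABLISHED 1234/transmission-d
tcp        0      0 192.0.2.10:22           203.0.113.5:40022       ESTABLISHED 987/sshd: admin
tcp        0      0 192.0.2.10:443          203.0.113.5:40100       TIME_WAIT   -
tcp6       0      0 ::1:631                 ::1:52000               ESTABLISHED 42/cupsd
"""

# Constructed stand-in for GeoLiteCity.dat: IP -> (latitude, longitude).
FAKE_GEOIP = {
    "198.51.100.7": (48.86, 2.35),
    "198.51.100.8": (48.86, 2.35),
    "203.0.113.5": (55.75, 37.62),
}

PALETTE = ["White", "Red", "Green", "Yellow", "Purple",
           "Brown", "Blue", "Pink", "Gray", "Orange"]


def split_host_port(addr):
    """Split 'host:port' on the last colon (safe for IPv6 too)."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Yield (foreign_ip, program) for each IPv4 TCP line that has a PID."""
    for line in text.splitlines():
        fields = line.split(None, 6)    # keep "PID/Program name" in one field
        if len(fields) < 7 or fields[0] != "tcp":
            continue                     # header, tcp6 or malformed line
        foreign_ip, _ = split_host_port(fields[4])
        try:
            ipaddress.IPv4Address(foreign_ip)
        except ValueError:
            continue
        prog = fields[6].strip()
        if prog == "-":
            continue                     # TIME_WAIT etc.: no owning process
        yield foreign_ip, prog.split("/", 1)[1]


def build_markers(text, lookup, start_size=2):
    """Return (marker_lines, legend_lines) in xplanet marker_file syntax.

    lookup(ip) returns (lat, lon) or None.  Markers are keyed by
    (lat, lon, process), so the colour is never part of the key.
    """
    counts = {}          # (lat, lon, process) -> symbolsize
    colours = {}         # process -> colour, in order of first appearance
    for ip, proc in parse_netstat(text):
        pos = lookup(ip)
        if pos is None:
            continue
        colours.setdefault(proc, PALETTE[len(colours) % len(PALETTE)])
        key = (pos[0], pos[1], proc)
        # first connection gives start_size, every further one adds 1
        counts[key] = counts.get(key, start_size - 1) + 1
    markers = ['%5.2f %5.2f "" color=%s symbolsize=%d'
               % (lat, lon, colours[proc], size)
               for (lat, lon, proc), size in sorted(counts.items())]
    # legend: one labelled entry per process, stepping south from (0, 50)
    legend = ['%5.2f %5.2f "%s" color=%s' % (0 - 2.5 * i, 50, proc, colours[proc])
              for i, proc in enumerate(colours)]
    return markers, legend


if __name__ == "__main__":
    marker_lines, legend_lines = build_markers(SAMPLE_NETSTAT, FAKE_GEOIP.get)
    print("\n".join(marker_lines + legend_lines))
```

Run as `./net_draw.py > ipm` style by replacing `SAMPLE_NETSTAT` with the captured netstat file and `FAKE_GEOIP.get` with a function that returns `(record['latitude'], record['longitude'])` from pygeoip. Because the key no longer contains the colour, the palette wrapping around only affects how the picture looks, not the marker sizes.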

In any case, this example can serve as a good basis for a more complex (or simpler) implementation.

Source: https://habr.com/ru/post/143504/
