LTMON
Overview
L3DGE Traffic Monitor (LTMON) was developed from the work done by Grenville Armitage and Warren Harrop (for example, see the paper "Real-Time Collaborative Network Monitoring and Control Using 3D Game Engines for Representation and Interaction," VizSEC'06 Workshop on Visualization for Computer Security, Virginia, USA, October-November 2006). It is intended as a first attempt to display network traffic information in a 3D environment using already released 3D game engines as a base. We consider this beneficial because it presents a cheap, easy way to display network statistics. Other benefits include:
- The 3D engine is stable and has been tested thoroughly already.
- Allows for multiple users to view the same data with no additional coding.
- It makes the operation of viewing network statistics much easier, as more people are familiar with popular 3D game engines.
- Lowers the skill level network technicians need in order to diagnose problems in the network.
- Cuts down development time.
LTMON is made up of a Quake III Arena modification (ltmon_3Ds_mod), a sniffing program (ltmon_3DSniffer.c) and a specially designed Quake III Arena map (ltmon_worldmap.pk3). Its purpose is to demonstrate the possibilities that are present in displaying network traffic details inside a commercial 3D game environment. This tool allows you to join a Quake III Arena server and see which parts of the world are sending data to your machine. LTMON captures packets from network devices (or a saved tcpdump file), determines the country of origin of these packets and alters the size of a pole representing the data rate for that country. Using a specified filter rule, you can single out web traffic, game traffic, BitTorrent traffic or anything else you wish, selecting specific hosts, protocols or ports.
The result is a 3D environment that you can freely fly around in with a 2D representation of the world on the ground below. Poles protrude from each country to show how many packets per second match the filter rule supplied. Below are some screen shots taken when a sample tcpdump file was read in from the current CAIA game server.
Screenshots
Main screen shot.
A close-up view of activity from Europe.
Another user joins and can explore the world, in real-time, with the first user.
Program Outline
LTMON is made up of a number of different parts. This is to give the user more control over what type of traffic is displayed in the map. Shown below is an outline of the different parts that make up the program and how they interact with one another. The ltmon_3DSniffer program and ltmon_3Ds_mod can be run on the same computer, or on separate machines as shown below. In both cases they must always access the same set of specific country files which contain the heights for each country platform. The actual height is not the packet per second rate, but a scaled PPS rate. This is so that small PPS rates are still easily viewable in the Quake III Arena map ltmon_worldmap.pk3 whilst large values do not go too far out of view.
The ltmon_3DSniffer reads in packets, matching each packet's source IP address against the GeoLite Country data file to determine which country it comes from. After this, the number of packets received for that specific country is increased and the next packet is read in. Once every update rate (default of 2 seconds) the ltmon_3DSniffer program calculates each individual country's packet per second rate. This number is converted into a height value and placed in the corresponding country file. The Quake III Arena mod ltmon_3Ds_mod continuously reads in each country height value and updates the ltmon_worldmap accordingly. With both programs running in unison, the overall view is produced to let you see exactly which countries are contributing to the traffic being received. In order to calculate the PPS values, LTMON uses a moving window average which averages the PPS values over the sampling rate (default of 1 minute).
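The per-country counting and moving-window step described above, as an added C example that is not taken from ltmon_3DSniffer.c. The struct, the function names and the saturating height curve (with its MAX_HEIGHT and HALF_PPS constants) are assumptions, since the page does not give LTMON's actual scaling formula or country file format.

```c
#include <stdio.h>
#include <string.h>

#define UPDATE_SECS 2    /* page default: recompute every 2 s */
#define WINDOW_SECS 60   /* page default: 1 minute averaging window */
#define SLOTS (WINDOW_SECS / UPDATE_SECS)
#define MAX_HEIGHT 512.0 /* assumed: tallest pole, in map units */
#define HALF_PPS 50.0    /* assumed: rate that reaches half of MAX_HEIGHT */

struct country {
    char code[3];              /* country code from the GeoIP lookup */
    unsigned long slot[SLOTS]; /* packets seen in each past interval */
    unsigned long pending;     /* packets seen in the current interval */
    int next, filled;          /* ring-buffer cursor and fill level */
};

void country_init(struct country *c, const char *code) {
    memset(c, 0, sizeof *c);
    strncpy(c->code, code, sizeof c->code - 1);
}

/* Called for every captured packet whose source maps to this country. */
void count_packet(struct country *c) { c->pending++; }

/* Called once per UPDATE_SECS: close the interval, return windowed PPS. */
double update_pps(struct country *c) {
    unsigned long total = 0;
    c->slot[c->next] = c->pending;
    c->pending = 0;
    c->next = (c->next + 1) % SLOTS;
    if (c->filled < SLOTS) c->filled++;
    for (int i = 0; i < c->filled; i++) total += c->slot[i];
    return (double)total / (c->filled * UPDATE_SECS);
}

/* Assumed scaling (not LTMON's): saturating curve, 0 <= height < MAX_HEIGHT. */
double pps_to_height(double pps) {
    return MAX_HEIGHT * pps / (pps + HALF_PPS);
}

int main(void) {
    struct country au;
    country_init(&au, "AU");
    for (int i = 0; i < 100; i++) count_packet(&au); /* constructed burst */
    double pps = update_pps(&au);
    printf("%s pps=%.1f height=%.1f\n", au.code, pps, pps_to_height(pps));
    return 0;
}
```

Because the average runs over the whole window, a single burst keeps its pole raised for up to a minute and only drops out once its interval is overwritten.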
Future Work
Other future possibilities for tools such as this may include:
- A graphical representation of the time in the map by presenting clocks or, possibly, by manipulating the lighting to present day/night times.
- More rooms that display different types of data.
- The ability to have a greater variety of data being input into the program and displayed in 3D.
Authors and Acknowledgments
- The Quake III Arena based traffic monitoring tool has been developed by Alexander Shoolman with help from Grenville Armitage and Warren Harrop.
- This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
- Images used in the Quake III Arena map provided were taken from the ESA website. These images include the map of the world as well as the map of Europe. http://www.esa.int
- This project has been made possible in part by a grant from the Cisco University Research Program Fund at Community Foundation Silicon Valley.
Download:
- Download just the README.txt file from here.
- Download the entire LTMON_V0.1.tgz package from here. (5.6MB)
- Download just the map used in the LTMON package from here. (5.1MB)
Go back to the L3DGE project main page