SANTA-G Network Traffic Analysis Demonstration

Instructions for tutorial users:

It is assumed that the SANTA-G QueryEngine and at least one Sensor have been started in advance. If this is the case follow these steps:

1. Type the following and press Enter:

    > $CG_LOCATION/bin/startupViewer

The SANTA-G Viewer GUI should appear (see Figure 1).

2. Look at the two drop-down boxes in the control panel at the bottom of the GUI, Sensor Id (2) and File Id (3). Both should contain a list of values. Sensor Id contains the ID of any connected Sensors, and File Id contains the ID of any files the selected Sensor maintains. The third box is the Packet ID (4) textfield. This is used to enter the ID of the packet within the file you wish to view. This should contain the value 0, i.e. the first packet in the file.

Figure 1: SANTA-G Viewer Packet Display.

3. Press the View (5) button. The GUI status display (11) should show “Collecting data, please wait....”. After a short time the packet data should be displayed (9).

4. To move to the next packet in the file press the Next (8) button. Again the display will be disabled whilst the data is being collected; after a short time the next packet will be displayed. The Packet ID (4) box should now contain the value 1.

5. To return to the previous packet press Previous (7). This moves you back one packet in the file.

6. To view a specific packet you can enter the ID of the packet in the Packet Id field and press View. Enter the value 20 in the Packet Id field and press View. The 21st packet in the file will be displayed (as the IDs start at zero).

7. Tcpdump writes a header at the start of each log file. As this header is the same for all packets in the file, the panel showing it can be hidden. To view the file header information press the Show/Hide File (1) button. The file panel will be added to the packet display. To remove it, press Show/Hide File again.

8. The Refresh (6) button is used to ‘refresh’ the contents of the Sensor ID drop-down box and the File Id box. If a new Sensor is started, or a Sensor creates a new file, pressing this button will update the Viewer to show this.

Now switch to the Query panel by clicking on the Query (10) tab at the top of the display. The query panel is split into two halves (see Figure 2): the text area where SQL queries can be entered (1), and the results table (2), where the results of queries are displayed.

Figure 2: Query Panel

1. To view a summary of the available sensors press the Sensor Info (6) button. This will display a table of the available sensors. Double click on a row of the table to obtain information on that sensor. Close the sensor information panel.

2. Enter the following SQL query into the query text area (1):

    SELECT * FROM Packet
    WHERE fileId = 0
    AND packetId < 10

3. Press the Execute (3) button.

4. After a short time the results of this query, the contents of the Packet table for the first 10 packets in file ID 0, should be displayed.

5. Double-click on a row of the table with the mouse. The display should switch to the packet view and will, after a short delay, display the full packet header for the packet contained in the selected row.

6. Return now to the query panel.

7. It is possible to print a table of results. When a query has completed and the results are displayed in the table press the Print (8) button. This should bring up the standard print dialog.

8. If a query is taking too long to execute it can be aborted by pressing the Cancel (4) button.

9. In order to simplify entering SQL queries a Query Builder has been provided. Press the Query Builder (5) button. The builder should appear in a separate window (see Figure 3).

10. The query builder is divided into 3 sections (1, 3, 5) that allow you to create the SQL SELECT statement. First choose the table to select fields from in the From panel list (4). Click on Ethernet.

Figure 3: Query Builder panel

11. The list in the Select panel (2) should now have changed to display the available fields in the Ethernet table. Click on the checkboxes beside the ‘Destination Address’, ‘Source Address’ and ‘Packet Type’ labels.

12. Now in the Where panel (5) you can specify the WHERE conditions of the SQL query. Click on the first drop-down box (6) in the row and make sure Sensor ID is selected. Now click on the third drop-down box (7). Its list should contain the values of the available sensor IDs. Choose one.

13. Now click Add (14). A second row should appear in the Where panel.

14. Again click the first drop-down box (8) and choose File ID. Make sure the second box (9) contains ‘=’ and then enter 0 in the last box (10).

15. Click Add again to create a third row (rows can be removed from this panel by clicking the ‘x’ button in that row).

16. Choose Packet ID in the first drop-down box (11), ‘<’ in the second (12), and finally enter 50 in the last box (13).

17. Now press Build (18). The builder window should disappear and the constructed query will be displayed in the query text area. To run the query press Execute.

18. To save the query press ‘Query Builder’ again. The builder panel should re-appear still set to the last query built. To save the query press the Save button (16). You will be asked to confirm the save, press OK.

19. To load a query press the Load (17) button. A panel should be displayed with a list of numbers corresponding to previously saved queries. Choose a number from the list and the pre-built query should be displayed. Choose the query you want to load and press OK. To delete a query from the list select it and press Remove.
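As an added example (not part of the SANTA-G tutorial or its own code), the following Python mirrors what the Query Builder does with its From, Select and Where panels: it assembles the SELECT statement built in steps 10 to 17 and the sample query from step 2, checking every table, column and operator against an allowlist and binding values as parameters so that a value typed into the last box cannot change the query's structure. The sensorId column and the Ethernet column names are assumptions; only Packet.fileId and Packet.packetId appear in the tutorial.

```python
import sqlite3

# Allowlisted schema. Packet.fileId and Packet.packetId come from the tutorial's
# sample query; sensorId and the Ethernet column names are assumptions.
TABLES = {
    "Packet": {"sensorId", "fileId", "packetId"},
    "Ethernet": {"sensorId", "fileId", "packetId",
                 "destinationAddress", "sourceAddress", "packetType"},
}
OPERATORS = {"=", "<>", "<", ">", "<=", ">="}


def build_query(table, select_fields, where_rows):
    """Mirror the builder's From (table), Select (fields) and Where (rows) panels.

    where_rows is a list of (column, operator, value) triples, one per Where row.
    Returns (sql, params): identifiers are checked against the allowlist and
    values never enter the SQL text; they are bound through '?' placeholders."""
    if table not in TABLES:
        raise ValueError(f"unknown table: {table!r}")
    columns = TABLES[table]
    fields = list(select_fields) or ["*"]
    for f in fields:
        if f != "*" and f not in columns:
            raise ValueError(f"unknown column: {f!r}")
    clauses, params = [], []
    for col, op, val in where_rows:
        if col not in columns or op not in OPERATORS:
            raise ValueError(f"rejected where row: {(col, op, val)!r}")
        clauses.append(f"{col} {op} ?")
        params.append(val)
    sql = f"SELECT {', '.join(fields)} FROM {table}"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params


def run_on_sample(sql, params):
    """Execute a built query against a constructed in-memory Packet table
    (two files, 20 packets each, one sensor) and return the matching rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Packet (sensorId INTEGER, fileId INTEGER, packetId INTEGER)")
    con.executemany("INSERT INTO Packet VALUES (?, ?, ?)",
                    [(0, f, p) for f in (0, 1) for p in range(20)])
    return con.execute(sql, params).fetchall()


if __name__ == "__main__":
    q, p = build_query("Packet", [], [("fileId", "=", 0), ("packetId", "<", 10)])
    print(q, p, len(run_on_sample(q, p)))
```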