An Exploration of Geolocation and Traffic Visualisation Using Network Flows

A network flow is a data record that represents characteristics associated with a unidirectional stream of packets transmitted between two hosts using an IP layer protocol. As a network flow only represents statistics relating to the data transferred in the stream, the effectiveness of utilizing network flows for traffic visualization to aid in cyber defense is not immediately apparent and needs further exploration. The goal of this research is to explore the use of network flows for data visualization and geolocation. A prototype system capable of collecting network flows exported using the NetFlow version 9 protocol was designed and implemented as part of this research to aid in the exploration. This prototype system processes the collected flow records and renders the geolocated results on an web based interactive map. Using conformance testing it is shown that the prototype system is capable of collecting network flows and generating geolocated flow events withing 50 milliseconds of receiving the raw flow records on the test platform. The system also provides functionality for the generation of heatmaps and tools for replaying flow events from the client browser for further visual analysis. A reporter tool has also been developed to produce monthly reports on the collected network flows.