Graph Properties/Rules

Graph Layouts

The Interactive Search feature offers versatile visualization through five distinct graph layouts, providing users with diverse perspectives on the categorized traffic data.

Force/Link Directed

Force directed graph. Nodes that are linked together are “charged” together in clumps.

Radial

Radial directed graph. Nodes are sorted into rings. The inner rings contain nodes with a higher packet/byte count. Nodes are also clumped based on DNS.

Grid

Grid graph. This layout only appears when a search is being run. No links are shown. Nodes are sorted into rows. The rows at the top have nodes with a higher packet/byte count.

List

List view of the graph. Displays nodes in a table.

Packets

List view of packets. Displays packets in a table.

Node and Link Styling Rules

Default State

Some nodes will have a blue or a red-orange look. Blue links are multicast, orange are broadcast.

Multicast if the first 8 bytes of the IP are between 233 and 239 exclusive.

Broadcast if any IP segment is 255.

Double Clicked Nodes

Double-clicked nodes will show all neighboring nodes and links in green (regardless of whether they are multicast or broadcast).

The node’s stroke (border) will be black.

Double-clicked nodes will have a green blur around the node and text.

Double-clicking an already searched node will change it back to default styling.

Hovered

Neighboring nodes and links have a darker stroke.

IP Search Highlight

The input is based on regex, so if the input is 10.5, nodes with *10.5* should be rectangles, and the IP label has an orange blur.

Neighboring nodes and links that have been part of a double-click search or a matched regex search have a dashed, magenta stroke.

MAC Address Match

When hovering over a node, nodes with matching MAC addresses will be highlighted blue.

Hovered Double click

Neighboring nodes and links that have been part of a double-click search or a matched regex search have a dashed, magenta stroke.

Malicious Nodes

Malicious nodes are nodes that appear on the Talos IP list website. (Refer to Malicious Nodes.)

These nodes have a red blur.

Overlap I and II

Sometimes many of the stylings will overlap.

At least one of the styling rules must be present if there are multiple matches on a node.
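
The Default State colour rules and the regex search described above, as an added JavaScript example that is not the product's own code: it applies the page's rules literally, reading "first 8 bytes" as the first octet (an assumption), and keeps the IANA multicast block 224.0.0.0/4 alongside for comparison. Function names, style labels and sample addresses are constructed for illustration.

```javascript
// Added example: the page's colour rules and regex search, read literally.
// Function names and sample addresses are constructed for illustration.

// Split a dotted quad into four integers; null if it is not valid IPv4.
function parseIPv4(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

// Page rule: multicast if the first octet is between 233 and 239 exclusive,
// i.e. 234..238 (assumption: "first 8 bytes" means the first octet).
function isPageMulticast(octets) {
  return octets[0] > 233 && octets[0] < 239;
}

// Page rule: broadcast if any segment is 255.
function isPageBroadcast(octets) {
  return octets.includes(255);
}

// IANA's IPv4 multicast block is 224.0.0.0/4 (first octet 224..239), wider
// than the page's rule; kept separate so the two can be compared.
function isIanaMulticast(octets) {
  return octets[0] >= 224 && octets[0] <= 239;
}

// The search input is a regex tested unanchored against the IP label, so
// "10.5" also hits "210.5.1.1". An invalid pattern matches nothing.
function searchMatches(pattern, ip) {
  try {
    return new RegExp(pattern).test(ip);
  } catch (e) {
    return false;
  }
}

// Every style that applies to a node; several can overlap on one node.
function nodeStyles(ip, pattern) {
  const octets = parseIPv4(ip);
  if (octets === null) return [];
  const styles = [];
  if (isPageMulticast(octets)) styles.push("multicast-blue");
  if (isPageBroadcast(octets)) styles.push("broadcast-orange");
  if (pattern && searchMatches(pattern, ip)) styles.push("search-rectangle");
  return styles;
}
```

Under the page's rule 224.0.0.251 is not styled as multicast although it lies in 224.0.0.0/4, and 10.255.0.1 is styled as broadcast because one segment is 255. Anchoring and escaping the search input (`^10\.5`) limits the highlight to addresses that start with 10.5.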