Network Traffic

Visualize network traffic flow from source IPs to destination IPs to identify which IP addresses are communicating with each other and the volume of data being transferred. Useful for detecting data exfiltration, bandwidth consumption patterns, or identifying high-traffic communication pairs.

Visualization: the diagram visualizes data flowing from the src_ip field to the dst_ip field. It displays source IP addresses on the left and destination IP addresses on the right, drawing connecting lines (edges) between them. Edge thickness represents the volume of data transferred between each IP pair. Hover over a line to display the data volume and percentage share of that edge:

[Screenshot: Sankey diagram widget showing network traffic flow from source IP addresses (left) to destination IP addresses (right), with colored bands sized by data transfer volume, and the Format Sankey panel open on the right with axes, colors, stack sorting, labels, and series formatting options.]

Figure 235. Network Traffic


Sample input data:

  dst_ip      pkt_size  protocol  src_ip         timestamp
  10.0.0.50   1500      TCP       192.168.1.100  2025-08-11T00:01:23Z
  10.0.0.51   2000      UDP       192.168.1.100  2025-08-11T00:01:24Z
  10.0.0.50   1000      TCP       192.168.1.101  2025-08-11T00:01:25Z
  10.0.0.52   3000      TCP       192.168.1.102  2025-08-11T00:01:26Z
  10.0.0.50   1800      UDP       192.168.1.100  2025-08-11T00:01:27Z

Query (LogScale):

  sankey(source=src_ip, target=dst_ip, weight=sum(pkt_size))

Query breakdown:

  1. The sankey() function takes the source IP addresses (src_ip) as the starting nodes and the destination IP addresses (dst_ip) as the ending (target) nodes.

  2. weight=sum(pkt_size) aggregates the total packet size for each source-destination pair. The sum of packet sizes determines the edge thickness (thicker lines = more data transferred).
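The aggregation that sankey() performs in this query, worked through on the page's sample rows as an added Python example (it is not LogScale code and not part of the original page). The CSV text, the function names load_events, sankey_edges, node_totals and top_talkers, and the 30% review threshold are assumptions made for the illustration; it also computes the per-edge percentage shown on hover and the node ordering that the Stack sorting option controls.

```python
import csv
import io
from collections import defaultdict

# Constructed sample input: the same five events as the page's sample table, as CSV.
SAMPLE_CSV = """dst_ip,pkt_size,protocol,src_ip,timestamp
10.0.0.50,1500,TCP,192.168.1.100,2025-08-11T00:01:23Z
10.0.0.51,2000,UDP,192.168.1.100,2025-08-11T00:01:24Z
10.0.0.50,1000,TCP,192.168.1.101,2025-08-11T00:01:25Z
10.0.0.52,3000,TCP,192.168.1.102,2025-08-11T00:01:26Z
10.0.0.50,1800,UDP,192.168.1.100,2025-08-11T00:01:27Z
"""


def load_events(text):
    """Parse CSV rows into dicts; pkt_size becomes an int so it can be summed."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["pkt_size"] = int(row["pkt_size"])
        events.append(row)
    return events


def sankey_edges(events, source="src_ip", target="dst_ip", weight="pkt_size"):
    """Equivalent of sankey(source=src_ip, target=dst_ip, weight=sum(pkt_size)):
    one edge per (source, target) pair whose weight is the summed pkt_size.
    Each edge also carries its percentage of all bytes, the value shown on hover."""
    totals = defaultdict(int)
    for ev in events:
        totals[(ev[source], ev[target])] += ev[weight]
    grand_total = sum(totals.values())
    edges = []
    # Thickest edges first; ties broken by label so the order is stable.
    for (src, dst), size in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])):
        edges.append({
            "source": src,
            "target": dst,
            "weight": size,
            "percent": round(100.0 * size / grand_total, 1),
        })
    return edges


def node_totals(edges, side, sort_by="label"):
    """Height of each node in one column of the diagram (side = "source" for the
    left column, "target" for the right), ordered the way the widget's
    Stack sorting option would: by label name, or by size (largest first)."""
    totals = defaultdict(int)
    for edge in edges:
        totals[edge[side]] += edge["weight"]
    if sort_by == "size":
        return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return sorted(totals.items())


def top_talkers(edges, threshold_percent):
    """Edges that carry at least threshold_percent of all transferred bytes:
    the high-volume pairs an analyst reviews first when looking for
    exfiltration or unexpected bandwidth consumption."""
    return [edge for edge in edges if edge["percent"] >= threshold_percent]


if __name__ == "__main__":
    edges = sankey_edges(load_events(SAMPLE_CSV))
    for edge in edges:
        print(f"{edge['source']} -> {edge['target']}: {edge['weight']} bytes ({edge['percent']}%)")
    print("left column by size:", node_totals(edges, "source", "size"))
    print("review first:", [(e["source"], e["target"]) for e in top_talkers(edges, 30)])
```

On the sample data this yields four edges; the pair 192.168.1.100 -> 10.0.0.50 combines two events into 3300 bytes (35.5% of the total), which is why it draws as the thickest band in the screenshot. The same computation applied to a real event stream is what makes a single unexpectedly thick edge stand out as a candidate exfiltration path.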

Configuration:

  1. From the Search page, type your query in the Query Editor → click Run

  2. Choose Sankey in the Widget selector

  3. Click the style icon; this opens the Format panel on the side, where some properties are already configured by default based on the query result.

  4. Modify the properties to obtain the look and feel in this example, such as:

     - Set Stack sorting to label to show the series sorted by label name. Sorting them by size instead produces a diagram that looks like this:

       [Screenshot: Sankey diagram widget showing the same network traffic flow from source IP addresses (left) to destination IP addresses (right), with band widths representing traffic volume, color-coded flows connecting specific IP pairs, and the Format Sankey panel open on the right with axes, colors, stack sorting, and labels options.]

       Figure 236. Network Traffic Visualization per Size

     - Keep the labels inside the diagram by setting Label position to inside.

     - In Series formatting, choose red as the color for the series you particularly want to highlight.

You can further customize this widget by setting more properties; see the Sankey Property Reference.