Network Traffic

Visualize network traffic flow from source IPs to destination IPs to identify which IP addresses are communicating with each other and the volume of data being transferred. Useful for detecting data exfiltration, bandwidth consumption patterns, or identifying high-traffic communication pairs.

Visualization: the diagram visualizes data flowing from the src_ip field to the dst_ip field. Source IP addresses are displayed on the left and destination IP addresses on the right, with connecting lines (edges) drawn between them. Edge thickness represents the volume of data transferred between each IP pair. Hover over a line to show the volume and the percentage of total traffic for that edge:

[Figure: Sankey diagram showing a use case of Network Traffic]

Figure 229. Network Traffic

Sample input data:

  dst_ip      pkt_size  protocol  src_ip         timestamp
  10.0.0.50   1500      TCP       192.168.1.100  2025-08-11T00:01:23Z
  10.0.0.51   2000      UDP       192.168.1.100  2025-08-11T00:01:24Z
  10.0.0.50   1000      TCP       192.168.1.101  2025-08-11T00:01:25Z
  10.0.0.52   3000      TCP       192.168.1.102  2025-08-11T00:01:26Z
  10.0.0.50   1800      UDP       192.168.1.100  2025-08-11T00:01:27Z

Query:

  sankey(source=src_ip, target=dst_ip, weight=sum(pkt_size))

Query breakdown:

  1. The sankey() function takes source IP addresses as the starting nodes and destination IP addresses as the ending (target) nodes.

  2. The weight=sum(pkt_size) argument aggregates the total packet size for each source-destination pair. The summed packet size determines the edge thickness (thicker lines = more data transferred).
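The grouping that sankey() performs on the sample input above, written out as an added Python example (this is not LogScale code and not part of the original page): events are grouped by (src_ip, dst_ip), pkt_size is summed per pair, and each edge's share of total traffic and relative thickness are derived from those sums. The EVENTS list is constructed from the sample input table, and the top_talkers() threshold is an assumed review threshold, not a product setting.

```python
from collections import defaultdict

# Constructed sample events mirroring the page's sample input table
# (dst_ip, pkt_size, protocol, src_ip, timestamp). Not data from the product.
EVENTS = [
    {"dst_ip": "10.0.0.50", "pkt_size": 1500, "protocol": "TCP",
     "src_ip": "192.168.1.100", "timestamp": "2025-08-11T00:01:23Z"},
    {"dst_ip": "10.0.0.51", "pkt_size": 2000, "protocol": "UDP",
     "src_ip": "192.168.1.100", "timestamp": "2025-08-11T00:01:24Z"},
    {"dst_ip": "10.0.0.50", "pkt_size": 1000, "protocol": "TCP",
     "src_ip": "192.168.1.101", "timestamp": "2025-08-11T00:01:25Z"},
    {"dst_ip": "10.0.0.52", "pkt_size": 3000, "protocol": "TCP",
     "src_ip": "192.168.1.102", "timestamp": "2025-08-11T00:01:26Z"},
    {"dst_ip": "10.0.0.50", "pkt_size": 1800, "protocol": "UDP",
     "src_ip": "192.168.1.100", "timestamp": "2025-08-11T00:01:27Z"},
]


def sankey_edges(events, source="src_ip", target="dst_ip", weight_field="pkt_size"):
    """Group events by (source, target) and sum the weight field.

    This is the same grouping that
    sankey(source=src_ip, target=dst_ip, weight=sum(pkt_size)) performs:
    one edge per distinct source/target pair, weighted by total bytes.
    """
    totals = defaultdict(int)
    for ev in events:
        totals[(ev[source], ev[target])] += int(ev[weight_field])
    return dict(totals)


def edge_table(edges):
    """Return one row per edge, sorted by volume (largest first).

    percent   - the edge's share of all traffic in the result, as shown on hover.
    thickness - volume relative to the widest edge (1.0 = widest), which is
                what the drawn line width encodes.
    """
    if not edges:
        return []  # no events matched: nothing to draw
    grand_total = sum(edges.values())
    widest = max(edges.values())
    rows = []
    for (src, dst), vol in sorted(edges.items(), key=lambda kv: (-kv[1], kv[0])):
        rows.append({
            "source": src,
            "target": dst,
            "volume": vol,
            "percent": round(100 * vol / grand_total, 2),
            "thickness": round(vol / widest, 3),
        })
    return rows


def top_talkers(edges, threshold_bytes):
    """Edges whose summed volume meets or exceeds an assumed review threshold.

    These are the thick lines a reviewer would inspect first when checking
    for unexpected bulk transfers; the threshold is a hypothetical value.
    """
    hits = [(s, d, v) for (s, d), v in edges.items() if v >= threshold_bytes]
    return sorted(hits, key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    edges = sankey_edges(EVENTS)
    for row in edge_table(edges):
        print(f"{row['source']:>14} -> {row['target']:<10} "
              f"{row['volume']:>6} B  {row['percent']:>6.2f}%  width={row['thickness']}")
    print("review first:", top_talkers(edges, 3000))
```

With the five sample events the result has four edges; 192.168.1.100 -> 10.0.0.50 is the widest (1500 + 1800 = 3300 bytes, about 35% of the total), which matches the thickest line in the diagram.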

Configuration:

  1. From the Search page, type your query in the Query Editor → click Run

  2. Choose Sankey in the Widget selector

  3. Click the style icon: this opens the Format panel on the side, where some properties are already configured by default based on the query result.

  4. Modify the properties to obtain the look and feel in this example, such as:

  5. Set Stack sorting as label to show the series sorted by label name. Sorting them by size instead will create a diagram that looks like this:

    [Figure: Sankey diagram showing a use case of Network Traffic visualized by size]

    Figure 230. Network Traffic Visualization per Size


  6. Keep the labels inside the diagram by setting Label position as inside.

  7. In Series formatting, choose red as the color for series you particularly want to highlight.

You can further customize this widget by setting more properties, see Sankey Property Reference.