DAVIX Visualization Workshop


Jan P. Monsch [email protected]

About
- Jan P. Monsch
  - Currently Senior Security Analyst
  - Technical Reviewer @ Pearson Education
  - DAVIX Project Initiator & Lead Engineer
  - On program committee for the International Workshop on Visualization for Cyber Security
- Just finished post-grad school. Hurray!
  - M.Sc. in Security and Forensic Computing @ Dublin City University

Workshop Preparation
- Recommended setup
  - VMware Player 6.5 or VMware Fusion
  - Get DAVIX VMware image
    - Requires 4 GB of disk and 1 GB of RAM
    - USB stick, DVD
      - On some media the image is zipped
      - Directly unzip from the DVD
  - Boot, login (root:toor), run X (xconf; startx)

Agenda
- Security Visualization
- Introduction DAVIX
- Walk-Through DAVIX
- Hands-on Lab
- Visualization Contest

Prizes
- 1st prize
  - 1x Applied Security Visualization book
  - 1x Security Metrics book
- 2nd prize
  - 1x Applied Security Visualization book

Contest Task
- Analyze the attack(s) in the Jubrowska capture and spty database
- Use any visualization technique you like to document the particular attacks
  - Not limited to DAVIX
- Document the case (text, images, video, …)
  - Tell a story in your submission
  - Make it an interesting read / view

Agenda: Security Visualization

Information vs. Scientific Visualization [1]
- Information visualization: visualize large collections of abstract data
- Scientific visualization: representation of data with geometric structure

Visualization
- Ben Shneiderman: "The purpose of viz is insight, not pictures." [2]

Security Visualization Resources
- Security visualization is quite a new field [3, 4, 5]
  - Applied part of information visualization
- Security Visualization Community
  - www.secviz.org
  - www.vizsec.org

Visualization
- Analyzing floods of data in tabular or textual form is tedious
  - Humans must sequentially scan such data [6, 7]

Visualization [6, 7]
- Visualization exploits the human's visual perceptive capabilities and parallel processing
  - Size
  - Shape
  - Distance
  - Color
- Easy to spot: patterns, irregularities

Data Types [7]
- Ordinal: has a sequence, e.g. day of week
- Nominal: has no sequence, e.g. types of fishes
- Quantitative: can be measured, e.g. length, time, weight, temperature, speed, …

Visualization Effectiveness [7]
- Each data type has its most effective way of visualization

Information Seeking Mantra [8]
- Ben Shneiderman's information seeking mantra: "Overview, Zoom and Filter – Details on Demand. Overview, Zoom and Filter – Details on Demand. Overview, Zoom and Filter – Details on Demand…"

[Figure: Information Visualization Process [4], with the steps Overview, Zoom and Filter, Details on Demand]

Agenda: Introduction DAVIX

Initial Situation
- Many free visualization tools
- But installation is often cumbersome
  - Compiler version and library issues
  - Code difficult to build or broken
  - Diverse runtime environments: Java, Perl, Ruby, Python, Windows applications
- Huge hurdle for people to get started with security visualization

Mission Statement
- DAVIX shall
  - provide the audience with a workable and integrated tool set,
  - enable them to immediately start with security visualization and
  - motivate them to contribute to the security visualization community.

Inside the DAVIX Live CD
- Live Linux CD system based on SLAX 6 [3]
  - Software packages are modularized
  - Easily customizable
  - Runs from CD/DVD, USB stick or hard drive
- Collection of free tools for processing & visualization
  - Tools work out of the box
  - No compilation or installation of tools required
- Comes with documentation [9]
  - Quick start description for the most important tools
  - Links to manuals and tutorials

DAVIX 1.0.1 Tools
- Capture
  - Network tools: Argus, Snort, Wireshark
  - Logging: syslog-ng
  - Fetching data: wget, ftp, scp
- Processing
  - Shell tools: awk, grep, sed
  - Visualization preprocessing: AfterGlow, LGL
  - Extraction: Chaosreader
  - Data enrichment: geoiplookup, whois, gwhois
- Visualization
  - Network traffic: EtherApe, InetVis, tnv
  - Generic: AfterGlow, Cytoscape, Graphviz, LGL Viewer, Mondrian, R Project, Treemap

Interface Issue
- Each visualization tool has its own file format interfaces
- Data must be converted to match the import interfaces
- These adapters are mostly self-written snippets of code

[Figure: PCAP data converted through adapters (marked "?") into CSV, TM3 and other formats feeding Viz Tool 1, Viz Tool 2, Viz Tool 3 and Viz Tool 4]

Agenda: Walk-Through DAVIX

User Interface
- Menu organized around the Info Viz Process
  - Capture
  - Process
  - Visualize
- Tools often cover more than one category
  - AfterGlow -> Process, Visualize
- Additional tools/services
  - Apache, MySQL, NTP

PDF User Manual [9]
- Content
  - Quick start guide
  - Network setup information
  - Tool usage examples
  - Links to online resources
  - Customizing DAVIX

User Manual in the Menu
- The manual is browsable by chapter …
- … or by individual tool chapters

Agenda: Hands-on Lab

Overview
- Lab built around the Info Viz Process
- DAVIX tools
  - Processing: Wireshark / tshark [10], awk [11], sed, uniq, p0f [12], Snort [13]
  - Visualization: AfterGlow [14], Graphviz [15], Treemap [16], Cytoscape [17], R Project [18], GGobi [19]

[Figure: lab process cycle with the steps Problem Definition, Overview, Filter, Visualize, Details on Demand]

Problem Definition
- Type of traffic?
- Network topology?
  - Gateway?
  - Team server?
  - Other team systems?
- Activities?
  - Communication pattern?
  - Attacks?

Type of Traffic

Overview: Background
- CTF DEFCON 12
- PCAP file
  - 6 teams
  - 1 server per team with vulnerable services
  - Many team member systems
- Symmetrical setup for all teams.

Overview: Wireshark
- Basic statistics
  - 54 MB PCAP file
  - Date 31.07.2004
  - 41 min of traffic
  - 100'000 packets

Overview: Wireshark
- Packets per protocol
  - Mostly IP
  - Mostly TCP
  - Some UDP
- Traffic volume
  - Mostly TCP

Overview: Wireshark
- TCP
  - Mostly HTTP
  - Some DCE RPC -> Windows

Overview: Wireshark
- Traffic shape
  - Constant at the beginning
  - Massive increase towards the end.
- Display filter: tcp.port==80

Network Topology

Visualize: AfterGlow / Graphviz
[Figure: IP-to-MAC graph, annotated "Possible Gateways" and "Not a Gateway"]

001_network_topology_gateway.sh

Zoom & Filter: tshark
- CSV of source/destination IP to source/destination MAC addresses

    0.0.0.0,00:00:86:5b:e9:6a
    0.0.0.0,00:04:5a:a2:d4:08
    192.168.1.2,00:c0:95:e0:0e:af
    192.168.3.2,00:c0:95:e0:0e:af
    192.168.4.1,00:c0:95:e0:0e:af
    192.168.4.152,00:09:6b:53:8a:81
    192.168.4.153,00:c0:95:e0:0e:af
    ...

001_network_topology_gateway.sh

Zoom & Filter: tshark
- Extract IP addresses and their MAC addresses (sources first, then destinations appended to the same file)

    tshark -r davix_workshop_captures.pcap -e ip.src -e eth.src -T fields -E separator=, -R ip > d_ip_mac.csv
    tshark -r davix_workshop_captures.pcap -e ip.dst -e eth.dst -T fields -E separator=, -R ip >> d_ip_mac.csv
    cat d_ip_mac.csv | sort | uniq > d_ip_mac_distinct.csv

001_network_topology_gateway.sh

Visualize: AfterGlow / Graphviz
- Visualize CSV file using AfterGlow (-t: two-column input, source and target only)

    cat d_ip_mac_distinct.csv | afterglow.pl -t > v_ip_mac.dot
    neato -T png -o v_ip_mac.png v_ip_mac.dot

- View resulting image

    gqview

001_network_topology_gateway.sh

Visualize: AfterGlow / Graphviz
[Figure: resulting IP-to-MAC graph; MACs shared by many IPs are annotated "Possible Gateways", a MAC seen with a single host "Not a Gateway"]

002_network_topology_operating_system.sh

Overview: p0f
- Results (annotation on the slide: other teams come through NAT)

    192.168.4.1,FreeBSD 4.7-5.2 (or MacOS X 10.2-10.4)
    192.168.4.1,FreeBSD 4.8-5.1 (or MacOS X 10.2-10.3)
    192.168.4.1,Linux 2.4-2.6
    192.168.4.1,OpenBSD 3.0-3.9
    192.168.4.1,Windows 2000 SP4, XP SP1+
    192.168.4.1,Windows XP SP1+, 2000 SP3
    192.168.4.152,Linux 2.4-2.6
    192.168.4.153,Linux 2.4-2.6
    192.168.4.154,Linux 2.4-2.6
    192.168.4.157,Linux 2.4-2.6
    192.168.4.159,Linux 2.4-2.6
    192.168.4.160,Linux 2.4-2.6
    192.168.4.45,Linux 2.4-2.6

Overview: p0f
- Identify involved operating systems

    p0f -f /etc/p0f/p0f.fp -s davix_workshop_captures.pcap -N | sed "s/ (up.*$//" | sed "s/:[0-9]* - /,/" | sort | uniq > d_ip_ostype.csv
    cat d_ip_ostype.csv

- However, be aware that not every host's OS can be detected.

Exercise
- Visualize the OS detection results with AfterGlow and neato

Visualize: Visio ;-)
[Figure: topology of the opponents: 192.168.1.2, 192.168.3.2, 192.168.5.2, 192.168.6.2, 192.168.7.2 (MAC 00:C0:95:E0:0E:AF); CISCO (00:0B:5F:69:B2:01); 192.168.4.1 (NAT IP); 192.168.4.153 Linux (00:E0:98:08:F7:E2)]

Visualize: Visio ;-)
[Figure: our team: CISCO (00:0B:5F:69:B2:01), 00:E0:98:08:F7:E2; hosts 192.168.4.2 (WIN), 192.168.4.3 (WIN), 192.168.4.33 (Linux), 192.168.4.35 (?Unix?), 192.168.4.36, 192.168.4.45 (Linux), 192.168.4.152 (Linux), 192.168.4.154 (Linux), 192.168.4.157 (Linux), 192.168.4.159 (Linux), 192.168.4.160 (Linux)]

Activities
Linked Graphs: AfterGlow / Graphviz

003_activity_connections.sh

Visualize: AfterGlow / Graphviz
- IP communication between hosts.
- Legend
  - Our team
  - Other teams
  - NAT IP
  - Neutral

003_activity_connections.sh

Zoom & Filter: tshark
- Extract source & destination IP addresses

    tshark -r davix_workshop_captures.pcap -e ip.src -e ip.dst -T fields -E separator=, -R ip > d_ipsrc_ipdst.csv

- Remove duplicate lines

    cat d_ipsrc_ipdst.csv | sort -u > d_ipsrc_ipdst_distinct.csv

003_activity_connections.sh

Visualize: AfterGlow / Graphviz
- Visualize CSV file using AfterGlow

    cat d_ipsrc_ipdst.csv | afterglow.pl -c color1.properties -t > v_ipsrc_ipdst.dot
    neato -T png -o v_ipsrc_ipdst.png v_ipsrc_ipdst.dot

- View resulting image

    gqview

003_activity_connections.sh

Visualize: AfterGlow / Graphviz
- AfterGlow p_ipsrc_ipdst.properties (one rule per line; the first matching rule wins, the unconditional last line is the default)

    color.source="khaki1" if ($fields[0]=~/^192\.168\.4\.1$/);
    color.source="palegreen" if ($fields[0]=~/^192\.168\.4\..*/);
    color.source="lightblue" if ($fields[0]=~/^0\.0\.0\.0$/);
    color.source="lightblue" if ($fields[0]=~/^255\.255\.255\.255$/);
    color.source="lightblue" if ($fields[0]=~/^198\.123\.30\.132$/);
    color.source="lightsalmon"

    color.target="khaki1" if ($fields[1]=~/^192\.168\.4\.1$/);
    color.target="palegreen" if ($fields[1]=~/^192\.168\.4\..*/);
    color.target="lightblue" if ($fields[1]=~/^0\.0\.0\.0$/);
    color.target="lightblue" if ($fields[1]=~/^255\.255\.255\.255$/);
    color.target="lightblue" if ($fields[1]=~/^198\.123\.30\.132$/);
    color.target="lightsalmon"

003_activity_connections.sh

Visualize: AfterGlow / Graphviz
[Figure: IP communication between hosts, colored per the legend: our team, other teams, NAT IP, neutral]

003_activity_connections.sh

Visualize: AfterGlow / Graphviz
- Zoom image: 192.168.4.0/24 attacking other teams

004_activity_connections_cluster.sh

Visualize: AfterGlow / Graphviz
- Clustering nodes to unclutter the graph

004_activity_connections_cluster.sh

Visualize: AfterGlow / Graphviz
- AfterGlow p_ipsrc_ipdst_cluster.properties
- Tweak the palegreen pattern (prefix match ^192\.168\.4 instead of ^192\.168\.4\..*) so it also matches the cluster names

    color.source="khaki1" if ($fields[0]=~/^192\.168\.4\.1$/);
    color.source="palegreen" if ($fields[0]=~/^192\.168\.4/);
    color.source="lightblue" if ($fields[0]=~/^0\.0\.0\.0$/);
    color.source="lightblue" if ($fields[0]=~/^255\.255\.255\.255$/);
    color.source="lightblue" if ($fields[0]=~/^198\.123\.30\.132$/);
    color.source="lightsalmon"

    color.target="khaki1" if ($fields[1]=~/^192\.168\.4\.1$/);
    color.target="palegreen" if ($fields[1]=~/^192\.168\.4/);
    color.target="lightblue" if ($fields[1]=~/^0\.0\.0\.0$/);
    color.target="lightblue" if ($fields[1]=~/^255\.255\.255\.255$/);
    color.target="lightblue" if ($fields[1]=~/^198\.123\.30\.132$/);
    color.target="lightsalmon"

- Add the cluster instruction (team hosts collapse into their /24; 192.168.4.1 is kept as its own node)

    cluster.source=regex_replace("(\\d\+\\.\\d\+\\.\\d\+)")."/24" if ( match("^(192\.168\.4\.|xxxx)") && !(field() =~ /^192\.168\.4\.1$/) );
    cluster.target=regex_replace("(\\d\+\\.\\d\+\\.\\d\+)")."/24" if ( match("^(192\.168\.4\.|xxxx)") && !(field() =~ /^192\.168\.4\.1$/) );

005_activity_connections_volume.sh

Visualize: AfterGlow / Graphviz
- But who is the most active IP?
- Size of nodes dependent on packet volume to represent activity.

005_activity_connections_volume.sh

Visualize: AfterGlow / Graphviz
- AfterGlow p_ipsrc_ipdst_volume.properties

    color.source="khaki1" if ($fields[0]=~/^192\.168\.4\.1$/);
    color.source="palegreen" if ($fields[0]=~/^192\.168\.4\..*/);
    color.source="lightblue" if ($fields[0]=~/^0\.0\.0\.0$/);
    color.source="lightblue" if ($fields[0]=~/^255\.255\.255\.255$/);
    color.source="lightblue" if ($fields[0]=~/^198\.123\.30\.132$/);
    color.source="lightsalmon"
    size.source=$sourceCount{$sourceName};
    maxnodesize=1;

    color.target="khaki1" if ($fields[1]=~/^192\.168\.4\.1$/);
    color.target="palegreen" if ($fields[1]=~/^192\.168\.4\..*/);
    color.target="lightblue" if ($fields[1]=~/^0\.0\.0\.0$/);
    color.target="lightblue" if ($fields[1]=~/^255\.255\.255\.255$/);
    color.target="lightblue" if ($fields[1]=~/^198\.123\.30\.132$/);
    color.target="lightsalmon"
    size.target=$targetCount{$targetName};

005_activity_connections_volume.sh

Visualize: AfterGlow / Graphviz
- Visualize CSV file using AfterGlow

    cat d_ipsrc_ipdst.csv | afterglow.pl -t -c p_ipsrc_ipdst_volume.properties > v_ipsrc_ipdst_volume.dot
    neato -T png -o v_ipsrc_ipdst_volume.png v_ipsrc_ipdst_volume.dot

- View resulting image

    gqview

004_activity_connections_volume.sh

Visualize: AfterGlow / Graphviz
- Most active talker is 192.168.4.160

007_activity_dnsquery.sh

Visualize: AfterGlow / Graphviz
- Which domain names are resolved?
- AfterGlow allows a chain of 3 nodes to be visualized
  - Source
  - Event
  - Target
- Call afterglow.pl without -t for a 3-column visualization

007_activity_dnsquery.sh

Visualize: AfterGlow / Graphviz
- AfterGlow p_ipsrc_ipdst_dnsqryname.properties
- Node types: source, event, target
- Node shapes: box, ellipse, diamond, triangle, …

    color.source="khaki1" if ($fields[0]=~/^192\.168\.4\.1$/);
    color.source="palegreen" if ($fields[0]=~/^192\.168\.4\..*/);
    color.source="lightblue" if ($fields[0]=~/^0\.0\.0\.0$/);
    color.source="lightblue" if ($fields[0]=~/^255\.255\.255\.255$/);
    color.source="lightblue" if ($fields[0]=~/^198\.123\.30\.132$/);
    color.source="lightsalmon";
    shape.source="ellipse";

    color.event="khaki1" if ($fields[1]=~/^192\.168\.4\.1$/);
    color.event="palegreen" if ($fields[1]=~/^192\.168\.4\..*/);
    color.event="lightblue" if ($fields[1]=~/^0\.0\.0\.0$/);
    color.event="lightblue" if ($fields[1]=~/^255\.255\.255\.255$/);
    color.event="lightblue" if ($fields[1]=~/^198\.123\.30\.132$/);
    color.event="lightsalmon";
    shape.event="ellipse";

    color.target="lavender";
    shape.target="box";

Exercise
- Analyze TCP activity
  - ip.src -> ip.dst -> tcp.dstport
  - ip.src -> tcp.dstport -> ip.dst
- Analyze HTTP request activity
  - ip.src -> ip.dst -> http.request.method | http.request.uri
  - ip.src -> http.request.method | http.request.uri -> ip.dst
  - ip.dst -> tcp.dstport -> http.request.method | http.request.uri

006_activity_connections_tcp_ports.sh

Visualize: AfterGlow / Graphviz
- TCP activity
  - Prevent port confusion: keep only the initial SYN of each connection, so tcp.dstport is always the service port

    tshark … -R "tcp.flags.syn==1 and tcp.flags.ack==0"

008_activity_connections_http.sh

Visualize: AfterGlow / Graphviz
- HTTP activity: ip.dst -> tcp.dstport -> http.request.method | http.request.uri
- Assemble & trim request method and URI (awk positions are 1-based, so the URI is cut to its first 10 characters)

    awk -F, '{print $2 "," $3 "," $4 "_" substr($5,1,10)}'

Activities
Linked Graphs: Graphviz lneato / Cytoscape

Visualize: Graphviz lneato
- With lneato, graphs can be viewed and manipulated interactively.
- Birdseye view
- Command line

    lneato v_ipsrc_ipdst_tcpport_syn1_ack0.dot

Visualize: Graphviz lneato
- Important commands and shortcuts
  - Right click for menu
  - Birdseye view
  - u -> undo operation
  - select node + d -> delete node
  - l (lowercase L) -> layout modified graph
  - L -> load and layout original graph
  - z -> zoom out
  - Z -> zoom in

Visualize: Cytoscape
- Bioinformatics visualization tool
- Supports different layout algorithms
- Graph merging

Visualize: Cytoscape
- Important functions
  - File\Import\Network from (Text/MS Excel)…
  - Layout\yFiles\...
  - Layout\Cytoscape Layouts
  - VizMapper tab in the control panel: modify graph presentation

Activities
Treemap

009_activity_connections_treemap.sh

Visualize: Treemap
[Figure: treemap built from the TM3 file below]

009_activity_connections_treemap.sh

Visualize: Treemap
- TM3 formatted file (tab-separated: a header row with the column names, a second row with the column types, then the data)

    IP Src          IP Dest          Count
    STRING          STRING           INTEGER
    0.0.0.0         255.255.255.255  4
    192.168.1.2     192.168.4.160    2833
    192.168.3.2     192.168.4.153    2052
    192.168.3.2     192.168.4.160    2
    192.168.4.1     192.168.4.152    246
    192.168.4.1     192.168.4.153    115
    192.168.4.1     192.168.4.154    45
    192.168.4.1     192.168.4.157    15
    192.168.4.1     192.168.4.159    480
    192.168.4.1     192.168.4.160    174
    192.168.4.1     192.168.4.2      7022
    192.168.4.1     192.168.4.3      39
    192.168.4.152   192.168.4.1      273

009_activity_connections_treemap.sh

Zoom & Filter: tshark
- Extract source/destination IP & packet count (uniq -c prefixes each distinct pair with its count; awk moves the count to the last column)

    tshark -r davix_workshop_captures.pcap -e ip.src -e ip.dst -T fields -E separator=/t -R "ip" | sort | uniq -c | awk '{print $2 "," $3 "," $1}' > d_ipsrc_ipdst_pktcount.csv

009_activity_connections_treemap.sh

Visualize: Treemap
- Convert CSV to TM3 format

    cat d_ipsrc_ipdst_pktcount.csv | awk -F, 'BEGIN { print "IP Src\tIP Dest\tCount"; print "STRING\tSTRING\tINTEGER" } { print $1 "\t" $2 "\t" $3 }' > v_ipsrc_ipdst_pktcount.tm3

009_activity_connections_treemap.sh

Visualize: Treemap
- Open the TM3 file in Treemap
- In the Legend tab
  - Set Label to Count
  - Set Size to Count
  - Set Color to IP Dest
- In the Hierarchy tab
  - Add IP Src to Hierarchy
  - Add IP Dest to Hierarchy

009_activity_connections_treemap.sh

Visualize: Treemap

Exercise
- Analyze TCP activity with Treemap: ip.src, ip.dst, tcp.dstport, count per TCP port
- Interesting questions
  - Most called TCP port per source IP?
  - Most called TCP port per destination IP?

Attacks
Snort

011_activity_attacks.sh

Zoom & Filter: Snort
- Extract Snort alerts

    snort -c /etc/snort/snort.bleeding.conf -r davix_workshop_captures.pcap

- Convert Snort alerts to CSV file

    cat /var/log/snort/alert | snortalert2csv.pl "sip dip name" | sort -u > d_ipsrc_ipdst_attackname_distinct.csv

011_activity_attacks.sh

Zoom & Filter: Snort
- Snort CSV file

    192.168.4.1,192.168.4.2,(http_inspect) BARE BYTE UNICODE ENCODING
    192.168.4.1,192.168.4.2,BLEEDING-EDGE PHPNuke general SQL injection attempt
    192.168.4.1,192.168.4.2,BLEEDING-EDGE WEB-MISC Poison Null Byte
    192.168.4.1,192.168.4.3,(http_inspect) OVERSIZE CHUNK ENCODING
    192.168.4.1,192.168.4.3,BLEEDING-EDGE SCAN NMAP -sA (1)
    192.168.4.152,192.168.7.2,(http_inspect) OVERSIZE CHUNK ENCODING
    192.168.4.152,192.168.7.2,(http_inspect) WEBROOT DIRECTORY TRAVERSAL
    192.168.4.152,192.168.7.2,BLEEDING-EDGE PHPNuke general SQL injection attempt
    192.168.4.152,192.168.7.2,BLEEDING-EDGE SCAN NMAP -sA (1)
    192.168.4.152,192.168.7.2,BLEEDING-EDGE WEB-MISC Poison Null Byte
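snortalert2csv.pl is not shown on the slides; as an added example (not the DAVIX tool itself), the following Python reads Snort's "full" alert log layout, pairs each alert header with the packet line that follows it, and produces the same sip,dip,name rows de-duplicated the way sort -u does in the pipeline above. The alert excerpt is constructed (made-up rule ids and timestamps; addresses and signature names echo the CSV on the slide).

```python
import re

# Constructed excerpt in the layout Snort writes to /var/log/snort/alert:
# a "[**] [gid:sid:rev] msg [**]" header, optional classification line, then
# the "MM/DD-HH:MM:SS.usec src:port -> dst:port" packet line. Not a real log.
SAMPLE_ALERT_LOG = """\
[**] [1:2001207:5] BLEEDING-EDGE PHPNuke general SQL injection attempt [**]
[Classification: Web Application Attack] [Priority: 1]
07/31-14:02:11.120394 192.168.4.1:33211 -> 192.168.4.2:80
TCP TTL:64 TOS:0x0 ID:4711 IpLen:20 DgmLen:412 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x16D0  TcpLen: 32

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
07/31-14:02:12.000001 192.168.4.1:33212 -> 192.168.4.2:80
TCP TTL:64 TOS:0x0 ID:4712 IpLen:20 DgmLen:300 DF

[**] [1:2001207:5] BLEEDING-EDGE PHPNuke general SQL injection attempt [**]
[Classification: Web Application Attack] [Priority: 1]
07/31-14:05:40.555555 192.168.4.1:33300 -> 192.168.4.2:80
TCP TTL:64 TOS:0x0 ID:4800 IpLen:20 DgmLen:412 DF
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]\s*$")
# Ports are optional so ICMP alerts (no port) parse the same way.
PACKET = re.compile(
    r"^\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+ (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?\s*$")


def parse_alerts(text):
    """Yield (sip, dip, name) per alert: the header gives the signature name,
    the next packet line gives the addresses with the ports stripped."""
    name = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            name = m.group(4)
            continue
        m = PACKET.match(line)
        if m and name is not None:
            yield m.group(1), m.group(2), name
            name = None  # one packet line per alert block


def distinct_csv(text):
    """Equivalent of: snortalert2csv.pl "sip dip name" | sort -u."""
    rows = sorted(set(parse_alerts(text)))
    return "\n".join(",".join(r) for r in rows)


def alerts_per_pair(text):
    """Alert count per (sip, dip), the volume that sort -u throws away but
    that a node-size or treemap view of the attacks would want."""
    counts = {}
    for sip, dip, _name in parse_alerts(text):
        counts[(sip, dip)] = counts.get((sip, dip), 0) + 1
    return counts
```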

Activities
Statistics based Tools: R Project / GGobi

012_activity_tcpdstport_r.sh

Visualization: R
- R is an open source statistics suite
- Lots of features for statistical analysis and charting
- Example scatter plot: sequence of TCP SYN packets against TCP destination port

013_activity_multivariate_connections_ggobi.sh

Visualization: GGobi
- Visualization tool for multidimensional data analysis.
  - Linked views
  - Brushing
- Visualizations
  - Bar charts
  - Scatter plots
  - Parallel coordinates

013_activity_multivariate_connections_ggobi.sh

Visualization: GGobi
- Parallel coordinates: compact visualization of multiple variables

Agenda: Visualization Contest


Submission Details
- Submission conditions
  - Deadline: Friday, October 30 12:00 (noon) CET
  - Submit to: [email protected]
  - Single submission by multiple persons possible
  - Released under
    - Text, images, …: Creative Commons license BY-SA
    - Code: BSD, MIT or GPL license
- Winner announcement and prize handover
  - Friday, October 30 around 17:00 CET
- Legal recourse is excluded

Contest Kick Start
- The DAVIX VM contains a copy of the Jubrowska capture split up in 14 files
  - /root/jubrowska/jubrowska-capture_1_part*
- The most important fields were extracted with
  - /root/jubrowska/extract.sh
- Most extracts are compressed
  - Use zcat to read the d_*.csv files
- In case you require the original files: http://2009.hack.lu/index.php/InfoVisContest

Contest Kick Start
- Clever filtering and clustering is a must
  - Most visualization tools do not scale that well!
- Tools which might be interesting to use
  - Processing (part of DAVIX) [20], code_swarm [25]
  - SIMILE Timeline & Timeplot Widget [21, 22]
  - Google Maps [23]
  - Open Flash Chart [24]
- If you have tool related questions, please approach me at the conference venue.
- Good luck!

Q & A

Customized visualization workshops are available as in-house training!

Contact: [email protected]

References
1. Visualization (Computer Graphics). Wikipedia. http://en.wikipedia.org/wiki/Visualization_(computer_graphics)
2. Shneiderman B. Keynote VizSec. 2008.
3. Conti G. Security Data Visualization. No Starch Press, 2007.
4. Marty R. Applied Security Visualization. Pearson Education, 2008.
5. Jaquith A. Security Metrics. Pearson Education, 2007.
6. Few S. Now You See It: Simple Visualization Techniques for Quantitative Analysis. Analytics Press, 2009.
7. Mackinlay J.D., Winslow K. Designing Great Visualizations. Tableau Software, 2009.
8. Shneiderman B. The Eyes Have It: A Task by Data Type Taxonomy for Information Visualization. IEEE Visual Languages, pp. 336-343, 1996.
9. Monsch J. P., Marty R. DAVIX Manual 1.0.1. 2008. http://82.197.185.121/davix/release/davix-manual-1.0.1.pdf
10. Wireshark / tshark Manual. http://www.wireshark.org/docs/wsug_html/
11. awk Tutorial. http://www.grymoire.com/Unix/Awk.html
12. p0f. http://lcamtuf.coredump.cx/p0f.shtml
13. Snort Manual. http://www.snort.org/docs/snort_htmanuals/htmanual_282/
14. AfterGlow Manual. http://afterglow.sourceforge.net/manual.html
15. Graphviz Documentation. http://www.graphviz.org/Documentation.php
16. Treemap Manual. http://www.cs.umd.edu/hcil/treemap/doc4.1/toc.html
17. Cytoscape Online Tutorials. http://cytoscape.org/cgi-bin/moin.cgi/Presentations
18. The R Manuals. http://cran-r.project.org/manuals.html
19. GGobi Manual, 2006. http://www.ggobi.org/docs/manual.pdf
20. Processing. http://processing.org
21. SIMILE Timeline Widget. http://www.simile-widgets.org/timeline/
22. SIMILE Timeplot Widget. http://www.simile-widgets.org/timeplot/
23. Google Maps API. http://code.google.com/apis/maps/
24. Open Flash Chart. http://teethgrinder.co.uk/open-flash-chart/
25. code_swarm. http://code.google.com/p/codeswarm/
