feat: Node type prediction for network diagram (DNS server, web server, client, etc.) #19

@NotYuSheng

Summary

Enhance the network diagram with automatic node type classification, so users can visually identify what role each IP plays — DNS server, web server, SSH server, client/workstation, router, etc.

Motivation

Currently nodes are only classified as client, server, both, or unknown based on a simple port < 1024 heuristic. This gives little actionable insight. With port-frequency analysis across all conversations, we can reliably predict the service type of each node.

Approach

All required data (srcPort, dstPort, protocol) is already available in the conversation API response — no backend changes needed.

During graph construction in networkService.ts, track a server-port frequency map per node (i.e. when a node appears as the destination, record which port it was receiving on). After processing all conversations, classify each node by its dominant inbound port+protocol against a well-known service lookup table.

Node types to detect

| Type | Signal |
| --- | --- |
| dns-server | Frequent inbound UDP/53 or TCP/53 |
| web-server | Frequent inbound TCP/80 or TCP/443 |
| ssh-server | Frequent inbound TCP/22 |
| ftp-server | Frequent inbound TCP/21 |
| mail-server | Frequent inbound TCP/25 or 587 |
| dhcp-server | Frequent inbound UDP/67 |
| ntp-server | Frequent inbound UDP/123 |
| database-server | Frequent inbound TCP/3306, 5432, 1433 |
| router | Client-only node with many distinct peers |
| client | Mostly initiates connections (high ephemeral ports) |
| workstation | Mixed protocols, no dominant server port |

Proposed changes

  • frontend/src/features/network/types/index.ts — add nodeType field to NodeData
  • frontend/src/features/network/services/networkService.ts — implement port-frequency classification alongside existing finalizeNodeRole
  • NodeDetails panel — display detected node type with supporting evidence
  • Node icon/badge in the graph view to reflect node type visually

Acceptance criteria

  • Each node has a nodeType derived from conversation data
  • Node details panel shows the detected type and what port/protocol drove the classification
  • Node icons or badges reflect the type in the diagram
  • Classification degrades gracefully to unknown when signals are ambiguous
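
A sketch of the port-frequency classification described under "Approach", added here as an illustration and not taken from the project's networkService.ts. The type names, `classifyNodes`, the `MIN_HITS`/`MIN_SHARE` thresholds and the "no inbound traffic means client" fallback are assumptions; the router and workstation rules are left out.

```typescript
// Added example; all names and thresholds are hypothetical, not the project's code.
type Conversation = { srcIp: string; dstIp: string; srcPort: number; dstPort: number; protocol: "TCP" | "UDP" };
type Classification = { nodeType: string; evidence: string | null };

// Lookup table transcribed from the issue's "Node types to detect" list.
const SERVICES: Record<string, string> = {
  "UDP/53": "dns-server", "TCP/53": "dns-server", "TCP/80": "web-server", "TCP/443": "web-server",
  "TCP/22": "ssh-server", "TCP/21": "ftp-server", "TCP/25": "mail-server", "TCP/587": "mail-server",
  "UDP/67": "dhcp-server", "UDP/123": "ntp-server",
  "TCP/3306": "database-server", "TCP/5432": "database-server", "TCP/1433": "database-server",
};
const MIN_HITS = 3;    // assumed: fewest inbound conversations that count as "frequent"
const MIN_SHARE = 0.6; // assumed: share of all inbound conversations the winning type needs

function classifyNodes(convs: Conversation[]): Record<string, Classification> {
  const inbound: Record<string, Record<string, number>> = {}; // ip -> "PROTO/port" -> count
  for (const c of convs) {
    inbound[c.srcIp] = inbound[c.srcIp] ?? {}; // initiators get an (empty) entry too
    const ports = (inbound[c.dstIp] = inbound[c.dstIp] ?? {});
    const key = `${c.protocol}/${c.dstPort}`;
    ports[key] = (ports[key] ?? 0) + 1;
  }
  const result: Record<string, Classification> = {};
  for (const ip of Object.keys(inbound)) {
    const ports = inbound[ip] ?? {};
    const hits: Record<string, number> = {};       // service type -> inbound conversations
    const evidence: Record<string, string[]> = {}; // service type -> ports that contributed
    let total = 0;
    for (const key of Object.keys(ports)) {
      const n = ports[key] ?? 0;
      total += n; // ports outside the table still count toward the denominator
      const type = SERVICES[key];
      if (!type) continue;
      hits[type] = (hits[type] ?? 0) + n;
      (evidence[type] = evidence[type] ?? []).push(`${key} x${n}`);
    }
    const [top, second] = Object.keys(hits).sort((a, b) => (hits[b] ?? 0) - (hits[a] ?? 0));
    const topHits = top ? (hits[top] ?? 0) : 0;
    const secondHits = second ? (hits[second] ?? 0) : 0;
    if (top && topHits > secondHits && topHits >= MIN_HITS && topHits / total >= MIN_SHARE) {
      result[ip] = { nodeType: top, evidence: (evidence[top] ?? []).join(", ") };
    } else {
      // Never a destination: treated as a client. Anything else is an ambiguous signal.
      result[ip] = { nodeType: total === 0 ? "client" : "unknown", evidence: null };
    }
  }
  return result;
}
```

A port match is only a hint about a node's role, which is why the contributing ports are returned next to the label for the details panel.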
