A real-time network packet capture and threat detection tool built with Python and Scapy. Detects port scanning, ARP spoofing, DNS tunneling indicators, and large data transfers — with automated HTML report generation and CSV alert logging for SIEM integration.
Network traffic analysis is a core SOC analyst skill. This tool reproduces, in simplified form, the kind of detection logic used by enterprise IDS/IPS systems, flagging suspicious patterns that would trigger alerts in a real security operations environment. Built to deepen understanding of how network-layer detections work beneath tools like Snort, Zeek, and Suricata.
| Module | What It Detects | Why It Matters in a SOC |
|---|---|---|
| Port Scan Detection | SYN-based scans — ≥10 unique destination ports from one source within 5 seconds | Reconnaissance activity — attacker mapping the network before exploitation |
| ARP Spoof Detection | ARP replies claiming a known IP with a new MAC address | Man-in-the-middle attack — credential interception and session hijacking risk |
| Suspicious DNS Monitoring | Blocklisted domains, high-risk TLDs, hostnames >50 chars, DNS flood (>20 queries/5s) | DNS tunneling is a common C2 and exfiltration channel that bypasses HTTP controls |
| Large Data Transfer Alerts | Cumulative outbound traffic >1 MB per source in a 30-second window | Insider threat or malware actively exfiltrating data |
Output formats:
- Live terminal alerts with color-coded severity
- Automated HTML report with threat summary, alert log, and visual chart
- CSV alert log for SIEM ingestion or further analysis
Tracks SYN packets (TCP flags == 0x02, i.e. SYN set and ACK clear, so server SYN-ACK replies are not counted) per source IP. Alert threshold: ≥10 unique destination ports within 5 seconds.
Threshold rationale: Normal host behavior rarely generates SYN packets to 10+ distinct ports in a 5-second window. This threshold is intentionally conservative to reduce false positives from legitimate service discovery while catching active Nmap-style scans.
Builds a trusted IP→MAC table from the first ARP reply seen for each IP. Any later ARP reply claiming that IP with a different MAC triggers an ARP_SPOOF alert.
Detection rationale: Legitimate IP-to-MAC mappings rarely change during a capture. A new MAC claiming an existing IP is a strong indicator of ARP cache poisoning, the first step in most LAN-based MITM attacks. Two caveats follow from the trust-on-first-use design: an attacker who is already spoofing when the capture starts is learned as the trusted mapping, and a legitimate change (a DHCP lease moving to another host, a replaced NIC) also alerts and should be confirmed against the DHCP server or the switch MAC table before escalation.
Checks DNS queries against:
- Blocklist of known malicious domains
- High-risk TLDs (`.tk`, `.ml`, `.onion`, `.xyz`)
- Hostname length threshold >50 characters (indicative of DNS tunneling, where data is encoded in subdomain labels)
- Query rate threshold >20 queries/5s per source IP (DNS flood or tunneling tool behavior)
Accumulates outbound packet sizes per source IP over a 30-second rolling window. A host exceeding 1 MB outbound in that window triggers a LARGE_TRANSFER alert.
Threshold rationale: 1 MB in 30 seconds is a conservative baseline for flagging anomalous exfiltration. In a tuned production environment this threshold would be adjusted against established per-host baselines, and the counted traffic scoped to flows leaving the local address range so that internal backups and file-server traffic do not trip it.
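The four detectors described above, re-implemented here as an added stand-alone example (this is not the project's own code from `detections/`). Packets are plain dicts carrying only the fields the tool would read from Scapy's TCP, ARP and DNSQR layers, so it runs without Scapy or root. The thresholds are the documented ones; `LOCAL_NET`, the blocklist entry and the packet trace are constructed assumptions, and `LOCAL_NET` exists because a byte count can only be "outbound" relative to a known local range. Alerts are deduplicated per (type, source) so a scan produces one alert rather than one per port.

```python
import ipaddress
from collections import defaultdict, deque

# Thresholds as documented above. LOCAL_NET is an assumption of this example:
# "outbound" only has a meaning relative to a known local address range.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
PORT_SCAN_PORTS, PORT_SCAN_WINDOW = 10, 5.0
DNS_FLOOD_QUERIES, DNS_WINDOW, DNS_MAX_HOSTNAME = 20, 5.0, 50
TRANSFER_BYTES, TRANSFER_WINDOW = 1_000_000, 30.0
RISKY_TLDS = {"tk", "ml", "onion", "xyz"}
DNS_BLOCKLIST = {"malware-c2.example"}          # constructed placeholder entry


class RollingWindow:
    """Per-key deque of (timestamp, value) pruned to the last `seconds`.
    Packets must arrive in timestamp order, as a live capture delivers them."""

    def __init__(self, seconds):
        self.seconds = seconds
        self.events = defaultdict(deque)

    def add(self, key, ts, value):
        q = self.events[key]
        q.append((ts, value))
        while ts - q[0][0] > self.seconds:
            q.popleft()
        return [v for _, v in q]


class Detector:
    def __init__(self):
        self.syn = RollingWindow(PORT_SCAN_WINDOW)
        self.dns = RollingWindow(DNS_WINDOW)
        self.volume = RollingWindow(TRANSFER_WINDOW)
        self.arp_table = {}        # ip -> mac, trust-on-first-use
        self.alerts = []
        self._fired = set()

    def _alert(self, kind, src, detail):
        # One alert per (kind, source): a 1000-port scan is one alert, not 991.
        if (kind, src) not in self._fired:
            self._fired.add((kind, src))
            self.alerts.append((kind, src, detail))

    def process(self, pkt):
        ts = pkt["ts"]
        if pkt["proto"] == "arp":
            if pkt["op"] == 2:                               # is-at reply
                known = self.arp_table.setdefault(pkt["ip"], pkt["mac"])
                if known != pkt["mac"]:
                    self._alert("ARP_SPOOF", pkt["mac"],
                                f"{pkt['ip']} moved from {known} to {pkt['mac']}")
            return
        src, dst = pkt["src"], pkt["dst"]
        if pkt["proto"] == "tcp" and pkt["flags"] == 0x02:  # SYN set, ACK clear
            ports = set(self.syn.add(src, ts, pkt["dport"]))
            if len(ports) >= PORT_SCAN_PORTS:
                self._alert("PORT_SCAN", src,
                            f"{len(ports)} unique ports in {PORT_SCAN_WINDOW:.0f}s")
        elif pkt["proto"] == "dns":
            self._check_dns(src, ts, pkt["qname"])
        if (ipaddress.ip_address(src) in LOCAL_NET
                and ipaddress.ip_address(dst) not in LOCAL_NET):
            total = sum(self.volume.add(src, ts, pkt["size"]))
            if total > TRANSFER_BYTES:
                self._alert("LARGE_TRANSFER", src,
                            f"{total / 1e6:.2f} MB outbound in {TRANSFER_WINDOW:.0f}s")

    def _check_dns(self, src, ts, qname):
        name = qname.rstrip(".").lower()
        labels = name.split(".")
        # Match the blocklist on the full name and on every parent domain of it.
        if any(".".join(labels[i:]) in DNS_BLOCKLIST for i in range(len(labels))):
            self._alert("SUSPICIOUS_DNS", src, f"blocklisted domain {name}")
        if labels[-1] in RISKY_TLDS:
            self._alert("SUSPICIOUS_DNS", src, f"high-risk TLD .{labels[-1]} ({name})")
        if len(name) > DNS_MAX_HOSTNAME:
            self._alert("SUSPICIOUS_DNS", src,
                        f"Long hostname ({len(name)} chars) - possible tunneling")
        if len(self.dns.add(src, ts, 1)) > DNS_FLOOD_QUERIES:
            self._alert("SUSPICIOUS_DNS", src,
                        f"more than {DNS_FLOOD_QUERIES} queries in {DNS_WINDOW:.0f}s")


def sample_trace():
    """Constructed packets, not a real capture: a 14-port SYN scan, a gateway
    MAC change, a 60-char DNS name, a 25-query DNS burst and a 1.26 MB upload."""
    pkts = [{"proto": "tcp", "ts": 0.1 * i, "src": "192.168.1.105", "dst": "192.168.1.1",
             "dport": 20 + i, "flags": 0x02, "size": 60} for i in range(14)]
    pkts.append({"proto": "arp", "ts": 2.0, "op": 2, "ip": "192.168.1.1", "mac": "00:11:22:33:44:55"})
    pkts.append({"proto": "arp", "ts": 3.0, "op": 2, "ip": "192.168.1.1", "mac": "aa:bb:cc:dd:ee:ff"})
    pkts.append({"proto": "dns", "ts": 4.0, "src": "192.168.1.200", "dst": "192.168.1.1",
                 "qname": "x" * 48 + ".example.com", "size": 120})
    pkts += [{"proto": "dns", "ts": 5.0 + 0.1 * i, "src": "192.168.1.50", "dst": "192.168.1.1",
              "qname": f"h{i}.example.com", "size": 80} for i in range(25)]
    pkts += [{"proto": "tcp", "ts": 10.0 + 0.01 * i, "src": "192.168.1.105", "dst": "10.0.0.5",
              "dport": 443, "flags": 0x18, "size": 1400} for i in range(900)]  # 900 x 1400 B
    return pkts


def run(pkts):
    det = Detector()
    for pkt in sorted(pkts, key=lambda p: p["ts"]):
        det.process(pkt)
    return det.alerts


if __name__ == "__main__":
    for kind, src, detail in run(sample_trace()):
        print(f"[{kind}] {src} | {detail}")
```

Note that the window prune in `RollingWindow.add` is what makes the thresholds rate-based: ten SYNs spaced one second apart never hold more than six ports in a 5-second window and stay silent, while the same ten inside a second fire on the tenth packet.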
| Technique | ID | Detection Module |
|---|---|---|
| Network Service Discovery | T1046 | Port Scan Detection |
| ARP Cache Poisoning | T1557.002 | ARP Spoof Detection |
| Application Layer Protocol: DNS | T1071.004 | Suspicious DNS Monitoring |
| Exfiltration Over C2 Channel | T1041 | Large Data Transfer Alerts |
| Protocol Tunneling | T1572 | DNS hostname length detection |
Typical Tier 1 network monitoring scenario:
- Analyst monitors network traffic via SIEM or packet capture
- SYN packets to many distinct ports from a single source detected → port scan alert raised
- Analyst investigates source IP → cross-references with asset inventory
- ARP table inconsistency flagged → possible MITM attack on same subnet
- DNS queries reviewed → long hostname flagged as potential tunneling
- Large outbound transfer detected → exfiltration investigation opened
- All alerts exported to CSV → ingested into SIEM for correlation with endpoint logs
- HTML report generated → attached to incident ticket as evidence
```text
[*] Network Traffic Analyzer started on interface [eth0]
[*] Capture duration: 60s | Log: logs/alerts.csv
[PORT_SCAN] 192.168.1.105 -> 192.168.1.1 | 14 unique ports in 5s
[ARP_SPOOF] aa:bb:cc:dd:ee:ff -> 192.168.1.1 | IP changed MAC — possible MITM
[SUSPICIOUS_DNS] 192.168.1.200 -> DNS | Long hostname (62 chars) — possible tunneling
[LARGE_TRANSFER] 192.168.1.105 -> 10.0.0.5 | 1.24 MB outbound in 30s
============================================================
CAPTURE SUMMARY
============================================================
Duration : 60s
Packets : 4,821
Total Alerts : 4
Port Scans : 1
ARP Spoof : 1
Suspicious DNS : 1
Large Transfer : 1
Alert Log : logs/alerts.csv
============================================================
```
```bash
git clone https://github.com/Lovedipsingh/network-traffic-analyzer.git
cd network-traffic-analyzer
pip install -r requirements.txt
```
Packet capture requires root/administrator privileges.
```bash
# Capture on default interface for 60 seconds
sudo python3 analyzer.py
# Specify interface and duration
sudo python3 analyzer.py -i eth0 -d 120
# Skip HTML report generation
sudo python3 analyzer.py --no-report
```
| Flag | Description | Default |
|---|---|---|
| `-i, --interface` | Network interface to capture on | Auto-detect |
| `-d, --duration` | Capture duration in seconds | 60 |
| `--no-report` | Skip HTML report generation | False |
```text
network-traffic-analyzer/
├── analyzer.py            # Main capture + orchestration engine
├── detections/
│   ├── port_scan.py       # SYN-based port scan detection
│   ├── arp_spoof.py       # ARP cache poisoning detection
│   ├── dns_monitor.py     # DNS anomaly detection
│   └── data_transfer.py   # Exfiltration volume monitoring
├── report/
│   ├── report_gen.py      # HTML report generator
│   └── output/            # Generated reports saved here
├── logs/
│   └── alerts.csv         # CSV alert log (auto-generated)
├── requirements.txt
└── README.md
```
- Packet capture — Python 3.10+, Scapy
- Detection engine — Custom SYN analysis, ARP table tracking, DNS pattern matching, rolling window volume tracking
- Reporting — HTML report generator, CSV alert logging
- Dependencies — Scapy only; standard library for everything else
MIT License — free to use and modify.
Built by Lovedip Singh — SOC analyst portfolio project.
LinkedIn | GitHub