Checks for DNS tunneling, Netcat usage, ARP and IP/MAC spoofing, suspicious traffic (such as unusual internal traffic or SYN scans) and malicious queries, performs Nmap scans on suspicious IPs, and logs activities and results. It also performs targeted Nmap scans on suspicious IPs for deeper investigation and analysis and logs those activities.

irfanbroo/Netwarden

Network Traffic Monitoring and Threat Detection Tool

My first ambitious Python script; hope y'all have some use for this. "Keeping Your Network Safe, One Packet at a Time"


Table of Contents

  1. Overview
  2. Features
  3. System Architecture
  4. Installation
  5. How to Use
  6. Detailed Functionality
  7. Example Outputs
  8. Real-Life Applications
  9. Known Limitations
  10. Future Work
  11. FAQs
  12. Contributing
  13. License

1. Overview

The Network Traffic Monitoring and Threat Detection Tool is a Python-based application that provides real-time analysis of network traffic to identify potential security threats. It combines packet capture (pyshark) with network vulnerability scanning (nmap) to offer a robust and actionable security monitoring solution.

This tool is designed for:

  • System Administrators: To monitor network health and identify malicious activities.
  • Cybersecurity Analysts: To detect threats like ARP spoofing, DNS tunneling, and SYN scans.
  • Educators: As a practical demonstration of network security concepts.

2. Features

Core Capabilities

  • Real-Time Monitoring: Captures live network packets from the specified interface.
  • Threat Detection:
    • DNS tunneling (long queries or high request frequency).
    • ARP spoofing (conflicting IP/MAC mappings).
    • SYN scans (common reconnaissance technique).
    • Spoofed IP/MAC addresses.
    • Unusual internal traffic patterns.
  • Integrated Nmap Scanning: Automatically scans flagged IPs to identify open ports and vulnerabilities.
  • Comprehensive Logs: Saves all detected activities and Nmap results for auditing.

Customization

  • Modify detection thresholds (e.g., query lengths, ARP mappings).
  • Update the interface or packet count for specific use cases.

3. System Architecture

This tool operates in four main stages:

3.1 Packet Capture

  • Uses the pyshark library to capture packets from a specified interface.
  • Captures TCP, UDP, ARP, and DNS packets for analysis.

3.2 Threat Analysis

  • Applies heuristic rules to identify anomalies, such as:
    • Long DNS queries (>225 characters).
    • IP/MAC mismatches.
    • SYN flags without corresponding ACKs.

3.3 Nmap Integration

  • Suspicious source IPs are scanned using Nmap to uncover:
    • Open ports.
    • Services running on the host.
    • Potential vulnerabilities.

3.4 Logging and Reporting

  • Detailed logs are saved in suspicious_activity.log.
  • Logs include timestamps, detected threats, and Nmap results.

4. Installation

4.1 Prerequisites

  • Python 3.x: Ensure Python is installed on your system.
  • Wireshark/tshark: Install Wireshark, and ensure tshark is in your PATH.
  • Nmap: Install Nmap for scanning flagged IPs.
  • Required Python libraries:
    pip install pyshark python-nmap

4.2 Setup Instructions

  1. Clone the repository:
    git clone https://github.com/irfanbroo/Netwarden.git
    cd Netwarden
  2. Install dependencies:
    pip install -r requirements.txt

5. How to Use

5.1 Configuration

Modify the script to specify your desired network interface:

capture = pyshark.LiveCapture(interface='Wi-Fi')

Set detection thresholds in the corresponding functions:

  • DNS Tunneling:
    if len(query) > 225:
  • High DNS Query Frequency:
    if dns_tracker[src_ip] > 50:

5.2 Running the Tool

Run the script using:

python netwarden.py

6. Detailed Functionality

DNS Tunneling Detection

  • Monitors DNS queries for unusual characteristics:
    • Query lengths >225 characters.
    • High-frequency requests (>50 queries per source IP).

ARP Spoofing Detection

  • Tracks IP/MAC mappings.
  • Flags packets where the observed MAC address doesn’t match the expected one for a given IP.

IP/MAC Spoofing Detection

  • Compares source IPs and MAC addresses against a known mapping.
  • Flags mismatches as potential spoofing.

SYN Scan Detection

  • Identifies TCP packets with only the SYN flag set.
  • Commonly used in reconnaissance scans.

Unusual Traffic Pattern Detection

  • Detects traffic with unexpected internal IP ranges or patterns.
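The heuristics described in sections 5.1 and 6 (DNS query length and frequency, ARP IP/MAC baseline mismatch, SYN-only probes), reimplemented over plain dict packets so they run without pyshark or tshark. This is an added example, not Netwarden's own code; the dict keys (proto, src_ip, query, mac, dst_port, flags) and the SYN_SCAN_PORTS threshold are assumptions, and the SYN check deliberately goes beyond the README's single-packet rule by counting distinct destination ports per source, because a bare SYN also begins every legitimate handshake.

```python
from collections import defaultdict

DNS_QUERY_LEN_LIMIT = 225   # README threshold: flag queries longer than this
DNS_QUERY_RATE_LIMIT = 50   # README threshold: flag a source after more than 50 queries
SYN_SCAN_PORTS = 10         # assumption: bare SYNs to this many distinct ports = scan
TCP_SYN = 0x02              # TCP flags byte with only SYN set

class Detector:
    def __init__(self, known_macs=None):
        self.known_macs = dict(known_macs or {})   # ip -> expected MAC (baseline)
        self.dns_tracker = defaultdict(int)        # ip -> DNS queries seen so far
        self.syn_ports = defaultdict(set)          # ip -> distinct ports probed with bare SYN
        self.alerts = []

    def dns_check(self, pkt):
        src, query = pkt["src_ip"], pkt["query"]
        self.dns_tracker[src] += 1
        if len(query) > DNS_QUERY_LEN_LIMIT:
            self.alerts.append(f"DNS Tunneling: Potential DNS tunneling detected: {query}")
        if self.dns_tracker[src] > DNS_QUERY_RATE_LIMIT:
            self.alerts.append(f"DNS Tunneling: High query frequency from {src}")

    def arp_check(self, pkt):
        ip, mac = pkt["src_ip"], pkt["mac"]
        expected = self.known_macs.setdefault(ip, mac)   # first sighting becomes the baseline
        if mac != expected:
            self.alerts.append(f"ARP Spoofing: IP {ip} seen with MAC {mac}, expected {expected}")

    def syn_check(self, pkt):
        # A lone SYN starts every normal connection, so only a spread of ports is suspicious
        if pkt["flags"] == TCP_SYN:
            probed = self.syn_ports[pkt["src_ip"]]
            probed.add(pkt["dst_port"])
            if len(probed) == SYN_SCAN_PORTS:   # alert once, when the threshold is crossed
                self.alerts.append(f"SYN Scan: From {pkt['src_ip']}")

    def analyze(self, pkt):
        handlers = {"DNS": self.dns_check, "ARP": self.arp_check, "TCP": self.syn_check}
        handlers.get(pkt["proto"], lambda _: None)(pkt)   # ignore protocols we do not check

def run_sample():
    # Constructed packets standing in for a live capture; not real traffic
    packets = [{"proto": "DNS", "src_ip": "192.168.1.10", "query": "a" * 240 + ".example.com"},
               {"proto": "ARP", "src_ip": "192.168.1.2", "mac": "ff:ee:dd:cc:bb:aa"},
               {"proto": "ARP", "src_ip": "192.168.1.2", "mac": "aa:bb:cc:dd:ee:ff"},
               {"proto": "TCP", "src_ip": "192.168.1.7", "dst_port": 443, "flags": TCP_SYN}]
    packets += [{"proto": "TCP", "src_ip": "192.168.1.5", "dst_port": p, "flags": TCP_SYN}
                for p in range(20, 40)]   # 20 distinct ports probed from one host
    d = Detector()
    for p in packets:
        d.analyze(p)
    return d.alerts
```

The single SYN from 192.168.1.7 is a normal connection attempt and produces no alert, while the 20-port sweep from 192.168.1.5 is reported exactly once.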

7. Example Outputs

7.1 Terminal Output

Suspicious activity detected:
- DNS Tunneling: Potential DNS tunneling detected: maliciousquery.example.com
- ARP Spoofing: IP 192.168.1.2 seen with MAC aa:bb:cc:dd:ee:ff, expected ff:ee:dd:cc:bb:aa
- SYN Scan: From 192.168.1.5
Performing Nmap scan on 192.168.1.5...

7.2 Log File Example

DNS Tunneling: Potential DNS tunneling detected: maliciousquery.example.com
ARP Spoofing: IP 192.168.1.2 seen with MAC aa:bb:cc:dd:ee:ff, expected ff:ee:dd:cc:bb:aa
SYN Scan: From 192.168.1.5

Nmap Scan Results:
192.168.1.5:
  Ports:
    22 (SSH): Open
    80 (HTTP): Open

7.3 Nmap Scan Results

Host: 192.168.1.5
Open Ports:
  - 22 (SSH)
  - 80 (HTTP)
  - 443 (HTTPS)

8. Real-Life Applications

  1. Enterprise Security Monitoring: Detect and respond to potential threats in real time.
  2. Incident Response: Investigate anomalies and generate actionable insights.
  3. Educational Tools: Demonstrate network security techniques.

9. Known Limitations

  • Encrypted Traffic: Cannot analyze HTTPS or other encrypted protocols.
  • False Positives: May occasionally flag benign traffic as suspicious.
  • Performance: Heavy traffic volumes may impact performance.

10. Future Work

  • Add support for HTTPS decryption.
  • Introduce anomaly detection using machine learning.
  • Build a web-based dashboard for real-time visualization.

11. FAQs

Q: What permissions are required?

A: The script may require administrative privileges to capture packets.

Q: Can I use this on a Wi-Fi network?

A: Yes, specify your Wi-Fi interface in the configuration.


12. Contributing

Contributions are welcome! Please submit a pull request or open an issue to discuss potential changes.


13. License

This project is licensed under the MIT License. See the LICENSE file for more details.
