A real-time network packet capture and analysis tool with anomaly detection capabilities. Built for cybersecurity professionals, network engineers, and security researchers.
- Real-time Packet Capture: Live network traffic monitoring with rich terminal UI
- Protocol Analysis: Automatic detection and classification of TCP, UDP, ICMP, and HTTP traffic
- Anomaly Detection: Identifies suspicious patterns including:
  - Port scanning attempts
  - High connection rates (potential DDoS)
  - Access to vulnerable services (RDP, Telnet, SMB)
  - Unusual protocol distributions
- Comprehensive Reporting: Generates JSON, CSV, and HTML reports with interactive visualizations
- BPF Filtering: Supports Berkeley Packet Filter syntax for targeted capture
- Efficient Processing: Handles thousands of packets per second with minimal overhead
- Python 3.8 or higher
- Root/Administrator privileges (required for packet capture)
- Linux, macOS, or Windows WSL
```bash
# Clone repository
git clone https://github.com/coramb2/network-traffic-analyzer.git
cd network-traffic-analyzer

# Setup virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt
```
```bash
# Run 60-second capture with full analysis
sudo venv/bin/python3 network_monitor.py -t 60 --html --summary --alerts

# 30-second capture with HTML report
sudo venv/bin/python3 network_monitor.py -t 30 --html

# Monitor only HTTP/HTTPS traffic
sudo venv/bin/python3 network_monitor.py -f "tcp port 80 or tcp port 443" -c 1000

# Capture DNS queries
sudo venv/bin/python3 network_monitor.py -f "udp port 53" -t 60

# Monitor SSH connections
sudo venv/bin/python3 network_monitor.py -f "tcp port 22" -t 120 --alerts

# Complete analysis with anomaly detection and all report formats
sudo venv/bin/python3 network_monitor.py -t 120 --html --csv --alerts --summary

# List available interfaces
ip link show

# Capture on specific interface
sudo venv/bin/python3 network_monitor.py -i eth0 -t 60 --html
```

The analyzer provides a live dashboard showing:
- Total packets captured and capture rate (packets/second)
- Protocol distribution (TCP/UDP/ICMP percentages)
- Top 10 most active IP addresses
- Top 10 destination ports with service identification
JSON Report (traffic_analysis.json)
- Comprehensive traffic statistics
- Protocol breakdowns
- Top IP addresses and ports
- Recent packet details
CSV Export (traffic_data.csv)
- Packet-level data with timestamps
- Source/destination IPs and ports
- Protocol information
- Ready for import into analysis tools
HTML Dashboard (traffic_report.html)
- Interactive charts and visualizations
- Protocol distribution pie charts
- Sortable tables for IPs and ports
- Security alerts (if any detected)
The built-in anomaly detection engine identifies:
- Port Scanning: Detects when a single IP accesses 20+ different ports
- High Connection Rates: Flags potential DDoS attacks (50+ connections/second)
- Suspicious Services: Monitors access to commonly exploited services:
  - RDP (3389), Telnet (23), SMB (445)
  - MSSQL (1433), VNC (5900), NetBIOS (137-139)
- Traffic Anomalies: Identifies unusual protocol distributions
- Large Packets: Detects potential data exfiltration via oversized UDP packets
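To make the thresholds above concrete, here is an added example (not the project's own detector.py) that applies the README's four checks to a constructed list of packet records. The 1400-byte UDP cutoff and counting every TCP packet as a connection are assumptions made here for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds as documented in the README; the UDP size cutoff is an assumption.
PORT_SCAN_MIN_PORTS = 20   # distinct destination ports from one source
HIGH_CONN_RATE = 50        # TCP packets per second from one source (simplified "connections")
LARGE_UDP_BYTES = 1400
SUSPICIOUS_PORTS = {3389: "RDP", 23: "Telnet", 445: "SMB", 1433: "MSSQL",
                    5900: "VNC", 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS"}


@dataclass(frozen=True)
class Packet:
    ts: float     # capture timestamp in seconds
    src: str      # source IP
    proto: str    # "TCP", "UDP" or "ICMP"
    dport: int    # destination port (0 for ICMP)
    size: int     # bytes on the wire


def detect_anomalies(packets):
    """Return (alert_type, source_ip, detail) tuples for the README's four checks."""
    ports_by_src = defaultdict(set)
    conns_per_sec = defaultdict(int)
    flagged = set()            # (src, port) pairs already reported, to avoid alert storms
    alerts = []
    for p in packets:
        if p.proto == "TCP":
            ports_by_src[p.src].add(p.dport)
            conns_per_sec[(p.src, int(p.ts))] += 1
        if p.dport in SUSPICIOUS_PORTS and (p.src, p.dport) not in flagged:
            flagged.add((p.src, p.dport))
            alerts.append(("suspicious_service", p.src, f"{SUSPICIOUS_PORTS[p.dport]}/{p.dport}"))
        if p.proto == "UDP" and p.size > LARGE_UDP_BYTES:
            alerts.append(("large_udp", p.src, p.size))
    for src, ports in ports_by_src.items():
        if len(ports) >= PORT_SCAN_MIN_PORTS:
            alerts.append(("port_scan", src, len(ports)))
    for (src, _sec), n in conns_per_sec.items():
        if n >= HIGH_CONN_RATE:
            alerts.append(("high_conn_rate", src, n))
    return alerts


# Constructed sample traffic, not a real capture: one scanner, one flooder, one ordinary host.
SAMPLE = (
    [Packet(1.0 + i / 100, "10.0.0.5", "TCP", 1 + i, 60) for i in range(25)]
    + [Packet(7.0 + i / 1000, "10.0.0.9", "TCP", 80, 60) for i in range(60)]
    + [Packet(9.0, "10.0.0.7", "TCP", 443, 500), Packet(9.5, "10.0.0.7", "TCP", 3389, 60),
       Packet(9.6, "10.0.0.7", "TCP", 3389, 60), Packet(10.0, "10.0.0.7", "UDP", 53, 3000)]
)
```

Running `detect_anomalies(SAMPLE)` yields one alert each for the port scan, the connection flood, the oversized UDP datagram and two suspicious-service hits (the scanner touching port 23 and the ordinary host reaching RDP, reported once despite two packets).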
- Scapy 2.5.0: Powerful Python packet manipulation library
- Rich 13.7.0: Modern terminal UI with live updates
- Python Threading: Non-blocking packet processing
- BPF (Berkeley Packet Filter): Industry-standard packet filtering
```text
network-traffic-analyzer/
├── analyzer.py          # Main packet capture and real-time analysis
├── detector.py          # Anomaly detection engine
├── reporter.py          # Multi-format report generation (JSON/CSV/HTML)
├── network_monitor.py   # Integrated CLI application
├── requirements.txt     # Python dependencies
└── README.md            # Documentation
```
- Network Security: Protocol analysis, threat detection, traffic pattern recognition
- Python Development: Threading, CLI design, error handling, optimized data structures
- System Programming: Low-level packet capture, BPF filtering
- Data Visualization: Real-time dashboards, HTML reporting with Chart.js
Problem: PermissionError: Operation not permitted
Solution: Packet capture requires root privileges
```bash
sudo venv/bin/python3 network_monitor.py -t 60
```
Problem: Filter too restrictive or wrong interface
Solutions:
```bash
# Remove filter to test
sudo venv/bin/python3 network_monitor.py -t 30
# Try different interface
sudo venv/bin/python3 network_monitor.py -i lo -t 30
# Generate traffic (in another terminal)
ping google.com
```
Problem: Specified network interface doesn't exist
Solution: List available interfaces
```bash
# Linux
ip link show
# Or use default interface (don't specify -i flag)
sudo venv/bin/python3 network_monitor.py -t 60
```
This project demonstrates understanding of:
- OSI Model: Operates at Layer 3 (Network) and Layer 4 (Transport)
- TCP/IP Protocol Suite: TCP, UDP, ICMP, HTTP analysis
- Network Security: IDS/IPS fundamentals, threat detection
- Packet Analysis: Deep packet inspection techniques
Potential additions:
- Machine learning-based anomaly detection
- GeoIP lookup for traffic origin mapping
- PCAP file import/export
- Real-time alerting (email/Slack/webhook)
- Database storage for historical analysis
- Web-based dashboard
MIT License - Free to use for learning and portfolio purposes
Cora Baldwin
- GitHub: @coramb2
- LinkedIn: Cora Baldwin
Recent Software Engineering graduate (BA) with minor in Business Engineering Technology from a D1 university. Passionate about cybersecurity, network engineering, and building practical security tools.
Star this repo if you found it useful!
Questions or feedback? Open an issue or connect on LinkedIn