Intelligent network traffic analysis with machine learning anomaly detection.
Features · Installation · Usage · Detection · API
LEGAL DISCLAIMER
This tool is designed exclusively for authorized network security monitoring and educational purposes. Unauthorized interception of network traffic is illegal in most jurisdictions. Always obtain proper authorization before monitoring any network.
```text
┌──────────────────────────────────────────────────────────────────────┐
│                       PacketSniffer-AI Engine                        │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  ┌──────────────┐  ┌──────────────┐   ┌───────────────────────────┐  │
│  │  CLI Layer   │  │   Reporter   │   │    Analysis Dashboard     │  │
│  │  (argparse)  │  │ JSON/HTML/TXT│   │     Timeline, Alerts      │  │
│  └──────┬───────┘  └──────┬───────┘   └───────────┬───────────────┘  │
│         │                 │                       │                  │
│  ┌──────▼─────────────────▼───────────────────────▼───────────────┐  │
│  │                        Anomaly Detector                        │  │
│  │  ┌─────────────────┐  ┌──────────────────────────────────────┐ │  │
│  │  │   Rule-Based    │  │               ML-Based               │ │  │
│  │  │ - Port Scans    │  │ - Isolation Forest (Unsupervised)    │ │  │
│  │  │ - DNS Tunneling │  │ - Random Forest (Supervised)         │ │  │
│  │  │ - DDoS Detection│  │ - Feature Scaling & Normalization    │ │  │
│  │  │ - C2 Beaconing  │  │ - Model Persistence (pickle)         │ │  │
│  │  │ - Data Exfil    │  │                                      │ │  │
│  │  └─────────────────┘  └──────────────────────────────────────┘ │  │
│  └────────────────────────────┬───────────────────────────────────┘  │
│                               │                                      │
│  ┌────────────────────────────▼───────────────────────────────────┐  │
│  │                       Feature Extractor                        │  │
│  │  Flow Features | Payload Features | Temporal Features | DNS    │  │
│  │  40+ features: entropy, IAT stats, periodicity, port analysis  │  │
│  └────────────────────────────┬───────────────────────────────────┘  │
│                               │                                      │
│  ┌────────────────────────────▼───────────────────────────────────┐  │
│  │                      Packet Sniffer Core                       │  │
│  │  Live Capture (Scapy) | PCAP Read/Write | Protocol Parsing     │  │
│  │  Flow Tracking (5-tuple) | Session Reconstruction | BPF Filter │  │
│  │  TCP/UDP/ICMP/DNS/HTTP/TLS Parsing | SNI Extraction            │  │
│  └────────────────────────────────────────────────────────────────┘  │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘
```
## Features

- Deep Packet Inspection: Full parsing of TCP, UDP, ICMP, DNS, HTTP, and TLS protocols
- TLS SNI Extraction: Extract Server Name Indication from TLS ClientHello handshakes
- Flow Tracking: 5-tuple based flow reconstruction with detailed statistics
- ML Anomaly Detection:
  - Isolation Forest: Unsupervised anomaly detection trained on traffic features
  - Random Forest: Supervised classification when labeled data is available
- Rule-Based Detection:
  - Port Scans: SYN scan, NULL scan, XMAS scan, FIN scan
  - DNS Tunneling: Entropy analysis, query length, subdomain depth
  - DDoS: SYN flood detection, volume-based anomaly
  - C2 Beaconing: Periodic connection detection with jitter analysis
  - Data Exfiltration: Upload volume anomaly detection
- 40+ Network Features: Extracted per flow for ML classification
- Rich Reporting: JSON, HTML, and text reports with severity scoring
- PCAP Support: Read/write standard PCAP files
- BPF Filters: Berkeley Packet Filter support for targeted capture
- Top Talkers Analysis: Identify highest-volume sources and destinations
## Detection

| Attack Type | Method | Indicators |
|---|---|---|
| SYN Scan | Rule-based | Multiple SYN without ACK to different ports |
| NULL Scan | Rule-based | TCP packets with no flags |
| XMAS Scan | Rule-based | FIN+PSH+URG flags combination |
| FIN Scan | Rule-based | Only FIN flag set |
| DNS Tunneling | Hybrid | High entropy queries, long names, deep subdomains |
| SYN Flood DDoS | Rule-based | High rate of SYN packets to single target |
| Volume DDoS | Rule-based | Bytes/second exceeding threshold |
| C2 Beaconing | ML + Rules | Regular inter-arrival times, low jitter |
| Data Exfiltration | Rule-based | Abnormal upload/download ratio |
| Statistical Anomaly | ML | Isolation Forest outlier detection |
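To make the rule-based rows of the table concrete, here is an added example (not PacketSniffer-AI's own code) that runs three of those checks over constructed packet records: scan classification from TCP flags alone, SYN-scan detection from SYN-without-ACK to many ports, and beaconing detection from low inter-arrival-time jitter. The thresholds (5 ports, 6 connections, 5 % jitter, 1 s minimum interval) are assumptions chosen for the sample, not the project's defaults.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample packets (not a real capture): (timestamp, src, dst, dport, tcp_flags).
# tcp_flags uses Scapy-style letters: S=SYN, A=ACK, F=FIN, P=PSH, U=URG; "" means no flags.
PACKETS = (
    # SYN scan: one source sends SYN-only to six different ports on one host
    [(0.01 * i, "10.0.0.5", "10.0.0.9", 20 + i, "S") for i in range(6)]
    # normal client: SYN followed by ACK to a single port
    + [(1.0, "10.0.0.7", "10.0.0.9", 443, "S"), (1.1, "10.0.0.7", "10.0.0.9", 443, "A")]
    # probes carrying the flag combinations the detection table lists
    + [(2.0, "10.0.0.5", "10.0.0.9", 80, ""), (2.1, "10.0.0.5", "10.0.0.9", 80, "FPU"),
       (2.2, "10.0.0.5", "10.0.0.9", 80, "F")]
    # beacon: seven connections every 60 s with +/-0.3 s of jitter
    + [(100.0 + 60 * i + (0.3 if i % 2 else -0.3), "10.0.0.8", "203.0.113.4", 443, "S")
       for i in range(7)]
)

# Flag sets that identify a scan on their own, as in the detection table.
SCAN_FLAGS = {frozenset(): "NULL scan", frozenset("FPU"): "XMAS scan", frozenset("F"): "FIN scan"}

def classify_scan_flags(flags):
    """Scan type identified by the TCP flags alone (NULL, XMAS, FIN), else None."""
    return SCAN_FLAGS.get(frozenset(flags))

def detect_syn_scans(packets, min_ports=5):
    """SYN scan: SYN-without-ACK from one source to many distinct ports on one host."""
    ports = defaultdict(set)
    for _, src, dst, dport, flags in packets:
        if "S" in flags and "A" not in flags:
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}

def detect_beaconing(packets, min_conns=6, min_interval=1.0, max_jitter=0.05):
    """C2 beaconing: regular inter-arrival times; jitter is stdev/mean of the IATs."""
    times = defaultdict(list)
    for ts, src, dst, _, flags in packets:
        if "S" in flags and "A" not in flags:  # connection initiations only
            times[(src, dst)].append(ts)
    hits = {}
    for pair, ts in times.items():
        iats = [b - a for a, b in zip(ts, ts[1:])]
        if len(iats) < min_conns - 1 or mean(iats) < min_interval:
            continue  # too few connections, or a burst (a scan) rather than a beacon
        if pstdev(iats) / mean(iats) <= max_jitter:
            hits[pair] = round(mean(iats), 1)
    return hits
```

The minimum-interval check matters in practice: a port scan is also a run of evenly spaced SYNs, so without it the scanning source would be reported as a beacon too.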
## Installation

```bash
# Clone the repository
git clone https://github.com/ayinedjimi/PacketSniffer-AI.git
cd PacketSniffer-AI

# Install dependencies
pip install -r requirements.txt

# Install in development mode
pip install -e .
```

Requirements:

- Python 3.9+
- Scapy 2.5+ (for packet capture/parsing)
- scikit-learn 1.3+ (for ML detection)
- Root/sudo privileges (for live capture only)
## Usage

Live capture:

```bash
# Capture on default interface
sudo packetsniffer-ai capture -c 1000

# Capture with BPF filter and export
sudo packetsniffer-ai capture -i eth0 -f "tcp port 80 or tcp port 443" \
    -c 5000 --output-json report.json --output-html report.html
```

PCAP analysis:

```bash
# Basic analysis
packetsniffer-ai analyze capture.pcap

# Analysis with custom model
packetsniffer-ai analyze capture.pcap --model trained_model.pkl \
    --output-json results.json --output-html report.html
```

Model training:

```bash
# Train on normal traffic PCAPs
packetsniffer-ai train normal1.pcap normal2.pcap -o model.pkl

# Train with custom parameters
packetsniffer-ai train *.pcap -o model.pkl \
    --contamination 0.05 --estimators 200
```

Flow analysis:

```bash
# Show the top 50 flows in a capture
packetsniffer-ai flows capture.pcap --top 50
```

## API

```python
from packetsniffer_ai.sniffer import PacketSniffer
from packetsniffer_ai.detector import AnomalyDetector
from packetsniffer_ai.reporter import AnalysisReporter

# Analyze PCAP
sniffer = PacketSniffer()
stats = sniffer.read_pcap("capture.pcap")

# Detect anomalies: fit the unsupervised model on the flows, then score them
flows = list(sniffer.flows.values())
detector = AnomalyDetector()
detector.fit_unsupervised(flows)
alerts = detector.detect_anomalies(flows, sniffer.packets)

# Generate report
reporter = AnalysisReporter(sniffer.packets, flows, alerts, stats)
reporter.export_html("report.html")
reporter.print_summary()
```

Related projects:

- TcpSnooper - TCP traffic sniffing and analysis
- NetFlowLiteCollector - Lightweight NetFlow collector
- HashCracker-GPU - GPU-accelerated hash cracking
Ayi NEDJIMI
- Website: ayinedjimi-consultants.fr
- GitHub: github.com/ayinedjimi
- HuggingFace: huggingface.co/AYI-NEDJIMI
This project is licensed under the MIT License - see the LICENSE file for details.
PacketSniffer-AI - Built for security professionals, by Ayi NEDJIMI
For authorized network security monitoring and educational purposes only.