BeauDevCode/Secure-Network-Monitoring-Tool

Secure Network Monitoring Tool

Lightweight Python IDS prototype for live packet monitoring, rule-based anomaly detection, and JSON security alerts.


Overview

Secure Network Monitoring Tool is a Linux-focused intrusion detection prototype built with Python and Scapy. It captures live packets from a selected network interface, tracks source-IP activity in a rolling time window, and raises alerts for suspicious traffic patterns such as port scans, high traffic bursts, and connections to high-risk ports.

The project is intended as a cybersecurity portfolio piece. It demonstrates packet capture, stateful per-source traffic tracking, configurable thresholds, rate-limited alerting, and structured JSON logs.

Features

  • Live packet capture with Scapy
  • Rolling time-window traffic analysis
  • Port scan detection based on unique destination ports per source IP
  • Suspicious TCP/UDP port monitoring
  • High-traffic anomaly detection
  • Alert cooldowns to reduce duplicate noise
  • JSON-lines alert logging
  • CLI-configurable thresholds and log path

Detection Methodology

The detection engine is intentionally rule-based and transparent:

  1. Track recent packet timestamps for each source IP.
  2. Track unique TCP destination ports contacted by each source IP.
  3. Alert when a source IP exceeds the configured scan or traffic threshold.
  4. Alert when traffic touches configured suspicious ports.
  5. Apply cooldowns so repeated alerts do not flood the terminal or log file.

Installation

Linux is recommended because live packet capture usually requires elevated permissions.

sudo apt update
sudo apt install python3-pip
pip3 install -r requirements.txt

Usage

sudo python3 monitor.py -i eth0

Optional parameters:

sudo python3 monitor.py -i eth0 --time-window 10 --scan-threshold 20 --traffic-threshold 150 --cooldown 30 --logfile alerts.json

Example Alerts

[ALERT] Possible port scan detected from 192.168.1.15
[ALERT] Suspicious TCP connection from 192.168.1.15 to port 4444

JSON log entry:

{
  "timestamp": "2026-02-05T12:14:33.104321",
  "type": "port_scan",
  "message": "Possible port scan detected from 192.168.1.15"
}
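The five rules under Detection Methodology, the CLI thresholds shown under Usage, and the alert format above fit together in a small amount of code. The block below is an added example written for this page, not the project's own monitor.py: the README names an IDS.analyze method but does not show its signature, so the RuleEngine, Event, window_state and run_demo names, the DEFAULT_SUSPICIOUS_PORTS list, and the replayed traffic are all assumptions constructed for the example. It runs offline with no Scapy capture; monitor.py would build one Event per captured packet and feed it to analyze.

```python
"""Rule-based detection core in the style the README describes.

Added example, not the project's code: class, method and constant names are
assumptions, and the traffic in run_demo() is constructed, not captured.
"""
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# High-risk ports. Constructed list for the example; the README does not publish the project's own.
DEFAULT_SUSPICIOUS_PORTS = frozenset({4444, 1337, 31337})


@dataclass(frozen=True)
class Event:
    """The minimum a packet must provide: source IP, destination port, protocol, capture time."""
    src: str
    dst_port: int
    proto: str   # "TCP" or "UDP"
    ts: float    # epoch seconds


class RuleEngine:
    """Per-source rolling-window state plus the five rules listed under Detection Methodology.

    Constructor defaults mirror the CLI flags shown in the README's Usage section.
    """

    def __init__(self, time_window=10.0, scan_threshold=20, traffic_threshold=150,
                 cooldown=30.0, suspicious_ports=DEFAULT_SUSPICIOUS_PORTS, logfile=None):
        self.time_window = time_window
        self.scan_threshold = scan_threshold
        self.traffic_threshold = traffic_threshold
        self.cooldown = cooldown
        self.suspicious_ports = set(suspicious_ports)
        self.logfile = logfile
        self._packets = defaultdict(deque)   # src -> timestamps inside the window (rule 1)
        self._ports = defaultdict(deque)     # src -> (timestamp, TCP dst port) inside the window (rule 2)
        self._last_alert = {}                # (src, alert type) -> time of last emitted alert (rule 5)

    def _expire(self, src, now):
        """Drop state older than the rolling window so counts only reflect recent traffic."""
        cutoff = now - self.time_window
        packets = self._packets[src]
        while packets and packets[0] < cutoff:
            packets.popleft()
        ports = self._ports[src]
        while ports and ports[0][0] < cutoff:
            ports.popleft()

    def _emit(self, kind, src, message, now):
        """Rule 5: suppress a repeat of the same alert type from the same source inside the cooldown."""
        key = (src, kind)
        last = self._last_alert.get(key)
        if last is not None and now - last < self.cooldown:
            return None
        self._last_alert[key] = now
        alert = {"timestamp": datetime.fromtimestamp(now).isoformat(),
                 "type": kind, "message": message}
        if self.logfile:
            with open(self.logfile, "a", encoding="utf-8") as fh:   # JSON lines: one object per line
                fh.write(json.dumps(alert) + "\n")
        return alert

    def analyze(self, ev):
        """Feed one event and return the alerts it triggered (possibly none)."""
        self._expire(ev.src, ev.ts)
        self._packets[ev.src].append(ev.ts)
        if ev.proto == "TCP":
            self._ports[ev.src].append((ev.ts, ev.dst_port))
        alerts = []
        # Rule 3a: port scan = more distinct TCP destination ports than the threshold, inside the window.
        unique_ports = {port for _, port in self._ports[ev.src]}
        if len(unique_ports) > self.scan_threshold:
            alert = self._emit("port_scan", ev.src,
                               f"Possible port scan detected from {ev.src}", ev.ts)
            if alert:
                alerts.append(alert)
        # Rule 3b: traffic burst = more packets from one source than the threshold, inside the window.
        if len(self._packets[ev.src]) > self.traffic_threshold:
            alert = self._emit("high_traffic", ev.src,
                               f"High traffic volume detected from {ev.src}", ev.ts)
            if alert:
                alerts.append(alert)
        # Rule 4: any TCP or UDP contact with a configured high-risk port.
        if ev.dst_port in self.suspicious_ports:
            alert = self._emit("suspicious_port", ev.src,
                               f"Suspicious {ev.proto} connection from {ev.src} to port {ev.dst_port}", ev.ts)
            if alert:
                alerts.append(alert)
        return alerts

    def window_state(self, src, now):
        """Expire old state, then report (packets in window, unique TCP ports in window) for a source."""
        self._expire(src, now)
        return len(self._packets[src]), len({port for _, port in self._ports[src]})


def run_demo(logfile=None):
    """Replay constructed traffic through default thresholds and count alerts by type."""
    engine = RuleEngine(logfile=logfile)
    t0 = 1_700_000_000.0
    events = []
    # 25 distinct TCP ports from one host in 2.5 s: crosses scan_threshold=20 once, then cooldown applies.
    events += [Event("192.168.1.15", 1 + i, "TCP", t0 + 0.1 * i) for i in range(25)]
    # The same high-risk port hit three times; the second hit falls inside the 30 s cooldown.
    events += [Event("10.0.0.7", 4444, "TCP", t0 + 1.0),
               Event("10.0.0.7", 4444, "TCP", t0 + 2.0),
               Event("10.0.0.7", 4444, "TCP", t0 + 40.0)]
    # 160 UDP packets to port 53 in 4 s: crosses traffic_threshold=150, never the (TCP-only) scan rule.
    events += [Event("10.0.0.9", 53, "UDP", t0 + 0.025 * i) for i in range(160)]
    events.sort(key=lambda e: e.ts)
    counts = defaultdict(int)
    for ev in events:
        for alert in engine.analyze(ev):
            counts[alert["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(run_demo())   # {'port_scan': 1, 'suspicious_port': 2, 'high_traffic': 1}
```

Two design points worth keeping when extending this: the cooldown is keyed on (source, alert type), so a scanning host that also touches a high-risk port still produces both alerts, and the window is expired on every event for that source, so a host that goes quiet for longer than the window starts from a clean slate rather than carrying stale port counts.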

Testing Methodology

The tool was designed for controlled lab testing with:

  • nmap for port scan simulation
  • netcat for suspicious port connection testing
  • local traffic generation for high-volume detection validation

Only test on networks and machines you own or are authorized to assess.

Limitations

  • Rule-based detection only; no machine-learning or behavioral baseline model
  • No deep packet inspection of encrypted TLS payloads
  • No distributed scan correlation across multiple source IPs
  • Not optimized for high-throughput enterprise monitoring
  • Requires appropriate permissions for packet capture

Future Improvements

  • Add unit tests for the IDS.analyze detection engine.
  • Add configurable suspicious port lists.
  • Add Docker or systemd deployment options.
  • Add IP reputation enrichment.
  • Add dashboard output or SIEM-friendly forwarding.

License

MIT

About

Developed a Python-based network monitoring tool on Linux that captures live packet data, detects suspicious traffic patterns such as port scans and abnormal connections using rule-based analysis, and generates real-time alerts with logged security events.
