
Packet Parser Simulator for IDS Training

A lightweight and extensible packet parsing tool designed for Intrusion Detection System (IDS) training and network traffic analysis.
This script captures live traffic or processes PCAP files, extracts HTTP and DNS data, and applies simple heuristic-based IDS rules to detect suspicious activity.


Features

✔ HTTP Parsing

  • Extracts HTTP method, host, path, and User-Agent
  • Logs HTTP request details
  • Detects:
    • SQL Injection patterns
    • Directory Traversal attempts
    • Suspicious User-Agent strings (e.g., scanners/tools)

✔ DNS Parsing

  • Extracts DNS query domains
  • Detects:
    • Known malicious domain patterns
    • Possible DNS tunneling (based on subdomain depth)

✔ IDS Simulation Rules

The parser implements basic IDS logic:

  • SQL Injection detection
  • Directory Traversal detection
  • Suspicious tools (sqlmap, nmap, hydra, metasploit)
  • Malicious DNS queries
  • DNS tunneling heuristics
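The rules listed above, worked through in pure Python as an added example (this is not the project's own packet_parser.py, and it does not need scapy): the HTTP check percent-decodes the path before matching so that encoded traversal is not missed, and the DNS check flags both blocklisted parents and deep subdomain nesting. The signature patterns, the blocklist entries, the depth threshold and the sample requests are all constructed for illustration; only the tool names come from the README.

```python
import re
from urllib.parse import unquote

# Assumed signature sets for illustration (not the project's own lists).
SQLI_PATTERNS = [r"(?i)union\s+select", r"(?i)'\s*or\s+\d+\s*=\s*\d+", r"--\s*$"]
TRAVERSAL_PATTERNS = [r"\.\./", r"\.\.\\"]
SUSPICIOUS_TOOLS = ("sqlmap", "nmap", "hydra", "metasploit")  # from the README
MALICIOUS_DOMAINS = {"malware-c2.example", "bad-updates.example"}  # constructed blocklist
DNS_DEPTH_THRESHOLD = 4  # assumed: more labels than this is treated as suspicious

def classify_http(method, host, path, user_agent):
    """Return the IDS alerts raised for one HTTP request (method/host kept for logging)."""
    alerts = []
    # Decode twice so double-encoded payloads (%252e%252e%252f) are normalised too.
    decoded = unquote(unquote(path))
    if any(re.search(p, decoded) for p in SQLI_PATTERNS):
        alerts.append("SQL Injection Attempt")
    if any(re.search(p, decoded) for p in TRAVERSAL_PATTERNS):
        alerts.append("Directory Traversal Attempt")
    if any(tool in (user_agent or "").lower() for tool in SUSPICIOUS_TOOLS):
        alerts.append("Suspicious User-Agent")
    return alerts

def classify_dns(qname):
    """Return the IDS alerts raised for one DNS query name."""
    alerts = []
    labels = qname.rstrip(".").lower().split(".")
    # Match the name itself or any of its parent domains against the blocklist.
    if any(".".join(labels[i:]) in MALICIOUS_DOMAINS for i in range(len(labels))):
        alerts.append("Malicious Domain Query")
    # Tunneling heuristic from the README: unusually deep subdomain nesting.
    if len(labels) > DNS_DEPTH_THRESHOLD:
        alerts.append("Possible DNS Tunneling")
    return alerts

# Constructed sample traffic, not captured data.
HTTP_SAMPLES = [
    ("GET", "shop.example", "/item?id=1", "Mozilla/5.0"),
    ("GET", "shop.example", "/item?id=1%27%20OR%201%3D1--", "Mozilla/5.0"),
    ("GET", "shop.example", "/static/..%2F..%2Fetc/passwd", "curl/8.0"),
    ("GET", "shop.example", "/", "sqlmap/1.7"),
]
DNS_SAMPLES = ["www.example.com", "update.malware-c2.example",
               "aGVsbG8.d29ybGQ.Zm9v.YmFy.t.example.net"]

def run_samples():
    """Collect (subject, alert) pairs over the samples, like the script's final summary."""
    hits = [(s[2], a) for s in HTTP_SAMPLES for a in classify_http(*s)]
    hits += [(q, a) for q in DNS_SAMPLES for a in classify_dns(q)]
    return hits

if __name__ == "__main__":
    for subject, alert in run_samples():
        print(f"{alert}: {subject}")
```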

✔ Logging System

  • Logs stored in packet_parser.log
  • Console output with timestamps
  • Multi-level logging (INFO, WARNING, ERROR, DEBUG)

✔ Capture Modes

  • Live Capture from a network interface
  • Offline Analysis from PCAP files
  • Custom packet count limit
  • Verbose debugging option

Installation

pip install scapy

Usage Guide

Analyze a PCAP file

sudo python3 packet_parser.py -f traffic.pcap

Live traffic capture (default: 100 packets)

sudo python3 packet_parser.py -i eth0

Capture 500 packets

sudo python3 packet_parser.py -i eth0 -c 500

Enable verbose debugging

sudo python3 packet_parser.py -i eth0 -v

Command-Line Arguments

Argument          Description
-i, --interface   Network interface for live capture
-f, --file        PCAP file for offline analysis
-c, --count       Number of packets to capture (default 100)
-v, --verbose     Enable verbose/debug output

Output Summary

After analysis, the script prints:

  • Total packets processed
  • Number of detected threats
  • Detailed list of:
    • Threat type
    • Timestamp
    • Source IP
    • Domain (DNS threats)
    • Path (HTTP threats)

Example threats include:

  • SQL Injection Attempt
  • Directory Traversal Attempt
  • Suspicious User-Agent
  • Malicious Domain Query
  • Possible DNS Tunneling

Security Notes

  • Live packet sniffing requires root/administrator privileges
  • Log files may contain sensitive network metadata
  • Use this tool only on networks you own or have explicit permission to analyze
  • Intended purely for educational and research purposes

License

MIT License


Disclaimer

This project is designed for security research, IDS training, and educational use.
Misuse of packet sniffing tools on unauthorized networks is illegal.

About

A network traffic parser and mini-IDS designed for security researchers. Detects SQLi, directory traversal, malicious DNS queries, tunneling attempts, and suspicious tool signatures.
