Advanced packet sniffer/analyzer and IDS with several options to conduct network monitoring and threat analysis
Schnoz is a tool I wrote in Python to monitor network traffic and analyze potential threats. I combined the small network-analysis scripts I had written into one multi-purpose tool. It depends on scapy, so install that first: `pip install scapy`
When the script runs, it presents four modes to choose from:
Active Sniffing (1): Sniffs live traffic on a specified interface. Give the interface name exactly as shown by `ifconfig` (Linux) or `Get-NetAdapter` (Windows). Any combination of the arguments below can be used with this mode.
File Sniffing (2): Reads packets from a pcap file instead of a live interface. Any combination of the arguments below can be used with this mode.
Alert Mode (3): Sniffs a specified interface or pcap file for suspicious activity and alerts on potentially malicious traffic. After you choose an interface or pcap file, the script asks for either your own wordlist or the built-in schnozlist to alert on. Whenever a term from the chosen list appears in the traffic, an alert is printed together with the packet summary. I based the schnozlist on keywords that I've seen in CTFs, but more terms can be added if needed.
HTTP Analysis (4): Analyzes HTTP packets (requests and responses) from an interface or a file. Without -k the script prints every HTTP event; with -k it prints only the events containing that keyword. -k is the only argument honored by this mode.
Except for the keyword argument (-k), the arguments are only intended for modes 1 and 2. Only Windows and Linux are currently supported (Linux users must comment out line 6). Live sniffing needs raw-socket access, so run the script as root on Linux or from an elevated prompt on Windows, where scapy also requires Npcap to be installed.
Argument | Description
---|---
`-P` | Filters for a protocol. Can be combined with `-s y`
`-p` | Filters for a port. Can be combined with `-s y`
`-k` | Filters for a keyword and prints the matching events
`-o` | Saves the capture to a file. Specify the file name
`-s y` | Prints summaries of all events
`-s t` | Prints summaries of TCP events
`-s u` | Prints summaries of UDP events
`-s h` | Prints summaries of HTTP events
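As an added example that is not part of Schnoz itself, the block below shows what the `-P` / `-p` / `-k` filters, Alert Mode (3) and the HTTP event listing of mode (4) amount to at the packet level. It deliberately avoids scapy and hand-parses Ethernet II / IPv4 / TCP / UDP headers with the standard library, so it runs without scapy or a capture interface. The frame builder, the four-packet sample capture and the stand-in keyword list are constructed for the example; only the header layouts are real.

```python
"""Keyword/port/protocol filtering, alert mode and HTTP analysis over raw frames.

Added example for this README, not Schnoz's own code. It hand-parses
Ethernet II / IPv4 / TCP / UDP headers with the standard library instead of
scapy. All frames and the keyword list below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NAMES = {6: "TCP", 17: "UDP"}

# Stand-in for the README's "schnozlist": constructed here, not the tool's real list.
SCHNOZLIST = ["password", "passwd", "flag{", "admin", "/etc/shadow"]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes

    def summary(self) -> str:
        return f"{self.proto} {self.src}:{self.sport} > {self.dst}:{self.dport} len={len(self.payload)}"


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet II / IPv4 / {TCP,UDP}; return None for anything else (ARP, IPv6, ICMP...)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto_num = ip[9]
    if proto_num not in PROTO_NAMES or total_len > len(ip):
        return None
    l4 = ip[ihl:total_len]                        # honours total length, drops Ethernet padding
    if len(l4) < (20 if proto_num == 6 else 8):   # truncated transport header
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack("!HH", l4[:4])
    hdr_len = (l4[12] >> 4) * 4 if proto_num == 6 else 8   # TCP data offset vs fixed UDP header
    return Packet(src, dst, PROTO_NAMES[proto_num], sport, dport, l4[hdr_len:])


def matches(pkt: Packet, proto: Optional[str] = None, port: Optional[int] = None,
            keyword: Optional[str] = None) -> bool:
    """-P / -p / -k style filters; an unspecified filter (None) always passes."""
    if proto is not None and pkt.proto != proto.upper():
        return False
    if port is not None and port not in (pkt.sport, pkt.dport):
        return False
    if keyword is not None and keyword.lower().encode() not in pkt.payload.lower():
        return False
    return True


def filter_summaries(frames, **filters) -> List[str]:
    """Modes 1/2 with -s y: summaries of every decodable frame that passes the filters."""
    pkts = (parse_frame(f) for f in frames)
    return [p.summary() for p in pkts if p is not None and matches(p, **filters)]


def alerts(frames, wordlist=SCHNOZLIST) -> List[Tuple[str, str]]:
    """Mode 3: (matched term, packet summary) for each frame whose payload holds a list term.
    Scans the raw payload case-insensitively, so it fires on non-HTTP protocols too."""
    hits = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        low = pkt.payload.lower()
        term = next((t for t in wordlist if t.lower().encode() in low), None)
        if term is not None:
            hits.append((term, pkt.summary()))
    return hits


def http_events(frames) -> List[str]:
    """Mode 4 without -k: the request line or status line of every HTTP-looking TCP payload."""
    events = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt.proto != "TCP":
            continue
        first = pkt.payload.split(b"\r\n", 1)[0]
        if first.startswith(b"HTTP/") or first.startswith(HTTP_METHODS):
            events.append(first.decode("ascii", "replace"))
    return events


def build_frame(src: str, dst: str, proto: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal frame for the sample capture (checksums left zero; the parser ignores them)."""
    if proto == "TCP":   # 20-byte header: data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:                # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     6 if proto == "TCP" else 17, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


# Constructed sample capture: a cleartext HTTP login, its reply, a DNS query, a command on port 4444.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.80", "TCP", 51000, 80,
                b"POST /login HTTP/1.1\r\nHost: target\r\n\r\nuser=bob&password=hunter2"),
    build_frame("10.0.0.80", "10.0.0.5", "TCP", 80, 51000, b"HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.53", "UDP", 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    build_frame("10.0.0.9", "10.0.0.5", "TCP", 4444, 51001, b"cat /etc/shadow\n"),
]

if __name__ == "__main__":
    for term, summ in alerts(SAMPLE_FRAMES):
        print(f"[ALERT] '{term}' in {summ}")
    print(http_events(SAMPLE_FRAMES))
    print(filter_summaries(SAMPLE_FRAMES, proto="udp", port=53))
```

Alert mode flags both the HTTP login and the command sent on port 4444 because it scans the raw payload rather than only HTTP, which is what makes a keyword list useful against CTF traffic on odd ports. Two limits worth knowing before trusting such a scan: it is per packet, so a term split across two TCP segments is missed unless the stream is reassembled first, and a real capture needs valid checksums and link-layer handling, which is exactly what scapy provides to Schnoz.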
I am planning on expanding this program.