Cybersecurity Project

PCAP-Based Network Intrusion Detection System (NIDS)

Offline packet analysis with custom detection rules

A Python NIDS that ingests .pcap files with Scapy, normalises packet metadata, and raises alerts for behaviours such as multi-port scans and traffic to risky services. Output is a skimmable alert stream using [ALERT]/[INFO] lines that analysts can copy straight into tickets.

Capabilities
  • Parses Ethernet/IP layers; extracts TCP/UDP headers and TCP flags.
  • Detects port scans via unique-port fan-out in a short time window.
  • Flags risky services (e.g., SMB/445, RDP/3389, Telnet/23, NTP/123).
  • Emits clear alerts + INFO lines with service names where known.
Flow: PCAP → parser → rules (scan + risky ports) → alert stream.

Overview

Purpose

Simulate SOC-style triage on captured traffic

The brief: build a NIDS that ingests a PCAP, extracts key fields, applies at least two detection rules, and prints clear alerts for suspicious patterns. I implemented scan detection (unique-port fan-out) and risky-service detection (sensitive/abused ports).

Tools & Technologies

  • Python 3.x, Scapy (rdpcap, layer access)
  • Custom rule engine: TCP SYN/UDP fan-out, risky-port list
  • Knowledge base: common vs suspicious TCP/UDP ports
Process

How it works

Parse → Detect → Report
  1. Parse PCAP. For each packet: capture timestamp, L2/L3/L4, src/dst, sport/dport, and TCP flags (if present). Normalise to a dict for easier counting.
  2. Detect port scans. Count unique destination ports per (src, dst, proto) within a short window; flag when the count reaches a threshold (default ≥10). For TCP, only SYN packets are counted, which keeps established connections from inflating the count.
  3. Detect risky services. Alert on connections to sensitive or commonly abused services (e.g., SMB/445, RDP/3389, Telnet/23, NTP/123).
  4. Emit alerts. Print concise [ALERT]/[INFO] lines with IPs, ports, protocol and reason. Group long port lists with an ellipsis for readability.
Data model & thresholds
  • Packet record: { ts, l3, l4, src, dst, sport, dport, tcp_flags }
  • Port scan: ≥10 unique dport to the same dst (per protocol) in a short window.
  • Risky services: match against curated TCP/UDP sets (SMB, RDP, Telnet, NTP, etc.).
Edge cases & performance
  • Skips packets with missing or truncated layers so that odd packets do not raise KeyError.
  • De-duplicates ports per (src,dst) to prevent inflated counts.
  • Truncates long port lists for skimmable console output.
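The rule engine described in the "How it works" steps and the edge-case list above, as an added example that is not the project's own code. It operates on the normalised packet records from the data model (the Scapy parsing step is assumed to have produced them), and the window length, the risky-port table and the sample records are constructed assumptions, not values from the project.

```python
from collections import defaultdict

SCAN_THRESHOLD = 10   # unique dports per (src, dst, proto) inside WINDOW (page default)
WINDOW = 5.0          # seconds; constructed value, the page gives no figure
SYN = 0x02            # TCP SYN flag bit
# Constructed risky-service table covering the services the page names
RISKY = {"tcp": {23: "telnet", 445: "smb", 3389: "rdp"}, "udp": {123: "ntp"}}

def detect(records):
    """Run the scan and risky-service rules over normalised packet records.

    Each record is a dict {ts, l3, l4, src, dst, sport, dport, tcp_flags};
    returns the [ALERT]/[INFO] lines in the order they would be printed."""
    out = []
    fanout = defaultdict(list)   # (src, dst, proto) -> [(ts, dport), ...]
    scanned = set()              # flows already reported, so a scan alerts once
    for r in records:
        proto = r.get("l4")
        if proto not in ("tcp", "udp") or r.get("dport") is None:
            continue             # incomplete layer: skip instead of KeyError
        if proto == "udp" or ((r.get("tcp_flags") or 0) & SYN):
            key = (r["src"], r["dst"], proto)
            hist = fanout[key]
            hist.append((r["ts"], r["dport"]))
            while hist and r["ts"] - hist[0][0] > WINDOW:
                hist.pop(0)      # drop hits that fell out of the time window
            ports = sorted({p for _, p in hist})   # de-duplicated per flow
            if len(ports) >= SCAN_THRESHOLD and key not in scanned:
                scanned.add(key)
                shown = ", ".join(map(str, ports[:5]))
                shown += ", ..." if len(ports) > 5 else ""   # keep output skimmable
                out.append(f"[ALERT] port scan {key[0]} -> {key[1]} {proto} "
                           f"{len(ports)} unique ports: {shown}")
        svc = RISKY[proto].get(r["dport"])
        if svc:
            out.append(f"[ALERT] risky service {r['src']}:{r['sport']} -> "
                       f"{r['dst']}:{r['dport']} {proto}")
            out.append(f"[INFO] {r['dport']}/{proto} is {svc}")
    return out

# Constructed sample: a SYN sweep of 12 ports, then a later RDP connection
SAMPLE = [{"ts": 1.0 + i * 0.1, "l3": "ip", "l4": "tcp", "src": "10.0.0.5",
           "dst": "10.0.0.9", "sport": 40000 + i, "dport": 20 + i, "tcp_flags": SYN}
          for i in range(12)]
SAMPLE.append({"ts": 9.0, "l3": "ip", "l4": "tcp", "src": "10.0.0.5",
               "dst": "10.0.0.9", "sport": 50000, "dport": 3389, "tcp_flags": SYN})

if __name__ == "__main__":
    print("\n".join(detect(SAMPLE)))
```

The RDP packet at ts 9.0 falls outside the window, so it only triggers the risky-service rule and does not extend the scan count.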

Run & Usage

One prompt, immediate alerts
# From project root
python main.py

# Prompt:
# Please enter the pcap file to be scanned:
# (example) example.pcap

# The system parses the PCAP and streams [ALERT]/[INFO] lines.

Example Output

Readable alerts for quick triage
Example alert stream - short
Example alert stream - long

Reflection

What I learned & next steps
  • Takeaway: simple, explainable rules (SYN fan-out + risky services) catch noisy attacker behaviour quickly.
  • Challenges: de-duplicating ports per flow, handling mixed TCP/UDP captures, and keeping console output skimmable.
  • Future improvements: CSV/JSON export, time-windowed thresholds, per-host summaries, and optional intel enrichment.