Skip to content

Feature: Cross-Platform Support (Scapy), IPv6 Dissection, and Stateful Ping Flood IDS#13

Open
Alisson-San wants to merge 1 commit into
buckyroberts:masterfrom
Alisson-San:master
Open

Feature: Cross-Platform Support (Scapy), IPv6 Dissection, and Stateful Ping Flood IDS#13
Alisson-San wants to merge 1 commit into
buckyroberts:masterfrom
Alisson-San:master

Conversation

@Alisson-San

Copy link
Copy Markdown

Hello! First of all, thank you for providing such a solid and educational baseline project. We recently used this repository as the foundation for an advanced Computer Networks university project.To meet our academic requirements and improve the tool's real-world applicability, we refactored the capture engine to support Windows and transformed the passive sniffer into an active, stateful Intrusion Detection System (IDS). We'd love to contribute these upgrades back to the community.🚀 Key Features & ChangesCross-Platform Compatibility:Replaced the Linux-only socket.AF_PACKET implementation with the scapy library's sniff() function.The project now runs natively on Windows (via Npcap) and Linux/WSL. We maintained your original protocol dissection classes by extracting the raw bytes (raw(packet)) from Scapy to feed your existing architecture.Stateful Ping Flood Detection (IDS):Added active monitoring for ICMP (IPv4) and ICMPv6 (IPv6) Echo Requests.Implemented a Time Window (Sliding Window) algorithm using Python's deque. Instead of just counting packets, the system calculates the time delta ($\Delta T$) between packets to identify anomalous Rate Limiting (default PoC threshold: 10 packets in <= 3.0 seconds).IPv6 & Extension Headers Traversal:Created a new ipv6.py module to parse IPv6 packets.Implemented a dynamic byte-traversal algorithm to navigate through IPv6 Extension Headers (Routing, Fragment, etc.). It calculates the offset (Hdr Ext Len + 1) * 8 to accurately locate the encapsulated ICMPv6 payload, preventing evasion techniques.Memory Management (Garbage Collection):Added a background cleanup routine that periodically purges inactive IP addresses from the tracking dictionary, preventing RAM exhaustion during long-term monitoring.Structured Logging (JSONL):Security alerts are now simultaneously displayed in the console (in red) and exported to a security_alerts.jsonl file, making the tool ready for SIEM and analytical dashboard ingestion.🧠 Technical Architecture OverviewThe security module acts strictly as an IDS (not an IPS) to avoid accidental Denial of Service on legitimate NAT networks. It reads eth.proto, identifies the network layer, traverses headers until it finds icmp.type == 8 or icmpv6.type == 128, and manages timestamps in a defaultdict(deque).🧪 How to TestInstall requirements: pip install scapyRun the application as Administrator/Root: sudo python3 sniffer.pyLegitimate Traffic (False Positive Test):Run a standard ping: ping 8.8.8.8Expected: The sniffer prints the packet tree but does NOT trigger an alert (1 packet/sec does not break the time window).Flood Attack (Anomaly Test):From another terminal, run an aggressive ping: sudo ping -f <TARGET_IP> or ping -i 0.2 <TARGET_IP>Expected: The queue fills up instantly, the $\Delta T \le 3.0s$ condition is met, the critical alert banner is displayed, and the event is logged to the .jsonl file.Thank you again for the great starting point. Let us know if you need any adjustments or further documentation on these changes!Signed-off-by: Alisson Rodrigo dos Santos & Julio César Zeni Finatto

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant