Feature: Cross-Platform Support (Scapy), IPv6 Dissection, and Stateful Ping Flood IDS#13
Open
Alisson-San wants to merge 1 commit into
Open
Feature: Cross-Platform Support (Scapy), IPv6 Dissection, and Stateful Ping Flood IDS#13Alisson-San wants to merge 1 commit into
Alisson-San wants to merge 1 commit into
Conversation
… receive the latest features.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hello! First of all, thank you for providing such a solid and educational baseline project. We recently used this repository as the foundation for an advanced Computer Networks university project.To meet our academic requirements and improve the tool's real-world applicability, we refactored the capture engine to support Windows and transformed the passive sniffer into an active, stateful Intrusion Detection System (IDS). We'd love to contribute these upgrades back to the community.🚀 Key Features & ChangesCross-Platform Compatibility:Replaced the Linux-only socket.AF_PACKET implementation with the scapy library's sniff() function.The project now runs natively on Windows (via Npcap) and Linux/WSL. We maintained your original protocol dissection classes by extracting the raw bytes (raw(packet)) from Scapy to feed your existing architecture.Stateful Ping Flood Detection (IDS):Added active monitoring for ICMP (IPv4) and ICMPv6 (IPv6) Echo Requests.Implemented a Time Window (Sliding Window) algorithm using Python's deque. Instead of just counting packets, the system calculates the time delta ($\Delta T$ ) between packets to identify anomalous Rate Limiting (default PoC threshold: 10 packets in <= 3.0 seconds).IPv6 & Extension Headers Traversal:Created a new ipv6.py module to parse IPv6 packets.Implemented a dynamic byte-traversal algorithm to navigate through IPv6 Extension Headers (Routing, Fragment, etc.). It calculates the offset (Hdr Ext Len + 1) * 8 to accurately locate the encapsulated ICMPv6 payload, preventing evasion techniques.Memory Management (Garbage Collection):Added a background cleanup routine that periodically purges inactive IP addresses from the tracking dictionary, preventing RAM exhaustion during long-term monitoring.Structured Logging (JSONL):Security alerts are now simultaneously displayed in the console (in red) and exported to a security_alerts.jsonl file, making the tool ready for SIEM and analytical dashboard ingestion.🧠 Technical Architecture OverviewThe security module acts strictly as an IDS (not an IPS) to avoid accidental Denial of Service on legitimate NAT networks. It reads eth.proto, identifies the network layer, traverses headers until it finds icmp.type == 8 or icmpv6.type == 128, and manages timestamps in a defaultdict(deque).🧪 How to TestInstall requirements: pip install scapyRun the application as Administrator/Root: sudo python3 sniffer.pyLegitimate Traffic (False Positive Test):Run a standard ping: ping 8.8.8.8Expected: The sniffer prints the packet tree but does NOT trigger an alert (1 packet/sec does not break the time window).Flood Attack (Anomaly Test):From another terminal, run an aggressive ping: sudo ping -f <TARGET_IP> or ping -i 0.2 <TARGET_IP>Expected: The queue fills up instantly, the $\Delta T \le 3.0s$ condition is met, the critical alert banner is displayed, and the event is logged to the .jsonl file.Thank you again for the great starting point. Let us know if you need any adjustments or further documentation on these changes!Signed-off-by: Alisson Rodrigo dos Santos & Julio César Zeni Finatto