The main goal of this tool is to quickly analyze a pcap file in order to provide short metrics for the network and look for DDoS indicators. It currently detects only DNS- and ICMP-based attacks.
We strongly recommend the usage of pipenv. From the root project folder, run:

```sh
pipenv install
pipenv shell
python netlyzer/main.py -h
```
Please remember to insert your API keys into the config.yml file.
- Check IPs and domains against both VT and AbuseIPDB:

  ```sh
  python netlyzer/main.py -f ddos.pcap --check vt abuseipdb
  ```

- Plot fancy graphics:

  ```sh
  python netlyzer/main.py -f ddos.pcap --graph
  ```

- Show verbose reading of packets:

  ```sh
  python netlyzer/main.py -f ddos.pcap -v
  ```
Netlyzer was developed from scratch in Python 3.6, using scapy for packet parsing and visualization modules for the output. It parses the packets and looks for heuristics that might indicate malicious activity. Currently, Netlyzer will only check DNS and ICMP.

The tool is divided into the following components:
- Network Summary
- Network Viewer (netview)
- Malicious Checker (malchk)
The network summary component answers the following questions:
- How many DNS and ICMP packets are there in the capture?
- Which are the most active source IPs?
- Which are the most active dest IPs?
- Which are the most used domain names?
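The metrics the network summary component reports can be reproduced with a small pcap reader. The following is an added example written for this README, not Netlyzer's own code: it parses a classic (libpcap) capture with pure-Python `struct` unpacking instead of scapy, counts DNS and ICMP packets, and ranks source IPs, destination IPs and queried domain names. The capture it analyzes is constructed inline (DNS queries from `10.0.0.5` and `10.0.0.7`, ICMP echo requests from `10.0.0.9`), so it runs offline; pass a real pcap path on the command line to summarize a file instead.

```python
"""Netlyzer-style network summary from a pcap, using only the standard library.

Added example for this README (not Netlyzer's own code). Only classic pcap
files with Ethernet link type are handled; pcapng and non-IPv4 frames are
skipped. Sample frames below are constructed so the script runs offline.
"""
import socket
import struct
import sys
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4  # bytes d4 c3 b2 a1 on disk


# --- constructing a small capture (test data only) ---------------------------
def _ethernet():
    # Dummy MAC addresses, EtherType 0x0800 (IPv4)
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"


def _ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at zero (never sent on a wire)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def _encode_qname(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_dns_query(src, dst, qname):
    # DNS header: id, flags=standard query, qdcount=1; one A/IN question
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    dns += _encode_qname(qname) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    return _ethernet() + _ipv4_header(src, dst, 17, len(udp)) + udp


def build_icmp_echo(src, dst):
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"x" * 8  # echo request
    return _ethernet() + _ipv4_header(src, dst, 1, len(icmp)) + icmp


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# --- reading and summarizing -------------------------------------------------
def iter_pcap_frames(pcap_bytes):
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    pos = 24
    while pos + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])
        pos += 16
        yield pcap_bytes[pos:pos + incl_len]
        pos += incl_len


def _question_name(dns):
    # Return the first question's name, or None if the message has no question
    if len(dns) < 13 or struct.unpack("!H", dns[4:6])[0] < 1:
        return None
    labels, offset = [], 12
    try:
        while True:
            length = dns[offset]
            if length == 0 or length & 0xC0:  # end of name or compression pointer
                break
            labels.append(dns[offset + 1:offset + 1 + length].decode("ascii", "replace"))
            offset += 1 + length
    except IndexError:
        return None
    return ".".join(labels) or None


def summarize(pcap_bytes, top=3):
    counts, src_ips, dst_ips, domains = Counter(), Counter(), Counter(), Counter()
    for frame in iter_pcap_frames(pcap_bytes):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        proto, src, dst = frame[23], socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto == 1:
            counts["icmp"] += 1
        elif proto == 17 and len(l4) >= 8 and 53 in struct.unpack("!HH", l4[:4]):
            counts["dns"] += 1
            qname = _question_name(l4[8:])
            if qname:
                domains[qname] += 1
        else:
            continue  # Netlyzer only looks at DNS and ICMP
        src_ips[src] += 1
        dst_ips[dst] += 1
    return {"dns": counts["dns"], "icmp": counts["icmp"],
            "top_src": src_ips.most_common(top), "top_dst": dst_ips.most_common(top),
            "top_domains": domains.most_common(top)}


# Constructed capture: 3 + 1 DNS queries and 2 ICMP echo requests
SAMPLE_PCAP = build_pcap(
    [build_dns_query("10.0.0.5", "8.8.8.8", "example.com")] * 3
    + [build_dns_query("10.0.0.7", "8.8.8.8", "victim.example")]
    + [build_icmp_echo("10.0.0.9", "192.0.2.1")] * 2)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for key, value in summarize(data).items():
        print(f"{key}: {value}")
```

The summary counts a packet toward the IP rankings only when it is DNS or ICMP, mirroring the tool's current scope; widening `summarize` to other protocols is a matter of adding branches on `proto`.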
The netview component provides visualization for the gathered metrics. Currently, it is responsible for plotting result tables and the IP activity graph.
The malchk component checks the IPs and domains against external databases to detect malicious entities. It currently uses the VirusTotal and AbuseIPDB APIs.
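The reputation check that malchk performs can be written against the two public APIs with nothing but the standard library. The block below is an added example for this README, not Netlyzer's own code: `vt_lookup` and `abuseipdb_lookup` call the VirusTotal v3 and AbuseIPDB v2 endpoints, and `classify` combines a VirusTotal `last_analysis_stats` block and an AbuseIPDB `abuseConfidenceScore` into one verdict. The thresholds (`vt_threshold`, `abuse_threshold`) and the sample response dictionaries are assumptions constructed for the example, and because the README does not document the layout of config.yml the API keys are passed in as arguments rather than read from it.

```python
"""Reputation lookups in the style of Netlyzer's malchk component.

Added example for this README (not Netlyzer's own code). The live lookups need
network access and valid API keys; the scoring logic runs offline against the
constructed sample responses at the bottom.
"""
import json
import urllib.parse
import urllib.request

VT_BASE = "https://www.virustotal.com/api/v3"
ABUSEIPDB_CHECK = "https://api.abuseipdb.com/api/v2/check"


def _get_json(url, headers, timeout=10):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def vt_lookup(indicator, api_key, kind="ip"):
    # kind "ip" -> /ip_addresses/{ip}, anything else -> /domains/{domain}
    path = "ip_addresses" if kind == "ip" else "domains"
    url = f"{VT_BASE}/{path}/{urllib.parse.quote(indicator)}"
    return _get_json(url, {"x-apikey": api_key, "Accept": "application/json"})


def abuseipdb_lookup(ip, api_key, max_age_days=90):
    query = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days})
    return _get_json(f"{ABUSEIPDB_CHECK}?{query}",
                     {"Key": api_key, "Accept": "application/json"})


def vt_malicious_votes(vt_response):
    # Number of engines that rated the object malicious or suspicious
    stats = vt_response.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    return int(stats.get("malicious", 0)) + int(stats.get("suspicious", 0))


def abuseipdb_score(abuse_response):
    # AbuseIPDB's 0-100 confidence that the address is abusive
    return int(abuse_response.get("data", {}).get("abuseConfidenceScore", 0))


def classify(vt_response=None, abuse_response=None, vt_threshold=2, abuse_threshold=50):
    """Flag the indicator when either source crosses its (assumed) threshold."""
    reasons = []
    if vt_response is not None:
        votes = vt_malicious_votes(vt_response)
        if votes >= vt_threshold:
            reasons.append(f"virustotal: {votes} engines flag it")
    if abuse_response is not None:
        score = abuseipdb_score(abuse_response)
        if score >= abuse_threshold:
            reasons.append(f"abuseipdb: confidence {score}%")
    return {"malicious": bool(reasons), "reasons": reasons}


def check_indicators(indicators, vt_key, abuse_key):
    """Live lookup for (kind, value) pairs, e.g. [("ip", "192.0.2.10"), ("domain", "example.com")]."""
    results = {}
    for kind, value in indicators:
        vt = vt_lookup(value, vt_key, kind)
        abuse = abuseipdb_lookup(value, abuse_key) if kind == "ip" else None  # AbuseIPDB is IP-only
        results[value] = classify(vt, abuse)
    return results


# Constructed sample responses following the two APIs' documented shapes
SAMPLE_VT_CLEAN = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 70, "malicious": 0, "suspicious": 0, "undetected": 20}}}}
SAMPLE_VT_BAD = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 40, "malicious": 9, "suspicious": 2, "undetected": 30}}}}
SAMPLE_ABUSE_CLEAN = {"data": {"ipAddress": "192.0.2.10", "abuseConfidenceScore": 0, "totalReports": 0}}
SAMPLE_ABUSE_BAD = {"data": {"ipAddress": "198.51.100.23", "abuseConfidenceScore": 100, "totalReports": 57}}

if __name__ == "__main__":
    print("clean:", classify(SAMPLE_VT_CLEAN, SAMPLE_ABUSE_CLEAN))
    print("bad:  ", classify(SAMPLE_VT_BAD, SAMPLE_ABUSE_BAD))
```

Keeping the scoring separate from the HTTP calls means the verdict logic can be unit-tested with captured responses, and the thresholds can be tuned per environment without touching the lookup code.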