🕵️ Silent Sniffer: Catching SYN Scans and ARP Spoofing with Python

kelvin beno

So it begins


🚨 What’s the Problem?

Some of the most dangerous attacks don’t make a lot of noise. Instead, they quietly scan your network or impersonate other devices to intercept your traffic. Two examples of this are:

  • SYN scanning, where a device sends a burst of TCP connection attempts to find open ports.

  • ARP spoofing, where a machine sends fake ARP replies to hijack traffic.

To detect this kind of stealthy behavior, a Python script was built to analyze .pcap (packet capture) files and automatically flag suspicious patterns. If you don't have a capture of your own, you can download a sample .pcap file from the internet.


🔧 How It Works

The script uses the dpkt library to read through the captured packets and look for:

  • SYN scanners: Any IP that sends more than 5 SYN packets (with no ACK flag) and receives very few or no SYN-ACK responses.

  • ARP spoofers: Any MAC address that sends multiple ARP replies that were never requested.

This helps identify machines that might be probing the network or impersonating others.
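The two heuristics above, carried through as an added stand-alone example (this is not the author's detector.py). To keep it runnable with nothing installed it reads a classic pcap with the standard library's struct module rather than dpkt, decodes only the Ethernet, ARP, IPv4 and TCP fields the checks need, and builds its own small sample capture in memory. The frame builders, the MAC and IP addresses, and the reading of "very few SYN-ACKs" as fewer than half of the SYNs sent are my assumptions, not the author's.

```python
import struct
from collections import defaultdict

ETH_IP, ETH_ARP, SYN, ACK = 0x0800, 0x0806, 0x02, 0x10
ARP_REQUEST, ARP_REPLY = 1, 2
SYN_THRESHOLD = 5   # page rule: more than 5 SYNs with no ACK flag
ARP_THRESHOLD = 5   # page rule: more than 5 replies nobody requested


def mac(s):  # "aa:bb:cc:dd:ee:ff" -> 6 bytes
    return bytes.fromhex(s.replace(":", ""))


def ip(s):  # "10.0.0.1" -> 4 bytes
    return bytes(int(o) for o in s.split("."))


def eth(src, dst, etype, payload):  # builders below only construct the sample capture
    return mac(dst) + mac(src) + struct.pack("!H", etype) + payload


def tcp_frame(src_mac, src_ip, dst_ip, dport, flags, sport=40000):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip(src_ip), ip(dst_ip))
    return eth(src_mac, "02:00:00:00:00:ff", ETH_IP, iph + tcp)  # dst MAC is irrelevant to the checks


def arp_frame(op, sha, spa, tha, tpa):
    body = struct.pack("!HHBBH", 1, ETH_IP, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth(sha, tha if op == ARP_REPLY else "ff:ff:ff:ff:ff:ff", ETH_ARP, body)


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, linktype Ethernet
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))


def iter_pcap(data):  # yields raw frames from a classic pcap; byte order comes from the magic number
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled)")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):  # decode only what the detectors need: ARP op/sender, or TCP src/dst/flags
    if len(frame) < 14:
        return None
    etype, p = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if etype == ETH_ARP and len(p) >= 28:
        op = struct.unpack("!H", p[6:8])[0]
        sha = ":".join(f"{b:02x}" for b in p[8:14])
        return ("arp", op, sha, ".".join(map(str, p[14:18])), ".".join(map(str, p[24:28])))
    if etype == ETH_IP and len(p) >= 20 and p[9] == 6:  # IP protocol 6 = TCP
        ihl = (p[0] & 0x0F) * 4
        if len(p) >= ihl + 14:
            return ("tcp", ".".join(map(str, p[12:16])), ".".join(map(str, p[16:20])), p[ihl + 13])
    return None


def detect(pcap_bytes):
    """Return (syn_scanners, arp_spoofers) as sorted lists, following the two heuristics on the page."""
    bare_syn = defaultdict(int)     # src ip -> SYNs sent without ACK
    synack = defaultdict(int)       # dst ip -> SYN-ACKs received
    pending = defaultdict(int)      # queried ip -> ARP requests still unanswered
    unsolicited = defaultdict(int)  # sender mac -> replies with no matching request
    for rec in filter(None, map(parse_frame, iter_pcap(pcap_bytes))):
        if rec[0] == "tcp":
            _, src, dst, flags = rec
            if flags & SYN and not flags & ACK:
                bare_syn[src] += 1
            elif flags & SYN and flags & ACK:
                synack[dst] += 1
        else:
            _, op, sha, spa, tpa = rec
            if op == ARP_REQUEST:
                pending[tpa] += 1
            elif op == ARP_REPLY and pending[spa] > 0:
                pending[spa] -= 1          # answers a who-has that is still open
            elif op == ARP_REPLY:
                unsolicited[sha] += 1      # nobody asked: gratuitous or spoofed
    # "very few SYN-ACKs" is read here as fewer than half of the SYNs sent (my assumption)
    scanners = sorted(s for s, n in bare_syn.items() if n > SYN_THRESHOLD and synack[s] * 2 < n)
    spoofers = sorted(m for m, n in unsolicited.items() if n > ARP_THRESHOLD)
    return scanners, spoofers


def sample_capture():
    """Constructed capture: a port scanner, a normal client, an ARP spoofer and one honest ARP exchange."""
    frames = [tcp_frame("aa:aa:aa:00:00:09", "10.0.0.9", "10.0.0.20", port, SYN) for port in (21, 22, 23, 25, 80, 443, 8080)]
    frames.append(tcp_frame("aa:aa:aa:00:00:20", "10.0.0.20", "10.0.0.9", 40000, SYN | ACK))  # only one port answers
    for _ in range(6):  # the client completes every handshake: SYN, SYN-ACK, ACK
        frames += [tcp_frame("aa:aa:aa:00:00:05", "10.0.0.5", "10.0.0.21", 443, SYN),
                   tcp_frame("aa:aa:aa:00:00:21", "10.0.0.21", "10.0.0.5", 40000, SYN | ACK),
                   tcp_frame("aa:aa:aa:00:00:05", "10.0.0.5", "10.0.0.21", 443, ACK)]
    frames += [arp_frame(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", "aa:aa:aa:00:00:05", "10.0.0.5")] * 6  # unasked
    frames.append(arp_frame(ARP_REQUEST, "aa:aa:aa:00:00:05", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"))
    frames.append(arp_frame(ARP_REPLY, "02:42:ac:00:00:01", "10.0.0.1", "aa:aa:aa:00:00:05", "10.0.0.5"))
    return build_pcap(frames)


if __name__ == "__main__":
    import sys
    scanners, spoofers = detect(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture())
    print("SYN scanners:", *scanners, "\nARP spoofers:", *spoofers, sep="\n")
```

Run it with no arguments to see the built-in sample flagged, or pass a .pcap path to scan a real capture. The client at 10.0.0.5 sends just as many SYNs as the scanner but is not flagged, because every one of them is answered with a SYN-ACK; that second condition is what keeps a busy but legitimate host out of the list. The ARP check keys "requested" on the IP being asked for, so a reply is only counted as unsolicited when no who-has for that IP is outstanding at the time it arrives.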


🧪 Real Example (Simplified)

When analyzing a captured file, the tool produces output like this:

SYN scanners:
128.3.23.117
128.3.23.5

ARP spoofers:
80:0b:98:3b:b9:ec
7c:d1:c3:94:9e:b8

In this case:

  • The IPs 128.3.23.117 and 128.3.23.5 were flagged for sending multiple SYNs without completing handshakes — a common sign of port scanning.

  • The MACs 80:0b:98:3b:b9:ec and 7c:d1:c3:94:9e:b8 sent over 5 ARP replies each, none of which were requested — a red flag for spoofing.


💻 How to Set It Up (with Virtual Environment)

To keep your environment clean and avoid version conflicts, it’s best to use a Python virtual environment:

1. Create a Virtual Environment

python3 -m venv venv

2. Activate the Environment

  • On Linux/macOS:

      source venv/bin/activate

  • On Windows:

      venv\Scripts\activate

You’ll know it worked if your terminal shows (venv) before the prompt.

3. Install Dependencies

pip install dpkt

▶️ Run the Detector

With everything set up, run the script:

python3 detector.py sample.pcap

The tool will scan the packet file and print any suspicious IP and MAC addresses it detects.


🧠 Why It Matters

This tool makes it easy to catch early signs of malicious activity hidden in network traffic. Whether you're monitoring a real system or learning about cybersecurity, analyzing packets gives you valuable insights into what’s really going on under the hood.
A light take on network security. Till next time, folks, happy coding.
