🕵️ Silent Sniffer: Catching SYN Scans and ARP Spoofing with Python


So it begins
🚨 What’s the Problem?
Some of the most dangerous attacks don’t make a lot of noise. Instead, they quietly scan your network or impersonate other devices to intercept your traffic. Two examples of this are:
SYN scanning, where a device sends a burst of TCP connection attempts to find open ports.
ARP spoofing, where a machine sends fake ARP replies to hijack traffic.
To detect this kind of stealthy behavior, a Python script was built to analyze .pcap (packet capture) files and automatically flag suspicious patterns.
You can download a sample .pcap file from the internet to try it on.
🔧 How It Works
The script uses the dpkt library to read through the captured packets and look for:
SYN scanners: Any IP that sends more than 5 SYN packets (with no ACK flag), and receives very few or no SYN-ACK responses.
ARP spoofers: Any MAC address that sends multiple ARP replies that were never requested.
This helps identify machines that might be probing the network or impersonating others.
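Below is an added, runnable sketch of those two heuristics. It is my example, not the author's detector.py: the counting logic works on small tuple records so it runs without a capture, and a separate dpkt adapter shows how such records come out of a .pcap. The one-third ratio used for "very few SYN-ACKs" and the sample traffic are my constructed assumptions.

```python
import socket
from collections import defaultdict

SYN_THRESHOLD, ARP_THRESHOLD = 5, 5   # page's rules: "more than 5" of each
TH_SYN, TH_ACK = 0x02, 0x10           # TCP flag bits
ARP_REQUEST, ARP_REPLY = 1, 2         # ARP opcodes

# Records: ("tcp", src_ip, dst_ip, flags) or ("arp", sender_mac, opcode, ip),
# where ip is the target of a request or the sender address in a reply.
def detect(records):
    """Return (syn_scanners, arp_spoofers), each a sorted list."""
    syn_sent, synack_recv = defaultdict(int), defaultdict(int)
    pending, unsolicited = set(), defaultdict(int)
    for kind, who, x, y in records:
        if kind == "tcp":
            if y & TH_SYN and not y & TH_ACK:
                syn_sent[who] += 1            # bare SYN from this IP
            elif y & TH_SYN and y & TH_ACK:
                synack_recv[x] += 1           # SYN-ACK delivered to dst IP x
        elif x == ARP_REQUEST:
            pending.add(y)                    # "who has y?" is now outstanding
        elif x == ARP_REPLY and y in pending:
            pending.discard(y)                # reply answers an outstanding request
        elif x == ARP_REPLY:
            unsolicited[who] += 1             # reply nobody asked for
    # "very few" SYN-ACKs is taken as fewer than a third of SYNs sent (assumption)
    scanners = sorted(ip for ip, n in syn_sent.items()
                      if n > SYN_THRESHOLD and 3 * synack_recv[ip] < n)
    spoofers = sorted(m for m, n in unsolicited.items() if n > ARP_THRESHOLD)
    return scanners, spoofers

def records_from_pcap(path):
    """Turn a real capture into records; dpkt is imported only here."""
    import dpkt
    with open(path, "rb") as f:
        for _, buf in dpkt.pcap.Reader(f):
            l3 = dpkt.ethernet.Ethernet(buf).data
            if isinstance(l3, dpkt.ip.IP) and isinstance(l3.data, dpkt.tcp.TCP):
                yield ("tcp", socket.inet_ntoa(l3.src), socket.inet_ntoa(l3.dst), l3.data.flags)
            elif isinstance(l3, dpkt.arp.ARP):
                ip = l3.tpa if l3.op == ARP_REQUEST else l3.spa
                yield ("arp", l3.sha.hex(":"), l3.op, socket.inet_ntoa(ip))

# Constructed sample: 6 bare SYNs answered by one SYN-ACK, one solicited ARP
# reply, and a MAC that sends 6 replies nobody requested.
SAMPLE = (
    [("tcp", "10.0.0.9", "10.0.0.1", TH_SYN)] * 6
    + [("tcp", "10.0.0.1", "10.0.0.9", TH_SYN | TH_ACK),
       ("arp", "aa:bb:cc:dd:ee:01", ARP_REQUEST, "10.0.0.1"),
       ("arp", "aa:bb:cc:dd:ee:02", ARP_REPLY, "10.0.0.1")]
    + [("arp", "aa:bb:cc:dd:ee:ff", ARP_REPLY, "10.0.0.1")] * 6
)
```

Calling detect(SAMPLE) returns (['10.0.0.9'], ['aa:bb:cc:dd:ee:ff']); for a real file use detect(records_from_pcap("sample.pcap")).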
🧪 Real Example (Simplified)
When analyzing a captured file, the tool produces output like this:
SYN scanners:
128.3.23.117
128.3.23.5
ARP spoofers:
80:0b:98:3b:b9:ec
7c:d1:c3:94:9e:b8
In this case:
The IPs 128.3.23.117 and 128.3.23.5 were flagged for sending multiple SYNs without completing handshakes, a common sign of port scanning.
The MACs 80:0b:98:3b:b9:ec and 7c:d1:c3:94:9e:b8 sent over 5 ARP replies each, none of which were requested, a red flag for spoofing.
💻 How to Set It Up (with Virtual Environment)
To keep your environment clean and avoid version conflicts, it’s best to use a Python virtual environment:
1. Create a Virtual Environment
python3 -m venv venv
2. Activate the Environment
On Linux/macOS:
source venv/bin/activate
On Windows:
venv\Scripts\activate
You’ll know it worked if your terminal shows (venv) before the prompt.
3. Install Dependencies
pip install dpkt
▶️ Run the Detector
With everything set up, run the script:
python3 detector.py sample.pcap
The tool will scan the packet file and print any suspicious IP and MAC addresses it detects.
🧠 Why It Matters
This tool makes it easy to catch early signs of malicious activity hidden in network traffic. Whether you're monitoring a real system or learning about cybersecurity, analyzing packets gives you valuable insights into what’s really going on under the hood.
A light take on network security. Till next time, folks, happy coding.
kelvin beno
I am a developer from Kenya, passionate about Building software that can shape and change lives for the better