🕵️ Silent Sniffer: Catching SYN Scans and ARP Spoofing with Python

kelvin benokelvin beno
2 min read

So it begins

🚨 What’s the Problem?

Some of the most dangerous attacks don’t make a lot of noise. Instead, they quietly scan your network or impersonate other devices to intercept your traffic. Two examples of this are:

  • SYN scanning, where a device sends a burst of TCP connection attempts to find open ports.

  • ARP spoofing, where a machine sends fake ARP replies to hijack traffic.

To detect this kind of stealthy behavior, a Python script was built to analyze .pcap (packet capture) files and automatically flag suspicious patterns.
You can download a .pacp file from the internet.

🔧 How It Works

The script uses the dpkt library to read through the captured packets and look for:

  • SYN scanners: Any IP that sends more than 5 SYN packets (with no ACK flag), and receives very few or no SYN-ACK responses.

  • ARP spoofers: Any MAC address that sends multiple ARP replies that were never requested.

This helps identify machines that might be probing the network or impersonating others.

🧪 Real Example (Simplified)

When analyzing a captured file, the tool produces output like this:

SYN scanners:
128.3.23.117
128.3.23.5

ARP spoofers:
80:0b:98:3b:b9:ec
7c:d1:c3:94:9e:b8

In this case:

  • The IPs 128.3.23.117 and 128.3.23.5 were flagged for sending multiple SYNs without completing handshakes — a common sign of port scanning.

  • The MACs 80:0b:98:3b:b9:ec and 7c:d1:c3:94:9e:b8 sent over 5 ARP replies each, none of which were requested — a red flag for spoofing.

đź’» How to Set It Up (with Virtual Environment)

To keep your environment clean and avoid version conflicts, it’s best to use a Python virtual environment:

1. Create a Virtual Environment

python3 -m venv venv

2. Activate the Environment

  • On Linux/macOS:

      source venv/bin/activate

  • On Windows:

      venv\Scripts\activate

You’ll know it worked if your terminal shows (venv) before the prompt.

3. Install Dependencies

pip install dpkt

▶️ Run the Detector

With everything set up, run the script:

python3 detector.py sample.pcap

The tool will scan the packet file and print any suspicious IP and MAC addresses it detects.

🧠 Why It Matters

This tool makes it easy to catch early signs of malicious activity hidden in network traffic. Whether you're monitoring a real system or learning about cybersecurity, analyzing packets gives you valuable insights into what’s really going on under the hood.
A light take on network security. Till next time folks happy coding.

0
Subscribe to my newsletter

Read articles from kelvin beno directly inside your inbox. Subscribe to the newsletter, and don't miss out.

networkingPythonPython 3pipsoftware developmentSecurity

Written by

kelvin beno
kelvin beno

I am a developer from Kenya, passionate about Building software that can shape and change lives for the better