Behavioral network exploit detector for macOS home networks. Uses tcpdump
as a capture backend and analyzes live traffic for interaction-level anomalies
that indicate exploitation in progress — not hash or signature matching.
Most IDS tools match packet content against a database of known-bad signatures.
This tool takes a different approach: it watches how hosts are behaving and
flags traffic patterns that are structurally consistent with attacks regardless
of payload content. Every finding includes verbatim tcpdump evidence so you
can judge it yourself.
The pipeline has three stages:

```
tcpdump (subprocess) ──► TcpdumpParser ──► DetectionEngine ──► Report
raw text output,         per-packet        16 stateful        .txt
streamed live            structs           detectors
```
| # | Module | Technique | Severity |
|---|---|---|---|
| 1 | Port Scan | ≥15 unique dst-ports from one source in 10s | HIGH |
| 2 | SYN Flood | ≥40 half-open SYNs/sec from one source | CRITICAL |
| 3 | ARP Poisoning | IP→MAC flips, gratuitous reply storms | CRITICAL |
| 4 | DNS Tunneling | Labels >40 chars, Shannon entropy ≥3.8, query flood | HIGH |
| 5 | ICMP Anomaly | Payloads >256B (tunneling), flood rate | HIGH |
| 6 | TCP Flag Abuse | Xmas (FPU), NULL scan, RST/FIN flood | HIGH |
| 7 | Lateral Movement | One internal host contacting ≥8 others in 15s | HIGH |
| 8 | C2 Beaconing | Regular-interval SYNs to same external host (CV ≤0.15) | CRITICAL |
| 9 | Data Exfiltration | >5MB outbound to single external IP in 60s | HIGH |
| 10 | Connection Flood | >50 new connections/sec to single dst:port | CRITICAL |
| 11 | Slow Loris | ≥10 simultaneous half-open connections to same server | HIGH |
| 12 | HTTP Exploit Probes | SQLi, directory traversal, Log4Shell, Shellshock in payload | CRITICAL/HIGH |
| 13 | Cleartext Credentials | HTTP Basic Auth, FTP PASS, Telnet password in plaintext | HIGH |
| 14 | SSL Downgrade | SSLv2/3 hello negotiation (POODLE/BEAST vectors) | HIGH |
| 15 | LLMNR / NBT-NS Abuse | Responder-style poisoner activity on ports 5355/137 | MEDIUM |
| 16 | NTP / SSDP Amplification | monlist probes, SSDP M-SEARCH recon | HIGH/LOW |
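The first two pipeline stages and the Port Scan row, as an added example rather than the project's own code: a parser that turns `tcpdump -n -l` text lines into a `PacketInfo` struct, and a sliding-window detector that applies the table's ≥15 unique destination ports in 10 s rule and keeps the verbatim lines as evidence. The regex, the field names, the `Finding` shape and the sample capture are all assumptions about tcpdump's default output format, not the tool's real implementation.

```python
"""Added example (not the project's code): tcpdump text line -> PacketInfo ->
stateful port-scan detector. Assumes tcpdump -n -l default timestamp output."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional

# tcpdump -n prints IPv4 TCP/UDP as: "HH:MM:SS.uuuuuu IP a.b.c.d.sport > e.f.g.h.dport: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")  # present only on TCP lines


@dataclass
class PacketInfo:
    ts: float      # seconds since midnight
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"
    flags: str     # TCP flags as tcpdump prints them: "S", "S.", "FPU", "."
    raw: str       # verbatim line, kept as evidence


@dataclass
class Finding:
    severity: str
    module: str
    src: str
    description: str
    evidence: List[str]


def parse_line(line: str) -> Optional[PacketInfo]:
    """IPv4 TCP/UDP lines become PacketInfo; ARP, ICMP and IPv6 lines return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    f = FLAGS_RE.search(m["rest"])
    return PacketInfo(int(h) * 3600 + int(mi) * 60 + float(s), m["src"], int(m["sport"]),
                      m["dst"], int(m["dport"]), "tcp" if f else "udp",
                      f["flags"] if f else "", line.strip())


class PortScanDetector:
    """Fires when one source SYNs >= UNIQUE_PORTS distinct ports inside a WINDOW_S sliding window."""
    WINDOW_S = 10.0
    UNIQUE_PORTS = 15

    def __init__(self) -> None:
        self._syns = defaultdict(deque)  # src -> (ts, dport, raw), oldest first
        self._alerted = set()            # one finding per source, not one per packet

    def feed(self, p: PacketInfo) -> Optional[Finding]:
        if p.proto != "tcp" or p.flags != "S":   # pure SYN only; "S." is the peer's SYN-ACK
            return None
        q = self._syns[p.src]
        q.append((p.ts, p.dport, p.raw))
        while q and p.ts - q[0][0] > self.WINDOW_S:  # drop packets that left the window
            q.popleft()
        ports = {dport for _, dport, _ in q}
        if len(ports) < self.UNIQUE_PORTS or p.src in self._alerted:
            return None
        self._alerted.add(p.src)
        return Finding("HIGH", "Port Scan", p.src,
                       f"{p.src} sent SYNs to {len(ports)} distinct ports within {self.WINDOW_S:.0f}s",
                       [raw for _, _, raw in q][-5:])


def run(lines: List[str]) -> List[Finding]:
    det, findings = PortScanDetector(), []
    for line in lines:
        p = parse_line(line)
        f = det.feed(p) if p else None
        if f:
            findings.append(f)
    return findings


def sample_capture(scan_spacing_s: float = 0.2) -> List[str]:
    """Constructed lines: .77 sweeps 20 ports on .10 (all RST'd), .42 browses and resolves normally."""
    lines = []
    for i in range(20):
        t = f"14:32:{7 + i * scan_spacing_s:09.6f}"
        lines.append(f"{t} IP 192.168.1.77.{41000 + i} > 192.168.1.10.{20 + i}: Flags [S], seq {1000 + i}, win 65535, length 0")
        lines.append(f"{t} IP 192.168.1.10.{20 + i} > 192.168.1.77.{41000 + i}: Flags [R.], seq 0, ack {1001 + i}, win 0, length 0")
    for i in range(5):  # five SYNs to the same port is not a scan
        lines.append(f"14:32:{8 + i:02d}.000000 IP 192.168.1.42.{52000 + i} > 142.250.72.14.443: Flags [S], seq {5000 + i}, win 65535, length 0")
    lines.append("14:32:09.100000 IP 192.168.1.42.5353 > 8.8.8.8.53: 12345+ A? example.com. (29)")
    lines.append("14:32:09.200000 IP 192.168.1.42 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64")
    return lines


if __name__ == "__main__":
    for f in run(sample_capture()):
        print(f"{f.severity} [{f.module}] {f.description}\n  " + "\n  ".join(f.evidence))
```

Spacing the same 20 SYNs one second apart (`sample_capture(1.0)`) never puts 15 distinct ports inside the 10 s window, so nothing fires; that is the trade-off the window size encodes, since a slow scanner stays under it.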
- macOS (tested on Ventura / Sonoma)
- Python 3.8 or later
- Xcode Command Line Tools (provides the `python3` command; `tcpdump` itself ships with macOS at `/usr/sbin/tcpdump`)
- sudo / root access for packet capture
- No third-party Python libraries required

To install the Command Line Tools:

```bash
xcode-select --install
```

Click Install in the dialog that appears (not "Get Xcode"). Takes ~5 minutes.
```bash
# Capture for 2 minutes on the auto-detected interface (default)
sudo python3 net_exploit_detector.py

# Specify interface and duration
sudo python3 net_exploit_detector.py -i en0 -d 300

# Print findings to stdout as they are detected
sudo python3 net_exploit_detector.py -v

# Specify your LAN subnet prefix explicitly
sudo python3 net_exploit_detector.py -n 192.168.1 -d 120

# Write report to a custom filename
sudo python3 net_exploit_detector.py -o /tmp/my_report.txt

# List available interfaces
sudo python3 net_exploit_detector.py --list-interfaces

# Quick shorthand: positional duration argument
sudo python3 net_exploit_detector.py 60
```

| Flag | Default | Description |
|---|---|---|
| `-i` / `--interface` | auto-detected | Network interface to capture on |
| `-d` / `--duration` | 120 | Capture duration in seconds |
| `-o` / `--output` | auto-named | Output report file path |
| `-n` / `--network` | auto-detected | Home LAN prefix, e.g. 192.168.1 |
| `-v` / `--verbose` | off | Print findings to stdout in real time |
| `--list-interfaces` | — | Print available interfaces and exit |
The report is written to a plain-text file named
net_exploit_report_YYYYMMDD_HHMMSS.txt (unless overridden with -o).
It contains:
- Capture metadata — interface, duration, packet count, finding counts
- Summary table — all findings grouped by severity with source/destination
- Detailed findings — one block per finding with description and verbatim tcpdump traffic evidence
- Methodology footnote — explains the behavioral approach and false-positive guidance
Example finding block:
```
────────────────────────────────────────────────────────────────────────────────
Finding #1  🔴 CRITICAL  [C2 Beaconing]
────────────────────────────────────────────────────────────────────────────────
Timestamp  : 14:32:07.441803
Source     : 192.168.1.42
Destination: 185.220.101.7:443

192.168.1.42 connecting to 185.220.101.7:443 every 30.1s (CV=0.021 ≤ 0.15)
— highly regular interval matches C2 heartbeat pattern

Traffic Evidence:
  Interval samples (s): [30.1, 29.9, 30.2, 30.0, 30.1, 30.0, 29.8, 30.2]
  Timestamps: [14:27:07, 14:27:37, 14:28:07, 14:28:37, ...]
```
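The statistic behind the finding above, as an added example and not the project's own `_check_beaconing`: per (source, external destination, port) the detector keeps outbound SYN timestamps, computes the coefficient of variation (population standard deviation divided by mean) of the gaps, and fires once the CV drops to the 0.15 tolerance. The `MIN_SAMPLES` and `MIN_INTERVAL_S` guards, the event tuple shape and the constructed traffic (a beacon, a browsing session, an internal cron job and a one-second keepalive burst) are assumptions; the LAN-prefix filter plays the role of the `-n` flag.

```python
"""Added example (not the project's code): coefficient-of-variation beacon detector
over constructed (ts, src, dst, dport) outbound-SYN events."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int]  # (src, dst, dport)


@dataclass
class BeaconFinding:
    src: str
    dst: str
    dport: int
    mean_interval: float
    cv: float
    intervals: List[float]   # what the report prints under "Traffic Evidence"


class BeaconDetector:
    MAX_CV = 0.15          # Thresholds.BEACON_JITTER_TOLERANCE
    MIN_SAMPLES = 8        # assumption: SYNs needed before the statistic is trusted
    MIN_INTERVAL_S = 5.0   # assumption: sub-5s cadences are retransmits/keepalives, not beacons

    def __init__(self, lan_prefix: str) -> None:
        self._lan = lan_prefix + "."
        self._syn_times: Dict[Key, List[float]] = defaultdict(list)
        self._alerted = set()

    def feed(self, ts: float, src: str, dst: str, dport: int) -> Optional[BeaconFinding]:
        """Call once per outbound SYN (tcpdump 'Flags [S]'). Fires at most once per key."""
        if not src.startswith(self._lan) or dst.startswith(self._lan):
            return None  # internal -> external only; internal sweeps belong to the lateral check
        key = (src, dst, dport)
        times = self._syn_times[key]
        times.append(ts)
        if len(times) < self.MIN_SAMPLES or key in self._alerted:
            return None
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(intervals)
        if mean < self.MIN_INTERVAL_S:
            return None
        cv = statistics.pstdev(intervals) / mean   # jitter relative to the period
        if cv > self.MAX_CV:
            return None
        self._alerted.add(key)
        return BeaconFinding(src, dst, dport, mean, cv, [round(i, 1) for i in intervals])


def _events(src: str, dst: str, dport: int, start: float, gaps: List[float]):
    """Expand inter-connection gaps into (ts, src, dst, dport) SYN events."""
    t, out = start, [(start, src, dst, dport)]
    for gap in gaps:
        t += gap
        out.append((t, src, dst, dport))
    return out


def sample_events() -> List[Tuple[float, str, str, int]]:
    """Constructed traffic: beacon, browsing session, internal cron job, keepalive burst."""
    ev = []
    ev += _events("192.168.1.42", "185.220.101.7", 443, 0.0, [30.1, 29.9, 30.2, 30.0, 30.1, 30.0, 29.8, 30.2])
    ev += _events("192.168.1.42", "142.250.72.14", 443, 2.0, [1.2, 45.0, 3.3, 120.0, 8.8, 60.1, 2.0, 33.0])
    ev += _events("192.168.1.42", "192.168.1.10", 22, 5.0, [30.0] * 8)
    ev += _events("192.168.1.42", "203.0.113.9", 80, 7.0, [1.0] * 8)
    return sorted(ev)


def detect(events, lan_prefix: str = "192.168.1") -> List[BeaconFinding]:
    det, found = BeaconDetector(lan_prefix), []
    for ts, src, dst, dport in events:
        f = det.feed(ts, src, dst, dport)
        if f:
            found.append(f)
    return found


if __name__ == "__main__":
    for f in detect(sample_events()):
        print(f"CRITICAL [C2 Beaconing] {f.src} -> {f.dst}:{f.dport} every {f.mean_interval:.1f}s (CV={f.cv:.3f})")
        print("  Interval samples (s):", f.intervals)
```

A Dropbox or telemetry client polling every 30 s produces exactly the same interval profile, which is why the finding reports the destination and the raw intervals rather than a verdict.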
All detection thresholds are centralized in the Thresholds class near the top
of the script. Adjust them to match your environment before running:
```python
class Thresholds:
    PORT_SCAN_UNIQUE_PORTS = 15         # raise if you have legitimate scanners
    SYN_FLOOD_RATE = 40                 # lower on quiet networks
    BEACON_JITTER_TOLERANCE = 0.15      # raise if legitimate apps look like beacons
    EXFIL_BYTES_THRESHOLD = 5_000_000   # raise for homes with large cloud sync
    DNS_ENTROPY_THRESHOLD = 3.8         # lower = more sensitive to DNS tunneling
```

Known false-positive sources:

- Beaconing: software update clients (Dropbox, iCloud, telemetry agents) connect on regular intervals. Check the destination IP before escalating.
- Port scan: network scanners you run yourself (Nmap, netscan) will trigger this. Use `-n` to set your LAN prefix so internal→internal sweeps are categorized as lateral movement, not external scans.
- Exfiltration: Time Machine, iCloud Drive, and large uploads to known-good services will trigger the bytes threshold. Review the destination IP.
- LLMNR / NBT-NS: This fires on any host answering LLMNR queries, including your own legitimate Windows machines. It is a hint, not a verdict.
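What `DNS_ENTROPY_THRESHOLD` actually gates, as an added example that is not the project's `_check_dns`: the three DNS Tunneling heuristics from the table (labels over 40 characters, label Shannon entropy at or above 3.8 bits per character, and a per-source query flood) run over constructed tcpdump DNS query lines. The regex assumes `tcpdump -n` output; `MIN_ENTROPY_LEN`, the `FLOOD_*` values and the base32-style sample labels are assumptions for the demonstration.

```python
"""Added example (not the project's code): DNS tunneling heuristics (label length,
label entropy, query rate) over constructed tcpdump -n DNS query lines."""
import math
import re
from collections import Counter, defaultdict, deque
from typing import Dict, List, Optional

MAX_LABEL_LEN = 40
ENTROPY_THRESHOLD = 3.8    # Thresholds.DNS_ENTROPY_THRESHOLD
MIN_ENTROPY_LEN = 16       # assumption: entropy of a short label says little
FLOOD_QUERIES = 50         # assumption
FLOOD_WINDOW_S = 10.0      # assumption

# "<ts> IP src.port > dst.53: 12345+ [1au] A? name.example.com. (45)"
DNS_QUERY_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+) IP (?P<src>[\d.]+)\.\d+ > [\d.]+\.53: "
    r"\d+[+%]?\s+(?:\[[^\]]+\]\s+)?[A-Z]+\? (?P<qname>\S+)"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for 'aaaa', 1 for 'aabb', ~4.9 for a 36-char base32 blob."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def suspicious_label(qname: str) -> Optional[str]:
    """Reason a query name looks like a tunnel carrier, or None. The TLD is skipped."""
    for label in qname.rstrip(".").split(".")[:-1]:
        if len(label) > MAX_LABEL_LEN:
            return f"label length {len(label)} > {MAX_LABEL_LEN}"
        if len(label) >= MIN_ENTROPY_LEN and (e := shannon_entropy(label)) >= ENTROPY_THRESHOLD:
            return f"label entropy {e:.2f} >= {ENTROPY_THRESHOLD}"
    return None


class DnsTunnelDetector:
    def __init__(self) -> None:
        self._qtimes: Dict[str, deque] = defaultdict(deque)   # src -> query timestamps in window
        self._label_alerted = set()                            # (src, parent domain), once each
        self._flood_alerted = set()

    def feed(self, line: str) -> List[str]:
        m = DNS_QUERY_RE.match(line.strip())
        if not m:
            return []
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        src, qname = m["src"], m["qname"]
        parent = ".".join(qname.rstrip(".").split(".")[-2:])
        out = []
        reason = suspicious_label(qname)
        if reason and (src, parent) not in self._label_alerted:
            self._label_alerted.add((src, parent))
            out.append(f"HIGH [DNS Tunneling] {src} queried {qname} ({reason})")
        q = self._qtimes[src]
        q.append(ts)
        while q and ts - q[0] > FLOOD_WINDOW_S:
            q.popleft()
        if len(q) >= FLOOD_QUERIES and src not in self._flood_alerted:
            self._flood_alerted.add(src)
            out.append(f"HIGH [DNS Tunneling] {src} sent {len(q)} queries in {FLOOD_WINDOW_S:.0f}s (query flood)")
        return out


def run(lines: List[str]) -> List[str]:
    det = DnsTunnelDetector()
    return [f for line in lines for f in det.feed(line)]


ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"   # base32, a common tunnel payload encoding


def tunnel_label(i: int, length: int = 36) -> str:
    """Constructed stand-in for an encoded payload chunk: every symbol appears near-uniformly."""
    return "".join(ALPHABET[(i + 7 * j) % 32] for j in range(length))


def sample_lines() -> List[str]:
    """Constructed capture: two benign lookups, one over-long label, sixty encoded chunks from .77."""
    lines = [
        "14:39:58.000000 IP 192.168.1.42.50231 > 192.168.1.1.53: 1111+ A? www.google.com. (32)",
        "14:39:58.500000 IP 192.168.1.42.50232 > 192.168.1.1.53: 2222+ [1au] AAAA? e673.dsce9.akamaiedge.net. (54)",
        f"14:39:59.000000 IP 192.168.1.42.50233 > 192.168.1.1.53: 3333+ TXT? {'a' * 50}.long.example.org. (80)",
    ]
    for i in range(60):
        lines.append(f"14:40:{i * 0.1:09.6f} IP 192.168.1.77.53211 > 192.168.1.1.53: {4000 + i}+ A? {tunnel_label(i)}.tun.example.net. (70)")
    return lines


if __name__ == "__main__":
    print("\n".join(run(sample_lines())))
```

Lowering `ENTROPY_THRESHOLD` makes the check fire on ordinary long labels (CDN hostnames score around 3), so the length floor in `MIN_ENTROPY_LEN` matters as much as the entropy number itself.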
Every CRITICAL or HIGH finding is worth a manual lookup of the source IP
(whois, dig -x) before concluding it is malicious.
net_exploit_detector.py
│
├── Thresholds — all tunable detection parameters
├── PacketInfo — dataclass: parsed representation of one packet
├── TcpdumpParser — buffers multi-line tcpdump output → PacketInfo
├── DetectionEngine — 16 stateful behavioral detectors
│ ├── _check_port_scan
│ ├── _check_syn_flood
│ ├── _check_arp
│ ├── _check_dns
│ ├── _check_icmp
│ ├── _check_tcp_flags
│ ├── _check_lateral
│ ├── _check_beaconing
│ ├── _check_exfiltration
│ ├── _check_conn_flood
│ ├── _check_slow_loris
│ ├── _check_http_exploit
│ ├── _check_cleartext_creds
│ ├── _check_ssl_downgrade
│ ├── _check_llmnr_nbt
│ └── _check_amplification
├── Finding — dataclass: one detection result with evidence
├── generate_report() — formats and writes the .txt report
└── main() — CLI argument parsing and capture orchestration
MIT — use freely, modify freely, no warranty.