Network traffic sensor


Python 2.6|2.7 License

Tsusen (津波センサー) is a standalone network sensor made for gathering information from the regular traffic coming from the outside (i.e. the Internet) on a daily basis (e.g. mass scans, service scanners, etc.). Any disturbances should be watched closely, as they can be a good basis for predicting forthcoming events. For example, exploitation of a newly found web service vulnerability (e.g. Heartbleed) should generate a visible "spike" in the total number of "intruders" on the affected network port.

The following set of commands should get your Tsusen sensor up and running (out of the box, with default settings: monitoring interface any and the HTTP reporting interface on default port 8339):

sudo apt-get install python-pcapy
sudo pip install python-geoip python-geoip-geolite2
cd /tmp/
git clone
cd tsusen/
sudo python 


Sensor's results are stored locally in CSV files on a daily basis (e.g. 2015-10-27.csv) with periodic (flush) write of current day's data (e.g. every 15 minutes). Sample results are as follows:

proto dst_port dst_ip src_ip first_seen last_seen count
TCP 1080 1446188056 1446188056 1
TCP 1080 1446191096 1446191096 1
TCP 1081 1446175412 1446175412 1
TCP 1081 1446183374 1446183374 1
TCP 1081 1446170512 1446170512 1
TCP 1095 1446177047 1446177047 1
TCP 111 1446181028 1446181028 1
TCP 111 1446181035 1446181035 1
TCP 11122 1446198391 1446198391 1
TCP 11211 1446200598 1446200598 1
TCP 135 1446163293 1446163294 3
TCP 135 1446178211 1446178212 3
TCP 135 1446180063 1446180064 3
TCP 135 1446184279 1446195229 6
TCP 135 1446179470 1446202911 9
TCP 135 1446174945 1446195646 9
TCP 135 1446169303 1446183947 6
TCP 135 1446165515 1446202626 5

where proto (e.g. in first entry this is TCP) represents the protocol that has been used by initiator coming from src_ip (e.g. in first entry this is toward our <dst_ip:dst_port> (e.g. in first entry this is service, first_seen represents the time of (that day's first) connection attempt represented in Unix timestamp format (e.g. in first entry this is 1446188056, which stands for Fri, 30 Oct 2015 06:54:16 GMT), last_seen represents (that day's last) connection attempt (e.g. in first entry it's the same as the first_seen value), while the count holds a total number of connection attempts.
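
As an added example (not part of Tsusen's own code), the following Python 3 code reads two daily files in the layout described above and reports the ports whose number of distinct source addresses jumped from one day to the next, which is the "spike" mentioned in the introduction. The space delimiter, the sample records (constructed, using documentation-range addresses), the growth factor and the function names are assumptions made for the illustration.

```python
import csv
import io
from collections import defaultdict

FIELDS = ["proto", "dst_port", "dst_ip", "src_ip", "first_seen", "last_seen", "count"]

# Constructed sample data (documentation-range IPs), space-delimited (assumed).
BASELINE_DAY = """proto dst_port dst_ip src_ip first_seen last_seen count
TCP 135 192.0.2.10 198.51.100.7 1446076893 1446076894 3
TCP 443 192.0.2.10 198.51.100.9 1446080000 1446080000 1
TCP 1080 192.0.2.10 203.0.113.5 1446101656 1446101656 1
"""
CURRENT_DAY = """proto dst_port dst_ip src_ip first_seen last_seen count
TCP 135 192.0.2.10 198.51.100.7 1446163293 1446163294 3
TCP 443 192.0.2.10 198.51.100.9 1446170000 1446170000 1
TCP 443 192.0.2.10 198.51.100.21 1446171000 1446175000 4
TCP 443 192.0.2.10 203.0.113.40 1446172000 1446172000 2
TCP 443 192.0.2.10 203.0.113.41 1446173000 1446173500 2
TCP 1080 192.0.2.10 203.0.113.5 1446188056 1446188056 1
"""

def parse_day(text):
    """Yield one dict per record, with numeric fields converted to int."""
    reader = csv.DictReader(io.StringIO(text), delimiter=" ")
    for row in reader:
        # Skip malformed or truncated lines (e.g. a file read mid-flush).
        if set(row) != set(FIELDS) or None in row.values():
            continue
        for key in ("dst_port", "first_seen", "last_seen", "count"):
            row[key] = int(row[key])
        yield row

def intruders_per_port(text):
    """Map (proto, dst_port) -> set of distinct src_ip values seen that day."""
    sources = defaultdict(set)
    for row in parse_day(text):
        sources[(row["proto"], row["dst_port"])].add(row["src_ip"])
    return sources

def spikes(baseline, current, factor=3):
    """Return (port key, old count, new count) where distinct sources grew >= factor times."""
    old, new = intruders_per_port(baseline), intruders_per_port(current)
    return sorted((key, len(old.get(key, ())), len(srcs))
                  for key, srcs in new.items()
                  if len(srcs) >= factor * max(len(old.get(key, ())), 1))
```

Counting distinct src_ip values rather than summing count keeps a single noisy scanner from looking like a wave of new intruders.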

Results can be accessed through the HTTP reporting interface (Note: default port is 8339):



This software is provided under an MIT License. See the accompanying LICENSE file for more information.
