Internet Packet Sniffer is a network traffic analyzer for Windows, written in C++. It captures live packets with Npcap, flags suspicious traffic patterns, and resolves source and destination addresses to locations through a PostgreSQL/PostGIS GeoIP database. It is aimed at security practitioners who want to watch for DDoS traffic, port scans, TLS handshakes and blocklisted IPs in real time.
- Live Packet Capture - Monitors network packets in real time using Npcap.
- DDoS & UDP Flood Detection - Alerts when a source exceeds a packet-rate threshold.
- Port Scan Detection - Identifies potential reconnaissance activity (many connection attempts from one source).
- Blocklisted IP Alerts - Flags traffic from known malicious IP addresses.
- TLS/SSL Detection - Detects TLS handshakes, i.e. the start of encrypted connections.
- ICMP (Ping) Monitoring - Identifies ping scans and network probing.
- GeoIP Lookup - Determines the geographical location of IPs.
- JSON Logging - Stores alerts for post-analysis.
- Portable & Lightweight - Runs with no dependencies beyond Npcap; PostgreSQL/PostGIS is only needed for GeoIP lookups.
- Windows 10/11 (64-bit)
- Npcap (for packet capturing)
- PostgreSQL + PostGIS (optional, for GeoIP lookup)
- C++ Compiler (Clang64, MSVC, or MinGW)
- Install Npcap (Ensure "WinPcap API-compatible mode" is checked).
- Install PostgreSQL and PostGIS (if using GeoIP detection).
- Set the PostgreSQL password as an environment variable. Note that setx writes the value to the user's registry hive, so any process running as that user can read it, and it only takes effect in shells opened afterwards:
setx PG_PASSWORD "your_database_password"
If you want GeoIP tracking, you need to:
- Download the GeoLite2 databases (City, Country, ASN) in CSV format from MaxMind.
- Create the PostgreSQL database and tables. Run the following in psql (the `\c` line is a psql meta-command, so it must be on its own line without a trailing semicolon):

```sql
CREATE DATABASE geoip;
\c geoip
CREATE EXTENSION postgis;

CREATE TABLE geoip_city (
    network CIDR PRIMARY KEY,
    geoname_id INT,
    registered_country_geoname_id INT,
    represented_country_geoname_id INT,
    is_anonymous_proxy BOOLEAN,
    is_satellite_provider BOOLEAN
);

CREATE TABLE geoip_asn (
    network CIDR PRIMARY KEY,
    autonomous_system_number INT,
    autonomous_system_organization TEXT
);

CREATE TABLE geoname_location (
    geoname_id INT PRIMARY KEY,
    locale_code TEXT,
    continent_name TEXT,
    country_name TEXT,
    subdivision_name TEXT,
    city_name TEXT,
    metro_code INT,
    time_zone TEXT
);
```

- Import the GeoIP data from the CSV files into the respective tables. The GeoLite2 CSV files carry more columns than these tables (the City blocks file also has postal code, latitude, longitude and accuracy radius; the locations file has ISO codes next to the names), so either load each CSV into a staging table with the full CSV layout and INSERT ... SELECT the columns above, or trim the CSVs before importing.
```shell
git clone https://github.com/yourusername/internet-packet-sniffer.git
cd internet-packet-sniffer
mkdir build && cd build
cmake ..
cmake --build .
```

Run the application with administrator privileges:

```shell
./packet_sniffer.exe
```

Example output:

```text
[INFO] IP Layer:
Src IP: 192.168.1.10 (United States) -> Dest IP: 192.168.1.1
[ALERT] 🚨 Possible DDoS from: 203.0.113.5 (Packets: 105)
```
| Alert Type | Severity | Description |
|---|---|---|
| DDoS Attack | 🔴 Critical | High packet rate detected |
| UDP Flood | 🔴 High | Unusual UDP packet burst |
| Port Scan | 🟠 Medium | Multiple connection attempts detected |
| Blocklisted IP | 🔴 Critical | Malicious IP detected |
| TLS Handshake | 🟡 Medium | Encrypted connection detected |
| ICMP Ping Scan | 🟡 Low | Possible reconnaissance |
- Security Alerts - Stored in JSON format.
- Packet Captures - Saved in Packet_Captures/ with timestamps.
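To make the detection and logging concrete, here is an added example, not code from this project, of a per-source detector that raises the alert types listed in the table above and serialises each alert as one JSON line of the kind an alert log would store. The Packet and Alert structs, the thresholds (100 packets, 50 UDP packets, 10 distinct SYN ports and 5 echo requests per source within a 10-second window), the once-per-window suppression and the sample traffic are all assumptions made for this example; the ClientHello check reads the standard TLS record header (content type 0x16, version major 0x03, handshake type 0x01 after the 5-byte header).

```cpp
// Added example (not the project's code): per-source flood, scan, TLS and ICMP
// detectors over already-decoded packets, with alerts serialised as JSON lines.
// Field names, thresholds, the window scheme and the sample traffic are assumptions.
#include <cstdint>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// One decoded packet, as a capture loop would hand it to the detectors.
struct Packet {
    uint64_t ts_sec = 0;          // capture time in seconds
    std::string src_ip;
    std::string dst_ip;
    std::string proto;            // "TCP", "UDP" or "ICMP"
    uint16_t dst_port = 0;
    bool tcp_syn = false;         // SYN without ACK: a new connection attempt
    uint8_t icmp_type = 0;        // 8 = echo request
    std::vector<uint8_t> payload; // first bytes of the transport payload
};

struct Alert {
    std::string type, severity, src_ip, detail;
};

// Escape the characters that would break a JSON string literal.
static std::string json_escape(const std::string& s) {
    std::string out;
    for (char c : s) {
        if (c == '\n') { out += "\\n"; continue; }
        if (c == '"' || c == '\\') out += '\\';
        out += c;
    }
    return out;
}

// One alert as a single JSON line, the form an alert log would store.
std::string to_json(const Alert& a) {
    return "{\"type\":\"" + json_escape(a.type) + "\",\"severity\":\"" + json_escape(a.severity) +
           "\",\"src_ip\":\"" + json_escape(a.src_ip) + "\",\"detail\":\"" + json_escape(a.detail) + "\"}";
}

class Detector {
public:
    // Thresholds apply per source inside a window_sec-wide time window (assumed values).
    Detector(std::set<std::string> blocklist, int pkt_threshold = 100, int udp_threshold = 50,
             int scan_ports = 10, int icmp_threshold = 5, uint64_t window_sec = 10)
        : blocklist_(std::move(blocklist)), pkt_threshold_(pkt_threshold),
          udp_threshold_(udp_threshold), scan_ports_(scan_ports),
          icmp_threshold_(icmp_threshold), window_sec_(window_sec) {}

    // Feed one packet; returns the alerts it triggered (usually none).
    std::vector<Alert> process(const Packet& p) {
        std::vector<Alert> out;
        State& s = state_[p.src_ip];
        uint64_t bucket = p.ts_sec / window_sec_;
        if (bucket != s.bucket) { s = State(); s.bucket = bucket; } // new window: reset counters

        // Each alert type fires once per source per window, so a flood of
        // 10,000 packets yields one alert rather than 9,900.
        if (blocklist_.count(p.src_ip))
            fire(out, s, "Blocklisted IP", "Critical", p.src_ip, "Malicious IP detected");
        if (++s.packets > pkt_threshold_)
            fire(out, s, "DDoS Attack", "Critical", p.src_ip, "Packets: " + std::to_string(s.packets));
        if (p.proto == "UDP" && ++s.udp > udp_threshold_)
            fire(out, s, "UDP Flood", "High", p.src_ip, "UDP packets: " + std::to_string(s.udp));
        if (p.proto == "TCP" && p.tcp_syn) {
            s.syn_ports.insert(p.dst_port); // count distinct destination ports, not raw SYNs
            if (static_cast<int>(s.syn_ports.size()) >= scan_ports_)
                fire(out, s, "Port Scan", "Medium", p.src_ip,
                     "Distinct ports: " + std::to_string(s.syn_ports.size()));
        }
        if (p.proto == "ICMP" && p.icmp_type == 8 && ++s.echo > icmp_threshold_)
            fire(out, s, "ICMP Ping Scan", "Low", p.src_ip, "Echo requests: " + std::to_string(s.echo));
        // TLS ClientHello: record type 0x16 (handshake), version major 0x03, and
        // handshake message type 0x01 right after the 5-byte record header.
        if (p.proto == "TCP" && p.payload.size() >= 6 && p.payload[0] == 0x16 &&
            p.payload[1] == 0x03 && p.payload[5] == 0x01)
            out.push_back({"TLS Handshake", "Medium", p.src_ip,
                           "ClientHello to " + p.dst_ip + ":" + std::to_string(p.dst_port)});
        return out;
    }

private:
    struct State {
        uint64_t bucket = 0;
        int packets = 0, udp = 0, echo = 0;
        std::set<uint16_t> syn_ports;
        std::set<std::string> flagged; // alert types already raised in this window
    };
    static void fire(std::vector<Alert>& out, State& s, const std::string& type,
                     const std::string& sev, const std::string& src, const std::string& detail) {
        if (s.flagged.insert(type).second) out.push_back({type, sev, src, detail});
    }
    std::set<std::string> blocklist_;
    int pkt_threshold_, udp_threshold_, scan_ports_, icmp_threshold_;
    uint64_t window_sec_;
    std::map<std::string, State> state_;
};

// Constructed sample traffic (documentation-range addresses): a UDP flood, a SYN
// scan from a blocklisted host, one TLS ClientHello and a ping sweep.
std::vector<Alert> run_sample() {
    Detector d({"198.51.100.7"});
    std::vector<Alert> alerts;
    auto feed = [&](const Packet& p) { for (const Alert& a : d.process(p)) alerts.push_back(a); };
    for (int i = 0; i < 105; ++i)
        feed({1000, "203.0.113.5", "192.168.1.10", "UDP", 53, false, 0, {}});
    for (uint16_t port = 20; port < 35; ++port)
        feed({1000, "198.51.100.7", "192.168.1.10", "TCP", port, true, 0, {}});
    feed({1001, "192.168.1.10", "203.0.113.80", "TCP", 443, false, 0,
          {0x16, 0x03, 0x01, 0x00, 0xc4, 0x01, 0x00, 0x00}});
    for (int i = 0; i < 8; ++i)
        feed({1002, "203.0.113.9", "192.168.1.1", "ICMP", 0, false, 8, {}});
    return alerts;
}

int main() {
    for (const Alert& a : run_sample()) std::cout << to_json(a) << '\n';
    return 0;
}
```

The sample produces six alerts in total: the 105-packet UDP burst yields one UDP Flood alert (at the 51st packet) and one DDoS Attack alert (at the 101st), the scan yields one Blocklisted IP and one Port Scan alert, and the ClientHello and ping sweep one alert each. Counting distinct destination ports rather than raw SYNs keeps a busy but legitimate client from looking like a scanner, and resetting state per window means an attacker that pauses and resumes is reported again rather than silently suppressed forever.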
- Run with administrator privileges; Npcap will otherwise refuse to open the capture interface, and you will see no packets.
- Connect to PostgreSQL over TLS for the GeoIP queries (for example sslmode=require or stricter in the libpq connection parameters), especially when the database is not on the same host, so the queried addresses and the password do not travel in the clear.
- GUI Support (for better user experience)
- More Protocol Analysis (HTTP, DNS, etc.)
- Machine Learning-based Intrusion Detection
Want to improve this project? Contributions are welcome!
- Fork the repository.
- Create a new branch:
git checkout -b feature-branch
- Commit your changes:
git commit -m 'Add new feature'
- Push to the branch:
git push origin feature-branch
- Create a Pull Request.
This project is licensed under the MIT License.
Star this repo if you found it useful!
Report issues via GitHub Issues.
Join discussions in the community.
Internet Packet Sniffer - Empowering Cybersecurity Enthusiasts!