Network Security / Python Projects

Network Traffic Monitoring and SSH Detection with Python

by

Introduction

Network security is one of the most critical priorities in the digital world. Ensuring network security involves not only protecting against external attacks but also detecting suspicious activities occurring internally. Effective network traffic monitoring and SSH tunneling detection are crucial in achieving this. Techniques like tunneling can be used to bypass security measures or leak data. In this article, we will develop a security tool using Python to monitor live network traffic and detect SSH tunneling activities.

Learning Objectives

After reading this article, you will have learned:

  • Methods for monitoring and analyzing network traffic with Python.
  • How to detect SSH tunneling activities.
  • The use of powerful network analysis tools such as Pyshark and Scapy.
  • Steps to develop real-time network security applications.

Purpose of This Project

The main goal of this project is to monitor live SSH traffic on a network to detect potentially malicious tunneling activities. This tool allows security professionals to analyze network traffic, identify suspicious activities, and take immediate action.

Amazon Product
Mastering Scapy: A Comprehensive Guide to Network Analysis

Mastering Scapy: A Comprehensive Guide to Network Analysis

you will find yourself equipped with the skills to analyze, diagnose, and even manipulate network traffic. This book aims to transform you from a passive observer to an active participant in the digital conversation that occurs ceaselessly in the network wires and airwaves around us

-10% $10 on buymeacoffee

General Overview of Modules

The modules used in this project provide powerful tools for monitoring and analyzing network traffic with Python:

  • Pyshark: A Python wrapper for Wireshark that makes it easy to capture and analyze network traffic.
  • Scapy: A comprehensive tool for creating, sending, capturing, and analyzing network packets.
  • Argparse: Allows for parameter handling from the command line, providing a flexible and dynamic user experience (SSH Commands and Usages Cheat Sheet).
  • Time: Used for time-related calculations during code execution, such as determining the duration of a process.

Let’s Start Coding

In this section, we will explain the Python code needed to monitor network traffic and detect SSH tunneling step-by-step. We will provide a detailed look at what each part of the code does.

#!/usr/bin/python
# -*- coding: utf-8 -*-

These first two lines set up the necessary configurations for the Python script:

  • #!/usr/bin/python: Specifies the Python interpreter. This line allows the script to be executed directly from the terminal.
  • # -*- coding: utf-8 -*-: Specifies the character encoding for the file. utf-8 supports a wide range of characters
import time
from collections import defaultdict
import argparse
import pyshark
from colorama import Fore, Style, init

These lines import the necessary modules used in the script:

  • time: Provides time-related functions.
  • defaultdict: From the collections module, it creates dictionaries with default values.
  • argparse: Handles command-line parameters and manages them.
  • pyshark: Used for capturing and analyzing network traffic (Network Traffic Monitoring and Analysis with Scapy).
  • colorama: Allows for colored output in the console, making the output more readable
init(autoreset=True)  # Automatically reset color after each print statement

The init function from the colorama module ensures that colors are automatically reset after each print statement, preventing color mixing between outputs.

class NetworkCompromiseAssessment:
    def __init__(self, interface):
        self.interface = interface
        self.ssh_counter = defaultdict(int)
        self.capture = pyshark.LiveCapture(interface=self.interface)

The NetworkCompromiseAssessment class is the core class used for monitoring and analyzing network traffic:

  • __init__(self, interface): The constructor method for the class. It takes a network interface (interface) parameter used to monitor traffic on that interface (What is Ngrok and How to Use It and Pyngrok Library).
  • self.ssh_counter: A dictionary used to count SSH tunneling events, recording each SSH connection.
  • self.capture: A pyshark.LiveCapture object that captures network packets from the specified interface
Amazon Product
Programming Symbols Stickers Programming Symbols Stickers Programming Symbols Stickers Programming Symbols Stickers

Pearson Computer Networking

The 8th Edition of the popular Computer A Top Down Approach builds on the authors’ long tradition of teaching this complex subject through a layered approach in a “top-down manner.”

-59% $40.74 on Amazon 
def detect_ssh_tunneling(self, packet):
        if hasattr(packet, 'SSH') and hasattr(packet, 'TCP') and (
                packet['TCP'].sport > 1024 or packet['TCP'].dport > 1024):
            msg = f"[+] Suspicious activity detected: SSH Tunneling"
            print(msg)
            print(packet)

The detect_ssh_tunneling method analyzes network packets and detects SSH tunneling activities:

  • hasattr(packet, 'SSH') and hasattr(packet, 'TCP'): Checks if the packet contains SSH and TCP protocols.
  • packet['TCP'].sport > 1024 or packet['TCP'].dport > 1024: Determines if the source or destination port number is greater than 1024, indicating a potentially suspicious SSH tunneling.
  • print(msg): Prints a message when suspicious activity is detected.
  • print(packet): Prints the details of the detected packet
def live_capture(self):
        print(f"Starting live capture on {self.interface}...")
        try:
            for packet in self.capture.sniff_continuously():
                self.detect_ssh_tunneling(packet)
        except KeyboardInterrupt:
            print("\n[!] Capture stopped by user.")
            return

The live_capture method starts capturing packets live on the specified network interface:

  • print(f"Starting live capture on {self.interface}..."): Indicates the start of the capture process ().
  • self.capture.sniff_continuously(): Continuously captures packets on the specified interface.
  • self.detect_ssh_tunneling(packet): Performs SSH tunneling detection for each packet.
  • except KeyboardInterrupt: Catches the exception if the user stops the capture process (Ctrl + C), and safely terminates the capture
if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Live Network SSH Traffic Monitor")
    parser.add_argument("-i", "--interface", type=str, required=True, help="Network interface to capture traffic from (e.g., eth0)")
    args = parser.parse_args()

    assessment = NetworkCompromiseAssessment(args.interface)
    assessment.live_capture()

This block is the main structure used to run the script from the command line:

  • if __name__ == "__main__":: Ensures that this code runs only when the script is executed directly.
  • argparse.ArgumentParser: Retrieves the network interface name (interface) from the command line.
  • NetworkCompromiseAssessment(args.interface): Initializes the class with the specified interface.
  • assessment.live_capture(): Starts the live packet capture.

Conclusion

In this article, we developed a security tool that monitors live network traffic and detects SSH tunneling. This tool allows for the immediate detection of suspicious activities crucial for network security. Such tools provide network administrators and security professionals with the capability to address security threats quickly and effectively. In the future, these tools can be further developed and extended to include broader protocol analyses.

cyber securitynetwork securitynetwork with scapyprogrammerprogrammingpython projects

Leave a Reply