Network Analysis Lab
Tags: Python, Flask, Networking, TCP/IP, Forensics, Security
Overview
A hands-on network forensics laboratory built for packet capture analysis, multi-layer protocol dissection, and real-time traffic anomaly detection.
Built from scratch in pure Python with zero external parsing dependencies (no Scapy, no libpcap bindings). Every byte of every header is parsed manually against relevant RFCs, providing deep visibility into the TCP/IP stack.
Key Features
- Pure-Python packet parser covering Ethernet, IPv4, TCP, UDP, ICMP, HTTP, DNS, and ARP
- Bidirectional 5-tuple flow reconstruction and TCP state machine tracking
- 10 anomaly detection rules including port scans, SYN floods, ARP spoofing, and DNS exfiltration
- Interactive Flask dashboard with Chart.js for traffic timelines and protocol distribution
- Synthetic traffic generator for testing attack scenarios and clean browsing
Technical Approach
The project follows a streaming architecture: packets are processed one at a time as they are read, so memory use stays constant (O(1)) regardless of how large the capture file is.
Protocol headers are unpacked using Python's struct module. The anomaly detector acts as a stateful rule engine with time-windowed rate checks and deduplication, mirroring real-world SOC Level 1 methodologies.
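To illustrate the manual, struct-based dissection described above, here is an added example (not the project's own code) that unpacks an Ethernet II, IPv4 and TCP header from a constructed SYN frame in network byte order and recomputes the RFC 791 header checksum so a corrupted or hand-crafted header can be flagged. The frame bytes, addresses and field names are constructed for this example.

```python
import struct

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit big-endian words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frame(frame: bytes) -> dict:
    """Dissect Ethernet II -> IPv4 -> TCP by hand; '!' selects network (big-endian) byte order."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4  # IHL is counted in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    # Recompute the checksum over the header with its checksum field zeroed;
    # a mismatch means a corrupted or hand-crafted header and is worth flagging.
    csum_ok = ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == csum
    out = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
           "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
           "ttl": ttl, "proto": proto, "ip_checksum_ok": csum_ok}
    if proto == 6:  # TCP
        sport, dport, seq, ack, off_flags, window, _tcsum, _urg = struct.unpack("!HHIIHHHH", ip[ihl:ihl + 20])
        data_off = (off_flags >> 12) * 4  # data offset is also in 32-bit words
        out.update(sport=sport, dport=dport, seq=seq, ack=ack, window=window,
                   flags=[n for bit, n in TCP_FLAG_BITS.items() if off_flags & bit],
                   payload=ip[ihl + data_off:total_len])
    return out

def build_sample_syn() -> bytes:
    """Constructed test frame (not captured traffic): a TCP SYN from 10.0.0.1:40000 to 10.0.0.2:80."""
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x002, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the real checksum
    return eth + ip + tcp

if __name__ == "__main__":
    print(parse_frame(build_sample_syn()))
```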
Outcomes
- Deep foundational understanding of binary protocol parsing and endianness handling
- Built a robust threat detection engine and full-stack forensics tool without relying on standard networking libraries
- Achieved 100% test pass rate with 42 unit and integration tests across 5 test suites