Argus

Passive network sniffer with deep packet inspection

A passive network sniffer that detects HTTP, TLS, and DNS on any port through payload inspection — not port-number guessing. Extracts TLS SNI with a dual-strategy parser, identifies automation tools like curl and wget, and flags queries to internal infrastructure TLDs.

What it is

Argus captures packets from live interfaces or pcap files and identifies protocols by inspecting payload bytes rather than relying on port numbers. This catches HTTP servers on port 8080, DNS on port 5353, or TLS on port 993 — cases where port-based identification fails. It adds behavioral layers on top: automation-tool detection via User-Agent analysis, and internal-infrastructure flagging for DNS queries to .local, .corp, and .internal TLDs.
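The following block is an added example (not Argus's own code) of what payload-based, port-independent identification looks like in practice. It uses only the standard library, so it corresponds to the manual path rather than the Scapy path; the function names (`classify`, `parse_dns_query_name`, `http_fields`, `is_internal`) and the sample payloads are constructed for this illustration. The `transport` argument stands in for whether the packet was TCP or UDP; the port number is never consulted.

```python
import struct

# Constructed example, not Argus's own code: classify HTTP, TLS and DNS from
# payload bytes alone, then add the behavioural flags Argus layers on top.

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ")
AUTOMATION_PATTERNS = ("curl", "wget", "python-requests", "python-urllib",
                       "python-httpx", "libwww-perl", "go-http-client", "httpie")
INTERNAL_TLDS = ("local", "corp", "internal")


def parse_dns_query_name(payload):
    """Return the first QNAME of a DNS query in wire format, or None when the
    bytes do not parse as a query (short header, QR bit set, truncated name)."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:       # QR=1 marks a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:                      # root label terminates the name
            break
        # a query name is sent uncompressed; reject pointers and overruns
        if length & 0xC0 or pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    else:
        return None                          # ran out of bytes before the root label
    if not labels or pos + 4 > len(payload):  # QTYPE and QCLASS must follow
        return None
    return ".".join(labels)


def is_internal(name):
    """Flag names under the internal-infrastructure TLDs Argus watches."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower() in INTERNAL_TLDS


def http_fields(payload):
    """Pull method, Host and an automation flag from an HTTP request head."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    user_agent = headers.get("user-agent", "").lower()
    return {
        "method": request_line.split(" ", 1)[0],
        "host": headers.get("host"),
        "automation": any(p in user_agent for p in AUTOMATION_PATTERNS),
    }


def classify(transport, payload):
    """Identify HTTP, TLS or DNS from payload bytes and return (label, details)."""
    if transport == "tcp":
        if payload.startswith(HTTP_METHODS):
            return "HTTP", http_fields(payload)
        # TLS record header: type 0x16 (handshake), version 0x03 0x0?, 2-byte
        # length, then handshake type 0x01 (ClientHello)
        if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
                and payload[5] == 0x01):
            return "TLS", {}
    elif transport == "udp":
        name = parse_dns_query_name(payload)
        if name is not None:
            return "DNS", {"domain": name, "internal": is_internal(name)}
    return None, {}


# Constructed sample payloads, each on a port where port-based tools would miss it
CURL_ON_8080 = (b"GET /health HTTP/1.1\r\nHost: api.example.test\r\n"
                b"User-Agent: curl/8.4.0\r\n\r\n")
DNS_ON_5353 = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # id, flags, counts
               b"\x05vault\x04corp\x00\x00\x01\x00\x01")             # vault.corp A IN
TLS_ON_993 = b"\x16\x03\x01\x00\x05\x01" + b"\x00" * 5               # start of a ClientHello

if __name__ == "__main__":
    for transport, payload in (("tcp", CURL_ON_8080), ("udp", DNS_ON_5353), ("tcp", TLS_ON_993)):
        print(classify(transport, payload))
```

The DNS branch is the one most worth reading: a UDP payload is only called DNS if its header and question section actually parse, which is what keeps random UDP traffic on port 53 from being mislabelled and lets real DNS on port 5353 through.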

By the numbers

Metric                Value
Protocols detected    3 (HTTP, TLS, DNS)
Detection method      Payload inspection (port-independent)
Test cases            12 (standard/non-standard × protocol × variant)
TLS parsing           Dual strategy (Scapy + manual binary SNI extraction)
Automation patterns   8 (curl, wget, python-requests, httpie, etc.)
Infrastructure TLDs   3 (.local, .corp, .internal)

Architecture

Packet Capture
      |
      v
Protocol Dispatch
   /        |           \
 UDP       TCP:         TCP:
payload    GET/POST/PUT 0x16 0x03
  |         |             |
  v         v             v
 DNS       HTTP          TLS
Handler    Handler       Handler
  |         |             |
Domain +   Host +        SNI Extraction
INTERNAL   Method +       /        \
flag       AUTOMATION   Scapy    Manual
           flag         Parser   Binary Parser

Key features

  • Port-independent protocol detection — identifies HTTP by checking for method keywords (GET, POST, PUT) at the start of TCP payloads, TLS by the handshake signature (0x16 0x03 ... 0x01), and DNS by parsing raw UDP payloads as DNS wire format.
  • Manual TLS ClientHello binary parser — walks the handshake extensions using struct.unpack to extract the Server Name Indication (SNI) extension when Scapy's built-in TLS parser fails. Handles type-length-value encoding of TLS extensions directly.
  • Automation tool detection — matches User-Agent strings against 8 known patterns (curl, wget, python-requests, python-urllib, python-httpx, libwww-perl, go-http-client, httpie) and flags matched requests.
  • Internal infrastructure detection — flags DNS queries to .local, .corp, and .internal TLDs, indicating internal network services.
  • BPF filter support — tcpdump-style packet filtering pushed to the capture layer for performance.
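To make the manual ClientHello walk concrete, here is an added example (not Argus's own parser) of the fallback strategy: a `struct`-based walker that skips the fixed-size fields, the session ID, cipher suites and compression methods, then iterates the extension list as type-length-value records until it finds `server_name` (type 0). `extract_sni` and the `build_client_hello` helper that constructs sample input are assumptions for this illustration; the builder emits a minimal but well-formed record so the walker has something to parse offline. Every length is bounds-checked, so a truncated or malformed hello yields None instead of an exception, which is the behaviour you want from a parser that handles untrusted bytes from the wire.

```python
import struct

# Constructed example, not Argus's own code: manual SNI extraction from a
# TLS ClientHello record, the fallback path used when Scapy cannot parse it.


def extract_sni(record):
    """Return the server_name host from a ClientHello record, or None."""
    try:
        if record[0] != 0x16 or record[1] != 0x03 or record[5] != 0x01:
            return None                      # not a handshake record carrying a ClientHello
        pos = 5 + 4                          # record header (5) + handshake header (4)
        pos += 2 + 32                        # client_version + random
        pos += 1 + record[pos]               # session_id (1-byte length prefix)
        (cs_len,) = struct.unpack_from("!H", record, pos)
        pos += 2 + cs_len                    # cipher_suites (2-byte length prefix)
        pos += 1 + record[pos]               # compression_methods (1-byte length prefix)
        (ext_total,) = struct.unpack_from("!H", record, pos)
        pos += 2
        end = pos + ext_total
        if end > len(record):
            return None                      # extensions claim more bytes than we have
        while pos + 4 <= end:                # each extension: type(2) length(2) data
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if pos + ext_len > end:
                return None
            if ext_type == 0:                # server_name
                # ServerNameList: list_len(2) | name_type(1) | name_len(2) | host
                name_type = record[pos + 2]
                (name_len,) = struct.unpack_from("!H", record, pos + 3)
                if name_type == 0 and 5 + name_len <= ext_len:
                    return record[pos + 5:pos + 5 + name_len].decode("ascii")
                return None
            pos += ext_len                   # not SNI: skip its data
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def build_client_hello(host, with_sni=True):
    """Construct a minimal ClientHello record (constructed sample input)."""
    host_b = host.encode("ascii")
    sni = b"\x00" + struct.pack("!H", len(host_b)) + host_b          # name_type 0 + host
    sni_ext = struct.pack("!HH", 0, len(sni) + 2) + struct.pack("!H", len(sni)) + sni
    ems_ext = struct.pack("!HH", 0x0017, 0)      # extended_master_secret, empty; walker must skip it
    exts = ems_ext + (sni_ext if with_sni else b"")
    body = (b"\x03\x03" + b"\x00" * 32           # version + random
            + b"\x00"                            # empty session_id
            + struct.pack("!H", 4) + b"\x13\x01\x13\x02"   # two cipher suites
            + b"\x01\x00"                        # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    hello = build_client_hello("mail.example.test")
    print(extract_sni(hello))                    # the SNI host
    print(extract_sni(hello[:40]))               # truncated on the wire: None, no crash
```

Placing a zero-length extension ahead of `server_name` in the constructed record is deliberate: it exercises the skip logic, which is where hand-written walkers most often go wrong.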

What makes it stand out

  • Port-independent by design. Most network monitors classify traffic by port number and miss services on non-standard ports. Argus reads payload bytes, so a TLS handshake on port 993 is still a TLS handshake.
  • Dual-strategy SNI extraction. When Scapy's parser fails on a ClientHello, a manual binary parser walks the extension list byte by byte to recover the SNI — no silent gaps.
  • 12 validated test cases covering all combinations of standard/non-standard ports, with/without detection flags, across all three protocols.

Stack

Layer            Technology
Language         Python 3.11+
Network          Scapy (packet capture + parsing)
Cryptography     cryptography (TLS certificate parsing)
Binary parsing   struct (manual TLS extension walking)