---
title: Argus
description: Passive network sniffer with deep packet inspection
section: craft
tags: [project, security]
genre: reference
stability: stable
lastUpdated: 2026-04-18
url: https://fardiniqbal.com/docs/craft/projects/argus
---


A passive network sniffer that detects HTTP, TLS, and DNS on any port
through payload inspection — not port-number guessing. Extracts TLS SNI
with a dual-strategy parser, identifies automation tools like curl and
wget, and flags queries to internal infrastructure TLDs.

## What it is [#what-it-is]

Argus captures packets from live interfaces or pcap files and identifies
protocols by inspecting payload bytes rather than relying on port
numbers. This catches HTTP servers on port 8080, DNS on port 5353, or
TLS on port 993 — cases where port-based identification fails. It adds
behavioral layers on top: automation-tool detection via User-Agent
analysis, and internal-infrastructure flagging for DNS queries to
`.local`, `.corp`, and `.internal` TLDs.
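To make the payload-first approach concrete, here is an added example (not Argus's own code) of a classifier that looks only at transport payload bytes: HTTP is recognised by a request-method prefix, TLS by the record and handshake type bytes, and DNS by parsing the question section of the wire format. The User-Agent substrings and internal TLDs are the ones this page lists; the sample payloads are constructed inline, and the `classify` function and its result dictionary are conventions chosen for this example.

```python
"""Port-independent classification of a single transport payload (added example)."""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ")
# User-Agent substrings the page lists as automation tools (matched case-insensitively).
AUTOMATION_PATTERNS = ("curl", "wget", "python-requests", "python-urllib",
                       "python-httpx", "libwww-perl", "go-http-client", "httpie")
INTERNAL_TLDS = ("local", "corp", "internal")


def is_tls_client_hello(payload: bytes) -> bool:
    """Record type 0x16 (handshake), version major 0x03, handshake type 0x01."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)


def parse_dns_qname(payload: bytes):
    """Return the first question name if the payload parses as DNS wire format, else None."""
    if len(payload) < 12:                            # fixed 12-byte header
        return None
    _ident, _flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount == 0:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:                              # root label ends the name
            break
        if length & 0xC0 or pos + length > len(payload):   # no compression pointers in a question name
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    else:
        return None                                  # ran off the end before the root label
    if pos + 4 > len(payload):                       # QTYPE and QCLASS must follow the name
        return None
    return ".".join(labels)


def parse_http_request(payload: bytes):
    """Return (method, Host, User-Agent) from the request line and headers."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = \
                value.strip().decode("utf-8", "replace")
    return method, headers.get("host"), headers.get("user-agent")


def classify(proto: str, payload: bytes) -> dict:
    """Classify one payload by its bytes alone; `proto` is 'tcp' or 'udp' from the IP header."""
    if proto == "tcp" and payload.startswith(HTTP_METHODS):
        method, host, ua = parse_http_request(payload)
        automation = bool(ua) and any(p in ua.lower() for p in AUTOMATION_PATTERNS)
        return {"protocol": "HTTP", "method": method, "host": host, "automation": automation}
    if proto == "tcp" and is_tls_client_hello(payload):
        return {"protocol": "TLS"}
    if proto == "udp":
        qname = parse_dns_qname(payload)
        if qname is not None:
            internal = qname.rsplit(".", 1)[-1].lower() in INTERNAL_TLDS
            return {"protocol": "DNS", "qname": qname, "internal": internal}
    return {"protocol": "UNKNOWN"}


# Constructed sample payloads (not captured traffic).
SAMPLE_HTTP = (b"GET /status HTTP/1.1\r\nHost: intranet.corp:8080\r\n"
               b"User-Agent: curl/8.5.0\r\nAccept: */*\r\n\r\n")
SAMPLE_TLS = bytes.fromhex("160301002a01000026" + "0303") + b"\x00" * 34   # record + handshake header
SAMPLE_DNS = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
              + b"\x05files\x08internal\x00" + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    for proto, payload in (("tcp", SAMPLE_HTTP), ("tcp", SAMPLE_TLS), ("udp", SAMPLE_DNS)):
        print(classify(proto, payload))
```

Note that nothing in `classify` consults a port number: the same HTTP request is recognised on 80, 8080 or any other port, and an HTTP response or an unrelated UDP datagram falls through to `UNKNOWN` rather than being guessed.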

## By the numbers [#by-the-numbers]

| Metric              | Value                                                |
| ------------------- | ---------------------------------------------------- |
| Protocols detected  | 3 (HTTP, TLS, DNS)                                   |
| Detection method    | Payload inspection (port-independent)                |
| Test cases          | 12 (standard/non-standard × protocol × variant)      |
| TLS parsing         | Dual strategy (Scapy + manual binary SNI extraction) |
| Automation patterns | 8 (curl, wget, python-requests, httpie, etc.)        |
| Infrastructure TLDs | 3 (`.local`, `.corp`, `.internal`)                   |

## Architecture [#architecture]

```
Packet Capture
      |
      v
Protocol Dispatch
  /    |    \
UDP   TCP:   TCP:
payload GET/POST/PUT   0x16 0x03
  |      |              |
  v      v              v
 DNS    HTTP           TLS
Handler Handler      Handler
  |      |              |
Domain   Host +        SNI Extraction
+ INTERNAL  Method +    /          \
flag     AUTOMATION   Scapy     Manual
         flag         Parser    Binary Parser
```

## Key features [#key-features]

* **Port-independent protocol detection** — identifies HTTP by checking
  for method keywords (`GET`, `POST`, `PUT`) at the start of TCP
  payloads, TLS by the handshake signature (`0x16 0x03 ... 0x01`), and
  DNS by parsing raw UDP payloads as DNS wire format.
* **Manual TLS ClientHello binary parser** — walks the handshake
  extensions using `struct.unpack` to extract the Server Name Indication
  (SNI) extension when Scapy's built-in TLS parser fails. Handles
  type-length-value encoding of TLS extensions directly.
* **Automation tool detection** — matches User-Agent strings against 8
  known patterns (curl, wget, python-requests, python-urllib,
  python-httpx, libwww-perl, go-http-client, httpie) and flags matched
  requests.
* **Internal infrastructure detection** — flags DNS queries to `.local`,
  `.corp`, and `.internal` TLDs, indicating internal network services.
* **BPF filter support** — tcpdump-style packet filtering pushed to the
  capture layer for performance.
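The manual ClientHello walk described above, as an added example that is not Argus's own parser: it builds a ClientHello record inline (constructed bytes, not captured traffic), then steps through the record header, handshake header, fixed ClientHello fields and the extension type-length-value list with `struct`, returning the host_name from the server_name extension or `None` on truncated or non-TLS input. `build_client_hello` and `extract_sni` are names chosen for this example.

```python
"""Manual TLS ClientHello extension walk to recover the SNI (added example)."""
import struct

SNI_EXT_TYPE = 0x0000   # server_name extension, RFC 6066
HOST_NAME = 0           # NameType host_name


def build_client_hello(server_name: str, extra_ext: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    `extra_ext` is placed before the SNI extension so the walk has to skip
    unrelated extensions to reach it. Constructed bytes, not captured traffic.
    """
    host = server_name.encode("ascii")
    sni_body = struct.pack("!HBH", len(host) + 3, HOST_NAME, len(host)) + host
    sni_ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_body)) + sni_body
    exts = extra_ext + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32                 # client_version + 32-byte random
            + b"\x00"                                  # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                              # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Walk record -> handshake -> ClientHello -> extensions; return host_name or None.

    Every length is bounds-checked, so a truncated or malformed record yields
    None instead of raising.
    """
    try:
        if len(record) < 5 or record[0] != 0x16 or record[1] != 0x03:
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                    # handshake type ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                        # skip version + random
        sid_len = body[pos]; pos += 1 + sid_len             # session_id
        (cs_len,) = struct.unpack_from("!H", body, pos); pos += 2 + cs_len   # cipher_suites
        comp_len = body[pos]; pos += 1 + comp_len           # compression_methods
        if pos + 2 > len(body):
            return None                                     # no extensions block at all
        (ext_len,) = struct.unpack_from("!H", body, pos); pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:                               # each extension: type(2) length(2) data
            ext_type, length = struct.unpack_from("!HH", body, pos); pos += 4
            data = body[pos:pos + length]; pos += length
            if ext_type != SNI_EXT_TYPE or len(data) < length:
                continue
            (list_len,) = struct.unpack_from("!H", data, 0)
            p, list_end = 2, 2 + list_len
            while p + 3 <= min(list_end, len(data)):        # each entry: type(1) length(2) name
                name_type, name_len = struct.unpack_from("!BH", data, p); p += 3
                name = data[p:p + name_len]; p += name_len
                if name_type == HOST_NAME and len(name) == name_len:
                    return name.decode("ascii", "replace")
        return None
    except (struct.error, IndexError):
        return None


# Constructed sample: a supported_groups extension (type 0x000a) precedes the SNI.
SAMPLE_EXTRA = struct.pack("!HH", 0x000A, 4) + struct.pack("!HH", 2, 0x001D)
SAMPLE_HELLO = build_client_hello("mail.example.internal", SAMPLE_EXTRA)

if __name__ == "__main__":
    print(extract_sni(SAMPLE_HELLO))          # mail.example.internal
    print(extract_sni(SAMPLE_HELLO[:40]))     # None (truncated record)
```

The walk only ever advances by lengths read from the record and checks each one against the buffer, which is the property a fallback parser needs when the primary parser has already rejected the record: a malformed or cut-off ClientHello produces a `None` that the caller can log as "no SNI recovered" rather than a crash in the capture loop.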

## What makes it stand out [#what-makes-it-stand-out]

* **Port-independent by design.** Most network monitors classify traffic
  by port number and miss services on non-standard ports. Argus reads
  payload bytes, so a TLS handshake on port 993 is still a TLS
  handshake.
* **Dual-strategy SNI extraction.** When Scapy's parser fails on a
  ClientHello, a manual binary parser walks the extension list byte by
  byte to recover the SNI — no silent gaps.
* **12 validated test cases** covering all combinations of
  standard/non-standard ports, with/without detection flags, across all
  three protocols.

## Stack [#stack]

| Layer          | Technology                               |
| -------------- | ---------------------------------------- |
| Language       | Python 3.11+                             |
| Network        | Scapy (packet capture + parsing)         |
| Cryptography   | `cryptography` (TLS certificate parsing) |
| Binary parsing | `struct` (manual TLS extension walking)  |

## Links [#links]

* **Source:** [https://github.com/FardinIqbal/argus](https://github.com/FardinIqbal/argus)
