IoTShark aims to give researchers a nearly fully automated way to monitor their IoT devices by running a single script. Researchers only need to select the devices they want to monitor; the program handles the rest of the heavy lifting by launching ARP spoofing attacks, enabling packet forwarding, and running a man-in-the-middle packet sniffer. It also has an easy-to-use, interactive Web UI that lets users filter packets by port, type, and timestamp to better understand the volume and timing of the transmitted data.
In addition, IoTShark can classify certain kinds of traffic, such as heartbeat messages, data transfers, and anomalies.
Tool Download
Researchers can clone the project's source code to their local machine with the following command:
git clone https://github.com/sahilmgandhi/IotShark.git
Tool Usage
Note that this tool requires a Python 3 environment.
First, install the tool's dependencies:
$ pip3 install -r requirements.txt
Next, enable IP forwarding:
$ sudo sysctl net.inet.ip.forwarding=1
Finally, run IoTShark with:
$ sudo python3 mitm_main.py
Main program script
Create a Python virtual environment, then install the required dependency packages:
virtualenv --python=`which python3` venv
source venv/bin/activate
pip install -r requirements.txt
Make sure packet forwarding is enabled on your host; the man-in-the-middle setup depends on it, because without forwarding the traffic redirected to your machine is dropped rather than relayed on to its real destination. On macOS, the setting is enabled with the following command:
sudo sysctl net.inet.ip.forwarding=1
Once that is configured, run the main program script 'mitm_main.py'.
The current version of the main program script performs the following tasks:
1. Scan all hosts in the target subnet (the subnet is set with the -s parameter);
2. Identify the hardware manufacturer and operating system of each host;
3. Perform an ARP spoofing attack between the selected host and the gateway router;
4. Present the captured data to the user in graphical form (this feature is enabled with the -f parameter).
Once the ARP attack is in place, you can inspect the captured traffic between the target device and the rest of the network in Wireshark with a display filter such as the following (192.168.0.215 being the monitored device):
(ip.src==192.168.0.215 or ip.dst==192.168.0.215) and tcp.port != 443
Data file format
Captured data is stored as a CSV file with the following structure:
{timestamp, incoming_bytes, outgoing_bytes, srcport, dstport, transfer_protocol, connection_protocol, srcip, dstip}
123123213, 0, 240, 36, 80, 65124, HTTP, UDP, 192.168.0.215, 104.24.4.5
123123240, 300, 0, 800, 443, 65125, HTTPS, TCP, 104.24.4.5, 192.168.0.215
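As an added example (not part of IoTShark or the original article), a small Python parser for the CSV layout documented above: it keeps only rows whose field count matches the documented header, applies the same device/port filter as the Wireshark expression above, and totals bytes per transfer protocol. The column names follow the header line on this page; the sample rows are constructed, and the last one deliberately carries an extra value to show how a malformed row is rejected rather than silently misaligned.

```python
import csv
import io
from collections import Counter

# Column names as documented in IoTShark's CSV header (taken from the page).
FIELDS = ["timestamp", "incoming_bytes", "outgoing_bytes", "srcport", "dstport",
          "transfer_protocol", "connection_protocol", "srcip", "dstip"]

# Constructed sample: three well-formed records plus one row with an extra field.
SAMPLE_CSV = """\
123123213, 0, 240, 65124, 80, HTTP, TCP, 192.168.0.215, 104.24.4.5
123123240, 300, 0, 443, 65125, HTTPS, TCP, 104.24.4.5, 192.168.0.215
123123300, 0, 60, 40021, 8883, MQTT, TCP, 192.168.0.215, 104.24.4.5
123123350, 0, 120, 36, 65126, 53, DNS, UDP, 192.168.0.215, 192.168.0.1
"""


def parse_records(text):
    """Parse IoTShark-style CSV text into typed dicts; return (records, rejected_count)."""
    records, rejected = [], 0
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row:
            continue
        if len(row) != len(FIELDS):  # field count must match the documented header
            rejected += 1
            continue
        rec = dict(zip(FIELDS, row))
        for key in ("timestamp", "incoming_bytes", "outgoing_bytes", "srcport", "dstport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records, rejected


def device_traffic(records, device_ip, exclude_port=443):
    """Equivalent of the Wireshark filter: (ip.src==X or ip.dst==X) and tcp.port != 443."""
    return [r for r in records
            if device_ip in (r["srcip"], r["dstip"])
            and exclude_port not in (r["srcport"], r["dstport"])]


def bytes_by_protocol(records):
    """Total bytes per transfer_protocol, the kind of per-type view the Web UI filters on."""
    totals = Counter()
    for r in records:
        totals[r["transfer_protocol"]] += r["incoming_bytes"] + r["outgoing_bytes"]
    return dict(totals)
```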
Project address
IoTShark: https://github.com/sahilmgandhi/IotShark
* Reference source: sahilmgandhi. Compiled by FreeBuf editor Alpha_h4ck; please credit FreeBuf.COM as the source when reproducing.