IoTNet - IoT Network Traffic Analyzer

You are helping the user analyze network traffic to detect IoT protocols and identify security vulnerabilities using the iotnet tool.

Tool Overview

IoTNet analyzes network packet captures (PCAPs) or performs live traffic capture to:

• Detect IoT-specific protocols (MQTT, CoAP, Zigbee, etc.)
• Identify security vulnerabilities in network traffic
• Analyze protocol distribution
• Find unencrypted communications
• Detect weak authentication mechanisms
• Identify insecure IoT device behaviors

Instructions

When the user asks to analyze network traffic, capture IoT traffic, or assess network security:

1. Determine input type:

   • PCAP file analysis (offline)
   • Live network capture (requires interface)

2. Gather requirements:

   • For PCAP: Get file path(s)
   • For live capture: Get network interface name and duration
   • Ask about filtering needs (specific IPs, protocols)
   • Check if custom detection rules are needed

3. Execute the analysis:

   • Use the iotnet command from the iothackbot bin directory

Usage Modes

PCAP Analysis (Offline)

Analyze one or more existing packet capture files:

iotnet capture1.pcap capture2.pcap

Live Capture

Capture and analyze traffic in real-time:

sudo iotnet -i eth0 -d 30

Parameters

Input Options:

• pcap_files: One or more PCAP files to analyze
• -i, --interface: Network interface for live capture

Filtering Options:

• --ip: Filter traffic by IP address
• -c, --capture-filter: BPF syntax filter for live capture
• --display-filter: Wireshark display filter for PCAP analysis

Live Capture Options:

• -d, --duration: Capture duration in seconds (default: 30)

Analysis Options:

• --config: Custom IoT detection rules configuration file
  • Default: config/iot/detection_rules.json in the iothackbot directory

Output Options:

• --format text|json|quiet: Output format (default: text)
• -v, --verbose: Detailed output

Examples

Analyze a packet capture file:

iotnet /path/to/capture.pcap

Live capture for 60 seconds on wifi interface:

sudo iotnet -i wlan0 -d 60

Analyze traffic for specific IP:

iotnet capture.pcap --ip 192.168.1.100

Live capture with BPF filter:

sudo iotnet -i eth0 -c "port 1883 or port 5683" -d 45

Multiple PCAPs with custom config:

iotnet file1.pcap file2.pcap --config custom-rules.json

Filter by display filter (Wireshark syntax):

iotnet capture.pcap --display-filter "mqtt or coap"

Detected IoT Protocols

The tool can identify:

• MQTT: Message Queue Telemetry Transport
• CoAP: Constrained Application Protocol
• Zigbee: Low-power mesh networking
• Z-Wave: Home automation protocol
• ONVIF: IP camera protocol
• UPnP/SSDP: Universal Plug and Play
• Modbus: Industrial control protocol
• And many more (configurable)

Security Checks

IoTNet identifies vulnerabilities such as:

• Unencrypted MQTT traffic
• Missing TLS/encryption
• Weak or no authentication
• Plaintext credentials
• Insecure protocol versions
• Known vulnerable implementations

Output Information

Results include:

• Total packets analyzed
• Protocol distribution with percentages
• IoT findings with protocol details and packet info
• Vulnerabilities with severity levels (high/medium/low)
• Recommendations for remediation

Important Notes

• Live capture requires root/sudo privileges
• Requires network access to specified interface
• PCAP analysis does not require elevated privileges
• Detection rules can be customized in config file
• Supports standard PCAP format from tcpdump, Wireshark, etc.