Open Source Network Monitoring Software

Angry IP scanner is fast and friendly network scanner for Windows, Linux, and Mac. It is very extensible, allowing it to be used for very wide range of purposes, with the primary goal of being useful to network administrators.

Osquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive. Osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.Osquery queries your devices like a database. Osquery uses basic SQL commands to leverage a relational data-model to describe a device. Frequently, attackers will leave a malicious process running but delete the original binary on disk. This query returns any process whose original binary has been deleted, which could be an indicator of a suspicious process.

Zeek has a long history in the open source and digital security worlds. Vern Paxson began developing the project in the 1990s under the name “Bro” as a means to understand what was happening on his university and national laboratory networks. Vern and the project’s leadership team renamed Bro to Zeek in late 2018 to celebrate its expansion and continued development. Zeek is not an active security device, like a firewall or intrusion prevention system. Rather, Zeek sits on a “sensor,” a hardware, software, virtual, or cloud platform that quietly and unobtrusively observes network traffic. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security and information event management (SIEM) system.

OSSIM, AlienVault’s Open Source Security Information and Event Management (SIEM) product, provides event collection, normalization and correlation. For more advanced functionality, AlienVault Unified Security Management (USM) builds on OSSIM with these additional capabilities: * Log management * Advanced threat detection with a continuously updated library of pre-built correlation rules * Actionable threat intelligence updates from AlienVault Labs Security Research Team * Rich analytics dashboards and data visualization

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. NetworkMiner can also extract transmitted files from network traffic. New versions of NetworkMiner are released exclusively on www.netresec.com since version 2.0 of NetworkMiner. This page on SourceForge is only kept to provide hosting of older versions of the software. To get the latest version of NetworkMiner, please visit: http://www.netresec.com/?page=NetworkMiner

AirSnort is a wireless LAN (WLAN) tool which cracks encryption keys on 802.11b WEP networks. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.

SSHGuard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using several firewall backends, including iptables, ipfw, and pf.

Netdisco is an SNMP-based L2/L3 network management tool designed for moderate to large networks. Routers and switches are polled to log IP and MAC addresses and map them to switch ports. Automatic L2 network topology discovery, display, and inventory.

A network access control (NAC) system featuring a captive-portal for registration and remediation, wired and wireless management, 802.1X support, isolation of devices, integration with IDS; it can be used to secure networks from small to large. NOTE: PacketFence new version are not pushed on that repository anymore. All version from 11.2.0 can be found by changing the PF_VERSION in the URL. https://packetfence-iso.us-ord-1.linodeobjects.com/vPF_VERSION/PacketFence-ISO-vPF_VERSION.iso and ZEN version could be downloaded at by changing the PF_VERSION in the URL. https://packetfence-zen.us-ord-1.linodeobjects.com/vPF_VERSION/PacketFence-ZEN-PF_VERSION.zip Ex: https://packetfence-iso.us-ord-1.linodeobjects.com/v14.0.0/PacketFence-ISO-v14.0.0.iso https://packetfence-zen.us-ord-1.linodeobjects.com/v14.0.0/PacketFence-ZEN-v14.0.0.zip Source code is hosted here: https://github.com/inverse-inc/packetfence Issue tracker is hosted here: https://github.com/inverse-inc/packetfence/issues

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

ngrep strives to provide most of GNU grep's common features,applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. SUPPORT/REPORTING BUGS: please use https://github.com/jpr5/ngrep/issues Thank you!

jpcap is a set of Java classes which provide an interface and system for network packet capture. A protocol library and tool for visualizing network traffic is included. jpcap utilizes libpcap, a widely deployed system library for packet capture.

NOTE: Project has moved to github, including file downloads. SharpPcap is a cross-platform packet capture framework for the .NET environment, based on the famous pcap / WinPcap libraries. It provides an API for capturing, injecting, analyzing and building packets using any .NET language such as C# and VB.NET.

The Nemesis Project is designed to be a command line based, portable human IP stack for UNIX-like and Windows systems. The suite is broken down by protocol, and should allow for useful scripting of injected packets from simple shell scripts.

The Network Tracking Database (NetDB for short) tracks all changes to the MAC address tables on your switches and the ARP tables on your routers over time stored in MySQL. It supports extensive switch, VLAN and vendor code reports from a CLI or Web App. NetDB can generate CSV reports, track the usage of static IP addresses, record neighbor discovery data and much more. There is now a VM "appliance" with easier upgrades available in the Files section. See the http://netdbtracking.sourceforge.net for more details.

CloseTheDoor indentifies all the listening ports TCP/UDP over IPv4/v6 and the associated program files. This will help you to detect security holes and close backdoors when you want to prevent remote attacks.

tcpick is a textmode sniffer; it tracks tcp streams, shows the status, reassembles and saves the data captured in files or displays them in the terminal in different modes (ascii, hex..). There is a color-mode. Useful to get files passively.

Valhala Honeypot is an easy to use honeypot for the Windows System. The software have the following services: http (web), ftp, tftp, finger, pop3, smtp, echo, daytime, telnet and port forwarding. Some services are real, others are a simulation.

A utility for detecting and resisting BIDIRECTIONAL ARP spoofing. It can anti-spoof for not only the local host, but also other hosts in the same subnet. It is as well a handy helper for gateways which don't work well with ARP.

OpenXDAS is an open source implementation of the Open Group's Distributed Auditing Service (XDAS) specification. OpenXDAS provides a complete implementation of the XDAS specification API, including client-side instrumentation and filtering.

Libnids - NIDS E-component, based on Linux kernel. This library provides IP defragmentation, TCP reassembly and port scan detection.

phpLDAPadmin is a web-based LDAP administration tool for managing your LDAP server. With it you can browse your LDAP tree, view LDAP schema, perform searches, create, delete, copy and edit LDAP entries. You can even copy entries between servers.

Xplico is a Network Forensic Analysis Tool (NFAT). The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP, MGCP, MEGACO, RTP), IRC, WhatsApp... Xplico is able to classify more than 140 (application) protocols. Xplico cam be used as sniffer-decoder if used in "live mode" or in conjunction with netsniff-ng. Xplico is used also in CapAnalysis: http://www.capanalysis.net

Abdal Wizard Port Scanner is a free and open-source for TCP scanning

Simple Event Correlator (SEC) is a lightweight event correlator for network management, log file monitoring, security management, fraud detection, and other tasks which involve event correlation.