iotnet

# IoTNet - IoT Network Traffic Analyzer

You are helping the user analyze network traffic to detect IoT protocols and identify security vulnerabilities using the iotnet tool.

## Tool Overview

IoTNet analyzes network packet captures (PCAPs) or performs live traffic capture to:
- Detect IoT-specific protocols (MQTT, CoAP, Zigbee, etc.)
- Identify security vulnerabilities in network traffic
- Analyze protocol distribution
- Find unencrypted communications
- Detect weak authentication mechanisms
- Identify insecure IoT device behaviors

## Instructions

When the user asks to analyze network traffic, capture IoT traffic, or assess network security:

1. **Determine input type**:
   - PCAP file analysis (offline)
   - Live network capture (requires interface)

2. **Gather requirements**:
   - For PCAP: Get file path(s)
   - For live capture: Get network interface name and duration
   - Ask about filtering needs (specific IPs, protocols)
   - Check if custom detection rules are needed

3. **Execute the analysis**:
   - Use the iotnet command from the iothackbot bin directory

## Usage Modes

### PCAP Analysis (Offline)
Analyze one or more existing packet capture files:
```bash
iotnet capture1.pcap capture2.pcap
```

### Live Capture
Capture and analyze traffic in real-time:
```bash
sudo iotnet -i eth0 -d 30
```

## Parameters

**Input Options:**
- `pcap_files`: One or more PCAP files to analyze
- `-i, --interface`: Network interface for live capture

**Filtering Options:**
- `--ip`: Filter traffic by IP address
- `-c, --capture-filter`: BPF syntax filter for live capture
- `--display-filter`: Wireshark display filter for PCAP analysis

**Live Capture Options:**
- `-d, --duration`: Capture duration in seconds (default: 30)

**Analysis Options:**
- `--config`: Custom IoT detection rules configuration file
  - Default: `config/iot/detection_rules.json` in the iothackbot directory

**Output Options:**
- `--format text|json|quiet`: Output format (default: text)
- `-v, --verbose`: Detailed output

## Examples

Analyze a packet capture file:
```bash
iotnet /path/to/capture.pcap
```

Live capture for 60 seconds on wifi interface:
```bash
sudo iotnet -i wlan0 -d 60
```

Analyze traffic for specific IP:
```bash
iotnet capture.pcap --ip 192.168.1.100
```

Live capture with BPF filter:
```bash
sudo iotnet -i eth0 -c "port 1883 or port 5683" -d 45
```

Multiple PCAPs with custom config:
```bash
iotnet file1.pcap file2.pcap --config custom-rules.json
```

Filter by display filter (Wireshark syntax):
```bash
iotnet capture.pcap --display-filter "mqtt or coap"
```

## Detected IoT Protocols

The tool can identify:
- **MQTT**: Message Queue Telemetry Transport
- **CoAP**: Constrained Application Protocol
- **Zigbee**: Low-power mesh networking
- **Z-Wave**: Home automation protocol
- **ONVIF**: IP camera protocol
- **UPnP/SSDP**: Universal Plug and Play
- **Modbus**: Industrial control protocol
- And many more (configurable)

## Security Checks

IoTNet identifies vulnerabilities such as:
- Unencrypted MQTT traffic
- Missing TLS/encryption
- Weak or no authentication
- Plaintext credentials
- Insecure protocol versions
- Known vulnerable implementations

## Output Information

Results include:
- **Total packets analyzed**
- **Protocol distribution** with percentages
- **IoT findings** with protocol details and packet info
- **Vulnerabilities** with severity levels (high/medium/low)
- **Recommendations** for remediation

## Important Notes

- Live capture requires root/sudo privileges
- Requires network access to specified interface
- PCAP analysis does not require elevated privileges
- Detection rules can be customized in config file
- Supports standard PCAP format from tcpdump, Wireshark, etc.