HuibSprangers-leiden/HackingLab-SNMP

SNMP Network Scanner & Analyzer

This script automates scanning, sniffing, parsing, and analyzing SNMPv3 data.

Requirements

  • Python 3.x
  • Python Libraries: Listed in requirements.txt (pip install -r requirements.txt)
  • System Tools: zmap, tshark (Wireshark)
  • Permissions: Script often requires sudo for network operations (zmap, tshark).

Project Structure

  • config/: Holds essential (static) input files like enterprise-numbers.txt, excluded_vendors.txt, and snmp3_161.pkt.
  • outputs/: Where all generated results and parsed data are stored.
  • graphs/: Useful graphs from the analysis.
  • ip_lists/: Lists with IP addresses in the Netherlands, split into multiple files for parallel scanning.
  • script.py: Main script used for scanning, parsing scan results and IP to vendor mapping.
  • cve_matching.py: Utility script for fetching CVEs from the NIST CVE API.
  • analyse_asn.py: Script to compute the AS pie chart and statistics.
  • ip_counting.py: Script to count the total number of IPs scanned.

How to Use

The script operates in different modes via command-line arguments:

  1. Scan Mode (scan): Performs a ZMap scan and TShark sniff simultaneously.

    • Usage:
    sudo python3 script.py scan <path_to_ip_list_file>
    • <path_to_ip_list_file>: A text file containing IP addresses to scan.
    • Note: If using a virtual environment, make sure the correct python executable is called when running with sudo:
    sudo venv/bin/python3 script.py scan <path_to_ip_list_file>
    • Outputs:
      • outputs/tshark/tshark_<ip_list_name>_<date>.csv: The SNMP reply packets as captured from tshark
      • outputs/zmap/zmap_<ip_list_name>_<date>.csv: The Zmap output of the scan
  2. Parse TShark Output (parse): Parses raw TShark CSV output into a more structured format.

    • Usage:
    python3 script.py parse <tshark_output_file_path>
    • <tshark_output_file_path>: Path to a CSV file generated by TShark (e.g., in outputs/tshark/).
    • Outputs:
      • outputs/parsed/parsed_<ip_list_name>_output_<date>.csv: The parsed output of the given tshark output file.
  3. Enterprise Count Analysis (enterprise_count): Processes parsed data, filters, and generates vendor reports.

    • Usage:
    python3 script.py enterprise_count <folder_with_parsed_csvs> <reboot_threshold_seconds>
    • <folder_with_parsed_csvs>: Path to a folder containing parsed CSVs (e.g., outputs/parsed/).
    • <reboot_threshold_seconds>: An integer, only includes devices with uptime greater than this value in seconds.
    • Outputs:
      • outputs/results/combined_enterprise_output.csv: A list of all IPs with engine and vendor information. Used for analysis.
      • outputs/results/combined_enterprise_output_timed.csv: A list of all IPs with engine and vendor information filtered based on <reboot_threshold_seconds>
      • outputs/results/vendor_counts_combined.csv: A file with IP count per vendor.
      • outputs/results/vendor_counts_combined_timed.csv.csv: A file with IP count per vendor filtered based on <reboot_threshold_seconds>.
  4. Parse AS Results (parse_asn): Get ASN/WHOIS information for a list of IPs.

    • Usage:
    python3 script.py parse_asn <path_to_ip_list_file>
    • <path_to_ip_list_file>: The path to a text file containing a column of IP addresses to get AS data for.
    • Outputs:
      • outputs/zmap/zmap_enrichment_only_<date>.csv: IP Whois results for all IPs in the list. Used for analysis.
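As an added illustration of what the parse and enterprise_count modes do with the sniffed SNMPv3 replies (the engine ID to enterprise number to vendor mapping, and the reboot-threshold filter behind the _timed outputs), here is example code written for this README; it is not the project's own script.py. The tshark column names, the tiny vendor table and the CSV rows are constructed assumptions.

```python
import csv
import io

# Constructed stand-in for config/enterprise-numbers.txt (IANA enterprise number -> vendor).
ENTERPRISE_VENDORS = {9: "cisco", 2636: "Juniper", 8072: "net-snmp"}

# Constructed sample rows in the shape assumed for the tshark CSV (column names are assumptions).
SAMPLE_CSV = """ip.src,snmp.msgAuthoritativeEngineID,snmp.msgAuthoritativeEngineBoots,snmp.msgAuthoritativeEngineTime
192.0.2.10,800000090300112233aabb,12,864000
192.0.2.11,80001f8880a1b2c3d4e5f6a7b8c9d0e1,3,120
192.0.2.12,000000090102030405060708,1,5000000
"""

def parse_engine_id(hex_id):
    """Decode an SNMPv3 snmpEngineID (RFC 3411, section 5) into enterprise number and remainder."""
    raw = bytes.fromhex(hex_id.replace(":", ""))
    if len(raw) < 5:
        raise ValueError("snmpEngineID must be at least 5 octets")
    enterprise = int.from_bytes(raw[:4], "big")
    if raw[0] & 0x80:  # RFC 3411 format: high bit set, octet 5 is the format indicator
        return {"enterprise": enterprise & 0x7FFFFFFF, "id_format": raw[4], "remainder": raw[5:].hex()}
    # Legacy 12-octet format: enterprise number followed by an enterprise-defined tail
    return {"enterprise": enterprise, "id_format": None, "remainder": raw[4:].hex()}

def analyse(csv_text, reboot_threshold_seconds):
    """Map each reply to a vendor and flag whether engineTime (uptime) exceeds the threshold."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        eid = parse_engine_id(r["snmp.msgAuthoritativeEngineID"])
        uptime = int(r["snmp.msgAuthoritativeEngineTime"])
        rows.append({
            "ip": r["ip.src"],
            "enterprise": eid["enterprise"],
            "vendor": ENTERPRISE_VENDORS.get(eid["enterprise"], "unknown"),
            "uptime": uptime,
            "stable": uptime > reboot_threshold_seconds,  # mirrors the _timed output filter
        })
    return rows

def vendor_counts(rows, timed=False):
    """Count IPs per vendor; with timed=True only hosts above the reboot threshold are counted."""
    counts = {}
    for r in rows:
        if timed and not r["stable"]:
            continue
        counts[r["vendor"]] = counts.get(r["vendor"], 0) + 1
    return counts
```

Running analyse(SAMPLE_CSV, 86400) and then vendor_counts with and without timed=True reproduces the difference between vendor_counts_combined.csv and its _timed counterpart: the net-snmp host with only 120 seconds of engine time drops out of the filtered count.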

Input Files

  • config/snmp3_161.pkt (ZMap probe payload for SNMPv3)

  • config/enterprise-numbers.txt: Mapping of Enterprise Numbers to Vendor names.

  • config/ip_to_as_06_10.csv.txt: Mapping of IPs to AS numbers for all IPs scanned until 06/10/2025

  • config/excluded_vendors.txt: Vendors excluded during Enterprise Count analysis and the analysis notebook.

  • config/all_vendors_cves.csv: All fetched CVEs for identified vendors, used in analysis.py to cache fetched CVEs.

  • config/ASN_count.txt.txt: Number of IPs per AS, top 10 ASes were also mapped to their network type manually.

  • IP list for scan mode.

  • Generated CSVs from previous steps (e.g., TShark output for parse mode, parsed output for enterprise_count mode).

Output Files

Generated in the outputs/ directory and its subfolders (outputs/zmap/, outputs/tshark/, outputs/parsed/, outputs/results/):

  • Raw TShark capture CSVs (outputs/tshark/)
  • Raw ZMap scan result CSVs (outputs/zmap/)
  • Enriched ZMap with AS results CSVs (outputs/zmap/)
  • Parsed TShark output CSVs (outputs/parsed/)
  • Consolidated and filtered enterprise reports (outputs/results/)
  • Vendor count reports (outputs/results/)
  • Reboot time filtered reports (outputs/results/)
