A distributed network observability platform that uses ESP32-based packet sniffers and a cloud-native backend to monitor Wi-Fi network behavior in real time, with anomaly detection, IDS capabilities, and DevOps orchestration.
Unlike payload-inspecting tools such as Wireshark, this system analyzes only frame metadata (MAC addresses, RSSI, timing, SSIDs). That limits privacy exposure while still supporting network security monitoring. It combines edge capture with a cloud-native streaming architecture to detect network anomalies, rogue access points, and suspicious devices in real time.
Key Innovation: multi-layer analysis from the radio and MAC layers (RSSI and channel measured at Layer 1, 802.11 frame headers at Layer 2) up to the platform's own Layer 7 HTTP/JSON APIs, with distributed processing across Kubernetes clusters.
- 802.11 MAC Frame Capture & Analysis
- Decoding MAC frame headers (Frame Control, Duration/ID, Sequence numbers)
- Extracting Management frames (Beacon, Probe Request/Response, Authentication)
- Data frame analysis for traffic patterns
- OUI (Organizationally Unique Identifier) Lookup
- Device vendor identification from MAC addresses
- OUI database maintenance and updates
- Rogue device detection through OUI anomalies
- ESP32 Promiscuous Mode Implementation
- Raw packet capture and frame buffering
- Timestamp synchronization and RSSI collection
- HTTP/TCP Protocol Handling
- RESTful API design for data endpoints
- TCP connection state tracking and anomaly detection for the platform's own services
- Validation of the platform's own HTTP/JSON traffic for Layer 7 anomalies (captured Wi-Fi payloads are never inspected)
- Kafka Pub-Sub Architecture
- Event-driven streaming pipeline with topic partitioning
- Consumer group management for distributed processing
- High-throughput packet metadata streaming
- Offset management and fault tolerance
- Distributed Data Processing
- Real-time aggregation and transformation
- Stateful stream processing for anomaly detection
- Windowing operations for temporal analysis
- Intrusion Detection System (IDS)
- MAC spoofing pattern recognition
- Unauthorized access point detection
- Traffic anomaly flagging
- Rogue AP Detection
- Beacon frame spoofing identification
- Unauthorized SSID broadcasting detection
- Evil twin access point identification
- RSSI Analysis
- Signal strength profiling per device and per sniffer (a proxy for proximity, not a location fix)
- Unexpected signal strength patterns
- Device proximity tracking and anomalies
- Traffic Anomaly Detection
- Spike detection algorithms
- Unusual device behavior identification
- Protocol violation detection
- REST API Design & Implementation
- Client-server communication architecture
- Standardized endpoint design for device queries, alerts, and analytics
- Stateless API design for horizontal scaling
- JSON over HTTP
- Data serialization format for ingestion and retrieval
- Schema validation and versioning
- Error response standardization
- Backend Data Access Layer
- Query optimization for large-scale device databases
- Pagination and filtering mechanisms
- Real-time data aggregation endpoints
- Container Networking
- Multi-container service communication via Docker Compose
- Service discovery and inter-pod networking in Kubernetes
- Network policies for security isolation
- Kubernetes Ingress Configuration
- External traffic routing to frontend and backend services
- Load balancing across service replicas
- TLS termination for secure communication
- Host-based routing for multi-service architecture
- Observability & Monitoring
- Prometheus metrics collection from all services
- Grafana dashboard setup for real-time visualization
- Log aggregation and distributed tracing
- Health checks and service readiness probes
- Performance metrics and alerting
- Provide real-time visibility into Wi-Fi networks from Layer 1 to Layer 7
- Enable distributed packet monitoring using IoT devices at the edge
- Build a scalable backend using streaming architecture with Kafka
- Detect security anomalies and threats:
- Rogue access points and unauthorized devices
- MAC spoofing and device impersonation
- Traffic spikes and unusual behavior patterns
- Signal strength anomalies and inconsistent proximity profiles across sniffers
- Demonstrate enterprise DevOps practices using containerization, orchestration, and observability
- Retain timestamped packet metadata for after-the-fact security analysis
+---------------------------------------------------------------------+
|                        EDGE LAYER (Layer 1-2)                       |
+---------------------------------------------------------------------+
|  +------------------+   +------------------+   +------------------+ |
|  | ESP32 Sniffer 1  |   | ESP32 Sniffer 2  |   | ESP32 Sniffer N  | |
|  | (802.11 Frames)  |   | (MAC + RSSI)     |   | (OUI Lookup)     | |
|  +--------+---------+   +--------+---------+   +--------+---------+ |
+-----------|----------------------|----------------------|-----------+
            |                      |                      |
            +----------------------+----------------------+
                                   |
                     +-------------v--------------+
                     | HTTP/JSON Ingestion API    |  (Layer 7)
                     | (Node.js Express)          |
                     |  - POST /packets           |
                     |  - Validation              |
                     |  - Rate Limiting           |
                     +-------------+--------------+
                                   |
+----------------------------------v----------------------------------+
|                   STREAMING LAYER (Apache Kafka)                    |
+---------------------------------------------------------------------+
|  Topics (pub-sub):                                                  |
|    packet-metadata   [Partition 0, 1, 2, 3 ...] keyed by MAC hash   |
|    alerts            [Alert Partition]                              |
|    devices           [Device State Partition]                       |
+----------------------------------+----------------------------------+
                                   |
+----------------------------------v----------------------------------+
|             PROCESSING LAYER (Anomaly Detection & IDS)              |
+---------------------------------------------------------------------+
|  Processing Service (Kafka Consumer)                                |
|    - RSSI Analysis (signal profiling per device and sniffer)        |
|    - Rogue AP Detection (beacon analysis)                           |
|    - MAC Spoofing Detection (behavior profiling)                    |
|    - Traffic Anomaly Detection (spike detection)                    |
|    - IDS Ruleset Application                                        |
+----------------------------------+----------------------------------+
                                   |
                         +---------v---------+
                         | MongoDB           |  (Storage Layer)
                         |  - devices        |
                         |  - packets        |
                         |  - alerts         |
                         |  - analytics      |
                         +---------+---------+
                                   |
+----------------------------------v----------------------------------+
|                  API & SERVICES LAYER (REST API)                    |
+---------------------------------------------------------------------+
|  Backend API (Node.js Express)                                      |
|    GET /devices       - all monitored devices                       |
|    GET /devices/:id   - device details & RSSI history               |
|    GET /alerts        - security alerts & anomalies                 |
|    GET /stats         - network statistics                          |
+----------------------------------+----------------------------------+
                                   |
+----------------------------------v----------------------------------+
|                         PRESENTATION LAYER                          |
+---------------------------------------------------------------------+
|  Frontend (React)                 Monitoring Stack                  |
|    - Device Dashboard               - Prometheus Metrics            |
|    - RSSI Chart Visualization       - Grafana Dashboards            |
|    - Alert Management               - Log Aggregation               |
|    - Real-time Stats                                                |
+---------------------------------------------------------------------+
ESP32 devices operate in promiscuous mode to capture all Wi-Fi frames:
- 802.11 MAC Frame Structure Analysis
- Frame Control byte: Type (Management/Data/Control) and Subtype extraction
- Sequence number tracking for duplicate detection
- Address fields: TA (Transmitter), RA (Receiver), SA (Source), DA (Destination), BSSID; which of Address 1-3 carries which role depends on the ToDS/FromDS bits in the Frame Control field
- Frame body: authentication/association fields, beacon fixed fields and tagged parameters (SSID, channel), probe responses
- RSSI & Timestamp Collection
- Signal strength profiling per device and location
- Microsecond-precision timestamps for latency analysis
- OUI Resolution
- MAC address vendor identification
- Device type inference from manufacturer patterns
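As an added illustration (not code from this project), the Node.js snippet below decodes the MAC header described above, resolves which address field is TA/RA/SA/DA/BSSID from the ToDS/FromDS bits, walks the beacon body's tagged parameters for SSID and channel, and emits a record in the shape the ingestion API takes. The two frames are constructed by hand; the `frame_type` names beyond beacon/data/auth are assumptions.

```javascript
// Added example (not project code): 802.11 MAC header + beacon body decoding.
// Sample frames are constructed below; nothing here touches real hardware.

const MGMT_SUBTYPES = { 0: 'assoc_req', 1: 'assoc_resp', 4: 'probe_req', 5: 'probe_resp',
                        8: 'beacon', 10: 'disassoc', 11: 'auth', 12: 'deauth' };

const macStr = (buf, off) =>
  [...buf.subarray(off, off + 6)].map(b => b.toString(16).padStart(2, '0')).join(':');
const macBytes = mac => mac.split(':').map(h => parseInt(h, 16));

function parseFrame(buf) {
  if (buf.length < 24) throw new Error('frame shorter than the 24-byte MAC header');
  const fc0 = buf[0], fc1 = buf[1];
  const type = (fc0 >> 2) & 0x03, subtype = (fc0 >> 4) & 0x0f;
  const toDS = !!(fc1 & 0x01), fromDS = !!(fc1 & 0x02);
  const a1 = macStr(buf, 4), a2 = macStr(buf, 10), a3 = macStr(buf, 16);
  const seqCtl = buf.readUInt16LE(22);
  const frame = {
    version: fc0 & 0x03, type, subtype,
    frameType: type === 0 ? (MGMT_SUBTYPES[subtype] || `mgmt_${subtype}`)
             : type === 1 ? `ctrl_${subtype}` : 'data',
    retry: !!(fc1 & 0x08), protected: !!(fc1 & 0x40),
    duration: buf.readUInt16LE(2),
    fragment: seqCtl & 0x0f, sequence: seqCtl >> 4,
  };
  // Address roles depend on direction; management frames never set ToDS/FromDS.
  if (type === 2 && toDS && fromDS) {            // 4-address (WDS) data frame
    if (buf.length < 30) throw new Error('4-address frame truncated');
    frame.addrs = { ra: a1, ta: a2, da: a3, sa: macStr(buf, 24) };
  } else if (type === 2 && toDS) {               // station -> AP
    frame.addrs = { ra: a1, bssid: a1, ta: a2, sa: a2, da: a3 };
  } else if (type === 2 && fromDS) {             // AP -> station
    frame.addrs = { ra: a1, da: a1, ta: a2, bssid: a2, sa: a3 };
  } else {                                       // IBSS / management
    frame.addrs = { ra: a1, da: a1, ta: a2, sa: a2, bssid: a3 };
  }
  if (frame.frameType === 'beacon' || frame.frameType === 'probe_resp') {
    frame.body = parseBeaconBody(buf.subarray(24));
  }
  return frame;
}

function parseBeaconBody(body) {
  if (body.length < 12) throw new Error('beacon body shorter than its fixed fields');
  const out = {
    tsf: body.readBigUInt64LE(0),                  // AP timer, not wall-clock time
    intervalTU: body.readUInt16LE(8),
    privacy: !!(body.readUInt16LE(10) & 0x0010),   // capability bit 4: encryption in use
  };
  let off = 12;
  while (off + 2 <= body.length) {                  // walk the tagged parameters (IEs)
    const id = body[off], len = body[off + 1];
    if (off + 2 + len > body.length) break;         // truncated IE: stop, never over-read
    const val = body.subarray(off + 2, off + 2 + len);
    if (id === 0) out.ssid = val.toString('utf8');
    else if (id === 3 && len === 1) out.channel = val[0];
    off += 2 + len;
  }
  return out;
}

// The record the ingestion API accepts; rssi comes from the radio, not the frame.
function toMetadata(buf, rssi, capturedAtMs) {
  const f = parseFrame(buf);
  const flags = [];
  if (f.protected || f.body?.privacy) flags.push('encrypted');
  if (f.body && f.body.ssid === '') flags.push('hidden_ssid');
  if (f.retry) flags.push('retry');
  return { mac_address: f.addrs.ta, rssi, frame_type: f.frameType,
           ssid: f.body?.ssid ?? null, timestamp: capturedAtMs,
           channel: f.body?.channel ?? null, flags };
}

// --- constructed samples ---
function buildBeacon({ sa, ssid, channel, privacy, seq }) {
  const hdr = Buffer.from([0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    ...macBytes(sa), ...macBytes(sa), (seq << 4) & 0xff, (seq >> 4) & 0xff]);
  const fixed = Buffer.alloc(12);
  fixed.writeBigUInt64LE(16n, 0);
  fixed.writeUInt16LE(100, 8);                              // 100 TU beacon interval
  fixed.writeUInt16LE(0x0001 | (privacy ? 0x0010 : 0), 10); // ESS (+ Privacy)
  const ssidBytes = Buffer.from(ssid, 'utf8');
  return Buffer.concat([hdr, fixed, Buffer.from([0, ssidBytes.length]), ssidBytes,
                        Buffer.from([1, 1, 0x82]), Buffer.from([3, 1, channel])]);
}
const SAMPLE_BEACON = buildBeacon({ sa: '00:50:56:aa:bb:cc', ssid: 'CorpNet',
                                    channel: 6, privacy: true, seq: 1234 });
// Protected data frame, station -> AP (ToDS=1, Protected=1): FC bytes 0x08 0x41
const SAMPLE_DATA = Buffer.from([0x08, 0x41, 0x2c, 0x00,
  ...macBytes('00:50:56:aa:bb:cc'), ...macBytes('e4:5f:01:11:22:33'),
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x10, 0x00, 0xde, 0xad, 0xbe, 0xef]);
```

The IE walk stops on a truncated element instead of reading past the buffer; that is the branch a malformed or deliberately crafted beacon exercises, and it is the one an ESP32 sketch doing the same job in C has to get right too.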
ESP32 → Ingestion API via HTTP POST requests:
{
  "mac_address": "aa:bb:cc:dd:ee:ff",
  "rssi": -45,
  "frame_type": "beacon",
  "ssid": "NetworkName",
  "timestamp": 1672531200000,
  "channel": 6,
  "flags": ["encrypted", "hidden_ssid"]
}
Producer: Ingestion API publishes normalized JSON to Kafka topics
- Topic: packet-metadata
  - All captured frames
  - Partitioned by MAC address hash, so every frame from one transmitter lands on the same partition and is processed in order
  - Retention: 24 hours
- Consumer Groups:
  - Processing service consumes for anomaly detection
  - Analytics service for historical analysis
  - Multiple consumer instances per group for horizontal scaling (Kafka assigns each partition to at most one active consumer in a group, so the partition count bounds parallelism)
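What the ingestion API should do with a POST body before producing it, shown as an added Node.js example rather than the project's own code: strict schema validation of the record above, a per-sender token bucket for the rate limiting the architecture calls for, and a stable hash of the MAC that picks the partition. The accepted `frame_type` and flag names, the field ranges, the five-minute clock-skew limit and the hash choice are assumptions.

```javascript
// Added example (not project code): validate, rate-limit and partition a packet
// record. No Kafka client is involved; toKafkaMessage returns what one would send.

const MAC_RE = /^([0-9a-f]{2}:){5}[0-9a-f]{2}$/;
const FRAME_TYPES = new Set(['beacon', 'probe_req', 'probe_resp', 'auth', 'deauth', 'data']);
const FLAGS = new Set(['encrypted', 'hidden_ssid', 'retry']);
const MAX_SKEW_MS = 5 * 60 * 1000;   // ESP32 clocks drift; bogus timestamps break windowing

function validatePacket(body, nowMs = Date.now()) {
  const errors = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const mac = typeof body.mac_address === 'string' ? body.mac_address.trim().toLowerCase() : '';
  if (!MAC_RE.test(mac)) errors.push('mac_address must look like aa:bb:cc:dd:ee:ff');
  if (!Number.isInteger(body.rssi) || body.rssi < -100 || body.rssi > 0) {
    errors.push('rssi must be an integer dBm in [-100, 0]');
  }
  if (!FRAME_TYPES.has(body.frame_type)) {
    errors.push(`frame_type must be one of ${[...FRAME_TYPES].join('|')}`);
  }
  if (!Number.isInteger(body.channel) || body.channel < 1 || body.channel > 233) {
    errors.push('channel must be an integer 802.11 channel number');
  }
  if (!Number.isInteger(body.timestamp) || Math.abs(body.timestamp - nowMs) > MAX_SKEW_MS) {
    errors.push('timestamp must be epoch milliseconds within 5 minutes of server time');
  }
  if (body.ssid !== undefined && body.ssid !== null &&
      (typeof body.ssid !== 'string' || Buffer.byteLength(body.ssid, 'utf8') > 32)) {
    errors.push('ssid must be a string of at most 32 bytes');
  }
  const flags = body.flags === undefined ? [] : body.flags;
  if (!Array.isArray(flags) || !flags.every(f => FLAGS.has(f))) {
    errors.push(`flags must be an array drawn from ${[...FLAGS].join(', ')}`);
  }
  if (errors.length) return { ok: false, errors };
  return { ok: true, packet: {
    mac_address: mac, rssi: body.rssi, frame_type: body.frame_type,
    ssid: body.ssid ?? null, timestamp: body.timestamp, channel: body.channel,
    flags: [...new Set(flags)], received_at: nowMs } };
}

// Token bucket per sender (sensor IP or device id): `rate` tokens/s, `burst` max.
// This bounds a chatty or hostile sender; it is not a substitute for upstream DDoS controls.
class TokenBucket {
  constructor(rate, burst) { this.rate = rate; this.burst = burst; this.buckets = new Map(); }
  allow(key, nowMs = Date.now()) {
    let b = this.buckets.get(key);
    if (!b) { b = { tokens: this.burst, last: nowMs }; this.buckets.set(key, b); }
    b.tokens = Math.min(this.burst, b.tokens + ((nowMs - b.last) / 1000) * this.rate);
    b.last = nowMs;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Stable 32-bit FNV-1a over the MAC; any deterministic hash of the key works
// (a real client such as kafkajs hashes the message key itself by default).
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}
function partitionFor(mac, numPartitions) {
  return fnv1a32(mac.toLowerCase()) % numPartitions;
}
function toKafkaMessage(packet, numPartitions) {
  return { key: packet.mac_address,
           partition: partitionFor(packet.mac_address, numPartitions),
           value: JSON.stringify(packet) };
}

// Constructed sample body, as an ESP32 would POST it (note the upper-case MAC).
const SAMPLE_BODY = { mac_address: 'AA:BB:CC:DD:EE:FF', rssi: -45, frame_type: 'beacon',
                      ssid: 'NetworkName', timestamp: 1672531200000, channel: 6,
                      flags: ['encrypted', 'hidden_ssid'] };
```

Normalizing the MAC to lower case before hashing matters: without it, `AA:BB:...` and `aa:bb:...` from two sensors would land on different partitions and the per-device ordering guarantee would silently disappear.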
Kafka Consumer processes frames with stateful operations:
- RSSI Analysis
  - Builds a signal strength profile per device and per sniffer
  - Detects sudden signal loss (device disconnection)
  - Flags a device heard by a sniffer that has never seen it before (proximity anomaly)
  - Flags physically implausible jumps in signal strength (spoofing indicator: two radios sharing one MAC)
- Rogue AP Detection
  - Tracks beacon frame patterns per SSID
  - Flags multiple BSSIDs beaconing the same SSID (Evil Twin); on networks with several legitimate APs per SSID this needs an inventory of authorized BSSIDs to avoid false positives
  - Analyzes timing inconsistencies in beacon intervals
  - Checks the beacon transmitter's OUI against the expected AP vendor
- MAC Spoofing Detection
  - Maintains behavioral profiles per MAC address
  - Flags impossible state transitions (e.g., one MAC heard at two distant sniffers at the same instant)
  - Detects MAC address reuse patterns
  - Correlates with RSSI and temporal data
- Traffic Anomaly Detection
  - Windowed spike detection on per-device packet rates
  - Unusual frame type combinations
  - Data frame volume anomalies
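The stateful checks above, written out as an added Node.js example (not the project's processing service): an RSSI-jump detector, a sliding-window frame-rate spike detector, an evil-twin check that consults an inventory of authorized BSSIDs, and a periodic sweep for devices that went silent. Alerts use the `{type, severity, mac, timestamp, reason}` shape of the alerts collection; the thresholds, alert type names and the sample stream are assumptions.

```javascript
// Added example (not project code): stateful anomaly detection over normalized
// frame metadata, driven by a constructed sample stream.
const WINDOW_MS = 10000;           // sliding window for per-MAC frame rate
const SPIKE_FRAMES = 40;           // frames per window from one MAC that count as a spike
const RSSI_JUMP_DB = 30;           // dB change implausible for a stationary transmitter
const RSSI_JUMP_WITHIN_MS = 2000;
const LOST_AFTER_MS = 60000;       // silence that counts as a disconnection

class AnomalyDetector {
  // authorized: { ssid: [BSSIDs allowed to beacon it] }, from an AP inventory
  constructor(authorized = {}) {
    this.devices = new Map();
    this.seenBssids = new Map();   // ssid -> Set of MACs observed beaconing it
    this.authorized = new Map(Object.entries(authorized).map(([s, v]) => [s, new Set(v)]));
  }

  alert(type, severity, mac, timestamp, reason) {
    return { type, severity, mac, timestamp, reason };
  }

  process(rec) {
    const alerts = [];
    const { mac_address: mac, rssi, timestamp: ts } = rec;
    let dev = this.devices.get(mac);
    if (!dev) {
      dev = { firstSeen: ts, lastSeen: ts, lastRssi: rssi, lastRssiAt: ts,
              times: [], spiking: false, lost: false };
      this.devices.set(mac, dev);
      alerts.push(this.alert('new_device', 'info', mac, ts, 'first frame from this MAC'));
    }
    dev.lastSeen = ts;
    dev.lost = false;

    // 1. RSSI jump: a stationary radio does not move 30 dB in 2 s, but a second
    //    device transmitting with the same MAC produces exactly that pattern.
    if (ts - dev.lastRssiAt <= RSSI_JUMP_WITHIN_MS && Math.abs(rssi - dev.lastRssi) >= RSSI_JUMP_DB) {
      alerts.push(this.alert('rssi_jump', 'medium', mac, ts,
        `RSSI moved from ${dev.lastRssi} to ${rssi} dBm in ${ts - dev.lastRssiAt} ms`));
    }
    dev.lastRssi = rssi; dev.lastRssiAt = ts;

    // 2. Sliding-window spike on frame rate; re-arm only once the rate has halved.
    dev.times.push(ts);
    while (dev.times.length && dev.times[0] < ts - WINDOW_MS) dev.times.shift();
    if (dev.times.length >= SPIKE_FRAMES && !dev.spiking) {
      dev.spiking = true;
      alerts.push(this.alert('traffic_spike', 'medium', mac, ts,
        `${dev.times.length} frames in ${WINDOW_MS / 1000} s`));
    } else if (dev.times.length < SPIKE_FRAMES / 2) {
      dev.spiking = false;
    }

    // 3. Evil twin: a BSSID beaconing an SSID it is not authorized for. Without an
    //    inventory a second BSSID is only "medium": multi-AP networks share SSIDs.
    if (rec.frame_type === 'beacon' && rec.ssid) {
      let seen = this.seenBssids.get(rec.ssid);
      if (!seen) { seen = new Set(); this.seenBssids.set(rec.ssid, seen); }
      if (!seen.has(mac)) {
        const allowed = this.authorized.get(rec.ssid);
        if (allowed && !allowed.has(mac)) {
          alerts.push(this.alert('evil_twin', 'high', mac, ts,
            `beacons "${rec.ssid}" but authorized BSSIDs are ${[...allowed].join(', ')}`));
        } else if (!allowed && seen.size > 0) {
          alerts.push(this.alert('evil_twin', 'medium', mac, ts,
            `"${rec.ssid}" is also beaconed by ${[...seen].join(', ')}; confirm it is a multi-AP network`));
        }
        seen.add(mac);
      }
    }
    return alerts;
  }

  // Run from a timer, not per frame: flags devices that have gone silent.
  sweep(nowMs) {
    const alerts = [];
    for (const [mac, dev] of this.devices) {
      if (!dev.lost && nowMs - dev.lastSeen > LOST_AFTER_MS) {
        dev.lost = true;
        alerts.push(this.alert('device_lost', 'low', mac, nowMs,
          `no frames for ${Math.round((nowMs - dev.lastSeen) / 1000)} s`));
      }
    }
    return alerts;
  }
}

// Constructed sample stream: a legitimate AP, a rogue beaconing the same SSID,
// a client whose RSSI jumps 40 dB in 200 ms, and a device flooding frames.
function sampleStream(t0 = 1672531200000) {
  const rec = (mac, frame_type, rssi, timestamp, ssid = null) =>
    ({ mac_address: mac, frame_type, rssi, timestamp, ssid });
  const s = [];
  for (let i = 0; i < 5; i++) s.push(rec('00:50:56:aa:bb:cc', 'beacon', -50, t0 + i * 100, 'CorpNet'));
  s.push(rec('02:11:22:33:44:55', 'beacon', -40, t0 + 600, 'CorpNet'));
  s.push(rec('e4:5f:01:11:22:33', 'data', -60, t0 + 700));
  s.push(rec('e4:5f:01:11:22:33', 'data', -20, t0 + 900));
  for (let i = 0; i < 45; i++) s.push(rec('aa:aa:aa:aa:aa:01', 'data', -70, t0 + 1000 + i * 10));
  return s;
}

function runSample(t0 = 1672531200000) {
  const det = new AnomalyDetector({ CorpNet: ['00:50:56:aa:bb:cc'] });
  const alerts = sampleStream(t0).flatMap(r => det.process(r));
  return alerts.concat(det.sweep(t0 + 120000));
}
```

All state lives in the detector instance, so in the real service each consumer instance should own whole partitions (which the MAC-keyed partitioning guarantees) or the per-MAC state would be split across consumers and the jump and spike checks would miss.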
Processed data persisted for forensics and analytics:
devices: {_id, mac, oui, vendor, first_seen, last_seen, rssi_history}
alerts: {_id, type, severity, mac, timestamp, reason}
packets: {_id, mac, rssi, frame_type, timestamp}
Backend provides standardized HTTP endpoints for frontend:
GET /devices → Array of all tracked devices
GET /devices/:mac/stats → Device's RSSI and traffic stats
GET /alerts → Security alerts, sorted
GET /alerts/:id → Alert details with evidence
GET /anomalies → Currently detected anomalies
Protocol: JSON over HTTP, stateless request/response model
React dashboard consumes REST API:
- Real-time device table with vendor info
- RSSI trend charts (location tracking)
- Alert notification system
- Network topology visualization
Ensure you have the following installed:
- Docker (v20.10+)
- Docker Compose (v2.0+)
- Kubernetes (kubectl v1.24+) - Optional, for K8s deployment
- Node.js (v16+) - For local development
- Python 3.8+ - For OUI database download script
This runs all services locally for development and testing:
# Navigate to project root
cd IoT-Network-Monitor
# Create necessary volumes
mkdir -p data/mongodb data/kafka
# Start all services
docker-compose -f infra/docker-compose.yml up -d
# Verify services are running
docker-compose -f infra/docker-compose.yml ps
Services Started:
- Kafka (localhost:9092)
- MongoDB (localhost:27017)
- Ingestion API (localhost:3001) - Receives ESP32 packets
- Backend API (localhost:3002) - REST endpoints
- Processing Service (background) - Anomaly detection
- Frontend (localhost:80) - React dashboard
- Prometheus (localhost:9090) - Metrics
- Grafana (localhost:3000) - Visualization
Check Service Health:
# Ingest API status
curl http://localhost:3001/health
# Backend API status
curl http://localhost:3002/health
# Access Frontend
open http://localhost
# Prometheus metrics
open http://localhost:9090
# Grafana dashboards (default: admin/admin)
open http://localhost:3000
For production-scale deployment with orchestration, networking, and observability:
# 1. Namespace
kubectl apply -f infra/k8s/namespace.yaml
# 2. MongoDB, then wait for it to become ready
kubectl apply -f infra/k8s/mongo/deployment.yml
kubectl wait --for=condition=ready pod -l app=mongo -n iot-monitoring --timeout=300s
# 3. Kafka, then wait for it to become ready
kubectl apply -f infra/k8s/kafka/deployment.yml
kubectl wait --for=condition=ready pod -l app=kafka -n iot-monitoring --timeout=300s
# 4. Application services
# Ingestion API (receives ESP32 data)
kubectl apply -f infra/k8s/ingestion-api/deployment.yml
# Backend API (serves REST endpoints)
kubectl apply -f infra/k8s/backend-api/deployment.yml
# Processing Service (anomaly detection)
kubectl apply -f infra/k8s/processing-service/deployment.yml
# Frontend (React dashboard)
kubectl apply -f infra/k8s/frontend/deployment.yml
# Check all pods are running
kubectl get pods -n iot-monitoring
# View pod logs (e.g., ingestion-api)
kubectl logs -n iot-monitoring -l app=ingestion-api --tail=50 -f
# Port forward for local access
kubectl port-forward -n iot-monitoring svc/ingestion-api 3001:3001
kubectl port-forward -n iot-monitoring svc/backend-api 3002:3002
kubectl port-forward -n iot-monitoring svc/frontend 3000:80
The Ingress manifest below has no tls: section, so it serves plain HTTP; to get the TLS termination described earlier, add a tls: entry that references a Secret holding the certificate and key. Note also that the /api/ingestion path is reachable by anything that can reach the Ingress: restrict it to the sensor network (network policy or source allow-list) or require a per-sensor credential, otherwise fabricated frames can be injected into the pipeline.
# Apply Ingress configuration (update domain/IPs as needed)
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: iot-monitor-ingress
namespace: iot-monitoring
spec:
rules:
- host: iot-monitor.local
http:
paths:
- path: /api/ingestion
pathType: Prefix
backend:
service:
name: ingestion-api
port:
number: 3001
- path: /api
pathType: Prefix
backend:
service:
name: backend-api
port:
number: 3002
- path: /
pathType: Prefix
backend:
service:
name: frontend
port:
number: 80
EOF
# Verify ingress
kubectl get ingress -n iot-monitoring
- Download Arduino IDE: https://www.arduino.cc/en/software
- Add ESP32 board support: Preferences → Additional Boards Manager URLs, and add:
  https://raw.githubusercontent.com/espressif/arduino-esp32/gh-pages/package_esp32_index.json
- Install ESP32 boards from Board Manager
Edit esp32/sniffer/sniffer.ino:
// Replace with your network details
const char* SSID = "YourNetworkSSID";
const char* PASSWORD = "YourPassword";
const char* INGESTION_SERVER = "http://192.168.1.100:3001/packets"; // IP of ingestion API
// Capture interval (milliseconds)
const unsigned long CAPTURE_INTERVAL = 5000;
// Promiscuous mode callback will send captured frames to ingestion API via HTTP
Two practical points about this configuration: a sniffer that stays associated to the SSID above captures only on that AP's channel (the ESP32 has one radio), so covering other channels needs a sniffer that is not associated and hops channels; and INGESTION_SERVER is a plain http:// URL, so sensor-to-API traffic is cleartext until it is pointed at a TLS endpoint.
- Connect ESP32 via USB
- Select board: Tools β Board β ESP32 Dev Module
- Select port: Tools β Port β /dev/ttyUSB0 (or COM port on Windows)
- Click Upload
# Check Serial Monitor (9600 baud) for debug output
# Should show: "Capturing frames...", "Sent to ingestion API: <mac>"
# Monitor ingestion API logs
kubectl logs -n iot-monitoring -l app=ingestion-api -f
# Verify data in MongoDB
kubectl exec -it mongo-pod -n iot-monitoring -- mongo   # on MongoDB 6+ use mongosh; the legacy mongo shell is no longer shipped
# Inside mongo shell:
> use iot_network
> db.packets.find().limit(5)
# Frontend
cd frontend
npm install
# Ingestion API
cd ../services/ingestion-api
npm install
# Backend API
cd ../backend-api
npm install
# Processing Service
cd ../processing-service
npm install
Terminal 1: Start Kafka & MongoDB (Docker)
docker-compose -f infra/docker-compose.yml up kafka mongo
Terminal 2: Ingestion API
cd services/ingestion-api
npm start
# Listens on http://localhost:3001
Terminal 3: Backend API
cd services/backend-api
npm start
# Listens on http://localhost:3002
Terminal 4: Processing Service
cd services/processing-service
npm start
# Subscribes to Kafka topics
Terminal 5: Frontend
cd frontend
npm run dev
# Listens on http://localhost:5173
Before running, download the latest OUI database for MAC address vendor identification:
cd scripts
node download-oui.js
# Output: oui.json (50MB+) downloaded and cached
Simulate multiple ESP32 sniffers sending frame data:
cd scripts
node esp32-simulator.js --count 5 --interval 2000 --server http://localhost:3001
This generates realistic packet metadata and sends it to the ingestion API.
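How the downloaded OUI data is used for vendor resolution and the "OUI anomaly" checks, as an added Node.js example (not the project's download-oui.js or its oui.json, whose layout this page does not show). The registry rows are constructed in the format of the IEEE oui.txt "(hex)" lines; the inventory of AP vendors is an assumption. The locally-administered bit handling is the part worth copying: randomized MACs never resolve, and that alone is not a rogue indicator.

```javascript
// Added example (not project code): OUI parsing, lookup and beacon-source checks.
// Constructed registry excerpt in IEEE oui.txt "(hex)" row format.
const OUI_TXT = `
00-50-56   (hex)\t\tVMware, Inc.
E4-5F-01   (hex)\t\tRaspberry Pi Trading Ltd
00-00-0C   (hex)\t\tCisco Systems, Inc
`;

function parseOuiTxt(text) {
  const table = new Map();
  const row = /^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$/;
  for (const line of text.split('\n')) {
    const m = row.exec(line.trim());
    if (m) table.set((m[1] + m[2] + m[3]).toLowerCase(), m[4]);
  }
  return table;
}

// Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; emit colon form.
function normalizeMac(mac) {
  const hex = String(mac).toLowerCase().replace(/[^0-9a-f]/g, '');
  if (hex.length !== 12) throw new Error(`not a MAC address: ${mac}`);
  return hex.match(/../g).join(':');
}

function lookupOui(table, mac) {
  const norm = normalizeMac(mac);
  const first = parseInt(norm.slice(0, 2), 16);
  const multicast = !!(first & 0x01);            // I/G bit
  const locallyAdministered = !!(first & 0x02);  // U/L bit: randomized / software-set MACs
  const oui = norm.replace(/:/g, '').slice(0, 6);
  // Only globally administered unicast addresses carry a registered OUI.
  const vendor = (!multicast && !locallyAdministered) ? (table.get(oui) ?? null) : null;
  return {
    mac: norm, oui, vendor, multicast, locallyAdministered,
    // A global unicast MAC missing from a current registry deserves a look;
    // a locally administered one is normal (phone/laptop MAC randomization).
    unknownOui: !multicast && !locallyAdministered && vendor === null,
  };
}

// Beacon-source check: inventoried APs come from known vendors. A beacon from a
// locally administered BSSID, an unregistered OUI, or a non-AP vendor is a rogue-AP
// indicator to correlate with the SSID/BSSID checks, not a verdict on its own.
function beaconSourceSuspicious(entry, apVendors) {
  if (entry.locallyAdministered) return 'locally administered BSSID';
  if (entry.unknownOui) return 'OUI not in registry';
  if (!apVendors.has(entry.vendor)) return `vendor "${entry.vendor}" is not an inventoried AP vendor`;
  return null;
}

const OUI_TABLE = parseOuiTxt(OUI_TXT);
```

The IEEE also allocates 28-bit (MA-M) and 36-bit (MA-S) blocks; a 24-bit table alone attributes those to "IEEE Registration Authority" or misses them, so a production lookup should load those registries too and do a longest-prefix match.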
curl -X POST http://localhost:3001/packets \
-H "Content-Type: application/json" \
-d '{
"mac_address": "aa:bb:cc:dd:ee:ff",
"rssi": -45,
"frame_type": "beacon",
"ssid": "TestNetwork",
"timestamp": '$(date +%s000)',
"channel": 6,
"flags": ["encrypted"]
}'
# Publish to Kafka directly
docker-compose -f infra/docker-compose.yml exec kafka \
kafka-console-producer --broker-list localhost:9092 --topic packet-metadata   # newer Kafka releases use --bootstrap-server instead of --broker-list
# Access Prometheus UI
open http://localhost:9090
# Query service metrics:
# - http_request_duration_seconds
# - kafka_consumer_lag
# - mongodb_connections
# - anomaly_detection_duration_seconds
# Access Grafana
open http://localhost:3000
# Default: admin / admin
# Dashboards available:
# - Network Health Overview
# - Device Activity Timeline
# - Alert History
# - Kafka Consumer Lag
# View all service logs
docker-compose -f infra/docker-compose.yml logs -f
# View specific service logs
docker-compose -f infra/docker-compose.yml logs -f backend-api
# Stop Docker Compose services
docker-compose -f infra/docker-compose.yml down
# Remove volumes (warning: deletes data)
docker-compose -f infra/docker-compose.yml down -v
# Scale down Kubernetes deployment
kubectl scale deployment/ingestion-api --replicas=0 -n iot-monitoring
POST /packets
Content-Type: application/json
{
"mac_address": "aa:bb:cc:dd:ee:ff",
"rssi": -45,
"frame_type": "beacon|data|auth",
"ssid": "NetworkName",
"timestamp": 1672531200000,
"channel": 6,
"flags": ["encrypted", "hidden_ssid"]
}
Response: 200 OK
GET /devices
Response: [{id, mac, vendor, first_seen, last_seen}, ...]
GET /devices/:mac/stats
Response: {mac, vendor, packet_count, avg_rssi, last_rssi, alerts}
GET /alerts
Response: [{id, type, severity, mac, timestamp, reason}, ...]
GET /anomalies
Response: [{id, type, mac, rssi, description, severity}, ...]
- Privacy-First: no payload inspection, only metadata analysis (MAC addresses and SSIDs are still personal data in many jurisdictions, so retention and sharing of the metadata need the same care)
- Network Segmentation: Kubernetes network policies isolate services
- RSSI-based Anomaly Detection: detects spoofing attempts
- MAC Address Validation: OUI verification against known vendors (locally administered, i.e. randomized, MACs resolve to no vendor by design and are not a rogue indicator on their own)
- Rate Limiting: per-sender request limits on the ingestion API; this bounds abusive or misbehaving senders but is not DDoS protection by itself
- Encrypted Communications: HTTPS support for all APIs; the sample ESP32 configuration above posts to a plain http:// endpoint, so sensor traffic is cleartext until the sketch is pointed at a TLS endpoint
- Access Control: JWT support on the backend API; the POST /packets ingestion endpoint as shown in this README carries no credential, so anything that can reach it can inject fabricated frames
- Horizontal Scaling: All services deployable as multiple replicas in K8s
- Kafka Partitioning: Packet topics partitioned by MAC for parallelism
- MongoDB Indexing: Optimized queries on mac_address, timestamp
- Load Balancing: K8s ingress distributes traffic
- Resource Limits: CPU/Memory constraints per container
- Observability: Complete metrics, logs, and traces
1. Modify code in services/*
2. Test locally with Docker Compose
3. Verify with ESP32 simulator
4. Deploy to Kubernetes
5. Monitor with Grafana/Prometheus
6. Iterate based on metrics
- 802.11 Specification: IEEE 802.11-2020
- Kafka Documentation: https://kafka.apache.org
- Kubernetes Networking: https://kubernetes.io/docs/concepts/services-networking/
- MongoDB Aggregation: https://docs.mongodb.com/manual/aggregation/
- Prometheus Monitoring: https://prometheus.io/docs/
MIT License - See LICENSE file for details
React dashboard displays:
- Active devices
- RSSI trends
- Alerts
- Operate in promiscuous mode
- Capture Wi-Fi packet metadata
- Lightweight and distributed
- Receives HTTP POST data from ESP32
- Validates and forwards to Kafka
- Stateless and horizontally scalable
- Handles high-throughput data ingestion
- Decouples producers and consumers
- Enables scalability and fault tolerance
- Consumes Kafka messages
- Implements anomaly detection logic:
  - New device detection
  - Device disappearance
  - RSSI fluctuation anomalies
  - Traffic spikes
- Stores processed device data
- Enables querying and historical analysis
- Provides REST endpoints: /devices, /alerts
- Acts as bridge between data layer and frontend
- Built with React
- Displays:
  - Real-time device list
  - Signal strength trends
  - Alerts panel
- All services containerized using Docker
- Deployed on Kubernetes:
  - Deployments
  - Services
  - Ingress
- Automated using GitHub Actions:
  - Build
  - Test
  - Deploy
- Metrics exposed from services: packets_received_total, devices_detected, anomalies_detected
- Monitoring stack:
  - Prometheus → Metrics collection
  - Grafana → Visualization dashboards
- No payload inspection (privacy-safe)
- Only metadata is processed
- TLS used for backend communication
- Kubernetes RBAC for access control
- Cannot decrypt HTTPS traffic
- ESP32 hardware limitations (memory, CPU, and a single radio that captures one channel at a time)
- Limited to Wi-Fi-based monitoring
- Accuracy depends on deployment density
- Machine Learning-based anomaly detection
- RSSI-based location estimation
- Integration with Istio for Kubernetes traffic observability
- Cloud deployment (AWS/GCP/Azure)
- Mobile dashboard application
This system demonstrates a modern DevOps + Networking solution by combining:
- IoT-based packet sniffing
- Streaming architecture
- Microservices design
- Kubernetes deployment
- Real-time observability
It provides a scalable and privacy-aware approach to network monitoring suitable for smart environments and research applications.
Omkar Patil, Smrutikant Parida, Paras Sarode, Omar Khan, Kushal Kurkure