Security Project — Portfolio Write-up

WiFiAnalyser

Network Intelligence & Security Assessment Tool

A locally-hosted web application that discovers the devices on your local subnet, enumerates nearby WiFi networks, measures latency, scans common ports, and automatically flags insecure services and configurations, all from a single browser dashboard.

Stack: Python 3 · Flask REST API · Scapy ARP · TCP Port Scan · macOS App · Render Hosted

📡 Analyser dashboard modules: ARP Scan · WiFi Networks · Port Scan · Ping Test · Security Flags

At a glance: 6 scan modules · 10 ports checked · /24 default range · 1-click deploy
01 — How it works

From one click to
full network visibility

You set a CIDR range, click Full Scan, and the tool runs all six modules in sequence — device discovery, WiFi enumeration, latency testing, port scanning, security analysis, and export — updating the live dashboard as results arrive.

STEP 01 —
Set your target range
Enter a CIDR notation subnet (e.g. 192.168.1.0/24). The tool validates the range, calculates the number of usable host addresses, and confirms it is ready to scan. You can target a /24 home network or a larger /20 enterprise subnet.
ipaddress.IPv4Network
STEP 02 —
ARP broadcast — find every device
Scapy crafts raw Ethernet frames carrying ARP requests and broadcasts one for every address in the range. A host on the segment has to answer ARP requests for its own IP address or no peer can deliver IP traffic to it, so devices whose host firewalls drop ICMP are still found. The catch is scope: ARP only reaches the local broadcast domain, so the scanner must sit on the segment it is scanning, and a routed /20 has to be scanned segment by segment. Results include IP, MAC, and hostname (from a reverse-DNS lookup, "Unknown" when there is none).
scapy srp() / ARP
STEP 03 —
WiFi enumeration and signal strength
The tool calls OS-native WiFi scanning commands, nmcli on Linux and the airport utility on macOS, and parses their output. Every visible SSID is listed with signal strength as a percentage, encryption type (WPA2, WPA3, Open), and channel number. Note that Apple deprecated the airport command-line tool in macOS 14.4, so on current macOS releases this step needs another source (for example the nearby-network list printed by system_profiler SPAirPortDataType).
subprocess / nmcli / airport
STEP 04 —
Parallel ping latency test
Each discovered device is pinged using Python's threading module — all hosts are tested simultaneously, not sequentially. This reduces total scan time from minutes to seconds. Average RTT is reported in milliseconds, along with online/offline status per device.
threading + subprocess ping
STEP 05 —
TCP connect port scan
For each discovered device, the tool attempts a TCP three-way handshake on ten common service ports using Python's socket library. A completed connection means the port is open; a refused or timed-out connection is reported as closed or filtered. No nmap is required, and unlike the ARP step this part needs no root: it runs in any Python environment.
socket.connect_ex()
STEP 06 —
Auto-flag and export
Results are cross-referenced against a set of security rules — insecure ports, open WiFi, exposed databases. Findings appear in a dedicated panel. The full dataset — devices, ping, ports — is merged and available as a downloadable CSV spreadsheet for further analysis or SIEM ingestion.
rule engine + csv export
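The six steps above, condensed into one runnable pipeline. This is an added example, not the project's own code: it keeps the parts that run offline (Step 01 CIDR validation, Step 05 parallel TCP connect scan, Step 06 merge and CSV export) and leaves out ARP, WiFi enumeration and ping, which need a live network and, for ARP, root. The COMMON_PORTS list, the SAMPLE_DEVICES record and the loopback listener the demo scans are constructed for illustration, and the function names are mine.

```python
import csv
import io
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed "ten common ports": the page names 21, 22, 23 and 3306, the rest is a guess.
COMMON_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 3306, 3389]

# Constructed stand-in for the ARP step's output (no real ARP scan is run here).
SAMPLE_DEVICES = [
    {"ip": "127.0.0.1", "mac": "00:00:00:00:00:00", "hostname": "localhost"},
]
CSV_FIELDS = ["ip", "mac", "hostname", "latency_ms", "open_ports"]


def validate_range(cidr):
    """Step 01: parse a CIDR string and count usable host addresses.

    strict=False accepts a host address such as 192.168.1.5/24 and normalises
    it to the network address; anything unparseable raises ValueError.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    # /31 and /32 have no separate network and broadcast address to subtract.
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return str(net), usable


def scan_ports(ip, ports, timeout=0.5):
    """Step 05: full TCP connect scan of one host; returns the open ports, sorted."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            # connect_ex returns 0 only when the three-way handshake completed;
            # a refused port returns ECONNREFUSED, a filtered one times out.
            if sock.connect_ex((ip, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def scan_hosts(ips, ports, timeout=0.5, max_workers=64):
    """Scan every host in parallel, one worker per host (bounded by the pool).

    Each worker returns its own list through the executor, so no shared list
    or lock is needed; worst-case wall time is len(ports) * timeout rather
    than len(hosts) * len(ports) * timeout.
    """
    ips = list(ips)
    with ThreadPoolExecutor(max_workers=max(1, min(max_workers, len(ips)))) as pool:
        per_host = list(pool.map(lambda ip: scan_ports(ip, ports, timeout), ips))
    return dict(zip(ips, per_host))


def merge_results(devices, port_results, latency=None):
    """Step 06: join ARP, ping and port data on IP into one row per device."""
    latency = latency or {}
    rows = []
    for dev in devices:
        ip = dev["ip"]
        rows.append({
            "ip": ip,
            "mac": dev.get("mac", ""),
            "hostname": dev.get("hostname", "Unknown"),
            "latency_ms": latency.get(ip, ""),
            "open_ports": " ".join(str(p) for p in port_results.get(ip, [])),
        })
    return rows


def to_csv(rows):
    """Render merged rows as CSV text (what the dashboard offers for download)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def start_listener(host="127.0.0.1"):
    """Open a throwaway listening socket on a kernel-chosen port (demo target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    net, usable = validate_range("192.168.1.0/24")
    print(f"{net}: {usable} usable hosts")
    srv, demo_port = start_listener()
    try:
        found = scan_hosts(["127.0.0.1"], COMMON_PORTS + [demo_port], timeout=0.2)
        print(to_csv(merge_results(SAMPLE_DEVICES, found, {"127.0.0.1": 0.1})))
    finally:
        srv.close()
```

Returning each host's list through the executor instead of appending to a shared list is the simplest way to avoid the race the page guards with a lock; the two designs give the same output.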
02 — Architecture

Flask REST API +
vanilla JS dashboard

Clean client-server separation. All computation runs on the Python backend. The JavaScript layer is purely presentational — it calls the API, renders results, and handles downloads.

🌐 Browser (Dashboard UI): vanilla JS, fetch() API calls, CSV blob download
        |  HTTP / REST
⚙️ Flask App: 6 REST endpoints, threading, result merging, CSV generation
        |  raw packets
📶 Network Layer: ARP / Scapy, ICMP ping, TCP sockets, nmcli / iwlist

Technical security analysis

Project details
WiFi Analyser v1.0
Author: Alex Philip
Credential: MSc InfoSec, RHUL
Certs: Security+ / CySA+
Platform: macOS / Linux
Backend: Python 3, Flask
Hosted: Render.com
Source: GitHub / AlexPhilip01
Licence: MIT — Authorised use only
01 What this tool does and why

WiFi Analyser is a network reconnaissance and visibility tool built for authorised network assessment. In a SOC context, maintaining an accurate inventory of devices on your subnet, knowing which ports are exposed, and identifying insecure protocols are baseline requirements that precede any meaningful threat detection work.

The tool fills the gap between heavyweight enterprise scanners and raw command-line utilities — it provides structured, exportable output through a browser interface without requiring a commercial licence or cloud dependency.

02 ARP scanning — why not ping sweep

The tool uses ARP scanning rather than ICMP ping sweeps for device discovery. Many devices, particularly IoT hardware, mobile phones, and printers, drop ICMP at the host firewall. ARP operates at Layer 2, below the IP-level rules those firewalls apply: a host must answer ARP requests for its own address or nothing on the segment can deliver IP packets to it, so it answers even while dropping pings. Two caveats apply. ARP-level filtering is possible (arptables, nftables' arp family, or client isolation on an access point) but rare on endpoints, and an ARP scan only reaches the local broadcast domain, so it cannot see across a router.

from scapy.all import ARP, Ether, srp

# Layer 2 ARP broadcast — finds firewalled devices on the local segment
arp_request = ARP(pdst="192.168.1.0/24")
broadcast   = Ether(dst="ff:ff:ff:ff:ff:ff")
answered, _ = srp(broadcast / arp_request, timeout=2, verbose=False)

for sent, received in answered:
    ip  = received.psrc   # sender protocol address from the ARP reply
    mac = received.hwsrc  # sender hardware address from the ARP reply

Root privileges (or, on Linux, the CAP_NET_RAW capability; on macOS, access to the /dev/bpf* devices) are required because Scapy sends the frames through a raw link-layer socket, bypassing the kernel's IP stack. This is expected and documented: the tool states the requirement up front.

03 TCP connect scan — design rationale

The port scanner uses TCP connect scanning, a full three-way handshake, rather than SYN (half-open) scanning. This is a deliberate ethical choice: a SYN scan never completes the handshake, so the target service never sees an accepted connection and application logs stay quiet, and it needs raw sockets. A connect scan is noisier but more honest: every probe shows up in the target's connection logs, it needs no privileges, and it accurately represents what an attacker with a standard foothold on the segment would find.

All hosts are scanned in parallel using Python's threading module, reducing total scan time from O(hosts × ports × timeout) to O(ports × timeout). A threading lock protects the shared results list from race conditions.

from socket import socket, AF_INET, SOCK_STREAM
from threading import Lock

results = {}           # ip -> list of open ports, shared across threads
results_lock = Lock()  # serialises writes to the shared dict

# Parallel scan — one thread per host; each thread walks its own port list
def scan_ports(ip, ports):
    for port in ports:
        with socket(AF_INET, SOCK_STREAM) as sock:   # closed on exit
            sock.settimeout(0.5)
            if sock.connect_ex((ip, port)) == 0:     # 0 = handshake completed
                with results_lock:
                    results.setdefault(ip, []).append(port)

04 Security findings and severity classification

The tool auto-classifies findings by severity and surfaces them in a dedicated panel. The rules are simple attribute matches (port number, encryption type, missing hostname) of the kind a SIEM detection rule expresses in Splunk SPL or Microsoft Sentinel KQL; they are a visibility baseline, not a substitute for version-aware vulnerability scanning.

Critical — Port 23
Telnet service exposed
Transmits all data including credentials in plaintext over the network. Any device on the same subnet can passively intercept sessions. No legitimate use case on a modern network.
High — Port 21
FTP service exposed
Like Telnet, FTP sends credentials unencrypted. Vulnerable to both passive sniffing and active MITM. Should be replaced with SFTP (port 22) or FTPS.
High — Open WiFi
Unencrypted SSID detected
An SSID with no WPA2/WPA3 encryption allows any nearby device to join the network and intercept all unencrypted traffic. Should require at minimum WPA2-PSK.
Medium — Port 3306
MySQL exposed on network
A MySQL port visible to the subnet means the listener accepts TCP connections from any host on the segment, not just the application server, so account passwords and any MySQL-level host restrictions are the only barrier. It should be bound to localhost (bind-address = 127.0.0.1) or restricted by firewall, with remote administration tunnelled via SSH.
Info — Port 22
SSH service (expected)
SSH is encrypted and its presence is expected on servers and network devices. No flag is raised, but fail2ban and key-based authentication are recommended.
Info — Unknown hostname
Unidentified device on subnet
Devices where reverse-DNS returns "Unknown" may be unregistered, IoT, or rogue. Cross-referencing MAC vendor OUI prefixes helps classify them.
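The rule engine in code, as an added example rather than the project's own rule set: it encodes the six findings above as data, runs them over constructed device and WiFi records, and sorts the output by severity. PORT_RULES, OPEN_WIFI and the two-entry OUI_VENDORS table are assumptions for the demo (the two OUI prefixes are real assignments, but a production tool would load the full IEEE registry).

```python
# Rule engine: turn merged scan results into severity-ranked findings.

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Info": 3}

# port -> (severity, title, recommendation); a demo table, not the tool's own.
PORT_RULES = {
    23:   ("Critical", "Telnet service exposed",
           "Disable Telnet; manage the device over SSH or an isolated management VLAN."),
    21:   ("High", "FTP service exposed",
           "Replace with SFTP (over SSH) or FTPS."),
    3306: ("Medium", "MySQL exposed on network",
           "Set bind-address = 127.0.0.1 or firewall the port; tunnel admin access over SSH."),
    22:   ("Info", "SSH service (expected)",
           "Use key-based authentication; consider fail2ban."),
}

# Encryption labels the WiFi parser might emit for an unencrypted SSID (assumed).
OPEN_WIFI = {"open", "none", ""}

# Tiny excerpt of the IEEE OUI registry keyed by the first three octets
# (constructed for the demo; both prefixes are real assignments).
OUI_VENDORS = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "00:50:56": "VMware, Inc.",
}


def vendor_for_mac(mac):
    """Look up the OUI (first 24 bits) of a MAC address; 'Unknown vendor' if absent."""
    return OUI_VENDORS.get(mac.lower()[:8], "Unknown vendor")


def classify_ports(devices):
    """Apply PORT_RULES and the unknown-hostname rule to each device."""
    findings = []
    for dev in devices:
        for port in dev.get("open_ports", []):
            rule = PORT_RULES.get(port)
            if rule is None:
                continue  # port not covered by a rule: no finding
            severity, title, fix = rule
            findings.append({"severity": severity, "target": dev["ip"],
                             "port": port, "title": title, "detail": fix})
        if dev.get("hostname", "Unknown") == "Unknown":
            findings.append({
                "severity": "Info", "target": dev["ip"], "port": None,
                "title": "Unidentified device on subnet",
                "detail": f"No reverse DNS; MAC vendor: {vendor_for_mac(dev['mac'])}",
            })
    return findings


def classify_wifi(networks):
    """Flag every SSID whose encryption label means 'no encryption'."""
    return [{
        "severity": "High", "target": net["ssid"], "port": None,
        "title": "Unencrypted SSID detected",
        "detail": f"Channel {net['channel']}, signal {net['signal']}%; require WPA2-PSK at minimum",
    } for net in networks if net.get("encryption", "").lower() in OPEN_WIFI]


def run_rules(devices, networks):
    """Run every rule and return findings ordered Critical -> Info, then by target."""
    findings = classify_ports(devices) + classify_wifi(networks)
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["target"]))
    return findings


def summarise(findings):
    """Count findings per severity, for the panel header."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed sample input, in the shape the merge step produces.
SAMPLE_DEVICES = [
    {"ip": "192.168.1.10", "mac": "b8:27:eb:12:34:56", "hostname": "Unknown", "open_ports": [22, 23]},
    {"ip": "192.168.1.20", "mac": "00:50:56:aa:bb:cc", "hostname": "db01.lan", "open_ports": [22, 3306]},
    {"ip": "192.168.1.30", "mac": "aa:bb:cc:dd:ee:ff", "hostname": "printer.lan", "open_ports": [21]},
]
SAMPLE_NETWORKS = [
    {"ssid": "CorpWiFi", "encryption": "WPA2", "signal": 80, "channel": 6},
    {"ssid": "Guest", "encryption": "Open", "signal": 55, "channel": 11},
]

if __name__ == "__main__":
    findings = run_rules(SAMPLE_DEVICES, SAMPLE_NETWORKS)
    for f in findings:
        port = f"port {f['port']}" if f["port"] else "-"
        print(f"{f['severity']:<8} {f['target']:<14} {port:<10} {f['title']}: {f['detail']}")
    print(summarise(findings))
```

Keeping the rules as data rather than a chain of if statements is what makes them easy to review and extend, and it is the same shape a Sigma rule or a Sentinel analytics rule takes: a match condition plus a severity and a recommendation.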
05 Relevance to SOC analyst work

The skills demonstrated here map directly to day-one SOC analyst tasks. Network asset inventory — knowing exactly which devices exist and what services they expose — is a prerequisite for anomaly detection in any SIEM environment.

Tool feature                     SOC / industry equivalent
ARP device discovery             Asset inventory, CMDB update, NAC baseline
Port scan + service detection    Vulnerability scanning (Nessus, Qualys, Rapid7)
Security flag rule engine        SIEM detection rule authoring (SPL, KQL, Sigma)
CSV export                       Log ingestion, SIEM correlation, evidence packaging
Latency monitoring               Network performance baselining, NPM tools
WiFi SSID enumeration            Rogue AP detection, wireless IDS

"Visibility is the foundation of security. You cannot protect what you cannot see — and this tool exists to make the invisible visible."

— Alex Philip, MSc Information Security, Royal Holloway
06 Ethical and legal boundaries

This tool is designed exclusively for use on networks the operator owns or has explicit written authorisation to test. Unauthorised network scanning can constitute a criminal offence under the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (USA), and the Information Technology Act 2000 (India).

The tool deliberately omits features that would lower the bar for misuse: there is no SYN stealth scanning, no OS fingerprinting, no vulnerability exploitation, and no credential harvesting. Every scan it performs leaves clear traces in network logs — it is a visibility tool, not an attack framework.