# Analyze IoT Network Traffic

IoT devices often expose insecure protocols, plaintext credentials, and weak authentication in network traffic. This skill guides Claude, Codex, or Claude Code through PCAP and live capture analysis with iotnet.

## Install

```bash
npx skillstore add brownfinesecurity/iotnet
```

## Metadata

- Slug: brownfinesecurity-iotnet
- Version: 1.0.0
- Author: BrownFineSecurity
- GitHub username: BrownFineSecurity
- License: MIT
- Repository: https://github.com/BrownFineSecurity/iothackbot/tree/master/skills/iotnet
- Ref: master
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: external_commands, network
- Quality score: 71
- Public page: https://skillstore.pages.dev/skills/brownfinesecurity-iotnet
- Manifest: https://skillstore.pages.dev/api/skills/brownfinesecurity-iotnet/manifest

## Capabilities

- Analyze one or more PCAP files with the iotnet command.
- Capture live traffic from a named interface for a set duration.
- Filter analysis by IP address, BPF capture filters, or display filters.
- Identify IoT protocols such as MQTT, CoAP, Zigbee, Z-Wave, ONVIF, UPnP, SSDP, and Modbus.
- Report security findings such as plaintext credentials, missing TLS, weak authentication, and insecure protocol versions.
- Use custom IoT detection rules from a configuration file.
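As an added illustration of the kind of finding the capabilities above describe (plaintext credentials on an unencrypted IoT protocol), the following Python, which is not iotnet's own code, builds a constructed one-frame pcap carrying an MQTT 3.1.1 CONNECT and flags the user name and password sent to the plaintext port 1883. The addresses, client id and credentials are constructed sample values, the TCP/IP checksums are left at zero, and the pcap reader is deliberately minimal (little-endian pcap, Ethernet, IPv4, TCP, MQTT 3.1/3.1.1); those limits are assumptions for the example, not properties of the tool.

```python
"""Added example, not iotnet's own code: flag plaintext MQTT CONNECT credentials
in a pcap. Builds a one-frame Ethernet/IPv4/TCP pcap in memory (constructed
sample traffic, zero checksums) so it runs offline; MQTT 3.1/3.1.1 only."""
import struct
from collections import namedtuple

MQTT_PLAINTEXT_PORT = 1883   # 8883 is MQTT over TLS; this check does not apply there
Finding = namedtuple("Finding", "src dst username has_password")

def _mqtt_str(s: str) -> bytes:       # MQTT length-prefixed UTF-8 string
    return struct.pack(">H", len(s.encode())) + s.encode()

def _read_str(data: bytes, i: int):
    (n,) = struct.unpack_from(">H", data, i)
    return data[i + 2:i + 2 + n].decode("utf-8", "replace"), i + 2 + n

def _remaining_len(data: bytes, i: int):
    """Decode the variable-length 'remaining length' field starting at data[i]."""
    value, mult = 0, 1
    while True:
        b, i = data[i], i + 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, i
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")

def build_connect(client_id: str, username=None, password=None) -> bytes:
    """MQTT 3.1.1 CONNECT packet, used here only to construct sample traffic."""
    flags, payload = 0x02, _mqtt_str(client_id)                  # clean session
    if username is not None:
        flags, payload = flags | 0x80, payload + _mqtt_str(username)
    if password is not None:
        flags, payload = flags | 0x40, payload + _mqtt_str(password)
    body = _mqtt_str("MQTT") + bytes([4, flags]) + struct.pack(">H", 60) + payload
    assert len(body) < 128                                       # single-byte remaining length
    return b"\x10" + bytes([len(body)]) + body

def parse_connect(data: bytes):
    """Return (username, password) if data is an MQTT 3.1.x CONNECT, else None."""
    if len(data) < 2 or data[0] >> 4 != 1:                      # packet type 1 = CONNECT
        return None
    _, i = _remaining_len(data, 1)
    name, i = _read_str(data, i)
    if name not in ("MQTT", "MQIsdp") or data[i] not in (3, 4):  # v5 adds a properties field
        return None
    flags, i = data[i + 1], i + 4                                # skip level, flags, keep-alive
    _, i = _read_str(data, i)                                    # client identifier
    if flags & 0x04:                                             # will flag: topic + message
        _, i = _read_str(data, i)
        _, i = _read_str(data, i)
    user = pw = None
    if flags & 0x80:
        user, i = _read_str(data, i)
    if flags & 0x40:
        pw, i = _read_str(data, i)
    return user, pw

def build_pcap(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    """Little-endian pcap with one Ethernet/IPv4/TCP frame carrying payload."""
    tcp = struct.pack(">HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # LINKTYPE_ETHERNET
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def iter_tcp_payloads(pcap: bytes):
    """Yield (src, dst, dport, payload) for every IPv4/TCP segment in the pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4 or struct.unpack_from("<I", pcap, 20)[0] != 1:
        raise ValueError("this reader handles little-endian pcap with Ethernet frames only")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                             # not IPv4 over Ethernet, or not TCP
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from(">H", frame, 16)[0]
        tcp = frame[14 + ihl:14 + total]
        dport, doff = struct.unpack_from(">H", tcp, 2)[0], (tcp[12] >> 4) * 4
        yield ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), dport, tcp[doff:]

def scan_pcap(pcap: bytes) -> list:
    """Findings for MQTT CONNECTs that carry a user name (and maybe password) on the plaintext port."""
    findings = []
    for src, dst, dport, payload in iter_tcp_payloads(pcap):
        creds = parse_connect(payload) if dport == MQTT_PLAINTEXT_PORT else None
        if creds and creds[0] is not None:
            findings.append(Finding(src, dst, creds[0], creds[1] is not None))
    return findings

# Constructed sample: a camera at 192.168.1.50 authenticating to a broker at 192.168.1.10.
SAMPLE_PCAP = build_pcap("192.168.1.50", "192.168.1.10", 1883,
                         build_connect("cam-01", "admin", "hunter2"))
```

`scan_pcap(SAMPLE_PCAP)` returns one finding naming the source, destination and user name and recording only whether a password was present; the password value itself is deliberately not copied into the report, since findings are often stored and shared more widely than the capture.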

## Use Cases

- Review Device Lab Traffic: Analyze PCAP files from test devices to find plaintext protocols, weak authentication, and risky IoT behavior.
- Triage Field Network Captures: Inspect captured traffic from a customer or site investigation and summarize IoT protocol exposure.
- Validate Product Security Testing: Run targeted filters for MQTT, CoAP, or device IPs and document findings for remediation work.

## Prompt Templates

### Analyze One Capture

```
Analyze this IoT packet capture with iotnet: [path]. Summarize detected protocols, vulnerabilities, and recommended fixes.
```

### Filter One Device

```
Use iotnet to analyze [pcap path] for device IP [address]. Focus on plaintext traffic, weak authentication, and unusual protocol use.
```

### Capture Live Traffic

```
Capture authorized IoT traffic on interface [interface] for [duration] seconds with iotnet. Use filter [filter] and explain any sudo command before running it.
```

### Use Custom Rules

```
Analyze [pcap paths] with iotnet using custom rules at [config path]. Compare default findings with custom rule findings and prioritize remediation.
```

## Limitations

- Live capture requires root or sudo privileges on the host (or an equivalent raw-socket capability such as CAP_NET_RAW on Linux).
- The skill depends on the iotnet command being installed and accessible.
- PCAP results depend on the traffic present in the capture file.
- It does not replace manual validation of network ownership and authorization.

## Best Practices

- Use this skill only on networks and packet captures you are authorized to inspect.
- Confirm interface names, durations, filters, and sudo commands before running live capture.
- Store PCAP files and findings securely because they may contain credentials or personal data.

## Anti Patterns

- Do not run live capture on third-party networks without written authorization.
- Do not pass untrusted filter strings or file paths into shell commands without validation: build the argument list directly rather than interpolating into a shell string, and allowlist filter characters, interface names, and capture paths before use.
- Do not treat automated findings as final without reviewing packet context and device behavior.
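The checks the Best Practices and Anti Patterns lists call for (confirm interface, duration, filter and sudo command; never hand untrusted strings to a shell), as an added Python example that is not iotnet's own code: each parameter is validated against an allowlist, capture paths are confined to a base directory, and the command is assembled as an argv list and rendered with `shlex.join` so the operator can confirm the exact sudo command before it runs. The iotnet flag names used below (`--ip`, `--filter`, `--interface`, `--duration`, `--bpf`) are assumptions for illustration only; check the tool's own help output for the real ones.

```python
"""Added example, not iotnet's own code: validate user-supplied pcap paths,
device IPs, interface names, filters and durations before they reach a
subprocess, and render the command for confirmation before it runs.
The iotnet flag names below are assumptions for illustration."""
import ipaddress
import re
import shlex
import subprocess
from pathlib import Path

# Allowlist for capture/display filters: keywords, numbers, dots, colons, slashes,
# parentheses, hyphens, comparison operators and spaces. Shell metacharacters
# (; | & $ ` < > quotes, newlines) can never match, so write `and`/`or`, not &&/||.
FILTER_RE = re.compile(r"[A-Za-z0-9_.:/()=!<>\- ]{1,256}")
IFACE_RE = re.compile(r"[A-Za-z0-9_.\-]{1,15}")        # Linux IFNAMSIZ - 1
PCAP_SUFFIXES = {".pcap", ".pcapng", ".cap"}

def validate_filter(expr: str) -> str:
    if not FILTER_RE.fullmatch(expr):
        raise ValueError(f"filter contains disallowed characters: {expr!r}")
    return expr

def validate_interface(name: str) -> str:
    if not IFACE_RE.fullmatch(name):
        raise ValueError(f"bad interface name: {name!r}")
    return name

def validate_duration(seconds, limit: int = 3600) -> int:
    seconds = int(seconds)                      # rejects "60; id" with ValueError
    if not 1 <= seconds <= limit:
        raise ValueError(f"duration must be 1..{limit}s, got {seconds}")
    return seconds

def validate_ip(addr: str) -> str:
    return str(ipaddress.ip_address(addr))      # raises ValueError on anything but an IP

def validate_pcap_path(user_path: str, base: Path) -> Path:
    """Resolve user_path under base; reject traversal outside base and non-capture suffixes.
    Existence is not checked here; the tool itself reports a missing file."""
    base = base.resolve()
    p = (base / user_path).resolve()            # an absolute user_path replaces base, then fails below
    if not p.is_relative_to(base):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    if p.suffix.lower() not in PCAP_SUFFIXES:
        raise ValueError(f"not a capture file: {user_path!r}")
    return p

def analyze_argv(pcaps, base: Path, ip=None, display_filter=None) -> list:
    """argv for offline analysis; '--ip' and '--filter' are assumed flag names."""
    argv = ["iotnet"] + [str(validate_pcap_path(p, base)) for p in pcaps]
    if ip is not None:
        argv += ["--ip", validate_ip(ip)]
    if display_filter is not None:
        argv += ["--filter", validate_filter(display_filter)]
    return argv

def capture_argv(iface, seconds, bpf=None) -> list:
    """argv for a live capture under sudo; '--interface', '--duration', '--bpf' are assumed."""
    argv = ["sudo", "--", "iotnet", "--interface", validate_interface(iface),
            "--duration", str(validate_duration(seconds))]
    if bpf is not None:
        argv += ["--bpf", validate_filter(bpf)]
    return argv

def explain(argv) -> str:
    """Shell-quoted rendering to show the operator before anything with sudo runs."""
    return shlex.join(argv)

def run(argv, timeout=None) -> subprocess.CompletedProcess:
    # A list argv with shell=False passes each validated string as a separate
    # argument; nothing in them is ever interpreted by a shell.
    return subprocess.run(argv, shell=False, check=True, capture_output=True,
                          text=True, timeout=timeout)
```

The filter allowlist is intentionally narrower than what BPF and Wireshark display filters accept; widen it only for syntax you actually need, and keep `shell=False` regardless, since the argv list is what makes the allowlist a second line of defence rather than the only one.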

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T18:07:20.385+00:00
- Summary: Static analysis found many shell command examples and sudo-based live capture instructions. Review confirms these are documentation for an IoT network security tool, not hidden malware, but they can run external commands with user-provided paths, filters, and elevated privileges. Weak cryptography and hardcoded IP indicators appear to be false positives or examples; no prompt injection or exfiltration intent was found.

## Stats

- Views: 175
- Downloads: 5
- Favorites: 0
- Popularity score: 0
