Probe and monitor local network hosts — ARP, ICMP, TCP, UDP, OS fingerprinting, and network graph.
Project description
sondare
From italian: sonda di rete - network probe
About
sondare is a Python CLI tool for auditing local networks, built on top of Scapy. It provides scanning and fingerprinting methods, each running with multithreaded packet dispatch for speed.
- ARP — discovers all active hosts on the local subnet (cannot be blocked by firewalls)
- ICMP — pings all hosts to check reachability (iOS devices block ICMP by design; use ARP for full discovery)
- TCP — performs a SYN scan on a target host to find open ports; optionally grabs service banners
- UDP — probes UDP ports; reports open (got a UDP reply) or open|filtered (no response) ports
- OS fingerprinting — guesses the OS of a host by analysing TTL and TCP window size in a SYN-ACK response
- TLS/SSL probing — extracts certificate details (CN, issuer, validity, SANs) from HTTPS ports; flags expired and self-signed certs
- Hostname resolution — resolves hostnames via mDNS service browse, SSDP/UPnP, NetBIOS, and PTR records
Requirements
- Python 3.10+
- Root / administrator privileges (required for raw packet access)
- npcap (Windows only)
Installation
pipx (recommended)
sudo pipx install sondare --global
From source
git clone https://github.com/w1ldy0uth/sondare.git
cd sondare
./init.sh
source sondare_venv/bin/activate
init.sh creates a virtual environment, installs all dependencies, and registers the sondare command inside it. On Windows use init.bat and call sondare_venv\Scripts\activate instead.
Usage
sudo sondare <command> [options]
Commands
| Command | Description |
|---|---|
arp |
ARP scan of the local subnet |
ping |
ICMP scan of the local subnet |
tcp |
TCP SYN port scan of a target host |
udp |
UDP port scan of a target host |
os |
OS fingerprint of a target host |
monitor arp |
Watch for ARP traffic; report new hosts and MAC changes |
monitor hosts |
Live host reachability table with auto-discovery |
monitor ports |
Periodically SYN-scan a target and report port state changes |
monitor traffic |
Live packet capture with per-packet protocol breakdown |
graph |
Generate an interactive HTML network graph of the local subnet |
mdns |
Discover mDNS/Bonjour services on the local network |
trace |
Trace the network path to a target host |
tls |
Probe TLS/SSL certificate details on a target host |
Examples
# Discover all hosts via ARP
sudo sondare arp
# Discover hosts and resolve their hostnames (requires PTR records on the network)
sudo sondare arp --resolve_hostname
# Discover live hosts via ICMP with 10s timeout
sudo sondare ping -t 10
# Ping scan with hostname resolution
sudo sondare ping --resolve_hostname
# Note: iOS devices block ICMP by design and won't appear in ping results.
# Use `sondare arp` for complete host discovery including iOS devices.
# Scan ports 1–1024 on a target
sudo sondare tcp --target 192.168.1.1:1-1024
# Scan a single port
sudo sondare tcp --target 192.168.1.1:80
# Grab service banners from open ports
sudo sondare tcp --target 192.168.1.1:1-1024 --banners
# UDP scan of common ports
sudo sondare udp --target 192.168.1.1:1-1024
# Fingerprint a host OS (auto-probes common ports)
sudo sondare os --target 192.168.1.1
# Fingerprint using a known-open port
sudo sondare os --target 192.168.1.1 --port 80
# Watch for new hosts and ARP spoofing attempts
sudo sondare monitor arp
# Monitor all hosts on the subnet (auto-discovers new/departed hosts)
sudo sondare monitor hosts
# Monitor specific hosts every 10s
sudo sondare monitor hosts --hosts 192.168.1.1 192.168.1.50 -i 10
# Watch for port state changes on a target
sudo sondare monitor ports --target 192.168.1.1:1-1024
# Live packet capture (all traffic)
sudo sondare monitor traffic
# Live capture filtered to DNS
sudo sondare monitor traffic --filter "udp port 53"
# Generate a network graph (saved as sondare_graph.html)
sudo sondare graph
# Graph with OS fingerprinting for each discovered host
sudo sondare graph --fingerprint
# Save to a custom path
sudo sondare graph -o /tmp/my_network.html
# Save as structured JSON topology instead of HTML
sudo sondare graph -o topology.json
# Trace the network path to a host
sudo sondare trace --target 8.8.8.8
# Trace with a longer per-hop timeout and a cap of 20 hops
sudo sondare trace --target 8.8.8.8 -t 5 --max-hops 20
# Discover mDNS/Bonjour services (AirPlay, SSH, SMB, Chromecast, HomeKit, …)
sudo sondare mdns
# Browse for longer to catch slower devices
sudo sondare mdns -t 10
# Probe TLS certificate on common HTTPS ports (443 and 8443)
sudo sondare tls --target 192.168.1.1
# Probe a specific port
sudo sondare tls --target 192.168.1.1:8443
# Output results as JSON (supported by all scan commands)
sudo sondare arp --json
sudo sondare ping --json
sudo sondare tcp --target 192.168.1.1:1-1024 --banners --json
sudo sondare mdns --json
sudo sondare tls --target 192.168.1.1 --json
Options
arp:
-t, --timeout Packet timeout in seconds (default: 5)
--resolve_hostname Resolve hostnames via mDNS, SSDP, NetBIOS, and PTR
-v, --verbose Verbose scapy output
--json JSON output
ping:
-t, --timeout Packet timeout in seconds (default: 5)
--resolve_hostname Resolve hostnames via mDNS, SSDP, NetBIOS, and PTR
-v, --verbose Verbose scapy output
--json JSON output
tcp:
--target Target as ip, ip:port, or ip:start-end (default: local machine, ports 1-1000)
-t, --timeout Packet timeout in seconds (default: 3)
-th, --threads Number of threads (default: 20)
-r, --retries Retries per port on no response (default: 2)
-b, --banners Grab service banners from open ports
-v, --verbose Verbose scapy output
--json JSON output
udp:
--target Target as ip, ip:port, or ip:start-end (default: local machine, ports 1-1000)
-t, --timeout Packet timeout in seconds (default: 3)
-th, --threads Number of threads (default: 20)
-r, --retries Retries per port on no response (default: 2)
-v, --verbose Verbose scapy output
os:
--target Target IP address (required)
--port Port to probe; omit to auto-try common ports in parallel
-t, --timeout Timeout per probe in seconds (default: 3)
-v, --verbose Verbose scapy output
monitor arp:
-t, --timeout Timeout for initial ARP seed scan (default: 5)
-v, --verbose Verbose scapy output
monitor hosts:
--hosts Hosts to monitor; omit to auto-discover via ARP each round
-i, --interval Seconds between ping rounds (default: 30)
-t, --timeout Ping timeout in seconds (default: 2)
-th, --threads Concurrent pings per round (default: 50)
-v, --verbose Verbose scapy output
monitor ports:
--target Target as ip, ip:port, or ip:start-end (default: local machine, ports 1-1000)
-i, --interval Seconds between scans (default: 60)
-t, --timeout Timeout per probe in seconds (default: 3)
-th, --threads Concurrent probes per scan (default: 20)
-v, --verbose Verbose scapy output
monitor traffic:
--filter BPF filter expression (e.g. 'tcp', 'udp port 53', 'host 192.168.1.1')
-v, --verbose Verbose scapy output
graph:
--fingerprint OS-fingerprint each discovered host (TCP SYN, falls back to ICMP TTL)
-o, --output Output path: .html for interactive graph, .json for topology data (default: sondare_graph.html)
-t, --timeout ARP scan timeout in seconds (default: 3)
-th, --threads Concurrent fingerprint probes (default: 10)
-v, --verbose Verbose scapy output
mdns:
-t, --timeout Browse duration in seconds (default: 5)
-v, --verbose Verbose scapy output
--json JSON output
trace:
--target Target IP address (required)
-t, --timeout Timeout per hop in seconds (default: 3)
--max-hops Maximum number of hops (default: 30)
-v, --verbose Verbose scapy output
--json JSON output
tls:
--target Target as ip or ip:port (default ports: 443, 8443)
-t, --timeout Connection timeout in seconds (default: 5)
-v, --verbose Verbose mode
--json JSON output
Note:
traceuses ICMP echo probes. Hosts that block ICMP will show*for all hops.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sondare-1.0.6.tar.gz.
File metadata
- Download URL: sondare-1.0.6.tar.gz
- Upload date:
- Size: 180.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c2f1d14bf8bb52b0535209867e5f6fd3e5ebc690d00f8041018507adb97b602f
|
|
| MD5 |
03713bde731c6b1cb531f171a00ea966
|
|
| BLAKE2b-256 |
78b533c3c18f6f892c0264227a31094c2d2f04e1bcf14dda94d6a47c152c4621
|
Provenance
The following attestation bundles were made for sondare-1.0.6.tar.gz:
Publisher:
publish.yml on w1ldy0uth/sondare
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sondare-1.0.6.tar.gz -
Subject digest:
c2f1d14bf8bb52b0535209867e5f6fd3e5ebc690d00f8041018507adb97b602f - Sigstore transparency entry: 1695584049
- Sigstore integration time:
-
Permalink:
w1ldy0uth/sondare@ec46e41513c1f619eb2155eb4f15b84049b68c49 -
Branch / Tag:
refs/tags/v1.0.6 - Owner: https://github.com/w1ldy0uth
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@ec46e41513c1f619eb2155eb4f15b84049b68c49 -
Trigger Event:
push
-
Statement type:
File details
Details for the file sondare-1.0.6-py3-none-any.whl.
File metadata
- Download URL: sondare-1.0.6-py3-none-any.whl
- Upload date:
- Size: 167.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8bcc404e2a76ba1b01aae8db888aa7c51483308ef81e5b2b27cbc17b6ffdc979
|
|
| MD5 |
e5c41567caefbff3bffa06b14ba1ef19
|
|
| BLAKE2b-256 |
e54ec0251cee7220362c3bf562832eb253461b507c3e2e31ca4b6f0a74c1cc23
|
Provenance
The following attestation bundles were made for sondare-1.0.6-py3-none-any.whl:
Publisher:
publish.yml on w1ldy0uth/sondare
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sondare-1.0.6-py3-none-any.whl -
Subject digest:
8bcc404e2a76ba1b01aae8db888aa7c51483308ef81e5b2b27cbc17b6ffdc979 - Sigstore transparency entry: 1695584175
- Sigstore integration time:
-
Permalink:
w1ldy0uth/sondare@ec46e41513c1f619eb2155eb4f15b84049b68c49 -
Branch / Tag:
refs/tags/v1.0.6 - Owner: https://github.com/w1ldy0uth
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@ec46e41513c1f619eb2155eb4f15b84049b68c49 -
Trigger Event:
push
-
Statement type: