hfsecret / FlowGuardX

FlowGuardX is a network traffic threat analysis tool built as a derivative of CICFlowMeter. It supports PCAP parsing, bidirectional flow feature extraction, behaviour sequence modelling, frequency-domain feature analysis, rule-based risk scoring, explainable alerts and a web visualisation front end.

19 stars, 89% credibility. Found May 30, 2026 at 19 stars.
Language: Java

AI Summary

FlowGuardX is a security-oriented network traffic analysis tool that extends CICFlowMeter with enhanced flow analysis, frequency-domain analysis, rule-based threat detection, and a web visualization UI for analyzing PCAP files.

AI-Generated Review

What is FlowGuardX?

FlowGuardX is a Python-based network traffic analyzer that parses PCAP files and extracts security-relevant features for threat detection. It builds on CICFlowMeter's established methodology for bidirectional flow aggregation, adding frequency-domain descriptors (energy, entropy, periodicity) and a rule-based detector that flags port scans, flooding, C2 heartbeat patterns, and data exfiltration. You interact with it via a CLI that runs `python -m flowguardx.cli analyze file.pcap --output ./results`, or start a local web server with `flowguardx serve` and access a dashboard at http://127.0.0.1:8088. It outputs CSV, JSON, and HTML reports with explainable alerts.

Why is it gaining traction?

The hook is the pure Python PCAP parser - you do not need to compile jnetpcap or install native libraries to get started. It maintains CICFlowMeter compatibility so the 80+ flow features align with existing research and tooling. Security teams exploring behavior-based detection find value in the frequency-domain analysis layer, which goes beyond traditional flow statistics.

Who should use this?

Security engineers analyzing network captures offline, researchers working with CICFlowMeter datasets who want extended features, and blue teamers needing explainable threat alerts without deploying a full SIEM.

Verdict

With only 19 stars and a credibility score of 89%, this is clearly an early-stage project, experimental and unproven in production environments. The Python implementation is clean and the feature set is comprehensive, but there is no community backing or commercial support. Consider it a solid research prototype for understanding flow-based detection, but do not rely on it for critical infrastructure without significant testing and validation first.
