Você pode usar algo como Snort .
SNORT® is an open source network intrusion prevention system capable of performing real-time traffic analysis and packet logging on IP networks. Snort can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort is comprised of two major components: (i) a detection engine that utilizes a modular plug-in architecture (the “Snort Engine”) and (ii) a flexible rule language to describe traffic to be collected (the “Snort Rules”).
Você criaria regras personalizadas na configuração:
The rule header contains the information that defines the who, where, and what of a packet, as well as what to do in the event that a packet with all the attributes indicated in the rule should show up. The first item in a rule is the rule action. The rule action tells Snort what to do when it finds a packet that matches the rule criteria. There are 5 available default actions in Snort, alert, log, pass, activate, and dynamic. In addition, if you are running Snort in inline mode, you have additional options which include drop, reject, and sdrop.
- alert - generate an alert using the selected alert method, and then log the packet
- log - log the packet
- pass - ignore the packet
- activate - alert and then turn on another dynamic rule
- dynamic - remain idle until activated by an activate rule , then act as a log rule
- drop - block and log the packet
- reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
- sdrop - block the packet but do not log it.
Tem uma versão do Windows na página de downloads.