🤖 AI Summary
This work addresses the challenge of covertly detecting unsolicited and erroneous network traffic—such as misconfigurations, transient failures, external scanning, and potential attacks—without disrupting legitimate operations. We propose a programmable, passive detection system leveraging Software-Defined Networking (SDN), which employs hardware-accelerated flow tables in SDN switches to perform fine-grained filtering of anomalous packets, thereby eliminating the need for full-packet capture. The system integrates lightweight passive monitoring with semantic-aware analysis to accurately identify internally misconfigured hosts, compromised nodes, transient faults, and externally originated attack emanations. Compared to conventional full-flow collection, our approach reduces network traffic overhead by 96%, ensures compliance with privacy regulations, and enables seamless integration with deception systems (e.g., honeypots). The system is open-sourced, demonstrating high scalability and readiness for real-world deployment.
📝 Abstract
Traffic visibility remains a key component of management and security operations. Observing unsolicited and erroneous traffic, such as unanswered packets or error messages, is fundamental to detecting misconfigurations, temporary failures, and attacks. ChamaleoNet transforms any production network into a transparent monitor that lets administrators collect unsolicited and erroneous traffic directed to hosts, whether offline or active, hosting a server or a client, protected by a firewall, or at unused addresses. ChamaleoNet is programmed to ignore well-formed traffic and collect only erroneous packets, including those generated by misconfigured or infected internal hosts and those sent by external actors that scan for services. Engineering such a system poses several challenges, from scalability to privacy. Leveraging the SDN paradigm, ChamaleoNet processes the traffic flowing through a campus or corporate network and focuses on erroneous packets only, lowering the pressure on the collection system while respecting privacy regulations by design. ChamaleoNet enables seamless integration with active deceptive systems such as honeypots, which can impersonate unused hosts, ports, and services and engage with senders. The in-hardware SDN filtering reduces the traffic reaching the controller by 96%, resulting in a scalable solution that we offer as open source. Simple analytics unveil misconfigured and infected internal hosts, identify temporary failures, and enhance visibility into the external radiation produced by attackers looking for vulnerable services.
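The filtering idea described above, as an added Python example that is not ChamaleoNet's own code: well-formed exchanges (a SYN answered by SYN-ACK) are dropped, while unanswered SYNs, RST-rejected SYNs and ICMP unreachable errors are kept and attributed to internal or external senders. The internal prefix, the packet records and the one-second reply window are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed campus prefix (hypothetical)

# Constructed packet records: (time, src, dst, proto, sport, dport, flags).
# flags is a TCP flag string, an ICMP "type/code" string, or None.
PACKETS = [
    (0.0, "10.0.1.5", "93.184.216.34", "tcp", 40001, 443, "S"),  # answered, dropped
    (0.1, "93.184.216.34", "10.0.1.5", "tcp", 443, 40001, "SA"),
    (1.0, "10.0.1.7", "10.0.9.9", "tcp", 40002, 445, "S"),       # internal host, no reply
    (1.0, "10.0.1.7", "10.0.9.10", "tcp", 40003, 445, "S"),
    (2.0, "198.51.100.20", "10.0.3.3", "tcp", 5555, 22, "S"),    # external probe, RST'd
    (2.1, "10.0.3.3", "198.51.100.20", "tcp", 22, 5555, "RA"),
    (3.0, "198.51.100.20", "10.0.3.4", "tcp", 5555, 22, "S"),    # external probe, no reply
    (4.0, "10.0.1.8", "10.0.2.2", "udp", 50000, 161, None),      # UDP probe ...
    (4.1, "10.0.2.2", "10.0.1.8", "icmp", 0, 0, "3/3"),          # ... answered by port unreachable
]

def classify(packets, window=1.0):
    """Return (reason, packet) for every packet worth collecting; all else is ignored."""
    by_key = defaultdict(list)  # (src, dst, sport, dport) -> packets in that direction
    for p in packets:
        by_key[(p[1], p[2], p[4], p[5])].append(p)
    kept = []
    for p in packets:
        t, src, dst, proto, sp, dp, fl = p
        if proto == "tcp" and fl == "S":
            # Replies travel in the reverse 4-tuple and must arrive within the window.
            answers = [q for q in by_key[(dst, src, dp, sp)] if t < q[0] <= t + window]
            if not answers:
                kept.append(("unanswered", p))
            elif any("R" in q[6] for q in answers):
                kept.append(("rejected", p))
        elif proto == "icmp" and fl and fl.split("/")[0] == "3":  # destination unreachable
            kept.append(("icmp-unreachable", p))
    return kept

def summarize(packets, window=1.0):
    """Attribute kept packets to the sender that caused them and measure the reduction."""
    kept = classify(packets, window)
    internal, external = defaultdict(int), defaultdict(int)
    for reason, (_, src, dst, *_rest) in kept:
        # An ICMP error is addressed to the original sender, so that host is the offender.
        offender = dst if reason == "icmp-unreachable" else src
        (internal if ip_address(offender) in INTERNAL else external)[offender] += 1
    return {"kept": len(kept), "reduction": 1 - len(kept) / len(packets),
            "internal_suspects": dict(internal), "external_sources": dict(external)}
```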