Show HN: BroadcastDetector – Detect Network Loops and ARP Spoofing in Real-Time
I'm excited to share a project I’ve been working on: *BroadcastDetector* – a lightweight tool for real-time detection of *switch loops*, *network loops*, *ARP spoofing*, and *broadcast storms*.
It passively analyzes your network for unusual patterns using `tcpdump` and `pyshark`, identifies loops and spoofing attacks, and alerts you before they cause real damage.
Key features:
- Detects broadcast storms and switch/network loops
- Monitors and alerts on ARP spoofing activity
- Logs events to CSV (MAC, VLAN, timestamp, etc.)
- Web dashboard for live traffic & alerts
- Designed for Linux, optimized for Raspberry Pi 4/5
- Runs fully local – no cloud, no external API

Use cases:
- Homelabs & data centers
- Diagnosing faulty switches or misconfigured loop protection
- Monitoring ARP spoofing in enterprise networks
Installation: You can install it manually on Debian/Raspbian *or flash a ready-to-go Pi image*. Here's the download & demo page: https://itfourall.com/broadcast.php
The goal is to make network loop detection simple and accessible – especially for small teams and IT admins who usually don’t have deep visibility into what's happening on Layer 2.
Happy to answer questions or get feedback from the community – especially around performance optimizations or edge cases you’ve encountered in network environments.
Thanks!
– IT fourAll
I built this tool after struggling with hard-to-diagnose issues in enterprise and SMB networks – especially broadcast storms and switch loops that silently bring everything down. Most tools focus on Layer 3 and above, while this one keeps an eye on the chaos at Layer 2.
It’s fully passive (no active probing), uses `tcpdump` + `pyshark` under the hood, and stores all detection logs locally in CSV (MAC, VLAN, timestamps, etc.). It runs well on low-power devices like Raspberry Pi 4/5, which makes it ideal for plugging directly into a trunk port and letting it monitor multiple VLANs.
If you’ve ever had to troubleshoot sudden ARP storms or mystery broadcast floods, I’d love to hear how you handled them – or what tooling you use. Feedback on performance, packet handling, or edge case behavior is super welcome.
Would also love suggestions if anyone’s worked on similar tools or has ideas for improving broadcast visibility in a lightweight way.
Thanks again!
BroadcastDetector tries to fill that gap by being completely passive and focused. It doesn't touch your devices, it just watches traffic from a mirror/trunk port and tries to find patterns you’d usually only spot after a meltdown.
The whole system runs headless with a simple web interface, logs everything, and alerts based on loop/spoof patterns. It’s written in Python and optimized for Raspberry Pi or Debian-based systems.
If you’ve built anything like this (or used tools like Wireshark/tcpdump for long-term monitoring), I’d love to hear how you approached it. Happy to swap ideas or improve it based on real-world experience.
This tool was born out of frustration with silent network issues like broadcast storms, misconfigured switches, and ARP spoofing that go undetected until users start complaining.
BroadcastDetector plugs into a trunk port, listens to all VLANs, and spots anomalies in real time. It’s lightweight (Python + tcpdump), doesn’t need any fancy hardware, and stores everything locally – ideal for sysadmins and network engineers who want visibility without deploying full-blown NMS systems.
I’m especially interested in your thoughts on:
- How you currently detect Layer 2 issues (if at all)
- Whether you'd prefer full packet captures or metadata
- Other tools you'd recommend for L2 monitoring
Would love your feedback – happy to open up ideas or collaborations if it helps others fighting with broadcast loops and spoofing chaos.
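For readers weighing metadata against full captures: an added example, not BroadcastDetector's code and not written by the poster, of the kind of passive Layer 2 checks the thread describes, run over frame metadata only. The record layout, the `detect` function, the threshold and window values, and the sample frames are all assumptions made for illustration.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

def detect(frames, storm_threshold=5, window=1.0):
    """Scan time-ordered frame metadata and return a list of alerts.

    frames: (ts, vlan, src_mac, dst_mac, arp_sender_ip or None) tuples.
    storm_threshold / window are assumed values; tune per network.
    """
    ip_macs = defaultdict(set)    # (vlan, ip) -> MACs seen claiming that IP
    recent = defaultdict(deque)   # vlan -> timestamps of broadcasts in window
    storming = set()              # VLANs already alerted, to avoid repeats
    alerts = []
    for ts, vlan, src, dst, arp_ip in frames:
        if arp_ip is not None:
            macs = ip_macs[(vlan, arp_ip)]
            # A second MAC claiming a known IP is a spoofing indicator; DHCP
            # reassignment or gateway failover trigger it too, so treat as a lead.
            if macs and src not in macs:
                alerts.append(("arp_conflict", ts, vlan, f"{arp_ip} now claimed by {src}"))
            macs.add(src)
        if dst == BROADCAST:
            q = recent[vlan]
            q.append(ts)
            while ts - q[0] > window:   # drop broadcasts older than the window
                q.popleft()
            if len(q) > storm_threshold:
                if vlan not in storming:
                    storming.add(vlan)
                    alerts.append(("broadcast_storm", ts, vlan, f"{len(q)} broadcasts in {window}s"))
            else:
                storming.discard(vlan)
    return alerts

# Constructed sample metadata (documentation addresses, made-up MACs).
SAMPLE_FRAMES = [
    (0.0, 10, "aa:00:00:00:00:01", BROADCAST, "192.0.2.1"),
    (0.5, 10, "aa:00:00:00:00:02", BROADCAST, "192.0.2.20"),
    (2.0, 10, "aa:00:00:00:00:66", "aa:00:00:00:00:02", "192.0.2.1"),
] + [(5.0 + i * 0.01, 20, "aa:00:00:00:00:03", BROADCAST, None) for i in range(8)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FRAMES):
        print(alert)
```

State is keyed per VLAN because a trunk-port capture can legitimately see the same IP range reused on different VLANs.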