Cybersecurity professional working on network security monitoring dashboard
Learn Cybersecurity

Building Network Security Tools with Rust: Packet Analysi...

Create network analysis and monitoring tools in Rust with packet capture, protocol parsing, traffic analysis, and security monitoring capabilities.

rust network security packet analysis network monitoring protocol parsing

Build network security tools in Rust for packet analysis, traffic monitoring, and network security assessment. Learn to capture packets, parse protocols, analyze traffic patterns, and create production-ready network security utilities using Rust’s performance and safety.

Key Takeaways

  • Packet Capture: Master packet capture using libpcap and Rust
  • Protocol Parsing: Parse TCP, UDP, ICMP, and application protocols
  • Traffic Analysis: Analyze network traffic patterns and anomalies
  • Network Monitoring: Build real-time network monitoring tools
  • Security Assessment: Create tools for network security evaluation
  • Production Patterns: Error handling, performance optimization, async I/O

Table of Contents

  1. Why Rust for Network Tools
  2. Packet Capture Fundamentals
  3. Protocol Parsing
  4. Traffic Analysis
  5. Network Monitoring Tools
  6. Advanced Scenarios
  7. Troubleshooting Guide
  8. Real-World Case Study
  9. FAQ
  10. Conclusion

TL;DR

Build network security tools in Rust with packet capture, protocol parsing, and traffic analysis. Learn production-ready patterns for creating network monitoring and security assessment utilities.

Prerequisites

  • Rust 1.80+ installed
  • libpcap development libraries (Linux/macOS)
  • Basic networking knowledge (TCP/IP, protocols)
  • Understanding of Rust async programming
  • Network interface access (for packet capture)

🎯 Who This Is For

Beginners:

  • Learn packet capture fundamentals
  • Understand network protocols practically
  • Build your first network monitoring tool
  • Focus on TCP/IP basics and traffic analysis

Red Teamers:

  • Network reconnaissance techniques
  • Traffic pattern analysis for evasion
  • Custom packet crafting foundations
  • Understanding defensive monitoring (to evade it)

Exploit Developers:

  • Network-based exploit delivery mechanisms
  • Protocol fuzzing foundations
  • Packet manipulation for exploit testing
  • Understanding network-level defenses
  • Only capture traffic on networks you own or have authorization for
  • Respect privacy and data protection laws
  • Use for defensive security and authorized testing only
  • Obtain written permission before network monitoring
  • Test in isolated lab environments first

Why Rust for Network Tools

Performance Requirements

Network security tools must:

  • Process thousands of packets per second
  • Handle high-bandwidth links efficiently
  • Operate with minimal latency
  • Use memory efficiently

Rust Advantages:

  • Zero-cost abstractions: Performance matching C/C++
  • No garbage collection: Predictable, low-latency performance
  • Efficient memory management: Lower overhead than managed languages
  • Safe concurrency: Handle network I/O concurrently without data races

Safety Guarantees

  • Memory safety: No buffer overflows or use-after-free
  • Thread safety: Prevent data races in concurrent network processing
  • Type safety: Catch protocol parsing errors at compile time

Packet Capture Fundamentals

⚠️ At high throughput, packet loss can occur without kernel bypass techniques (AF_PACKET, XDP, DPDK). Plan for this above 1–10 Gbps or when zero loss matters.

Setting Up Packet Capture

Create project:

Click to view commands 
cargo new network-tool
cd network-tool

Add dependencies to Cargo.toml:

Click to view toml code 
[dependencies]
tokio = { version = "1.40", features = ["full"] }
pcap = "1.1"
etherparse = "0.14"
clap = { version = "4.5", features = ["derive"] }
anyhow = "1.0"
tracing = "0.1"
tracing-subscriber = "0.3"

Basic Packet Capture

Click to view Rust code 
use pcap::{Device, Capture, Active};
use anyhow::Result;

fn main() -> Result<()> {
    // List available devices
    let devices = Device::list()?;
    println!("Available devices:");
    for device in devices {
        println!("  {}", device.name);
    }

    // Open default device
    let device = Device::list()?
        .into_iter()
        .next()
        .ok_or_else(|| anyhow::anyhow!("No device found"))?;

    let mut cap = Capture::from_device(device.name.as_str())?
        .promisc(true)
        .buffer_size(65535)
        .open()?;

    // ⚡ PERFORMANCE TIP: Always apply BPF filters early to reduce packet volume
    // Example: Only capture TCP traffic on port 80 and 443
    // cap.filter("tcp and (port 80 or port 443)", true)?;
    //
    // This dramatically reduces CPU/memory usage by filtering at kernel level
    // instead of processing every packet in user space.

    println!("Capturing packets on {}", device.name);

    loop {
        match cap.next_packet() {
            Ok(packet) => {
                println!(
                    "Packet: {} bytes captured at {:?}",
                    packet.data.len(),
                    packet.header.ts
                );
            }
            Err(pcap::Error::TimeoutExpired) => continue,
            Err(e) => return Err(e.into()),
        }
    }
}

Validation: Run with sudo (required for packet capture). Press Ctrl+C to stop.

🔍 BPF Filters: Essential for Performance

Why BPF Filters Matter:

Berkeley Packet Filter (BPF) filters operate at the kernel level, dramatically reducing the number of packets sent to your application:

Without BPF Filter:

Kernel captures ALL packets → Sends to user space → Your app filters
(High CPU, high memory, packet loss at scale)

With BPF Filter:

Kernel captures ALL packets → Filters in kernel → Sends only matches to user space
(Low CPU, low memory, no packet loss)

Common BPF Filter Examples:

// Only HTTP/HTTPS traffic
cap.filter("tcp and (port 80 or port 443)", true)?;

// Only DNS queries
cap.filter("udp and port 53", true)?;

// Only traffic to/from specific IP
cap.filter("host 192.168.1.100", true)?;

// Only SYN packets (port scanning detection)
cap.filter("tcp[tcpflags] & tcp-syn != 0", true)?;

// Only large packets (potential data exfiltration)
cap.filter("greater 1000", true)?;

Red Team Use Case:

  • Filter for specific target traffic to avoid detection
  • Monitor only C2 beacon traffic
  • Capture only exploit-related protocols

Blue Team Use Case:

  • Monitor only suspicious ports (3389 RDP, 22 SSH)
  • Capture only external connections
  • Filter for known malicious IPs

⚡ Performance Rule: Always apply BPF filters as early as possible. This is the #1 optimization for packet capture tools.

Protocol Parsing

Parsing Ethernet and IP Headers

Click to view Rust code 
use etherparse::{Ethernet2Header, Ipv4Header, TcpHeader};
use anyhow::Result;

fn parse_packet(data: &[u8]) -> Result<()> {
    // Parse Ethernet header
    let (eth_header, ip_data) = Ethernet2Header::from_slice(data)?;
    println!("Source MAC: {}", eth_header.source);
    println!("Dest MAC: {}", eth_header.destination);

    // Parse IP header
    if eth_header.ether_type.value() == 0x0800 {
        let (ip_header, tcp_data) = Ipv4Header::from_slice(ip_data)?;
        println!("Source IP: {}", ip_header.source_addr());
        println!("Dest IP: {}", ip_header.destination_addr());
        println!("Protocol: {}", ip_header.protocol);

        // Parse TCP if protocol is 6
        if ip_header.protocol == 6 {
            let (tcp_header, payload) = TcpHeader::from_slice(tcp_data)?;
            println!("Source Port: {}", tcp_header.source_port);
            println!("Dest Port: {}", tcp_header.destination_port);
            println!("Payload size: {} bytes", payload.len());
        }
    }

    Ok(())
}

Traffic Analysis

Building a Traffic Analyzer

Click to view Rust code 
use std::collections::HashMap;
use std::net::Ipv4Addr;

struct TrafficStats {
    packet_count: u64,
    byte_count: u64,
    connections: HashMap<(Ipv4Addr, Ipv4Addr, u16), u64>,
}

impl TrafficStats {
    fn new() -> Self {
        TrafficStats {
            packet_count: 0,
            byte_count: 0,
            connections: HashMap::new(),
        }
    }

    fn update(&mut self, src_ip: Ipv4Addr, dst_ip: Ipv4Addr, dst_port: u16, bytes: usize) {
        self.packet_count += 1;
        self.byte_count += bytes as u64;
        
        let conn_key = (src_ip, dst_ip, dst_port);
        *self.connections.entry(conn_key).or_insert(0) += 1;
    }

    fn print_summary(&self) {
        println!("Total packets: {}", self.packet_count);
        println!("Total bytes: {}", self.byte_count);
        println!("Unique connections: {}", self.connections.len());
        
        // Top connections
        let mut sorted: Vec<_> = self.connections.iter().collect();
        sorted.sort_by(|a, b| b.1.cmp(a.1));
        
        println!("\nTop 10 connections:");
        for ((src, dst, port), count) in sorted.iter().take(10) {
            println!("  {} -> {}:{} ({} packets)", src, dst, port, count);
        }
    }
}

Network Monitoring Tools

Real-Time Network Monitor

Click to view Rust code 
use tokio::sync::mpsc;
use std::time::{Duration, Instant};

async fn monitor_network(
    mut packet_rx: mpsc::Receiver<CapturedPacket>,
    interval: Duration,
) -> Result<()> {
    let mut stats = TrafficStats::new();
    let mut last_report = Instant::now();

    loop {
        tokio::select! {
            packet = packet_rx.recv() => {
                if let Some(pkt) = packet {
                    // Parse and update stats
                    if let Ok(Some(parsed)) = PacketParser::parse(&pkt.data) {
                        if let (Some(src), Some(dst), Some(port)) = 
                            (parsed.src_ip, parsed.dst_ip, parsed.dst_port) {
                            stats.update(src, dst, port, pkt.data.len());
                        }
                    }
                }
            }
            _ = tokio::time::sleep(interval) => {
                if last_report.elapsed() >= interval {
                    stats.print_summary();
                    last_report = Instant::now();
                }
            }
        }
    }
}

Advanced Scenarios

Scenario 1: Bandwidth Monitoring

Monitor bandwidth usage per IP address:

Click to view Rust code 
use std::collections::HashMap;

struct BandwidthMonitor {
    ip_bandwidth: HashMap<Ipv4Addr, u64>,
}

impl BandwidthMonitor {
    fn track(&mut self, ip: Ipv4Addr, bytes: usize) {
        *self.ip_bandwidth.entry(ip).or_insert(0) += bytes as u64;
    }

    fn get_top_consumers(&self, n: usize) -> Vec<(Ipv4Addr, u64)> {
        let mut sorted: Vec<_> = self.ip_bandwidth.iter().collect();
        sorted.sort_by(|a, b| b.1.cmp(a.1));
        sorted.into_iter()
            .take(n)
            .map(|(ip, bytes)| (*ip, *bytes))
            .collect()
    }
}

Scenario 2: Protocol Distribution

Track traffic by protocol:

Click to view Rust code 
use std::collections::HashMap;

struct ProtocolAnalyzer {
    protocol_counts: HashMap<u8, u64>,
}

impl ProtocolAnalyzer {
    fn analyze(&mut self, protocol: u8) {
        *self.protocol_counts.entry(protocol).or_insert(0) += 1;
    }

    fn print_distribution(&self) {
        let total: u64 = self.protocol_counts.values().sum();
        
        for (proto, count) in &self.protocol_counts {
            let percentage = (*count as f64 / total as f64) * 100.0;
            let name = match proto {
                1 => "ICMP",
                6 => "TCP",
                17 => "UDP",
                _ => "Other",
            };
            println!("{}: {} ({:.2}%)", name, count, percentage);
        }
    }
}

Code Review Checklist for Network Security Tools

Packet Capture

  • Proper permissions for raw sockets (capabilities or sudo)
  • Interface selection validated
  • Promiscuous mode handled correctly
  • Error handling for capture failures

Protocol Parsing

  • Protocol parsers validate input
  • Malformed packets handled gracefully
  • Buffer overflow prevention
  • Efficient parsing (zero-copy where possible)

Network Analysis

  • Traffic filtering implemented correctly
  • Statistics tracking accurate
  • Memory usage optimized for high throughput
  • Thread-safe data structures for concurrent processing

Security

  • No sensitive data in logs
  • Packets analyzed in isolated context
  • Rate limiting to prevent resource exhaustion
  • Proper error messages (no info disclosure)

Performance

  • Efficient packet processing
  • Minimal allocations in hot paths
  • Proper use of async I/O
  • Performance benchmarks included

Troubleshooting Guide

Problem: Permission Denied

Solution:

# Set capabilities (Linux)
sudo setcap cap_net_raw,cap_net_admin=eip target/release/network-tool

# Or run with sudo
sudo ./target/release/network-tool

Problem: No Packets Captured

Diagnosis:

  • Check interface is correct
  • Verify promiscuous mode enabled
  • Check firewall/security settings

Solution:

  • Use tcpdump to verify interface works
  • Try different network interfaces
  • Check system permissions

Real-World Case Study

Case Study: Network Traffic Analyzer

Challenge: Monitor 1Gbps network link for security analysis.

Solution: Built Rust-based packet analyzer with real-time statistics.

Results:

  • 100% packet capture rate at 1Gbps
  • <1% CPU usage on monitoring system
  • Real-time analysis with <10ms latency
  • Identified 5 security incidents in first week

⚠️ Packet Loss at High Throughput

Important Limitation:

At high throughput (>1-10 Gbps), packet loss can occur without kernel bypass techniques. Standard libpcap uses the kernel’s packet capture mechanism, which has limitations:

Packet Loss Factors:

  • Kernel buffer overflow: Packets arrive faster than user space can process
  • Context switching overhead: Moving packets from kernel to user space
  • CPU limitations: Single-threaded packet processing bottleneck
  • Memory bandwidth: High packet rates saturate memory bus

Kernel Bypass Solutions for High-Speed Capture:

  1. AF_PACKET (Linux):

    • Direct access to network interface
    • Reduces kernel overhead
    • 5-10 Gbps throughput

  2. XDP (eXpress Data Path, Linux):

    • eBPF-based packet processing in kernel
    • 10-40 Gbps throughput
    • Requires Linux 4.8+

  3. DPDK (Data Plane Development Kit):

    • Bypasses kernel entirely
    • 40-100 Gbps throughput
    • Requires dedicated NICs

  4. PF_RING (Linux):

    • Kernel module for high-speed capture
    • 10-20 Gbps throughput
    • Commercial and open-source versions

When to Use Kernel Bypass:

  • ✅ Monitoring 10+ Gbps links
  • ✅ Zero packet loss requirement
  • ✅ High-frequency trading / DDoS mitigation
  • ❌ Standard network monitoring (libpcap is sufficient)
  • ❌ Learning/development (adds complexity)

Realistic Expectations:

  • <1 Gbps: libpcap works perfectly
  • 1-10 Gbps: libpcap with tuning (BPF filters, buffer sizes)
  • >10 Gbps: Consider kernel bypass (AF_PACKET, XDP, DPDK)

What This Network Tool Cannot Detect

Audience Lens:

  • Beginners: Use this to understand why network monitoring alone misses some attacks.
  • Red Teamers: Know which gaps you can safely leverage (lawfully) and which need alternate channels.
  • Exploit Developers: Recognize where payloads can hide (TLS, localhost, in-memory) and where they are exposed.

Understanding Detection Limitations

Realistic Expectations:

Even with full packet capture and protocol parsing, network-based monitoring has inherent blind spots. Understanding these limitations is critical for defense-in-depth security.

Network Monitoring Blind Spots

1. Encrypted Payload Contents

  • What it is: Data encrypted with TLS/SSL, VPNs, or custom encryption
  • Why we can’t detect: Encryption hides payload contents from network inspection
  • What we CAN see: Metadata (IPs, ports, packet sizes, timing, TLS handshake details)
  • Defensive approach: SSL/TLS inspection with MITM proxy (requires certificate trust)
  • Red team evasion: Use legitimate encrypted channels (HTTPS, DNS-over-HTTPS)

2. Application-Layer Attacks Inside TLS

  • What it is: SQL injection, XSS, command injection over HTTPS
  • Why we can’t detect: Attack payloads are encrypted end-to-end
  • What we CAN see: Connection patterns, certificate details, SNI (Server Name Indication)
  • Defensive approach: Web Application Firewall (WAF) at application layer, endpoint monitoring
  • Red team note: HTTPS is your friend for payload delivery

3. Host-Only Threats (Fileless Malware)

  • What it is: Malware that operates entirely in memory without network activity
  • Why we can’t detect: No network traffic to capture
  • What we CAN see: Nothing (if malware doesn’t communicate externally)
  • Defensive approach: Endpoint Detection and Response (EDR), memory scanning
  • Example: PowerShell-based attacks that only manipulate local files

4. Local Traffic on Endpoints

  • What it is: Localhost communication (127.0.0.1), inter-process communication
  • Why we can’t detect: Traffic never leaves the host, doesn’t hit network interface
  • What we CAN see: Nothing (localhost traffic bypasses network capture)
  • Defensive approach: Host-based monitoring (EDR, system call monitoring)
  • Red team evasion: Use localhost for C2 relay, stage payloads locally

5. Out-of-Band Attacks

  • What it is: Attacks using separate communication channels (USB, Bluetooth, physical access)
  • Why we can’t detect: Not transmitted over monitored network
  • What we CAN see: Nothing
  • Defensive approach: Physical security, USB device control, air-gapped networks
  • Example: BadUSB attacks, hardware implants

6. Steganography in Legitimate Traffic

  • What it is: Hidden data embedded in images, DNS queries, ICMP packets
  • Why we can’t detect: Looks like normal traffic without deep content analysis
  • What we CAN see: Normal-looking packets (without statistical analysis)
  • Defensive approach: Deep packet inspection, statistical anomaly detection
  • Red team technique: DNS tunneling, ICMP covert channels

7. Low-and-Slow Attacks

  • What it is: Attacks spread over days/weeks to avoid rate-based detection
  • Why we can’t detect: Falls below threshold-based alerts
  • What we CAN see: Individual packets (but pattern is hard to correlate)
  • Defensive approach: Long-term behavioral analysis, SIEM correlation
  • Example: Credential stuffing at 1 attempt per hour

Detection Coverage Matrix

Threat TypeNetwork ToolWhy the GapAlternative Solution
Unencrypted attacks✅ ExcellentN/AN/A
Encrypted payloads (TLS)❌ NoneEncryption hides contentSSL inspection, WAF
Metadata analysis✅ GoodCan see IPs, ports, timingBehavioral analysis
Fileless malware❌ NoneNo network activityEDR, memory scanning
Localhost traffic❌ NoneDoesn’t hit networkHost-based monitoring
DNS tunneling⚠️ LimitedLooks like DNSDNS query analysis, ML
Port scanning✅ ExcellentClear SYN patternsN/A
DDoS attacks✅ ExcellentHigh packet ratesN/A
Out-of-band❌ NoneDifferent channelPhysical security

Red Team Implications

What Network Monitoring Catches:

  • ❌ Unencrypted C2 traffic (use HTTPS!)
  • ❌ Port scanning without rate limiting
  • ❌ Large data exfiltration bursts
  • ❌ Known malicious IPs/domains

What Network Monitoring Misses:

  • ✅ HTTPS-encrypted C2 beacons
  • ✅ DNS tunneling (if done carefully)
  • ✅ Low-and-slow data exfiltration
  • ✅ Localhost-based staging
  • ✅ Fileless malware without network activity

Blue Team Implications

Network Monitoring is Excellent For:

  • Detecting reconnaissance (port scans, vulnerability scans)
  • Identifying lateral movement (unusual internal connections)
  • Spotting data exfiltration (large outbound transfers)
  • Monitoring external connections (C2 communication)

Network Monitoring is NOT Sufficient For:

  • Detecting encrypted attacks (need SSL inspection)
  • Catching fileless malware (need EDR)
  • Monitoring localhost activity (need host-based tools)
  • Deep application-layer inspection (need WAF)

Defense-in-Depth Strategy

Layer 1: Network Monitoring (This Tool)

  • Captures unencrypted traffic
  • Detects reconnaissance and lateral movement
  • Monitors external connections

Layer 2: SSL/TLS Inspection

  • Decrypts HTTPS traffic (with proper authorization)
  • Inspects encrypted payloads
  • Detects application-layer attacks

Layer 3: Endpoint Detection (EDR)

  • Monitors process behavior
  • Detects fileless malware
  • Tracks localhost activity

Layer 4: Application Security (WAF)

  • Inspects HTTP/HTTPS requests
  • Blocks injection attacks
  • Validates input at application layer

Layer 5: SIEM Correlation

  • Correlates events across all layers
  • Detects low-and-slow attacks
  • Provides long-term analysis

Key Takeaway

This network tool is excellent for:

  • Learning packet capture and protocol analysis
  • Detecting network-level reconnaissance
  • Monitoring unencrypted traffic
  • Understanding network behavior

This network tool is NOT sufficient for:

  • Complete security monitoring (need defense-in-depth)
  • Detecting encrypted attacks (need SSL inspection)
  • Catching host-only threats (need EDR)
  • Application-layer security (need WAF)

Realistic Security Posture:

  • Network monitoring is ONE layer of defense
  • Combine with endpoint, application, and perimeter security
  • Understand encryption limits your visibility
  • No single tool catches everything

This honest assessment prevents overconfidence and reinforces defense-in-depth thinking.

FAQ

Q: How does this compare to Wireshark or tcpdump?

A: This is a learning implementation. Commercial tools offer:

  • Advanced protocol dissectors
  • Graphical interfaces
  • Extensive protocol support
  • Export formats and analysis features

Q: Can this handle encrypted traffic?

A: It can capture encrypted packets but cannot decrypt without keys. For analysis:

  • Monitor TLS handshakes
  • Analyze metadata and patterns
  • Use SSL/TLS inspection for decryption

Q: How do I add support for more protocols?

A: Extend the parser:

  • Add protocol-specific parsing logic
  • Use protocol libraries (HTTP, DNS, etc.)
  • Handle protocol-specific fields
  • Test with sample traffic

Conclusion

Rust provides excellent foundations for building network security tools. Its performance, safety, and concurrency features make it ideal for packet processing and network analysis.

Action Steps

For Beginners:

  1. Start simple: Capture packets on your local network (with permission)
  2. Learn protocols: Parse TCP, UDP, ICMP headers
  3. Build basic analyzer: Track connections and bandwidth
  4. Understand BPF filters: Practice filtering specific traffic

For Red Teamers:

  1. Study detection patterns: Understand what network monitoring catches
  2. Test evasion techniques: Experiment with encrypted channels, rate limiting
  3. Build reconnaissance tools: Custom port scanners, service enumeration
  4. Analyze defensive monitoring: Capture your own attacks to see signatures

For Exploit Developers:

  1. Understand protocol parsing: Learn how parsers can be exploited
  2. Build packet crafting tools: Create custom packets for testing
  3. Test exploit delivery: Monitor network-based exploit mechanisms
  4. Analyze defensive filters: Understand how IDS/IPS detect exploits

For All Learners:

  1. Practice packet capture: Capture and analyze your own traffic
  2. Extend protocol support: Add parsing for more protocols
  3. Build analysis tools: Create custom traffic analyzers
  4. Optimize performance: Profile and optimize hot paths
  5. Integrate systems: Connect to logging/monitoring systems

Next Steps

  • Explore advanced protocol parsing
  • Study network forensics techniques
  • Learn about traffic analysis methodologies
  • Implement custom detection logic

Remember: Network monitoring requires authorization and compliance with privacy laws. Always obtain permission and test in isolated environments.

Cleanup

Click to view commands 
# Clean up network tool artifacts
rm -rf target/
rm -f network-tool
rm -f *.pcap *.log

# Stop any running captures
pkill -f network-tool || true

# Clean up capture files
rm -f capture_*.pcap

Validation: Verify no network capture artifacts or processes remain.

← Previous: Building Endpoint Detection Tools with Rust (2026) Next: Analyzing Rust Malware: Reverse Engineering and Detection... →

Similar Topics

Network Traffic Analysis: Detecting Threats in Network Flows Read →

Master network traffic analysis for security. Learn to analyze network flows, detect threats, identify anomalies, and investigate security incidents.

Build a Network Intrusion Detection System Using Rust (2026) Read →

Real-world project: Build a production-ready NIDS with packet sniffing, port scan detection, anomaly detection, signature-based rules, and real-time alerting...

Mobile App Network Security: VPN and Proxy Detection (202... Read →

Master mobile app network security. Learn to detect VPNs, proxies, and network anomalies to protect mobile apps from network-based attacks.

Rust Reverse Shells Explained for Beginners (Safe Educati... Read →

Learn how reverse shells work in Rust, why attackers use them, and the defensive controls that stop outbound callbacks.Learn essential cybersecurity strategi...

FAQs

Can I use these labs in production?

No—treat them as educational. Adapt, review, and security-test before any production use.

How should I follow the lessons?

Start from the Learn page order or use Previous/Next on each lesson; both flow consistently.

What if I lack test data or infra?

Use synthetic data and local/lab environments. Never target networks or data you don't own or have written permission to test.

Can I share these materials?

Yes, with attribution and respecting any licensing for referenced tools or datasets.