PCAP Analysis
Upload a capture, watch the pipeline run, and interpret what you get back. The same pipeline runs on live capture, just in streaming mode rather than as a batch.
Supported formats
- .pcap — libpcap
- .pcapng — libpcap-ng (multiple interfaces, comments, secrets blocks)
- .cap — Microsoft Network Monitor (auto-converted)
- .eml — email forensics (limited: surfaces headers and attachments)
Upload methods
- Drag-and-drop onto the dashboard or upload panel
- File picker via Ctrl/Cmd + O or the topbar Upload button
- Watched folder — configure under Settings → Watched folders; new files in the folder auto-import
- API — POST /api/upload with multipart form-data (Pro+)
The pipeline
Every capture runs through 21 ordered stages. Stages are independent and idempotent — you can re-run any stage individually from the session manager. Stage timing is reported in the right-rail.
Parsing & dissection
- parse — libpcap parsing, packet table construction, link-layer detection
- dissect_extended — core protocols (TCP, UDP, ICMP, IPv4/6, ARP)
- dissect_http — HTTP/1.x with full request/response reassembly
- dissect_http2_grpc — HTTP/2 framing, gRPC method names
- dissect_quic — QUIC initial & handshake; payload encrypted
- dissect_db — MySQL, PostgreSQL, Redis, MSSQL, Oracle
- dissect_ics — Modbus, DNP3, S7comm, IEC-104, OPC UA, BACnet, PROFINET, CIP, GE-SRTP, Niagara Fox (Team)
- dissect_iot — MQTT, CoAP, BLE, ZigBee, Thread, 6LoWPAN, LoRaWAN
- analyze_tls — SNI, JA3/JA3S, certificate chain, mismatch detection
- os_fingerprint — passive OS detection from TTL, window size, options
- reassemble_streams — TCP stream reassembly into byte streams
Extraction
- extract_artifacts — URLs, domains, hostnames, MIME parts
- extract_credentials — HTTP Basic, FTP, Telnet, SMTP/POP/IMAP cleartext credentials
- extract_files — reassembled files from HTTP, SMB, SMTP attachments, FTP
Detection & scoring
- match_iocs — check IPs, domains, URLs, hashes against your local IOC feed
- run_detection_rules — built-in rules engine (suspicious-domain, exfil-by-volume, …)
- run_suricata — optional Suricata pass if rules folder configured
- detect_beacons — periodic communication patterns indicative of C2
- detect_anomalies — ML/statistical anomaly detection per-host
- detect_dga — DGA-likelihood classifier on DNS query names
- detect_scans — horizontal & vertical port scans
- detect_advanced — lateral movement, credential theft, covert channels
- threat_hunt — saved-hunt evaluation across the session
- yara_scan — YARA against extracted files (Pro+)
- map_mitre — map detections to ATT&CK techniques (Pro+)
- pyramid_of_pain — classify indicators by adversary cost-to-replace
- score_risks — per-host and per-flow risk scores
- rescore_risks — second-pass with cross-correlation context
Narrative & CTF
- attack_narrative — AI-generated story with Mermaid diagram (if AI configured)
- ctf_mode — flag-pattern detection for CTF / homelab traffic
- plugin_stages — user-defined plugin stages (Pro+)
Some stages run conditionally: map_mitre only fires if there are detections, and yara_scan only if files were extracted and YARA rules are configured.
Performance characteristics
| Capture size | Typical pipeline time | RAM peak |
|---|---|---|
| 10 MB / 10K packets | 5–15 s | ~250 MB |
| 50 MB / 50K packets (Community) | 20–60 s | ~500 MB |
| 500 MB / 500K packets (Pro) | 3–8 min | ~2 GB |
| 2 GB / 2M+ packets (Team) | 15–40 min | ~6 GB |
| 5 GB / 5M+ packets (Enterprise) | 40–90 min | ~12 GB |
Times measured on M1 Pro / Ryzen 7 5800X with default settings. Disabling Suricata, YARA, and AI roughly halves runtime.
Reading the results
Dashboard
The dashboard is your triage view. The risk gauge gives a one-glance verdict; protocol distribution and top-risk IPs direct your attention to where to look first.
DPI (Deep Packet Inspection)
Wireshark-style packet list with display filters (Wireshark filter syntax). Color-coded by protocol. Click a packet to see protocol tree, hex dump, and expert info.
Network Map
Force-directed graph of hosts. Edge weight = bytes; edge color = risk. Click a host for OSINT lookup, threat-intel context, and pivot links.
Timeline
Chronological event view, kill-chain story mode, severity filter. Use this for “what happened, in what order”.
Investigation graph
Living force-directed graph with attack-chain detection. Particle flow shows live volume on each edge during live capture.
Tips
- Pre-filter big captures with editcap or tcpdump if you only care about specific traffic.
- Disable AI for speed — Settings → AI → Auto-narrative: off.
- Disable Suricata if you don’t maintain rule sets — Settings → Detection → Suricata: off.
- Re-run a single stage — right-click in the right-rail, “Re-run from this stage”.
- Compare two sessions — Sessions → Compare highlights deltas.
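As an added example (not the product's own code), a small pure-Python libpcap reader/writer that keeps only the TCP/UDP frames touching one port: the same pre-filtering the tip above suggests doing with editcap or tcpdump. It accepts the microsecond and nanosecond libpcap variants in either byte order and rejects pcapng, which is block-based and needs a different reader; the sample capture is constructed inside the script.

```python
import struct
# libpcap magic read little-endian from the first 4 bytes -> struct byte-order prefix
# (0xA1B2C3D4 = microsecond, 0xA1B23C4D = nanosecond timestamps, plus their byte-swapped forms).
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}
def read_pcap(data: bytes):
    """Parse an in-memory libpcap file -> (magic, linktype, [(ts_sec, ts_frac, frame), ...])."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not libpcap (pcapng is block-based and needs a different reader)")
    e = PCAP_MAGICS[magic]
    linktype = struct.unpack(e + "IHHiIII", data[:24])[6]  # 24-byte global header
    frames, off = [], 24
    while off + 16 <= len(data):  # 16-byte record header per packet
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data): break  # truncated final record: drop it
        frames.append((ts_sec, ts_frac, data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return magic, linktype, frames

def write_pcap(magic: int, linktype: int, frames) -> bytes:
    """Serialise frames to libpcap, preserving the input's byte order and timestamp unit."""
    e = PCAP_MAGICS[magic]
    out = struct.pack("<I", magic) + struct.pack(e + "HHiIII", 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_frac, frame in frames:
        out += struct.pack(e + "IIII", ts_sec, ts_frac, len(frame), len(frame)) + frame
    return out

def touches_port(frame: bytes, port: int) -> bool:
    """True if an Ethernet/IPv4 frame carries TCP or UDP with `port` as source or destination."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
        return False
    proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4  # IHL accounts for IP options
    if proto not in (6, 17) or len(frame) < l4 + 4: return False
    return port in struct.unpack("!HH", frame[l4:l4 + 4])

def prefilter(data: bytes, port: int) -> bytes:  # same idea as editcap/tcpdump before upload
    magic, linktype, frames = read_pcap(data)
    return write_pcap(magic, linktype, [f for f in frames if touches_port(f[2], port)])

def _sample_frame(proto: int, sport: int, dport: int) -> bytes:  # constructed Ethernet+IPv4+L4
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([203, 0, 113, 9]))  # RFC 5737 test address
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + l4

SAMPLE_PCAP = write_pcap(0xA1B2C3D4, 1, [  # constructed capture: two TCP/443 frames, one UDP/53
    (1700000000, 0, _sample_frame(6, 51000, 443)),
    (1700000000, 1500, _sample_frame(17, 51001, 53)),
    (1700000001, 0, _sample_frame(6, 443, 51000))])
```

Write `prefilter(open(path, "rb").read(), 443)` to a new file and upload that instead of the full capture; anything the tool dissects above Ethernet/IPv4 (the .cap and .eml inputs, for instance) still needs the product's own converters.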
What if a stage fails?
If a stage errors, the pipeline continues with the rest. The failed stage shows in red in the right-rail with a stack trace. See Troubleshooting → PCAP failed to parse.