Troubleshooting
Try these self-serve fixes before opening a support ticket. Each entry has the symptom, the cause, and the steps to fix.
Install & first run
1. Account recovery (forgotten password)
Symptom: Can’t sign in to your owner account.
Fix:
- Have email access? Click Forgot password on the sign-in screen. Intreys sends a one-time reset link to the email registered on the account.
- Owner account is fully locked out? The local account store lives under your OS data directory. Removing it lets you re-run the first-run wizard and create a fresh owner account on the next launch:
# macOS
rm ~/Library/Application\ Support/Intreys/users.json
# Linux
rm ~/.local/share/intreys/users.json
# Windows
del %APPDATA%\Intreys\users.json
Re-launch Intreys; the EULA + create-owner-account wizard runs again so you can pick a new username and password.
2. App fails to launch on macOS (“cannot be opened”)
Symptom: Gatekeeper blocks the app on first launch.
Fix: Right-click (or Ctrl-click) the app, choose Open, then click Open in the dialog. Subsequent launches work normally. If the issue persists, remove the quarantine attribute: xattr -d com.apple.quarantine /Applications/Intreys.app
3. Windows SmartScreen warning
Symptom: “Windows protected your PC” on installer launch.
Fix: Click More info → Run anyway. Intreys binaries are signed with a Microsoft-trusted certificate; the SmartScreen reputation builds up over time post-launch.
4. Linux: missing libpcap
Symptom: “Cannot load libpcap” on startup.
Fix: sudo apt install libpcap0.8 (Debian/Ubuntu) or sudo dnf install libpcap (RHEL).
5. Docker: port 8765 already in use
Fix: Map a different host port: docker run -p 9000:8765 .... Open http://localhost:9000.
PCAP analysis
6. “PCAP failed to parse”
Causes:
- File is truncated (download interrupted)
- File is encrypted (some captures from CrowdStrike etc.)
- Format Intreys doesn’t recognise (e.g. proprietary)
Fix: Try repairing with pcapfix or re-converting with tshark -r broken.pcap -w fixed.pcap.
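To tell the causes above apart before attempting a repair, the following added example (not Intreys code) walks the classic pcap record headers and reports whether a file is intact, cut off mid-record, pcapng, or not a recognisable capture at all. The function names and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap magic as it appears in the first 4 bytes, mapped to byte order.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond stamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond stamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type
GLOBAL_HDR, RECORD_HDR = 24, 16


def result(status, packets=None, good_bytes=None):
    return {"status": status, "packets": packets, "good_bytes": good_bytes}


def diagnose_pcap(data: bytes) -> dict:
    """Classify capture bytes as ok / truncated / pcapng / unrecognised."""
    if data[:4] == PCAPNG_MAGIC:
        return result("pcapng")  # different block layout, not walked here
    order = PCAP_MAGICS.get(data[:4])
    if order is None:
        return result("unrecognised")  # no capture header at all
    if len(data) < GLOBAL_HDR:
        return result("truncated", 0, 0)
    offset, packets = GLOBAL_HDR, 0
    while offset < len(data):
        if offset + RECORD_HDR > len(data):
            return result("truncated", packets, offset)
        # Record header: ts_sec, ts_frac, incl_len (bytes stored), orig_len.
        incl_len = struct.unpack_from(order + "IIII", data, offset)[2]
        if offset + RECORD_HDR + incl_len > len(data):
            return result("truncated", packets, offset)
        offset += RECORD_HDR + incl_len
        packets += 1
    return result("ok", packets, offset)


def build_sample_pcap(payloads):
    """Constructed sample: little-endian pcap with one record per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p
    return out


if __name__ == "__main__":
    capture = build_sample_pcap([b"A" * 60, b"B" * 40])
    print(diagnose_pcap(capture))        # complete file
    print(diagnose_pcap(capture[:-10]))  # simulated interrupted download
```

For a truncated file, good_bytes is the offset of the last complete record, which is how many bytes of packet data remain usable.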
7. Pipeline stuck on a stage
Fix: In the right rail, click the stuck stage, then Cancel. Re-run from that stage. If it fails again, check the stack trace and report it at support.html.
8. “File too large”
You hit the tier limit. Trim the PCAP first:
editcap -r big.pcap small.pcap 1-10000
# or split into files of about 50 MB each (-C takes millions of bytes)
tcpdump -r big.pcap -w small.pcap -C 50
9. Stage runs forever / OOM
Likely cause: pathological inputs (many millions of small packets, single huge stream). Mitigation:
- Disable Suricata under Settings → Detection
- Disable AI under Settings → AI
- Pre-trim to a relevant window
10. No findings on a known-bad capture
Check that detection rules are enabled in Settings → Detection. If beacon detection is off, you won’t see beacons. Enable threat-intel keys for IOC enrichment.
Live capture
11. “Live capture permission denied” (macOS)
ChmodBPF not active or you haven’t logged out/in since install.
sudo launchctl list | grep ChmodBPF
groups | grep access_bpf
If missing, reinstall the ChmodBPF helper (see Live capture → macOS).
12. “Live capture permission denied” (Linux)
getcap /usr/bin/intreys-capture
# If empty, reapply:
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/intreys-capture
13. “Live capture permission denied” (Windows)
sc query npcap
:: If not running, restart the service:
sc start npcap
:: If service missing, reinstall Intreys (bundles Npcap)
14. Capture interface dropdown is empty
Refresh the dropdown. If still empty:
- macOS: ChmodBPF group not yet effective (log out/in)
- Linux: capability missing
- Windows: Npcap service stopped
15. Capture drops packets
- Tighten capture filter
- Reduce snaplen under Settings → Capture
- macOS:
sudo sysctl -w debug.bpf_bufsize=8388608
Licensing
16. “License activation 503”
Worker is temporarily unreachable. Wait a minute, retry. Check status.intreys.com. The app falls back to offline grace if you have a previous valid token.
17. “Invalid license key”
- Re-copy from the activation email (no extra whitespace)
- Confirm the plan is active in the portal
- If portal shows expired/canceled, contact [email protected]
18. “Seat exhausted”
All seats in your plan are in use. Sign in at license.intreys.com/portal, deactivate an unused seat, retry activation.
19. Features locked despite valid license
Restart the app. If still locked, run Settings → License → Re-validate.
20. Air-gapped activation request file invalid
Make sure the file came from the same Intreys major version. v1.x request files are not accepted by the v2.x license server (and vice versa).
AI providers
21. “AI provider 401 Unauthorized”
API key invalid or quota exhausted. Test in Settings → AI → Test connection. Replace the key.
22. Local model fails to load
- Insufficient RAM — pick a smaller quantization (Q4_K_M instead of Q8_0)
- Corrupted download — redownload (Intreys verifies SHA-256)
- Wrong format — MLX format only on Apple Silicon
23. Privacy classifier blocks every prompt
Review the redaction rules in Settings → AI → Privacy classifier. Default rules are aggressive; you may need to relax email or IP detection if you intentionally want those visible to the provider.
Threat intelligence
24. VirusTotal rate-limited
Free tier is 4 req/min. Cache TTL defaults to 24h, which usually fits within free quota for typical investigations. Bulk-enrich in batches.
25. GreyNoise “not supported”
GreyNoise Community has limited fields. Some context (RIOT, classification reason) requires GreyNoise Enterprise.
Reports / Export
26. PDF export comes out blank
Headless rendering issue. Check that the bundled Chromium binary is intact — reinstall Intreys if necessary. Pro tip: export HTML and print to PDF from your browser as a workaround.
27. STIX export rejected by my MISP
Some MISP versions are picky about STIX bundle structure. Use the MISP-native export instead of STIX.
UI / Performance
28. App becomes slow with large captures
- Filter the DPI list before scrolling (virtual scroll handles 100K+, but plain rendering is slower)
- Close the Investigation Graph when not in use (heavy on GPU)
- Disable AI auto-narrative if you have it on
29. Cmd+K command palette empty
Try a keyword like “upload” or “help”. The palette indexes views, actions, and help topics. If the index is stale, run Settings → Reset command index.
30. Crash on startup
Last resort: rename the data directory to force a clean start.
# macOS
mv ~/Library/Application\ Support/Intreys ~/Library/Application\ Support/Intreys.bak
# Linux
mv ~/.local/share/intreys ~/.local/share/intreys.bak
# Windows
ren %APPDATA%\Intreys Intreys.bak
Launch fresh. Once you confirm the issue is in the data dir, copy back individual subfolders (e.g. captures, cases) until you find what triggered it. Open a support ticket with the diagnostics file.