Drop in a .pcapng or .pcap capture file and get a full interactive breakdown in seconds — protocols, traffic timelines, DNS, TLS, anomalies, and more.
Core capabilities
A full analysis dashboard built for clarity. All processing happens locally — no data ever leaves your machine.
Bar charts and raw counts for every protocol in the capture — from Ethernet down to TLS.
Dual line charts showing packets per second and bytes per second across the full capture window.
DNS query names, HTTP hosts, and TLS SNI server names extracted and ranked automatically.
Paginated table of all packets with per-row detail modal. Combine filters by protocol, IP, and port.
Source/destination IPs, MACs, ports, and IP-pair conversations all ranked by packet count.
Horizontal bar chart breaking down SYN, ACK, FIN, RST, PSH, and URG counts across all TCP traffic.
Breakdown of IP TTL values across the capture — useful for OS fingerprinting and anomaly spotting.
Persistent list of past analyses with one-click re-open, re-analyze, or delete. Auto-prune when limits are reached.
Download the full analysis result as a JSON file or structured CSV for use in other tools.
Pricing
The free edition covers everyday analysis tasks. Pro adds batch processing, deep packet inspection panels, 25+ threat detectors, capture comparison, cross-file correlation, watched folder auto-analysis, configurable detection rules, and unlimited history.
Pro — threat intelligence
25+ heuristic detectors run after every Pro analysis. Each finding is severity-badged and links directly to the relevant packets in the packet list. Filter findings by severity to focus on what matters most.
Single source IP probing many distinct destination ports in a short window.
SYN:ACK ratio above threshold — potential denial-of-service activity.
Elevated RST count relative to total TCP traffic — possible scan or session hijack.
Unusually long query names (>50 chars) or high query frequency from a single host.
Periodic connections from the same src/dst pair at highly or moderately regular intervals.
TTLs outside typical OS ranges (64, 128, 255) — potential spoofing or scanning.
ICMP packets significantly larger than 64 bytes — potential data exfiltration channel.
Traffic to/from common C2 ports — 4444, 31337, 1337, IRC channels, and others.
Suspicious HTTP methods or paths suggesting directory traversal or scanner activity.
Cleartext usernames or passwords visible in unencrypted HTTP traffic.
TLS 1.0 or 1.1 sessions, or cipher suites flagged as broken or export-grade.
HTTP User-Agent strings associated with known attack tools or vulnerability scanners.
Feature comparison
A quick breakdown of what's included in each tier.
| Feature | Free | Pro |
|---|---|---|
| Upload .pcap and .pcapng files | ✓ | ✓ |
| Max file size | 1 GB | 5 GB (configurable) |
| Protocol, IP, port & MAC breakdown | ✓ | ✓ |
| Traffic over time charts | ✓ | ✓ |
| DNS queries & RCODE breakdown | ✓ | ✓ |
| HTTP host extraction | ✓ | ✓ |
| TLS SNI & version breakdown | ✓ | ✓ |
| Packet size statistics (min, max, avg, std dev) | ✓ | ✓ |
| Packet list with filtering | ✓ | ✓ |
| Filter by payload content | — | ✓ |
| JSON & CSV export | ✓ | ✓ |
| Analysis history | Last 25 files | Unlimited |
| Batch upload & processing | — | ✓ |
| Deep packet inspection (DNS, HTTP, TLS panels) | — | ✓ |
| Side-by-side capture comparison | — | ✓ |
| Threat intelligence & anomaly detection | — | ✓ |
| Analyst annotations per finding (confirmed / false positive / under investigation) | — | ✓ |
| Severity filter for findings | — | ✓ |
| Per-finding PCAP slice export | — | ✓ |
| Threat report export as JSON (findings + annotations) | — | ✓ |
| Cross-file threat correlation | — | ✓ |
| Watched folder auto-analysis | — | ✓ |
| Configurable detection rule thresholds | — | ✓ |
| Native desktop app (Tauri) | ✓ | ✓ |
| Local processing — no external servers | ✓ | ✓ |