User guide

PCAPNG Analyzer Free

Everything you need to open, explore, and export a network capture.

Getting started

PCAPNG Analyzer Free lets you open a network capture file and explore what was happening on the network — which devices were talking, which protocols and ports were in use, which websites were visited, and more. Everything is processed on your computer. Your capture files are never sent anywhere.

Opening a capture file

  1. Launch PCAPNG Analyzer Free.
  2. Click the upload area and select your .pcapng or .pcap file.
  3. Click Analyze File.

A live packet count is shown while the app works. For large files this can take a minute or two. When processing finishes, click View Analysis to see the results.

File format note: Both .pcapng and .pcap formats are supported. PCAPNG stores richer metadata, but either will work.

The analysis dashboard

Once a file has been analyzed you will see a dashboard broken into sections. Each section can be expanded or collapsed by clicking its header. Scroll down to see them all.

Summary

A quick overview of the capture at the top of the dashboard:

  • Total packets — how many packets are in the file
  • Total bytes — the combined size of all traffic
  • Start / End time — when the capture began and ended (UTC)
  • Duration — how long the capture ran

Protocol distribution

A bar chart and counts showing which network protocols were used — for example TCP, UDP, ICMP, ARP. This gives you a quick sense of what kind of traffic dominated the capture.

Traffic over time

A line chart showing how busy the network was second-by-second throughout the capture. Spikes indicate bursts of activity.

Top talkers

The most active IP addresses, ranked two ways:

  • By packets — which addresses sent or received the most packets
  • By bytes — which addresses transferred the most data

Both directions (sent and received) are counted together, so a server that mostly receives requests will still appear if it handled a lot of traffic.

Conversations

The busiest pairs of IP addresses that were communicating with each other, ranked by packet count. Useful for spotting which two hosts were doing the most back-and-forth.

IP addresses

  • Source IPs — addresses that sent traffic
  • Destination IPs — addresses that received traffic

Click See more to see the full list in a scrollable panel.

Ports

  • Source ports — ports that connections were made from
  • Destination ports — ports that connections were made to

Common destination ports to recognise: 80 = HTTP, 443 = HTTPS, 53 = DNS, 22 = SSH.

MAC addresses

The hardware (MAC) addresses of devices seen in the capture, split into source and destination. These identify network adapters rather than IP addresses, and are usually only visible for devices on the same local network segment.

TCP flags

Counts of TCP control flags across all TCP traffic in the capture:

FlagMeaning
SYNOpening a new connection
ACKAcknowledging received data
FINClosing a connection gracefully
RSTResetting / forcibly closing a connection
PSHPushing data to the application immediately
URGUrgent data (rare in normal traffic)

A high RST count can indicate connection errors, port scans, or rejected connections.

TTL distribution

TTL (Time to Live) is a number in each IP packet that decrements at every router hop. The starting value often reveals the operating system of the sending device:

  • 64 — common default on Linux and macOS
  • 128 — common default on Windows
  • 255 — common on network equipment

Packet size statistics

Min, max, average, and standard deviation of packet sizes in bytes. Very small packets (under ~100 bytes) are often acknowledgements or keep-alives. Large packets near 1500 bytes are typically data transfers using the full Ethernet frame size.

DNS queries & RCODE

Domain names that were looked up during the capture. This is one of the most useful sections for understanding which websites or services the device was connecting to.

Below the query list, a response code (RCODE) breakdown shows how DNS answers resolved — for example how many lookups ended in NXDOMAIN (domain not found) or SERVFAIL (server error). NXDOMAIN and SERVFAIL counts are highlighted to make them easy to spot.

HTTP hosts & methods

When unencrypted HTTP traffic is present, this section shows:

  • Hosts — the website or server being contacted (from the Host: header)
  • Methods — the type of request (GET, POST, etc.)

Most modern web traffic is encrypted (HTTPS/TLS) and will not appear here.

TLS SNI & version

For encrypted HTTPS connections, the server name is still visible in the TLS handshake even though the content is not. This shows which hostnames encrypted connections were made to, without decrypting the traffic.

A TLS version breakdown is shown below the SNI list — how many connections used TLS 1.3, 1.2, 1.1, or 1.0. TLS 1.3 is the current standard; 1.0 and 1.1 are deprecated and their presence may indicate older clients or servers.

Packet list

A scrollable, searchable table of individual packets. Filter by:

  • Protocol (e.g. TCP)
  • Source or destination IP address
  • Source or destination port number

Click any row to expand it and see the full layer-by-layer detail of that packet.

Analysis history

Click Analysis History in the top navigation to see your last 25 analyses. From this screen you can:

  • Open any previous analysis by clicking it
  • Re-analyze a file — reprocesses the stored capture without re-uploading
  • Delete an entry to remove it and free up space

When you upload a 26th file, the oldest analysis is automatically removed. A notice is shown at the top of the screen when this happens.

Need unlimited history? Pro keeps every analysis indefinitely with no auto-pruning.

Exporting results

Inside any open analysis, click Export to download the results:

  • JSON — a single file containing all analysis data, useful for importing into other tools or scripts
  • CSV ZIP — a ZIP archive with one spreadsheet-friendly CSV per category (protocols, IPs, ports, DNS, etc.)

Other features

Stopping an analysis

If you click Analyze File and then change your mind, click Stop. This cancels processing and deletes the in-progress file.

Dark mode

Click the sun/moon icon in the top-right corner to switch between light and dark themes.

Frequently asked questions

What file formats are supported?
Both .pcapng and .pcap files are supported in the free edition. The PCAPNG format stores richer metadata, but either will work.
How large a file can I analyze?
Up to 1 GB. Larger captures should be split using a tool like editcap (included with Wireshark). Pro supports up to 5 GB by default, with the limit configurable via the MAX_FILE_SIZE_MB environment variable.
Is my capture data sent anywhere?
No. All processing happens locally on your machine. No data ever leaves your machine.
Where are my files stored?
On Windows, files and analysis results are stored at %APPDATA%\PCAPNG Analyzer Free\data\. To remove all stored data, delete that folder.
Why did my old analysis disappear?
The free edition keeps the last 25 analyses. When you upload a 26th file, the oldest is removed automatically.
The app says "Processing timed out". What do I do?
The frontend waits up to 5 minutes. Very large files may take longer. Open Analysis History after a few minutes — if processing completed in the background, the analysis will be listed there.
I see a lot of RST packets. Is something wrong?
Not necessarily. RST packets are normal when a port is closed or a connection is refused. A sudden spike can indicate a port scan or misconfiguration, but occasional RSTs are part of normal TCP behaviour.
What does a high DNS count mean?
It means there were many domain name lookups. This is normal for busy web browsing sessions. Check the DNS Queries section to see which domains were looked up most frequently.