Getting started
PCAPNG Analyzer Free lets you open a network capture file and explore what was happening on the network — which devices were talking, which protocols and ports were in use, which websites were visited, and more. Everything is processed on your computer. Your capture files are never sent anywhere.
Opening a capture file
- Launch PCAPNG Analyzer Free.
- Click the upload area and select your
.pcapngor.pcapfile. - Click Analyze File.
A live packet count is shown while the app works. For large files this can take a minute or two. When processing finishes, click View Analysis to see the results.
File format note: Both .pcapng and .pcap formats are supported. PCAPNG stores richer metadata, but either will work.
The analysis dashboard
Once a file has been analyzed you will see a dashboard broken into sections. Each section can be expanded or collapsed by clicking its header. Scroll down to see them all.
Summary
A quick overview of the capture at the top of the dashboard:
- Total packets — how many packets are in the file
- Total bytes — the combined size of all traffic
- Start / End time — when the capture began and ended (UTC)
- Duration — how long the capture ran
Protocol distribution
A bar chart and counts showing which network protocols were used — for example TCP, UDP, ICMP, ARP. This gives you a quick sense of what kind of traffic dominated the capture.
Traffic over time
A line chart showing how busy the network was second-by-second throughout the capture. Spikes indicate bursts of activity.
Top talkers
The most active IP addresses, ranked two ways:
- By packets — which addresses sent or received the most packets
- By bytes — which addresses transferred the most data
Both directions (sent and received) are counted together, so a server that mostly receives requests will still appear if it handled a lot of traffic.
Conversations
The busiest pairs of IP addresses that were communicating with each other, ranked by packet count. Useful for spotting which two hosts were doing the most back-and-forth.
IP addresses
- Source IPs — addresses that sent traffic
- Destination IPs — addresses that received traffic
Click See more to see the full list in a scrollable panel.
Ports
- Source ports — ports that connections were made from
- Destination ports — ports that connections were made to
Common destination ports to recognise: 80 = HTTP, 443 = HTTPS, 53 = DNS, 22 = SSH.
MAC addresses
The hardware (MAC) addresses of devices seen in the capture, split into source and destination. These identify network adapters rather than IP addresses, and are usually only visible for devices on the same local network segment.
TCP flags
Counts of TCP control flags across all TCP traffic in the capture:
| Flag | Meaning |
|---|---|
| SYN | Opening a new connection |
| ACK | Acknowledging received data |
| FIN | Closing a connection gracefully |
| RST | Resetting / forcibly closing a connection |
| PSH | Pushing data to the application immediately |
| URG | Urgent data (rare in normal traffic) |
A high RST count can indicate connection errors, port scans, or rejected connections.
TTL distribution
TTL (Time to Live) is a number in each IP packet that decrements at every router hop. The starting value often reveals the operating system of the sending device:
64— common default on Linux and macOS128— common default on Windows255— common on network equipment
Packet size statistics
Min, max, average, and standard deviation of packet sizes in bytes. Very small packets (under ~100 bytes) are often acknowledgements or keep-alives. Large packets near 1500 bytes are typically data transfers using the full Ethernet frame size.
DNS queries & RCODE
Domain names that were looked up during the capture. This is one of the most useful sections for understanding which websites or services the device was connecting to.
Below the query list, a response code (RCODE) breakdown shows how DNS answers resolved — for example how many lookups ended in NXDOMAIN (domain not found) or SERVFAIL (server error). NXDOMAIN and SERVFAIL counts are highlighted to make them easy to spot.
HTTP hosts & methods
When unencrypted HTTP traffic is present, this section shows:
- Hosts — the website or server being contacted (from the
Host:header) - Methods — the type of request (
GET,POST, etc.)
Most modern web traffic is encrypted (HTTPS/TLS) and will not appear here.
TLS SNI & version
For encrypted HTTPS connections, the server name is still visible in the TLS handshake even though the content is not. This shows which hostnames encrypted connections were made to, without decrypting the traffic.
A TLS version breakdown is shown below the SNI list — how many connections used TLS 1.3, 1.2, 1.1, or 1.0. TLS 1.3 is the current standard; 1.0 and 1.1 are deprecated and their presence may indicate older clients or servers.
Packet list
A scrollable, searchable table of individual packets. Filter by:
- Protocol (e.g.
TCP) - Source or destination IP address
- Source or destination port number
Click any row to expand it and see the full layer-by-layer detail of that packet.
Analysis history
Click Analysis History in the top navigation to see your last 25 analyses. From this screen you can:
- Open any previous analysis by clicking it
- Re-analyze a file — reprocesses the stored capture without re-uploading
- Delete an entry to remove it and free up space
When you upload a 26th file, the oldest analysis is automatically removed. A notice is shown at the top of the screen when this happens.
Need unlimited history? Pro keeps every analysis indefinitely with no auto-pruning.
Exporting results
Inside any open analysis, click Export to download the results:
- JSON — a single file containing all analysis data, useful for importing into other tools or scripts
- CSV ZIP — a ZIP archive with one spreadsheet-friendly CSV per category (protocols, IPs, ports, DNS, etc.)
Other features
Stopping an analysis
If you click Analyze File and then change your mind, click Stop. This cancels processing and deletes the in-progress file.
Dark mode
Click the sun/moon icon in the top-right corner to switch between light and dark themes.
Frequently asked questions
.pcapng and .pcap files are supported in the free edition. The PCAPNG format stores richer metadata, but either will work.editcap (included with Wireshark). Pro supports up to 5 GB by default, with the limit configurable via the MAX_FILE_SIZE_MB environment variable.%APPDATA%\PCAPNG Analyzer Free\data\. To remove all stored data, delete that folder.