Documentation

PCAPNG Analyzer Pro

Threat detector reference, Pro feature guide, and configuration.

Overview

PCAPNG Analyzer Pro includes everything in the Free edition plus batch processing, unlimited analysis history, deep packet inspection panels, 25+ heuristic threat detectors, side-by-side capture comparison, cross-file threat correlation, watched folder auto-analysis, per-finding PCAP slice export, analyst annotations, and configurable detection rule thresholds.

Like the free edition, all processing happens locally on your machine — no capture data or results are ever sent to external servers.

Threat detectors

25+ heuristic detectors run automatically after every Pro analysis. All thresholds are adjustable via the Detection Rules settings panel.

Port scan High

Single source IP contacting more than 20 distinct destination ports in the capture window.

SYN flood Critical

SYN:ACK ratio above threshold — potential denial-of-service activity. Ratio > 10 → Critical; ratio > 3 → High.

RST storm High

Elevated RST share of total TCP traffic — possible scan or session hijack. RST ratio > 0.5 → High; > 0.2 → Medium.

DNS tunneling High

Unusually long query names (>50 characters) or high query frequency from a single host.

C2 beaconing High

Periodic connections from the same source/destination pair at highly or moderately regular intervals. Regularity is measured by the coefficient of variation of inter-packet intervals: CoV < 0.15 → "highly regular" (High); CoV 0.15–0.3 → "moderately regular" (Medium).

Unusual TTL Medium

TTL values outside typical OS defaults (32, 64, 128, 255) — potential spoofing or scanning activity.

Large ICMP Medium

ICMP packets larger than 64 bytes — possible data exfiltration channel.

ICMP tunneling High

High-volume ICMP echo traffic with non-standard payload sizes or repeated payload patterns consistent with data being chunked into ping packets.

Known malicious ports High

PortAssociated with
6667, 6668, 6669IRC / IRC botnets
1080SOCKS proxy (often abused)
4444Metasploit default
9001, 9030Tor
31337Classic backdoor
12345, 54321Common RAT defaults

HTTP recon High

Suspicious HTTP methods (e.g. TRACE, OPTIONS sweeps) or paths matching patterns associated with directory traversal, webshell access, or exposed configuration files.

Credential exposure Critical

Cleartext usernames or passwords visible in unencrypted HTTP traffic — Basic Auth header, form-encoded login fields, or URL query parameters matching common credential patterns.

Weak / legacy TLS High

TLS 1.0 or 1.1 sessions (deprecated per RFC 8996), or cipher suites flagged as broken, export-grade, or NULL. Also flags ClientHellos that advertise weak suites even if a stronger one is negotiated.

Suspicious user-agents Medium

HTTP User-Agent strings matching known attack tools, vulnerability scanners, or exploit frameworks (e.g. Nikto, sqlmap, Metasploit, Nmap HTTP scripts).

Severity filter

The Threat Intel view includes a pill-button filter bar above the findings list. The bar only shows severity levels that have at least one result. Selecting a level hides all findings at other severities, letting you focus on Critical or High items first. Selecting All resets to the full list.

Per-finding PCAP export

Each threat finding card includes a Download PCAP button alongside the Evidence and Annotate buttons. Clicking it extracts only the packets relevant to that finding type from the original capture file and downloads them as a PCAP (capped at 5,000 packets).

Finding typePackets included
Port scanSYN packets from the scanning source IP
SYN floodAll SYN packets
RST stormAll RST packets
DNS tunnelingDNS packets matching the flagged domain pattern
C2 beaconingAll packets for the flagged IP pair
Unusual TTLPackets with the flagged TTL value
Large ICMPICMP packets over 64 bytes
Known bad portsPackets to/from the flagged port

Cross-file threat correlation

The Threat Intel view includes a Correlated Across Captures card at the bottom of the page. It cross-references IP addresses and domain names from the current file's findings against all other stored analyses, showing you where the same indicators appeared in earlier or later captures.

Each correlated indicator is listed with the indicator value, the finding type in the current file, and the other filenames and finding types where it also appears. This makes it easy to confirm persistent activity across multiple captures.

Watched folder / auto-analysis

When enabled, the app monitors a local directory for new .pcap and .pcapng files and automatically triggers analysis — identical to the manual upload path. Useful for continuous monitoring environments where captures are written by an external tool such as tcpdump.

Setup

Open Settings → Detection Rules. The Folder Monitor section has:

  • An enable toggle (Watching / Stopped badge)
  • A folder path input (editable only when the toggle is on)
  • An Apply button to save and activate

The configuration persists across app restarts — the observer resumes automatically on startup if enabled.

How it works

  1. When a new file appears in the watched directory, the watcher waits for the file to stabilise to avoid reading a partially-written capture.
  2. Files that aren't valid PCAP or PCAPNG are silently ignored.
  3. Valid files are queued for analysis and appear in History once processing completes.

Configuration

The following environment variables can be set before launching the app to change its behaviour.

VariableDefaultDescription
MAX_FILE_SIZE_MB5120Maximum accepted file size in megabytes (default 5 GB)
MAX_DISK_USAGE_MBunsetReject uploads when total stored file size exceeds this value

In-app limits: The maximum file size and disk usage caps can also be adjusted from the Storage & Performance Limits settings panel inside the app — no environment variables required.

Data & privacy

  • All processing is local. No capture data or analysis results leave your machine.
  • Uploaded files and analysis results are stored in the application's local data folder on your machine.
  • Analysis history is unlimited in Pro — files are only removed when you delete them manually.
  • To remove all stored data, use Analysis History → delete all, or uninstall the application.