Overview
PCAPNG Analyzer Pro includes everything in the Free edition plus batch processing, unlimited analysis history, deep packet inspection panels, 25+ heuristic threat detectors, side-by-side capture comparison, cross-file threat correlation, watched folder auto-analysis, per-finding PCAP slice export, analyst annotations, and configurable detection rule thresholds.
Like the free edition, all processing happens locally on your machine — no capture data or results are ever sent to external servers.
Threat detectors
25+ heuristic detectors run automatically after every Pro analysis. All thresholds are adjustable via the Detection Rules settings panel.
Port scan High
Single source IP contacting more than 20 distinct destination ports in the capture window.
SYN flood Critical
SYN:ACK ratio above threshold — potential denial-of-service activity. Ratio > 10 → Critical; ratio > 3 → High.
RST storm High
Elevated RST share of total TCP traffic — possible scan or session hijack. RST ratio > 0.5 → High; > 0.2 → Medium.
DNS tunneling High
Unusually long query names (>50 characters) or high query frequency from a single host.
C2 beaconing High
Periodic connections from the same source/destination pair at highly or moderately regular intervals. Regularity is measured by the coefficient of variation of inter-packet intervals: CoV < 0.15 → "highly regular" (High); CoV 0.15–0.3 → "moderately regular" (Medium).
Unusual TTL Medium
TTL values outside typical OS defaults (32, 64, 128, 255) — potential spoofing or scanning activity.
Large ICMP Medium
ICMP packets larger than 64 bytes — possible data exfiltration channel.
ICMP tunneling High
High-volume ICMP echo traffic with non-standard payload sizes or repeated payload patterns consistent with data being chunked into ping packets.
Known malicious ports High
| Port | Associated with |
|---|---|
| 6667, 6668, 6669 | IRC / IRC botnets |
| 1080 | SOCKS proxy (often abused) |
| 4444 | Metasploit default |
| 9001, 9030 | Tor |
| 31337 | Classic backdoor |
| 12345, 54321 | Common RAT defaults |
HTTP recon High
Suspicious HTTP methods (e.g. TRACE, OPTIONS sweeps) or paths matching patterns associated with directory traversal, webshell access, or exposed configuration files.
Credential exposure Critical
Cleartext usernames or passwords visible in unencrypted HTTP traffic — Basic Auth header, form-encoded login fields, or URL query parameters matching common credential patterns.
Weak / legacy TLS High
TLS 1.0 or 1.1 sessions (deprecated per RFC 8996), or cipher suites flagged as broken, export-grade, or NULL. Also flags ClientHellos that advertise weak suites even if a stronger one is negotiated.
Suspicious user-agents Medium
HTTP User-Agent strings matching known attack tools, vulnerability scanners, or exploit frameworks (e.g. Nikto, sqlmap, Metasploit, Nmap HTTP scripts).
Severity filter
The Threat Intel view includes a pill-button filter bar above the findings list. The bar only shows severity levels that have at least one result. Selecting a level hides all findings at other severities, letting you focus on Critical or High items first. Selecting All resets to the full list.
Per-finding PCAP export
Each threat finding card includes a Download PCAP button alongside the Evidence and Annotate buttons. Clicking it extracts only the packets relevant to that finding type from the original capture file and downloads them as a PCAP (capped at 5,000 packets).
| Finding type | Packets included |
|---|---|
| Port scan | SYN packets from the scanning source IP |
| SYN flood | All SYN packets |
| RST storm | All RST packets |
| DNS tunneling | DNS packets matching the flagged domain pattern |
| C2 beaconing | All packets for the flagged IP pair |
| Unusual TTL | Packets with the flagged TTL value |
| Large ICMP | ICMP packets over 64 bytes |
| Known bad ports | Packets to/from the flagged port |
Cross-file threat correlation
The Threat Intel view includes a Correlated Across Captures card at the bottom of the page. It cross-references IP addresses and domain names from the current file's findings against all other stored analyses, showing you where the same indicators appeared in earlier or later captures.
Each correlated indicator is listed with the indicator value, the finding type in the current file, and the other filenames and finding types where it also appears. This makes it easy to confirm persistent activity across multiple captures.
Watched folder / auto-analysis
When enabled, the app monitors a local directory for new .pcap and .pcapng files and automatically triggers analysis — identical to the manual upload path. Useful for continuous monitoring environments where captures are written by an external tool such as tcpdump.
Setup
Open Settings → Detection Rules. The Folder Monitor section has:
- An enable toggle (Watching / Stopped badge)
- A folder path input (editable only when the toggle is on)
- An Apply button to save and activate
The configuration persists across app restarts — the observer resumes automatically on startup if enabled.
How it works
- When a new file appears in the watched directory, the watcher waits for the file to stabilise to avoid reading a partially-written capture.
- Files that aren't valid PCAP or PCAPNG are silently ignored.
- Valid files are queued for analysis and appear in History once processing completes.
Configuration
The following environment variables can be set before launching the app to change its behaviour.
| Variable | Default | Description |
|---|---|---|
MAX_FILE_SIZE_MB | 5120 | Maximum accepted file size in megabytes (default 5 GB) |
MAX_DISK_USAGE_MB | unset | Reject uploads when total stored file size exceeds this value |
In-app limits: The maximum file size and disk usage caps can also be adjusted from the Storage & Performance Limits settings panel inside the app — no environment variables required.
Data & privacy
- All processing is local. No capture data or analysis results leave your machine.
- Uploaded files and analysis results are stored in the application's local data folder on your machine.
- Analysis history is unlimited in Pro — files are only removed when you delete them manually.
- To remove all stored data, use Analysis History → delete all, or uninstall the application.