What is PCAPNG Analyzer Pro?
PCAPNG Analyzer Pro lets you open network capture files and instantly see what traffic was on your network — which devices were talking, which protocols were used, and whether anything looks suspicious. Everything stays on your computer. No files are uploaded to the internet.
Free vs Pro at a glance
| Feature | Free | Pro |
|---|---|---|
| Max file size | 1 GB | 5 GB (configurable) |
| File formats | .pcapng and .pcap | .pcapng and .pcap |
| Saved history | Last 25 files | Unlimited |
| DNS RCODE breakdown | Yes | Yes |
| TLS version breakdown | Yes | Yes |
| Batch analysis | — | Yes |
| Watched folder auto-analysis | — | Yes |
| Side-by-side comparison | — | Yes |
| Cross-file threat correlation | — | Yes |
| Payload content filter | — | Yes |
| 25+ threat detectors | — | Yes |
| Severity filter for findings | — | Yes |
| Analyst annotations per finding | — | Yes |
| Per-finding PCAP export | — | Yes |
| Threat report export (JSON) | — | Yes |
Installing
Download the .exe installer and double-click it to install. Desktop and Start Menu shortcuts are created automatically.
When you open the app for the first time, a brief loading screen appears while the backend starts. After a few seconds the Upload screen will appear.
Analyzing a file
- Click the upload area to select a
.pcapngor.pcapfile, or drag and drop files anywhere in the window. - Click Analyze.
- A live status is shown while the file is processed. Larger files may take a minute or two.
- When complete, click View Full Analysis to see the results.
Understanding results
The results dashboard is divided into sections:
Protocols
A bar chart showing which network protocols were used and how often (e.g. TCP, UDP, DNS, HTTP, TLS).
IPs
Which devices sent and received the most traffic, plus MAC addresses and a TTL breakdown.
Ports
Which network ports were used most — both sending and receiving. Common ports are labelled (e.g. 443 (HTTPS), 53 (DNS)).
Traffic
A timeline chart showing packets and bytes per second over the duration of the capture.
Conversations
A table of every unique pair of devices that communicated, ranked by traffic volume.
Application layer
| Section | What it shows |
|---|---|
| DNS queries | Which domain names were looked up |
| HTTP hosts | Which websites were accessed |
| HTTP methods | GET, POST, etc. |
| TLS SNI | Which HTTPS sites were connected to |
| TCP flags | Breakdown of connection states (SYN, ACK, FIN, RST, etc.) |
Deep packet inspection panels
Pro includes three dedicated deep inspection panels with richer analysis than the standard summaries:
| Panel | What it adds |
|---|---|
| DNS Answers | Per-domain response aggregation, NXDOMAIN detection, TTL tracking, fast-flux flagging (TTL < 60 s), private-IP resolution warnings |
| HTTP Analysis | Method distribution, status code breakdown with error rates, top requested paths, suspicious path detection (webshells / exposed config files), User-Agent analysis with scanner/attack tool flagging |
| TLS Analysis | TLS version distribution, cipher suite frequency, weak/legacy suite detection, ClientHello offered-suite analysis |
Packet statistics
Summary numbers for packet sizes: smallest, largest, average, and standard deviation.
Re-analyze
The Re-analyze button re-runs analysis on the stored file from scratch. Use this if results look outdated after an app update.
Threat intelligence
The Threat Intel view checks your capture for suspicious patterns and shows findings as colour-coded cards.
Severity levels
| Badge | Meaning |
|---|---|
| Critical | Strong sign of an attack — look at this first |
| High | Very suspicious; worth investigating |
| Medium | Unusual but might be benign |
| Info | Noteworthy; probably fine |
Severity filter
A filter bar above the findings list lets you show only Critical, High, Medium, or Info findings. Only severity levels that have at least one result appear as options. Click All to reset.
What is detected
| Finding | What it means |
|---|---|
| Port scan | One device contacted more than 20 different ports — typical reconnaissance behaviour |
| SYN flood | Far more connection attempts than completions — possible denial-of-service attack |
| RST storm | Unusually high number of connection resets |
| DNS tunneling | Very long or very frequent DNS queries — sometimes used to hide data in DNS traffic |
| C2 beaconing | Two devices communicating at a highly or moderately regular rhythm — common in malware talking to its controller |
| Unusual TTL | Packet TTL values that don't match any normal operating system — may indicate spoofing |
| Large ICMP | Ping packets larger than normal — sometimes used for hidden data transfer |
| ICMP tunneling | Repeated ICMP echo traffic with non-standard payload sizes suggesting data is being smuggled in ping packets |
| Known bad ports | Traffic on ports commonly associated with malware, botnets, or Tor |
| HTTP recon | HTTP requests for paths associated with directory traversal, webshell access, or exposed config files |
| Credential exposure | Cleartext usernames or passwords visible in unencrypted HTTP traffic |
| Weak / legacy TLS | TLS 1.0 or 1.1 connections, or cipher suites that are broken or export-grade |
| Suspicious user-agents | HTTP User-Agent strings matching known attack tools or vulnerability scanners |
Click any card to expand it and see which specific packets or IP addresses triggered the alert, along with a link to view those packets in the Packet Inspector. Use the Download PCAP button on any card to export just the relevant packets as a .pcap file.
Annotating findings
Each finding can be annotated with a status and a free-text note to record your analysis:
| Status | When to use it |
|---|---|
| Confirmed | You have verified this is a real threat |
| False positive | The alert fired but the traffic is expected |
| Under investigation | You are still looking into it |
Annotations are saved with the analysis and included in the threat report JSON export.
Adjusting detection thresholds
Each detector's sensitivity can be tuned without editing config files. Open Detection Rules from the settings menu to adjust thresholds for any detector.
Analyzing multiple files at once
- Click + or drag several files onto the upload area.
- All selected files appear in a list with their names and sizes.
- Click Analyze All.
- The Batch Results screen shows each file's progress: spinning circle = processing, green tick = done, red X = failed (hover for details).
- Click any completed file's name to open its full analysis.
Watched folder auto-analysis
Instead of manually uploading files, you can point the app at a local folder and it will automatically analyze any new .pcap or .pcapng file that appears there — useful when a tool like tcpdump or Wireshark is writing captures continuously.
- Open Settings → Detection Rules.
- Under Folder Monitor, toggle the switch on.
- Type or paste the full path to the folder you want to watch.
- Click Apply. The status badge changes to Watching.
New files that appear in the watched folder are validated, copied, and analyzed automatically. They show up in History and Threat Intel just like manually uploaded files. The setting persists across app restarts.
Comparing two captures
Useful for seeing what changed between two captures — for example before and after a firewall change, or during and after an incident.
- Go to File History.
- Tick the checkbox next to any two completed files.
- Click Compare Selected.
The comparison view shows:
- Protocol counts side by side with arrows showing what increased or decreased
- Top IP addresses in each file with differences highlighted
- TCP flag counts for each file
- IP addresses new in the second file
- IP addresses from the first file that no longer appear
Cross-file threat correlation
At the bottom of the Threat Intel view, a Correlated Across Captures card shows whether any suspicious IPs or domains from the current file's findings also appear in other analyzed captures. This makes it easy to spot persistent actors — for example an IP flagged for beaconing here that also appeared in a port scan finding last week.
Each correlated indicator shows:
- The indicator value (IP address or domain)
- Its finding type in the current file
- The names of other captures where it was seen and what type of finding it appeared in there
Correlation is computed on demand each time the Threat Intel view loads. No manual action is needed.
Inspecting individual packets
The Packet List view shows every packet in the capture, 100 at a time.
Filtering packets
Use the filter bar to narrow down to specific packets. All filters work together — only packets matching every active filter are shown. Click Reset Filters to clear them all.
| Filter | Example |
|---|---|
| Protocol | TCP, DNS, HTTP |
| TCP flags | SYN only, RST only, etc. |
| Source / destination IP | 192.168.1.5 |
| Source / destination port | 443, 53 |
| Packet size | Min 100 bytes, max 1500 bytes |
| Time range | From / to a specific timestamp |
| Payload content | Search within decoded packet payload |
Viewing packet details
Click any row to expand it and see the full breakdown:
- Ethernet layer — MAC addresses
- IP layer — IP addresses, TTL
- TCP/UDP layer — ports, TCP flags
- Application layer — DNS query, HTTP request, TLS server name
- Payload — decoded content of DNS answers or HTTP responses
Exporting results
From any analysis view, click Export and choose a format:
- JSON — everything in one file: protocols, IPs, ports, conversations, timeline, packets, and threat findings
- CSV ZIP — a zip archive with separate spreadsheet files for each section
- Threat report JSON — a dedicated export of threat findings and any analyst annotations you have added; available from the Threat Intel view
- Download PCAP (per finding) — each finding card has a download button that exports only the packets relevant to that specific finding as a
.pcapfile, ready to open in Wireshark
File history
The History panel shows all previously analyzed files. Click any completed entry to re-open its results without re-uploading. Pro history is unlimited — no entries are ever removed automatically.
To delete a file and all its data, click the delete button next to it in History.
Troubleshooting
Ctrl+R to refresh.