User guide

PCAPNG Analyzer Pro

The full guide for Pro — large files, batch analysis, threat detection, and more.

What is PCAPNG Analyzer Pro?

PCAPNG Analyzer Pro lets you open network capture files and instantly see what traffic was on your network — which devices were talking, which protocols were used, and whether anything looks suspicious. Everything stays on your computer. No files are uploaded to the internet.

Free vs Pro at a glance

FeatureFreePro
Max file size1 GB5 GB (configurable)
File formats.pcapng and .pcap.pcapng and .pcap
Saved historyLast 25 filesUnlimited
DNS RCODE breakdownYesYes
TLS version breakdownYesYes
Batch analysisYes
Watched folder auto-analysisYes
Side-by-side comparisonYes
Cross-file threat correlationYes
Payload content filterYes
25+ threat detectorsYes
Severity filter for findingsYes
Analyst annotations per findingYes
Per-finding PCAP exportYes
Threat report export (JSON)Yes

Installing

Download the .exe installer and double-click it to install. Desktop and Start Menu shortcuts are created automatically.

When you open the app for the first time, a brief loading screen appears while the backend starts. After a few seconds the Upload screen will appear.

Analyzing a file

  1. Click the upload area to select a .pcapng or .pcap file, or drag and drop files anywhere in the window.
  2. Click Analyze.
  3. A live status is shown while the file is processed. Larger files may take a minute or two.
  4. When complete, click View Full Analysis to see the results.

Understanding results

The results dashboard is divided into sections:

Protocols

A bar chart showing which network protocols were used and how often (e.g. TCP, UDP, DNS, HTTP, TLS).

IPs

Which devices sent and received the most traffic, plus MAC addresses and a TTL breakdown.

Ports

Which network ports were used most — both sending and receiving. Common ports are labelled (e.g. 443 (HTTPS), 53 (DNS)).

Traffic

A timeline chart showing packets and bytes per second over the duration of the capture.

Conversations

A table of every unique pair of devices that communicated, ranked by traffic volume.

Application layer

SectionWhat it shows
DNS queriesWhich domain names were looked up
HTTP hostsWhich websites were accessed
HTTP methodsGET, POST, etc.
TLS SNIWhich HTTPS sites were connected to
TCP flagsBreakdown of connection states (SYN, ACK, FIN, RST, etc.)

Deep packet inspection panels

Pro includes three dedicated deep inspection panels with richer analysis than the standard summaries:

PanelWhat it adds
DNS AnswersPer-domain response aggregation, NXDOMAIN detection, TTL tracking, fast-flux flagging (TTL < 60 s), private-IP resolution warnings
HTTP AnalysisMethod distribution, status code breakdown with error rates, top requested paths, suspicious path detection (webshells / exposed config files), User-Agent analysis with scanner/attack tool flagging
TLS AnalysisTLS version distribution, cipher suite frequency, weak/legacy suite detection, ClientHello offered-suite analysis

Packet statistics

Summary numbers for packet sizes: smallest, largest, average, and standard deviation.

Re-analyze

The Re-analyze button re-runs analysis on the stored file from scratch. Use this if results look outdated after an app update.

Threat intelligence

The Threat Intel view checks your capture for suspicious patterns and shows findings as colour-coded cards.

Severity levels

BadgeMeaning
CriticalStrong sign of an attack — look at this first
HighVery suspicious; worth investigating
MediumUnusual but might be benign
InfoNoteworthy; probably fine

Severity filter

A filter bar above the findings list lets you show only Critical, High, Medium, or Info findings. Only severity levels that have at least one result appear as options. Click All to reset.

What is detected

FindingWhat it means
Port scanOne device contacted more than 20 different ports — typical reconnaissance behaviour
SYN floodFar more connection attempts than completions — possible denial-of-service attack
RST stormUnusually high number of connection resets
DNS tunnelingVery long or very frequent DNS queries — sometimes used to hide data in DNS traffic
C2 beaconingTwo devices communicating at a highly or moderately regular rhythm — common in malware talking to its controller
Unusual TTLPacket TTL values that don't match any normal operating system — may indicate spoofing
Large ICMPPing packets larger than normal — sometimes used for hidden data transfer
ICMP tunnelingRepeated ICMP echo traffic with non-standard payload sizes suggesting data is being smuggled in ping packets
Known bad portsTraffic on ports commonly associated with malware, botnets, or Tor
HTTP reconHTTP requests for paths associated with directory traversal, webshell access, or exposed config files
Credential exposureCleartext usernames or passwords visible in unencrypted HTTP traffic
Weak / legacy TLSTLS 1.0 or 1.1 connections, or cipher suites that are broken or export-grade
Suspicious user-agentsHTTP User-Agent strings matching known attack tools or vulnerability scanners

Click any card to expand it and see which specific packets or IP addresses triggered the alert, along with a link to view those packets in the Packet Inspector. Use the Download PCAP button on any card to export just the relevant packets as a .pcap file.

Annotating findings

Each finding can be annotated with a status and a free-text note to record your analysis:

StatusWhen to use it
ConfirmedYou have verified this is a real threat
False positiveThe alert fired but the traffic is expected
Under investigationYou are still looking into it

Annotations are saved with the analysis and included in the threat report JSON export.

Adjusting detection thresholds

Each detector's sensitivity can be tuned without editing config files. Open Detection Rules from the settings menu to adjust thresholds for any detector.

Analyzing multiple files at once

  1. Click + or drag several files onto the upload area.
  2. All selected files appear in a list with their names and sizes.
  3. Click Analyze All.
  4. The Batch Results screen shows each file's progress: spinning circle = processing, green tick = done, red X = failed (hover for details).
  5. Click any completed file's name to open its full analysis.

Watched folder auto-analysis

Instead of manually uploading files, you can point the app at a local folder and it will automatically analyze any new .pcap or .pcapng file that appears there — useful when a tool like tcpdump or Wireshark is writing captures continuously.

  1. Open Settings → Detection Rules.
  2. Under Folder Monitor, toggle the switch on.
  3. Type or paste the full path to the folder you want to watch.
  4. Click Apply. The status badge changes to Watching.

New files that appear in the watched folder are validated, copied, and analyzed automatically. They show up in History and Threat Intel just like manually uploaded files. The setting persists across app restarts.

Comparing two captures

Useful for seeing what changed between two captures — for example before and after a firewall change, or during and after an incident.

  1. Go to File History.
  2. Tick the checkbox next to any two completed files.
  3. Click Compare Selected.

The comparison view shows:

  • Protocol counts side by side with arrows showing what increased or decreased
  • Top IP addresses in each file with differences highlighted
  • TCP flag counts for each file
  • IP addresses new in the second file
  • IP addresses from the first file that no longer appear

Cross-file threat correlation

At the bottom of the Threat Intel view, a Correlated Across Captures card shows whether any suspicious IPs or domains from the current file's findings also appear in other analyzed captures. This makes it easy to spot persistent actors — for example an IP flagged for beaconing here that also appeared in a port scan finding last week.

Each correlated indicator shows:

  • The indicator value (IP address or domain)
  • Its finding type in the current file
  • The names of other captures where it was seen and what type of finding it appeared in there

Correlation is computed on demand each time the Threat Intel view loads. No manual action is needed.

Inspecting individual packets

The Packet List view shows every packet in the capture, 100 at a time.

Filtering packets

Use the filter bar to narrow down to specific packets. All filters work together — only packets matching every active filter are shown. Click Reset Filters to clear them all.

FilterExample
ProtocolTCP, DNS, HTTP
TCP flagsSYN only, RST only, etc.
Source / destination IP192.168.1.5
Source / destination port443, 53
Packet sizeMin 100 bytes, max 1500 bytes
Time rangeFrom / to a specific timestamp
Payload contentSearch within decoded packet payload

Viewing packet details

Click any row to expand it and see the full breakdown:

  • Ethernet layer — MAC addresses
  • IP layer — IP addresses, TTL
  • TCP/UDP layer — ports, TCP flags
  • Application layer — DNS query, HTTP request, TLS server name
  • Payload — decoded content of DNS answers or HTTP responses

Exporting results

From any analysis view, click Export and choose a format:

  • JSON — everything in one file: protocols, IPs, ports, conversations, timeline, packets, and threat findings
  • CSV ZIP — a zip archive with separate spreadsheet files for each section
  • Threat report JSON — a dedicated export of threat findings and any analyst annotations you have added; available from the Threat Intel view
  • Download PCAP (per finding) — each finding card has a download button that exports only the packets relevant to that specific finding as a .pcap file, ready to open in Wireshark

File history

The History panel shows all previously analyzed files. Click any completed entry to re-open its results without re-uploading. Pro history is unlimited — no entries are ever removed automatically.

To delete a file and all its data, click the delete button next to it in History.

Troubleshooting

The app shows a blank screen on startup.
The backend is still starting. Wait 10 seconds and press Ctrl+R to refresh.
A file is stuck on "processing".
If the app was closed during analysis, the file will be marked as failed when you reopen. Click Re-analyze on that file to try again.
"Disk quota exceeded" when uploading.
Your storage limit has been reached. Go to History and delete some older files, then try again.
Results look wrong after an update.
Open the file from History and click Re-analyze to re-run the analysis with the latest version.