PCAP Analyzer

Browser-based packet capture analysis: parse .pcap and .pcapng files entirely client-side. Decode Ethernet/IP/TCP/UDP, extract DNS queries, HTTP requests, TLS Client Hello (SNI), conversation flows, top talkers, protocol distribution, and export results — all without uploading.

Analyzer Networking Updated Apr 28, 2026
How to Use
  1. Drop a .pcap or .pcapng file into the input area, or click to browse.
  2. The Overview tab shows total packets, duration, top talkers, and protocol distribution.
  3. Packets tab lists every packet with timestamp, source/destination, protocol, and length. Click any row to see hex.
  4. Conversations tab groups packets into flows (5-tuple) with byte counts.
  5. DNS tab extracts every query and response with TTLs and answers.
  6. HTTP tab pulls request lines (Method/URL/Host) from cleartext HTTP traffic.
  7. TLS tab extracts SNI hostnames from Client Hello messages and JA3-style fingerprints.
  8. Use the search/filter bar on any tab to narrow results by IP, port, protocol, or hostname.
  9. Export filtered results as CSV, JSON, or a Wireshark display filter.

What gets analyzed

File formats: libpcap and PcapNG, in both byte orders.
Link layer: Ethernet II, 802.1Q VLAN, Linux SLL, auto-detected from the capture's datalink type.
Network: IPv4, IPv6, ARP, ICMP, ICMPv6, with full header parsing.
Transport: TCP, UDP, including flags, sequence numbers and ports.
DNS: queries and responses, with QName, QType, answers and TTLs.
HTTP/1.x: request line and headers, giving method, path, Host and User-Agent.
TLS: Client Hello, with SNI hostname, offered version and cipher suites.
Conversations: 5-tuple flow tracking with bidirectional byte and packet counts.
Threats: heuristic surfacing of DGA-like domains, beacons and other anomalies.

A Brief History of Packet Capture

Packet capture as we know it begins with Steven McCanne and Van Jacobson's BSD Packet Filter (BPF), developed at Lawrence Berkeley Laboratory in 1992 and published at USENIX in 1993. BPF gave Unix kernels a way to copy network packets from the kernel to user space cheaply and with kernel-side filtering, fast enough that capturing high-speed traffic on commodity hardware became practical for the first time. tcpdump, the canonical command-line capture tool, was built on BPF (through the libpcap library) and remains a Unix workhorse today.

The libpcap file format, the .pcap extension, emerged from the need to save captures to disk for later analysis. The format is dead simple: a 24-byte global header (magic number, major and minor version, time-zone offset, timestamp accuracy, snapshot length, link-layer type) followed by a stream of per-packet records, each with a 16-byte header (timestamp seconds, timestamp fraction in microseconds or nanoseconds depending on the magic, captured length, original length) plus the raw packet bytes. The simplicity is deliberate; libpcap files have been losslessly readable for 30+ years.

Wireshark (originally Ethereal, 1998) brought a graphical dissector with hundreds of protocol decoders. The PcapNG ("next generation") format, first drafted in 2004, addresses libpcap's limitations: it supports multiple capture interfaces in one file, per-packet comments, name-resolution records, and richer metadata. Wireshark and dumpcap have written PcapNG by default since version 1.8 (2012); tcpdump still writes classic libpcap files unless you convert afterwards, although the libpcap library it uses can read PcapNG.

The browser became a viable platform for packet analysis once ArrayBuffer, DataView, and FileReader were universally supported (around 2013) — the same primitives that power image and video tools. This analyzer stands on those primitives, doing what previously required Wireshark installed on your local machine.

About This Analyzer

This analyzer parses libpcap and PcapNG files in the browser using ArrayBuffer + DataView, then walks each packet through a layered decoder: link-layer (Ethernet II, 802.1Q, Linux SLL), network (IPv4/v6, ARP, ICMP), transport (TCP/UDP), and application (DNS, HTTP/1.x request lines, TLS Client Hello with SNI). Aggregates are computed in a single pass: top talkers by bytes, conversation flows by 5-tuple, protocol distribution, DNS query timeline, HTTP requests, and TLS hostnames.
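The libpcap container from the history section and the layered decode described above, as an added example in JavaScript. This is not the analyzer's source; it is a minimal stand-alone reader written on the same ArrayBuffer + DataView primitives, handling both byte orders and the nanosecond-timestamp magic, decoding Ethernet II (with an 802.1Q tag) into IPv4 and TCP/UDP ports, and merging both directions of a flow into one 5-tuple conversation. The sample capture is constructed in memory: the udpFrame and buildSamplePcap helpers, the addresses and the ports are all made up for the example, and IP/UDP checksums are left zero because nothing here validates them.

```javascript
// Added example, not the analyzer's own code: a minimal libpcap reader plus
// an Ethernet -> IPv4 -> TCP/UDP decoder and a 5-tuple conversation merge.

// Magic as read big-endian from the first four bytes. The writer stores
// 0xa1b2c3d4 in its native order, so the byte-swapped value means little-endian;
// the 0x..3c4d variants mean nanosecond rather than microsecond timestamps.
const PCAP_MAGICS = {
  0xa1b2c3d4: { le: false, ns: false },
  0xd4c3b2a1: { le: true,  ns: false },
  0xa1b23c4d: { le: false, ns: true  },
  0x4d3cb2a1: { le: true,  ns: true  },
};

function parsePcap(buf) {
  const dv = new DataView(buf);
  const fmt = PCAP_MAGICS[dv.getUint32(0, false)];
  if (!fmt) throw new Error('not a libpcap file (PcapNG needs its own block-based reader)');
  const le = fmt.le;
  const header = { snaplen: dv.getUint32(16, le), linktype: dv.getUint32(20, le), nanosecond: fmt.ns };
  const packets = [];
  let off = 24;
  while (off + 16 <= buf.byteLength) {
    const tsSec = dv.getUint32(off, le), tsFrac = dv.getUint32(off + 4, le);
    const inclLen = dv.getUint32(off + 8, le), origLen = dv.getUint32(off + 12, le);
    off += 16;
    if (off + inclLen > buf.byteLength) break;   // truncated final record: keep what we have
    packets.push({ ts: tsSec + tsFrac / (fmt.ns ? 1e9 : 1e6), inclLen, origLen,
                   data: new Uint8Array(buf, off, inclLen) });
    off += inclLen;
  }
  return { header, packets };   // header.linktype 1 = LINKTYPE_ETHERNET
}

// Ethernet II (optionally 802.1Q-tagged) -> IPv4 -> TCP/UDP ports.
function decodeEthernetIPv4(pkt) {
  const d = pkt.data;
  if (d.length < 14) return null;
  let ethType = (d[12] << 8) | d[13], off = 14;
  if (ethType === 0x8100 && d.length >= 18) { ethType = (d[16] << 8) | d[17]; off = 18; }
  if (ethType !== 0x0800) return null;                 // IPv6/ARP left out of this example
  const ip = d.subarray(off);
  if (ip.length < 20 || (ip[0] >> 4) !== 4) return null;
  const ihl = (ip[0] & 0x0f) * 4, proto = ip[9];
  const src = Array.from(ip.subarray(12, 16)).join('.');
  const dst = Array.from(ip.subarray(16, 20)).join('.');
  const l4 = ip.subarray(ihl);
  if ((proto !== 6 && proto !== 17) || l4.length < 4) return { src, dst, proto };
  return { src, dst, proto, sport: (l4[0] << 8) | l4[1], dport: (l4[2] << 8) | l4[3] };
}

// Group packets into bidirectional flows keyed on a canonically ordered 5-tuple.
function conversations(packets) {
  const flows = new Map();
  for (const pkt of packets) {
    const p = decodeEthernetIPv4(pkt);
    if (!p || p.sport === undefined) continue;
    const a = `${p.src}:${p.sport}`, b = `${p.dst}:${p.dport}`;
    const forward = a < b;                              // both directions land on one key
    const key = forward ? `${p.proto}|${a}|${b}` : `${p.proto}|${b}|${a}`;
    let f = flows.get(key);
    if (!f) { f = { key, packets: 0, bytes: 0, fwdBytes: 0, revBytes: 0 }; flows.set(key, f); }
    f.packets++; f.bytes += pkt.origLen;
    if (forward) f.fwdBytes += pkt.origLen; else f.revBytes += pkt.origLen;
  }
  return [...flows.values()].sort((x, y) => y.bytes - x.bytes);   // top talkers first
}

// --- Constructed sample data, made up for this example (checksums left zero) ---
function udpFrame(src, dst, sport, dport, payloadLen) {
  const f = new Uint8Array(14 + 20 + 8 + payloadLen);
  f.set([0, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0x08, 0x00]);
  const ip = f.subarray(14), total = 20 + 8 + payloadLen;
  ip[0] = 0x45; ip[2] = total >> 8; ip[3] = total & 0xff; ip[8] = 64; ip[9] = 17;
  ip.set(src.split('.').map(Number), 12); ip.set(dst.split('.').map(Number), 16);
  const udp = ip.subarray(20), ulen = 8 + payloadLen;
  udp.set([sport >> 8, sport & 0xff, dport >> 8, dport & 0xff, ulen >> 8, ulen & 0xff]);
  return f;
}

function buildSamplePcap(frames, littleEndian) {
  const buf = new ArrayBuffer(24 + frames.reduce((n, f) => n + 16 + f.length, 0));
  const dv = new DataView(buf), le = littleEndian;
  dv.setUint32(0, 0xa1b2c3d4, le); dv.setUint16(4, 2, le); dv.setUint16(6, 4, le);
  dv.setUint32(16, 65535, le); dv.setUint32(20, 1, le);
  let off = 24, t = 1700000000;
  for (const f of frames) {
    dv.setUint32(off, t++, le); dv.setUint32(off + 8, f.length, le); dv.setUint32(off + 12, f.length, le);
    new Uint8Array(buf, off + 16, f.length).set(f);
    off += 16 + f.length;
  }
  return buf;
}

const SAMPLE_FRAMES = [
  udpFrame('10.0.0.5', '8.8.8.8', 53000, 53, 32),     // DNS query
  udpFrame('8.8.8.8', '10.0.0.5', 53, 53000, 80),     // DNS reply, same flow reversed
  udpFrame('10.0.0.5', '10.0.0.9', 40000, 514, 120),  // syslog to a local collector
];
```

Feeding `buildSamplePcap(SAMPLE_FRAMES, true)` and `buildSamplePcap(SAMPLE_FRAMES, false)` to `parsePcap` yields the same three packets, and `conversations` merges the query and reply into one flow of 196 bytes (74 forward, 122 reverse) ahead of the 162-byte syslog flow. A real tool also has to dispatch on `header.linktype` (Linux SLL and VLAN-only captures differ at the first hop) and must never trust `inclLen` blindly, which is why the loop bounds-checks before slicing.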

Everything runs entirely in your browser. Your packet capture is never transmitted to any server — useful for sensitive captures (corporate networks, customer data, security incidents) where uploading to an online tool would be inappropriate. For full Wireshark-grade protocol depth (HTTP body reassembly, encrypted payload decryption with provided keys, SMB/Kerberos/etc dissectors), use Wireshark locally. This tool is optimized for fast triage and the most-used 80% of traffic types.

Frequently Asked Questions

Does my packet capture get uploaded?

No. The entire parser runs in your browser using ArrayBuffer + DataView; your file is never sent to any server. You can analyze captures containing internal IPs, plaintext credentials (don't!), authentication headers, or other sensitive material. The browser is just doing what Wireshark does, locally. If you want to verify that for yourself, load the page, then disconnect from the network or watch the browser's Network panel before dropping the file: analysis should complete with no outbound requests.

Which file formats are supported?

libpcap (the classic format written by tcpdump and most capture tools). Its first four bytes are the magic number 0xa1b2c3d4 written in the writer's native byte order, so a reader sees either 0xa1b2c3d4 or 0xd4c3b2a1; the variants 0xa1b23c4d / 0x4d3cb2a1 mark nanosecond-resolution timestamps. PcapNG (the modern format with multiple interfaces, comments, and metadata) starts with a Section Header Block of type 0x0a0d0d0a, which reads the same in either byte order, followed by a byte-order magic of 0x1a2b3c4d that tells the reader which endianness the section uses. Both little-endian and big-endian files are handled. Any tool that exports a packet capture to disk likely produces one of these.

Which protocols does it decode?

Link layer: Ethernet II, 802.1Q VLAN tags, Linux SLL. Network: IPv4, IPv6, ARP, ICMP/ICMPv6. Transport: TCP, UDP. Application: DNS query/response, HTTP/1.x request line, TLS Client Hello with SNI extraction. For deeper protocol decoding (full HTTP body reassembly, TLS payload, DHCP, SMB, etc.), use Wireshark — this tool is optimized for fast triage and the ~80% case.

How big a capture can it handle?

Tens of MB easily. The parser streams through the file once and indexes packets; UI rendering is virtualized so only visible rows are in the DOM. Captures over a few hundred MB may slow down depending on your device. For very large captures (multi-GB), use Wireshark on your local machine.

What's the difference vs Wireshark?

Wireshark has hundreds of dissectors and decades of feature depth — for full forensics on a complex capture, use Wireshark. This tool is for: (1) quick triage when you don't have Wireshark installed, (2) browser-only environments (locked-down corporate workstations, ChromeOS, mobile), (3) sharing a capture with someone who can't install desktop software, (4) sensitive captures you don't want to leave your machine. The triage output is comparable for the most-used dissectors.

Will it find malicious traffic?

It surfaces obvious indicators: DNS queries to algorithmically-generated-looking domains (DGA patterns), unusual destination ports, suspicious TLS fingerprints, beacons (connections repeating at regular intervals), and signs of exfiltration (large outbound transfers on unusual ports). These are heuristics, so expect benign hits too: update checks, NTP and monitoring agents all poll at fixed intervals, and CDN hostnames can look random. Treat a Threats-tab flag as a lead, not a verdict, and follow up with dedicated tools (Suricata, Zeek, or a SIEM). The tab is for a quick 'is this capture interesting?' read, not a replacement for an IDS.
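Two of the heuristics this answer mentions, beacon detection and DGA-style domain scoring, as an added example in JavaScript. This is not the analyzer's own Threats-tab logic; it is an illustration of the kind of computation involved, and every threshold is illustrative. Input records are assumed to carry `{ ts, src, dst, dport }` (timestamps in seconds), and the SAMPLE_RECORDS are constructed for the example using documentation address ranges.

```javascript
// Added example, not the analyzer's own heuristics: two cheap triage signals
// computed over decoded packets. Records are assumed to look like
// { ts: seconds, src, dst, dport }; every threshold below is illustrative.

function median(values) {
  const s = [...values].sort((a, b) => a - b), m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Beacon candidates: a (src, dst, dport) contacted at least minHits times whose
// inter-arrival gaps are regular, measured as MAD(gaps) / median(gaps).
// Medians are used so a few retries or missed check-ins do not hide the pattern.
function findBeacons(records, { minHits = 8, maxJitter = 0.1 } = {}) {
  const byDest = new Map();
  for (const r of records) {
    const key = `${r.src}->${r.dst}:${r.dport}`;
    if (!byDest.has(key)) byDest.set(key, []);
    byDest.get(key).push(r.ts);
  }
  const hits = [];
  for (const [key, tsList] of byDest) {
    if (tsList.length < minHits) continue;
    const ts = [...tsList].sort((a, b) => a - b);
    const gaps = ts.slice(1).map((t, i) => t - ts[i]);
    const period = median(gaps);
    if (period <= 0) continue;                    // a burst with identical timestamps is not a beacon
    const jitter = median(gaps.map(g => Math.abs(g - period))) / period;
    if (jitter <= maxJitter) hits.push({ key, count: ts.length, period, jitter });
  }
  return hits.sort((a, b) => a.jitter - b.jitter);
}

function shannonEntropy(s) {
  const counts = new Map();
  for (const c of s) counts.set(c, (counts.get(c) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// DGA-style names: a long second-level label with high character entropy and
// few vowels. Simplification: assumes a one-part TLD (no public-suffix list),
// so "example.co.uk" would be judged on "co".
function looksGenerated(fqdn, { minLen = 12, minEntropy = 3.5, maxVowelRatio = 0.2 } = {}) {
  const labels = fqdn.toLowerCase().replace(/\.$/, '').split('.');
  if (labels.length < 2) return false;
  const label = labels[labels.length - 2];
  const vowelRatio = (label.match(/[aeiou]/g) || []).length / label.length;
  return label.length >= minLen && shannonEntropy(label) >= minEntropy && vowelRatio <= maxVowelRatio;
}

// Constructed sample: a 20-hit check-in roughly every 60 s to one host, plus
// irregular browsing to another, plus a destination seen too rarely to judge.
const SAMPLE_RECORDS = [];
for (let i = 0; i < 20; i++)
  SAMPLE_RECORDS.push({ ts: 1000 + 60 * i + (i % 3), src: '10.0.0.7', dst: '203.0.113.10', dport: 443 });
for (const t of [1000, 1003, 1010, 1040, 1041, 1100, 1350, 1360, 1900, 2400])
  SAMPLE_RECORDS.push({ ts: t, src: '10.0.0.7', dst: '198.51.100.5', dport: 443 });
for (const t of [1200, 1260, 1320])
  SAMPLE_RECORDS.push({ ts: t, src: '10.0.0.7', dst: '192.0.2.44', dport: 8080 });
```

`findBeacons(SAMPLE_RECORDS)` returns only the 203.0.113.10:443 series (20 hits, median period 61 s, zero jitter), while the browsing series is rejected for its irregular gaps and the third destination for too few hits. Real beacons often add deliberate jitter, so in practice the jitter threshold is something you tune against your own baseline rather than a constant.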

Can I export filtered results?

Yes — every tab supports CSV, JSON, and Wireshark-display-filter export of the currently filtered/visible rows. Useful for handing off triage findings to a colleague who'll continue analysis in Wireshark, or for feeding IOCs into a SIEM.

Where do .pcap files come from?

tcpdump (Linux/macOS/BSD), Wireshark, tshark and dumpcap (any OS), Microsoft Network Monitor (.cap files Wireshark can read), netsh trace on Windows (which writes .etl, so convert it with Microsoft's etl2pcapng before loading it here), Suricata (pcap-log output), Zeek (zeek -w), and cloud packet-mirroring services such as AWS VPC Traffic Mirroring and Google Cloud Packet Mirroring. Note that VPC Flow Logs are flow summaries rather than packets and cannot be turned into a PCAP, and that HTTP proxies such as mitmproxy and Charles record flows in their own formats rather than packet captures. Any tool that does packet-level capture produces one of the supported formats.

Common Use Cases

Incident response triage

Get a fast read on a suspicious capture before opening Wireshark — top talkers, protocol mix, anomalous DNS queries, unusual destinations.

Debugging API integrations

Inspect HTTP request lines to a third-party API when DevTools aren't accessible (server-side calls, mobile app traffic captured via tcpdump).

TLS / SNI inspection

See exactly which hostnames a device is connecting to. The SNI travels in the unencrypted Client Hello, so it is visible in TLS 1.2 and TLS 1.3 alike; only Encrypted Client Hello (ECH) hides it, and then the name you see is the public name of the client-facing server rather than the real destination.
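The Client Hello parsing behind this use case, as an added example in JavaScript. This is not the analyzer's TLS dissector; it is a stand-alone parser that takes the bytes of a TLS record (the TCP payload) and returns the SNI, the offered cipher suites, the supported_versions list (where TLS 1.3 is actually announced, since legacy_version stays 0x0303) and whether an encrypted_client_hello extension (type 0xfe0d) is present, in which case the visible SNI is only the ECH public name. The buildClientHello helper constructs sample messages for the example; its random bytes and cipher list are made up, not captured traffic.

```javascript
// Added example, not the analyzer's own code: pull the SNI, offered cipher
// suites, supported_versions and an ECH indicator out of a TLS Client Hello.
// Input is a Uint8Array starting at the TLS record header (the TCP payload).

function u16(b, o) { return (b[o] << 8) | b[o + 1]; }

function parseClientHello(rec) {
  // Record header: type(1) version(2) length(2); handshake header: type(1) length(3).
  if (rec.length < 9 || rec[0] !== 0x16 || rec[5] !== 0x01) return null;
  const recLen = u16(rec, 3), hsLen = (rec[6] << 16) | u16(rec, 7);
  // A Client Hello split across records (common with large key shares) needs
  // reassembly first; this minimal parser simply declines such input.
  if (hsLen + 4 > recLen || 5 + recLen > rec.length) return null;
  const end = 9 + hsLen;
  let o = 9;
  const out = { legacyVersion: u16(rec, o), ciphers: [], sni: null, supportedVersions: [], ech: false };
  o += 2 + 32;                                  // legacy_version, random
  o += 1 + rec[o];                              // legacy_session_id
  const csLen = u16(rec, o); o += 2;
  for (let i = 0; i < csLen; i += 2) out.ciphers.push(u16(rec, o + i));
  o += csLen;
  o += 1 + rec[o];                              // legacy_compression_methods
  if (o + 2 > end) return out;                  // extensions are optional
  const extEnd = Math.min(end, o + 2 + u16(rec, o)); o += 2;
  while (o + 4 <= extEnd) {
    const type = u16(rec, o), len = u16(rec, o + 2);
    const body = rec.subarray(o + 4, o + 4 + len);
    o += 4 + len;
    if (type === 0x0000 && body.length >= 5 && body[2] === 0) {
      // server_name: list_len(2) name_type(1)=host_name name_len(2) name
      const n = u16(body, 3);
      out.sni = String.fromCharCode(...body.subarray(5, 5 + n));
    } else if (type === 0x002b) {
      // supported_versions: TLS 1.3 announces itself here, legacy_version stays 0x0303
      for (let i = 1; i + 1 < body.length; i += 2) out.supportedVersions.push(u16(body, i));
    } else if (type === 0xfe0d) {
      // encrypted_client_hello: the visible SNI is only the ECH public_name
      out.ech = true;
    }
  }
  return out;
}

// One-line summary of the kind a TLS tab would show for each Client Hello.
function describeClientHello(p) {
  const v = p.supportedVersions.includes(0x0304) ? 'TLS1.3' : p.legacyVersion === 0x0303 ? 'TLS1.2' : 'older';
  return `${p.sni || '(no SNI)'} ${v} ${p.ciphers.length} suites${p.ech ? ' [ECH: SNI is a public name]' : ''}`;
}

// Constructed sample builder (not real captured bytes): just enough of a
// Client Hello to exercise the parser, with extension bodies laid out as in RFC 6066 / RFC 8446.
function buildClientHello(hostname, { tls13 = true, ech = false } = {}) {
  const host = Array.from(hostname, c => c.charCodeAt(0));
  const sni = [0x00, 0x00, 0, host.length + 5, 0, host.length + 3, 0x00, 0, host.length, ...host];
  const sv = tls13 ? [0x00, 0x2b, 0, 5, 4, 0x03, 0x04, 0x03, 0x03] : [];
  const echExt = ech ? [0xfe, 0x0d, 0, 0] : [];       // empty body: presence is all we check
  const exts = [...sni, ...sv, ...echExt];
  const ciphers = [0x13, 0x01, 0x13, 0x02, 0xc0, 0x2f];
  const body = [0x03, 0x03, ...new Array(32).fill(0x42), 0,   // legacy_version, random, empty session_id
    0, ciphers.length, ...ciphers, 1, 0,                       // cipher_suites, compression: null only
    exts.length >> 8, exts.length & 0xff, ...exts];
  const hs = [0x01, body.length >> 16, (body.length >> 8) & 0xff, body.length & 0xff, ...body];
  return Uint8Array.from([0x16, 0x03, 0x01, hs.length >> 8, hs.length & 0xff, ...hs]);
}
```

`parseClientHello(buildClientHello('example.com'))` reports the SNI, three suites starting with 0x1301 and a supported_versions list headed by 0x0304, so `describeClientHello` labels it TLS 1.3 even though the record and legacy_version fields say 1.0 and 1.2. With `{ ech: true }` the same hostname is still extracted, but the ECH flag tells the reader it is a public name. Cipher-suite, extension and version lists in their offered order are also the raw material for a JA3-style fingerprint, which is why a triage parser keeps them rather than only the hostname.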

DNS query auditing

Audit which domains a network is resolving — useful for malware investigation, ad-blocker tuning, or general curiosity.

Bandwidth / talker analysis

Identify which IPs are using the most bandwidth in a capture for capacity planning or noisy-neighbor diagnosis.

Sharing captures securely

Analyze a sensitive capture (corporate, customer data) without uploading to any cloud service. Browser-only stays browser-only.

IoT device profiling

Capture from an IoT device on your network and see exactly which servers it phones home to, on which ports, with which protocols.

Education and training

Network security students and CTF players can analyze sample captures interactively without setting up Wireshark.
