Network forensics workspace
Private by design | PCAP · Zscaler · Palo Alto · Suricata · Syslog | Evidence filters | MITRE + AI summary | PDF · CSV · STIX export

Turn packet captures into a clean incident report.

Upload a PCAP, HAR, firewall export, or security log and get a structured dashboard with TCP health, TLS, DNS, HTTP, endpoint traffic, top findings, analyst filters, and a print-ready brief. Files up to 50 MB are parsed in-memory and are not stored on disk.

Parse: Packets, flows, TLS, DNS, HTTP
Prioritize: Severity, evidence, Wireshark filters
Explain: AI summary grounded in parsed data
Report: PDF, CSV, JSON, STIX exports

Upload evidence for analysis

Drop a file here or click to browse. The fast parser handles PCAP, PCAPNG, and HAR; vendor logs are routed to the universal analyzer when supported.

50 MB limit · In-memory parse · No raw capture stored

Packets: PCAP · PCAPNG · HAR
Firewall: Palo Alto · Fortinet · ASA
Proxy: Zscaler ZIA · Syslog
Detection: Suricata · Audit logs

AI summary · Llama 3.1 70B

Click Generate AI summary for a one-paragraph engineer-level read on this capture. Or ask a focused question below.

Linux / Mac (tcpdump)

sudo tcpdump -i any -w mycap.pcap -s 0 \
  'port 443 or port 53 or host 10.0.0.5'

Stop with Ctrl-C. -s 0 captures the full packet (not just the first 96 bytes). Always filter to reduce file size.

Windows (Wireshark)

1. Open Wireshark
2. Pick your active interface (Ethernet / Wi-Fi)
3. Filter: ip.addr == 10.0.0.5
4. Hit Stop after the issue reproduces
5. File → Save As → .pcapng

tshark (headless)

tshark -i 1 -w mycap.pcapng -F pcapng \
  -f "host x.x.x.x and (port 443 or port 53)"
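A pre-upload check for captures produced by the commands above, as an added example that is not part of the original page or the tool's own code: it confirms the file fits the 50 MB limit, identifies pcap vs pcapng by magic number, and counts packets cut short by a small snaplen (what -s 0 avoids). The function names and the sample bytes are constructed for illustration; pcapng files are only identified, not parsed.

```python
import struct

MAX_UPLOAD = 50 * 1024 * 1024  # the page's 50 MB upload limit
PCAP_MAGICS = {  # classic pcap magic bytes -> struct byte-order prefix
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond stamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond stamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type

def check_capture(data: bytes) -> dict:
    """Inspect capture bytes before upload: format, size, snaplen truncation."""
    report = {"format": "unknown", "size_ok": len(data) <= MAX_UPLOAD,
              "snaplen": None, "packets": 0, "truncated": 0, "complete": True}
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        report["format"] = "pcapng"   # identified only; blocks are not parsed here
        return report
    order = PCAP_MAGICS.get(magic)
    if order is None or len(data) < 24:
        return report
    report["format"] = "pcap"
    # Global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    report["snaplen"] = struct.unpack(order + "I", data[16:20])[0]
    off = 24
    while off < len(data):
        if off + 16 > len(data):          # record header cut off mid-file
            report["complete"] = False
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):   # packet bytes cut off mid-file
            report["complete"] = False
            break
        report["packets"] += 1
        if incl_len < orig_len:           # stored fewer bytes than were on the wire
            report["truncated"] += 1
        off += 16 + incl_len
    return report

def build_sample() -> bytes:
    """Constructed two-record pcap: one full packet, one cut to 96 bytes."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    full = struct.pack("<IIII", 1, 0, 60, 60) + b"\x00" * 60
    cut = struct.pack("<IIII", 2, 0, 96, 1514) + b"\x00" * 96
    return hdr + full + cut

if __name__ == "__main__":
    print(check_capture(build_sample()))
```

A non-zero truncated count means payload bytes are missing from the file, so re-capture with -s 0 if the analysis depends on full packets.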

Privacy advice

  • Capture stays in your browser/CF Worker — never written to disk on our side.
  • Share links last 24 h and contain only the parsed JSON, not the raw PCAP.
  • If you're worried about IPs in screenshots, mask before sharing.

Related investigation tools

Use these when the capture points to TLS, identity, mail, routing, or training follow-up work.

Live chat · Techclick

👋 Hi — I'm Techclick AI. Drop a PCAP and I can produce an RCA, runbook or audit grounded in what's actually in the capture. Public IPs and SNI hostnames are auto-checked against VirusTotal, AbuseIPDB, Shodan and GreyNoise.
