by ninedter
PCAP Hunter is an AI threat hunting workbench. It uses Zeek and Tshark to analyze PCAPs, enriched by OSINT. Features include a world map, JA3 forensics, and C2 detection. It generates multi-language security reports via local or cloud LLMs, prioritizing privacy and speed.
# Add to your Claude Code skills
git clone https://github.com/ninedter/pcap-hunterLast scanned: 5/30/2026
{
"issues": [],
"status": "PASSED",
"scannedAt": "2026-05-30T16:31:05.205Z",
"npmAuditRan": true,
"pipAuditRan": false
}pcap-hunter is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by ninedter. PCAP Hunter is an AI threat hunting workbench. It uses Zeek and Tshark to analyze PCAPs, enriched by OSINT. Features include a world map, JA3 forensics, and C2 detection. It generates multi-language security reports via local or cloud LLMs, prioritizing privacy and speed. It has 117 GitHub stars.
Yes. pcap-hunter passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/ninedter/pcap-hunter" and add it to your Claude Code skills directory (see the Installation section above).
pcap-hunter is primarily written in Python. It is open-source under ninedter on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh pcap-hunter against similar tools.
No comments yet. Be the first to share your thoughts!
PCAP Hunter is an AI-enhanced threat hunting workbench that bridges manual packet analysis and automated security monitoring. It empowers SOC analysts and threat hunters to rapidly ingest, analyze, and extract actionable intelligence from raw PCAP files.
By combining industry-standard network analysis tools (Zeek, Tshark, PyShark) with Large Language Models (LLMs) and OSINT APIs, PCAP Hunter automates the tedious parts of packet analysis — parsing, correlation, and enrichment — so analysts can focus on detection and response.
📖 User Manual (English) | 中文說明 (Traditional Chinese)
Drag-and-drop .pcap / .pcapng files or paste a container path. Multiple files
trigger batch mode with cross-file correlation, and a dismissable getting-started
panel walks first-time users through the workflow.

Every stage reports live progress with a skippable per-stage control. PyShark and Zeek run in parallel, then DNS, TLS, beaconing, and carving fan out concurrently — you always know what's running and how far it has to go.

The Dashboard surfaces the highest-signal findings first: overall risk level with a "Why this risk level?" explainability expander, a one-line severity color legend, alert count, beacon candidates (with progress-bar scores), YARA hits, and certificate issues. Sections that ran clean say so explicitly — no ambiguous blank panels. A global traffic map, protocol distribution, and UTC-labelled activity timeline put the capture in visual context.

A nine-section narrative — Executive Summary through Recommended Actions, plus an IOC Summary table and a Risk Matrix rendered as a real Markdown table — with confidence qualifiers and MITRE ATT&CK mapping. Generate locally via LM Studio (section-by-section) or in a single full-context call via OpenAI or Anthropic. Reports in 9 languages, including Traditional Chinese (zh-TW).

Prioritized IOC table with VirusTotal, AbuseIPDB, GreyNoise, Shodan, OTX, and VT Domain signals merged into one view. Provider-status pills report each provider honestly (OK / cached / rate-limited / key-rejected / no data), an explicit WHOIS lookup selectbox + button complements row-click dialogs, and IOC search offers a show-all-results toggle. Sub-tabs expose Domains, Detail Cards, Geo Map, Infrastructure ASN clustering, Export, Devices, and Notes.

Every underlying data source is available: the flow table (with explicit
First/Last Seen (UTC) timestamp columns), DNS and TLS analyses, NXDOMAIN
analysis, JA3/JA3S fingerprints, Zeek conn.log/dns.log/http.log/ssl.log,
carved HTTP payloads, and YARA scan results. Export any view as CSV or JSON with
CSV-injection protection.

Promote any capture and its findings into a case. Cases carry IOCs, severity, tags, investigation notes, status, and search — stored in a local SQLite database.

Create, revoke, and monitor API keys for the Integrations API. Each key has its own scope (full or feed-only), optional expiration, per-key rate limits, and a usage sparkline. Environment-variable keys are shown as read-only bootstrap entries.
An LLM Integration section with three providers (LM Studio, OpenAI, Anthropic), a YARA Rules section with a configurable rules directory, OSINT provider keys with a Test Providers live-check button, home location for the world map, binary paths, and pipeline thresholds — all in one place with per-section clear buttons. API keys are PBKDF2-encrypted at rest.

Pick the backend that fits your environment: LM Studio for local, air-gapped analysis (chunked per-section generation), or OpenAI / Anthropic for single-shot full-context cloud reports. Each provider keeps its own credentials and model picker.

anthropic SDK (claude-opus-4-8, claude-sonnet-4-6, claude-haiku-4-5), single-shot with streaming.1 − Π(1 − wᵢsᵢ) (Bayesian independence model) instead of linear summation, producing diminishing returns while allowing multiple weak signals to compound meaningfully.data/zeek|carved/<case>_<uuid8>/ so concurrent runs never clobber each other; stale run dirs are pruned automatically after 7 days.-c optimization — packet limit enforced at the tshark level for zero-waste I/O.conn.log, dns.log, http.log, ssl.log.