Visual Tour

1. Upload — load one or many PCAPs

Drag-and-drop a .pcap / .pcapng file (up to 200 MB each) or paste a container path. Multiple files trigger batch mode with cross-file correlation.

2. Progress — transparent 10-stage pipeline

Every stage of the analysis pipeline reports live progress with a skippable per-stage control. You always know what's running and how far it has to go.

3. Dashboard — at-a-glance threat summary

The Dashboard surfaces the highest-signal findings first: overall risk level, alert count, beacon candidates, YARA hits, and certificate issues. A global traffic map, protocol distribution, and activity timeline put the capture in visual context.

4. LLM Analysis — AI-generated threat report

An 8-section narrative (Executive Summary → Key Findings → Indicators & Evidence → OSINT Corroboration → Beaconing / C2 → DNS & TLS → Risk Assessment → Recommended Actions) with confidence qualifiers and MITRE ATT&CK mapping, generated locally via LM Studio or any OpenAI-compatible endpoint.

5. OSINT — multi-provider IOC enrichment

Prioritized IOC table with VirusTotal, AbuseIPDB, GreyNoise, Shodan, OTX, and VT Domain signals merged into one view. Sub-tabs expose Domains, Detail Cards, Geo Map, Infrastructure ASN clustering, Export, Devices, and Notes.

6. Raw Data — Zeek logs, flows, carved payloads, YARA matches

Every underlying data source is available: flow table, DNS and TLS analyses, NXDOMAIN analysis, JA3/JA3S fingerprints, Zeek conn.log/dns.log/http.log/ ssl.log, carved HTTP payloads, and YARA scan results. Export any view as CSV or JSON with CSV-injection protection.

7. Cases — persistent investigation tracking

Promote any capture and its findings into a case. Cases carry IOCs, severity, tags, investigation notes, status, and search — stored in a local SQLite database.

8. Config — centralized settings

LLM endpoint, API keys (PBKDF2-encrypted at rest), home location for the world map, OSINT provider toggles, binary paths, and pipeline thresholds — all in one place with per-section clear buttons.

Key Features

AI-Powered Threat Analysis

• Automated Reporting — Generates professional, SOC-ready threat reports with severity-calibrated assessments, false-positive awareness, and structured analysis workflow (Characterize → Identify → Assess → Recommend).
• Local & Cloud LLM Support
  • Local Privacy: Fully compatible with LM Studio (Llama 3, Mistral, etc.) for air-gapped or privacy-sensitive environments.
  • Cloud Power: Supports any OpenAI-compatible API endpoint for leveraging larger models.
• Multi-Language Reports — 9 languages with region-specific terminology: English, Traditional Chinese (Taiwan), Simplified Chinese, Japanese, Korean, Italian, Spanish, French, German.
• MITRE ATT&CK Mapping — Automated mapping of detected behaviors and IOCs to ATT&CK techniques and Kill Chain phases.
• Attack Narrative Synthesis — Translates raw events into a coherent, actionable security story.

IOC Priority Scoring

• Tiered Signal Architecture — Dynamically ranks indicators as Critical, High, Medium, or Low using a three-tier model:
  • Tier 1 (Definitive): OSINT confirmations (VirusTotal, GreyNoise malicious) — any single Tier 1 hit sets a score floor.
  • Tier 2 (Behavioral): C2 beaconing, flow asymmetry, DNS tunneling, DGA domains.
  • Tier 3 (Contextual): AbuseIPDB, self-signed certs, expired certs, YARA matches.
• Tier 3 signals alone never exceed "medium"; corroboration from multiple tiers is required for "high" or "critical".

Cross-Indicator Correlation Engine

• Independence-complement formula — Uses 1 − Π(1 − wᵢsᵢ) (Bayesian independence model) instead of linear summation, producing diminishing returns while allowing multiple weak signals to compound meaningfully.
• Strong-signal floors — A confirmed VirusTotal detection automatically sets a minimum score regardless of other factors.
• Aggregates signals across all analysis modules (OSINT, beaconing, DNS, TLS, YARA, flow analysis).
• Produces composite threat scores per indicator with verdict classification (critical / high / medium / low).

Flow Analysis & Exfiltration Detection

• Data Exfiltration Detection — Identifies suspicious outbound:inbound byte ratios per src/dst pair (default threshold: 10:1, minimum 1 MB).
• Port Anomaly Detection — Flags non-standard port usage, C2 common ports (4444, 5555, 6666, etc.), and high port pairs.

Multi-PCAP Batch Processing

• Multi-File Upload — Upload and analyze multiple PCAP files simultaneously.
• Cross-File Correlation — Detects shared IPs, domains, and JA3 fingerprints across files.
• Merged Dashboard — Aggregated results with per-file detail cards and batch summary.
• Resource Limits — Configurable limits: 1 GB per file, 50 files max, 5 GB total.

Parallel Pipeline Execution

• PyShark + Zeek in parallel — The two heaviest stages run concurrently via ThreadPoolExecutor.
• HTTP Carving in parallel with DNS/TLS/Beaconing analysis.
• Tshark -c optimization — Packet limit enforced at the tshark level for zero-waste I/O.

Deep Packet Inspection & Flow Analysis

• Multi-Engine Pipeline: PyShark for granular inspection, Tshark for high-speed statistics.
• Protocol Parsing: Automatically extracts metadata for HTTP, DNS, TLS/SSL, and SMB protocols.

Zeek Integration

• Automated Zeek execution on uploaded PCAPs — no manual CLI required.
• Parses and correlates core Zeek logs: conn.log, dns.log, http.log, ssl.log.

Advanced DNS & TLS Forensics

• DGA Detection — Shannon entropy-based Domain Generation Algorithm identification.
• DNS Tunneling — Detects high-volume / anomalous DNS payloads.
• Fast Flux Detection — Identifies domains resolving to rapidly changing IP addresses.
• JA3/JA3S Fingerprinting — Matches TLS fingerprints against 90+ known malware signatures (Cobalt Strike, Trickbot, Emotet, QakBot, etc.).
• Certificate Analysis — Validates certificate chains; detects self-signed and expired certificates.

C2 Beaconing Detection

• Statistical algorithm scoring flows based on:
  • Periodicity — Regularity of communication intervals (CV + entropy scoring).
  • Jitter — Modal interval analysis with ±20% tolerance for detecting randomized C2.
  • Volume — Packet count and payload size consistency.
• False-Positive Reduction — Multi-layered penalties to prevent benign traffic from triggering alerts:
  • Infrastructure allowlist (major public DNS resolvers)
  • Protocol awareness (ICMP, NTP, mDNS, SSDP, IGMP are inherently periodic)
  • Service port penalties (HTTPS, IMAPS, Apple Push, MQTT, SIP)
  • High-volume large-payload filtering (streaming/downloads vs. C2)

Payload Carving & YARA Scanning

• HTTP Payload Extraction via tshark with automatic SHA256 hashing.
• YARA Scanner — Scan carved files with custom/community YARA rules.
• Safe Storage — Quarantined directory with path traversal and symlink protection.

Interactive Dashboard & World Map

• Threat Summary Panel — At-a-glance risk level (Critical/High/Medium/Low) with corroboration-based escalation, alert count, beacon candidates, YARA hits, and certificate issues.
• World Map — Threat-level coloring, connectivity arcs with volume-based thickness, configurable home location.
• Cross-Filtering — Unified drill-down across Map, Protocol Pie Chart, and Flow Timeline.
• Persistent View Options — "Exclude Private IPs" toggle persists during interactive exploration.
• TopN Charts — Top IPs, Ports, Protocols, Domains with aggregated bar charts, metrics, and reverse DNS hostnames.
• Dashboard Detections — Beaconing candidates, YARA matches, and TLS certificate risks surfaced directly on the dashboard.
• Network Communication Graph — Force-directed graph with threat-colored nodes and equal-aspect-ratio rendering.

OSINT Enrichment

Integrates with leading threat intelligence providers:

• VirusTotal — File hash and IP/Domain reputation.
• AbuseIPDB — Crowdsourced IP abuse reports.
• GreyNoise — Internet background noise and scanner identification.
• OTX (AlienVault) — Open Threat Exchange pulses a