Free PCAP Analyzer Online

Drop a .pcap file and get a fast first-look analysis: protocol distribution, top talkers, conversation pairs, packet timing, and detection of common anomalies like SYN floods, port scans, and ARP spoofing. Files are processed entirely in your browser.

What this tool does: A first-look pcap analyzer for spotting anomalies and getting traffic summaries. It decodes Ethernet, IPv4, IPv6, ARP, TCP, UDP, and ICMP, and detects common issues like SYN floods, port scans, and ARP spoofing.
What it does NOT do: Full protocol dissection (HTTP, TLS, DNS payloads), TLS decryption, or file reconstruction. For deep analysis, use Wireshark on the original file. PCAPNG format is not supported (convert with editcap first).

Max 100 MB. File processed in your browser. Files over 25 MB may take 10-30 seconds.

Try this example

A user reports that their connection to a backend service keeps dropping. You captured 2 minutes of traffic with tcpdump and want to know what is happening before opening Wireshark.

Steps
  1. Upload the capture.pcap file.
  2. Check the anomalies section first. A "High TCP RST count" warning would point at a firewall or load balancer killing the connection.
  3. Look at top conversations to confirm the client and server are the heavy talkers.
  4. Filter the packet table by the server IP to see the exact RST packets and their timing.
Expected result
Detected anomalies:
  WARNING  TCP  High TCP RST count
    Source 10.0.5.42 sent 1,847 RST packets.
    Recommendation: Check load balancer idle timeout.
    Evidence: 1847 RST packets from 10.0.5.42

Top conversations:
  10.0.5.42 <-> 10.0.5.100   18,432 packets   12.4 MB
  10.0.5.42 <-> 8.8.8.8         142 packets    9.8 KB

How to Use

  1. Click the upload field and pick a .pcap, .cap, or .dmp file (up to 100 MB).
  2. Wait for parsing. Files larger than 25 MB may take 10 to 30 seconds.
  3. Review the detected anomalies first. Each card explains what was found and what to do about it.
  4. Use the protocol distribution, top talkers, and packet table to investigate further.
  5. Click Export JSON to save a summary report you can attach to a ticket.

FAQ

What link types are supported?

Ethernet (DLT 1), Linux cooked (DLT 113), and Raw IP (DLT 101). Other link types will load but packets will not be dissected. For 802.11, MPLS, or other specialty captures, use Wireshark.

Does it support PCAPNG?

No. PCAPNG uses a different block-based format that requires a separate parser. Convert your file first with Wireshark (File then Export Specified Packets, choose pcap format) or with editcap on the command line: editcap -F libpcap input.pcapng output.pcap

Can it decrypt TLS or read HTTP request bodies?

No. This tool stops at the TCP/UDP header level. For full payload analysis you need Wireshark with appropriate decryption keys.

How is this different from Wireshark?

Wireshark is a full protocol analyzer with hundreds of dissectors. This is a fast first-look tool that gives you summary statistics and flags common anomalies in seconds. Use it to triage a capture before opening Wireshark for deep investigation.

Is my capture file uploaded anywhere?

No. Everything runs in your browser using JavaScript. The file never leaves your machine. You can verify by opening the browser dev tools network tab while you upload.

What anomalies does it detect?

SYN floods (high SYN count with low ACK from one source), TCP RST storms, ARP spoofing (one IP claimed by multiple MACs), TCP port scans (one source touching many ports on one destination), and unusually high DNS query volumes to a single resolver.
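The FAQ answers on link types, PCAPNG and RST storms can be seen together in a small parser; this is an added example, not the tool's own code. It reads a classic pcap file, rejects PCAPNG, handles DLT 1, 113 and 101, and counts TCP RST packets per source. Assumptions: the names rstCounts, tcpFrame and samplePcap are hypothetical, only IPv4 is counted, VLAN tags are not handled, and the sample capture is constructed.

```javascript
// Added example (not the tool's code): per-source TCP RST counts from a classic pcap.
const LINK_HDR = { 1: 14, 113: 16, 101: 0 }; // DLT -> link-layer header bytes

function rstCounts(bytes) {
  if (bytes.length < 24) throw new Error("truncated pcap global header");
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const magic = dv.getUint32(0, false);
  if (magic === 0x0a0d0d0a) throw new Error("PCAPNG: convert with editcap first");
  // The magic is written in the capturing host's byte order (usec or nsec variant).
  const le = magic === 0xd4c3b2a1 || magic === 0x4d3cb2a1;
  if (!le && magic !== 0xa1b2c3d4 && magic !== 0xa1b23c4d) throw new Error("not a pcap file");
  const l2 = LINK_HDR[dv.getUint32(20, le)];
  const counts = new Map();
  if (l2 === undefined) return counts; // file loads, but this link type is not dissected
  for (let pos = 24; pos + 16 <= bytes.length; ) {
    const caplen = dv.getUint32(pos + 8, le); // captured length from the record header
    const pkt = pos + 16, end = pkt + caplen;
    if (end > bytes.length) break; // truncated final record
    pos = end;
    const ip = pkt + l2;
    if (ip + 20 > end) continue; // too short for an IPv4 header
    if (l2 > 0 && dv.getUint16(ip - 2, false) !== 0x0800) continue; // EtherType is not IPv4
    if (bytes[ip] >> 4 !== 4 || bytes[ip + 9] !== 6) continue; // not IPv4 carrying TCP
    const ihl = (bytes[ip] & 0x0f) * 4;
    if (ihl < 20 || dv.getUint16(ip + 6, false) & 0x1fff) continue; // malformed or later fragment
    const tcp = ip + ihl;
    if (tcp + 14 > end || !(bytes[tcp + 13] & 0x04)) continue; // RST flag not set
    const src = Array.from(bytes.subarray(ip + 12, ip + 16)).join(".");
    counts.set(src, (counts.get(src) || 0) + 1);
  }
  return counts;
}

// Constructed sample: little-endian Ethernet capture with three TCP segments.
function tcpFrame(src, flags) {
  const eth = [...Array(12).fill(0), 0x08, 0x00];
  const ip = [0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0, ...src, 10, 0, 5, 100];
  const tcp = [0xc0, 0x00, 0x01, 0xbb, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, flags, 0, 0, 0, 0, 0, 0];
  return [...eth, ...ip, ...tcp];
}
function samplePcap() {
  const frames = [tcpFrame([10, 0, 5, 42], 0x04), tcpFrame([10, 0, 5, 42], 0x14), tcpFrame([10, 0, 5, 100], 0x10)];
  const out = [0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0, 0, 1, 0, 0, 0];
  for (const f of frames) out.push(0, 0, 0, 0, 0, 0, 0, 0, f.length, 0, 0, 0, f.length, 0, 0, 0, ...f);
  return Uint8Array.from(out);
}
```

Calling rstCounts(samplePcap()) returns a Map with one entry, because both RST and RST+ACK segments count and the ACK-only segment does not.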
