PacketTotal is an engine for analyzing, categorizing, and sharing .pcap files. The tool was built with the InfoSec community in mind and has applications in malware analysis and network forensics.

PacketTotal is 100% public: any packet capture uploaded to the site becomes publicly available once analysis completes. Before uploading, make sure your pcaps contain no sensitive information, such as internal addresses, credentials, or proprietary data. If you are a first-time user, we recommend reading our upload guide.
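Because every upload is published, it is worth screening a capture locally before it leaves your machine. The following is an added example, not PacketTotal's own code or part of its upload guide: it walks a little-endian libpcap file, flags RFC 1918 source and destination addresses, and flags HTTP `Authorization` headers carried in TCP payloads. The sample capture it builds (the addresses, the `intranet.example` host, and the Basic credential) is constructed inline for the demonstration.

```python
"""Pre-upload screening for a pcap file.

Added example, not PacketTotal's own code. Flags RFC 1918 addresses and
plaintext HTTP credential headers so they can be scrubbed before a capture is
made public. Handles little-endian libpcap files carrying Ethernet/IPv4/TCP.
"""
import ipaddress
import re
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# HTTP headers that carry credentials; the second group captures the auth scheme.
AUTH_RE = re.compile(rb"^(Authorization|Proxy-Authorization):\s*(\w+)", re.I | re.M)


def build_sample_pcap() -> bytes:
    """Constructed sample: one frame with an HTTP request using Basic auth."""
    payload = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
               b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n")
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip_len = 20 + len(tcp) + len(payload)
    # IPv4 header: ver/IHL, TOS, total length, id, flags/frag, TTL, proto 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address("10.1.2.3").packed,
                     ipaddress.IPv4Address("203.0.113.9").packed)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    frame = eth + ip + tcp + payload
    # libpcap global header (magic, 2.4, tz, sigfigs, snaplen, linktype 1 = Ethernet)
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 1521000000, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def iter_frames(pcap: bytes):
    """Yield each captured frame from a little-endian libpcap file."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def screen_pcap(pcap: bytes) -> dict:
    """Return private addresses and credential headers found in the capture."""
    findings = {"private_ips": set(), "credentials": []}
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        for raw in (frame[26:30], frame[30:34]):
            addr = ipaddress.IPv4Address(raw)
            if any(addr in net for net in RFC1918):
                findings["private_ips"].add(str(addr))
        if frame[23] != 6:
            continue  # not TCP, so no HTTP headers to inspect
        tcp_off = 14 + ihl
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:]
        for m in AUTH_RE.finditer(payload):
            # Report the header and scheme only; never echo the secret itself.
            findings["credentials"].append(f"{m.group(1).decode()} ({m.group(2).decode()})")
    return findings


if __name__ == "__main__":
    print(screen_pcap(build_sample_pcap()))
```

A non-empty result means the capture needs rewriting (for example with `tcprewrite` to remap addresses) or the offending sessions removed before upload; the screen is deliberately conservative and only covers Ethernet/IPv4/TCP, so treat a clean result as necessary, not sufficient.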


PacketTotal uses multiple detection engines to locate suspicious traffic, enumerate protocol information, and extract artifacts found within pcap files. Foremost among these are Bro (now Zeek) and the Suricata IDS.


Our engine combines Bro's protocol analysis with Suricata's signature-based detection to generate insights into a packet capture that go beyond what traditional pcap analysis tools offer. Additionally, our engine enriches high-fidelity indicators of compromise with intelligence gleaned from trusted online sources. If you would like to know more about the capabilities of the tool or the technologies it relies on, see our documentation.
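The combination described above, Bro/Zeek's per-connection protocol logs joined with Suricata's alerts, can be reproduced locally once both tools have been run over the same pcap. The following is an added example and not PacketTotal's engine: it parses a Zeek `conn.log` (tab-separated with a `#fields` header) and a Suricata `eve.json` alert stream, and joins them on a direction-insensitive 5-tuple so that each connection carries both the service Zeek identified and the signatures Suricata raised. The sample log lines, connection uids, addresses and signature names are constructed for the demonstration.

```python
"""Joining Bro/Zeek protocol logs with Suricata alerts per connection.

Added example, not PacketTotal's engine. Correlates Zeek's conn.log with
Suricata's eve.json alerts on the 5-tuple, so each connection carries both the
protocol Zeek saw and the signatures Suricata fired.
"""
import json
from collections import defaultdict

# Constructed sample logs for two connections; uids, IPs and signatures are invented.
ZEEK_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval
1521000000.123\tCXy1Af3abc\t10.1.2.3\t51234\t203.0.113.9\t80\ttcp\thttp\t0.512
1521000001.456\tCmQ5d2xyz1\t10.1.2.3\t51235\t203.0.113.10\t443\ttcp\tssl\t1.200
#close\t2018-03-14-04-00-05
"""

SURICATA_EVE = "\n".join(json.dumps(e) for e in [
    {"event_type": "alert", "src_ip": "10.1.2.3", "src_port": 51234,
     "dest_ip": "203.0.113.9", "dest_port": 80, "proto": "TCP",
     "alert": {"signature_id": 9000001, "signature": "SAMPLE Suspicious admin path request", "severity": 2}},
    # Same connection, but the alert fired on the response direction.
    {"event_type": "alert", "src_ip": "203.0.113.9", "src_port": 80,
     "dest_ip": "10.1.2.3", "dest_port": 51234, "proto": "TCP",
     "alert": {"signature_id": 9000002, "signature": "SAMPLE Executable served over HTTP", "severity": 1}},
    # eve.json also carries non-alert records (flow, dns, ...) which must be skipped.
    {"event_type": "flow", "src_ip": "10.1.2.3", "src_port": 51235,
     "dest_ip": "203.0.113.10", "dest_port": 443, "proto": "TCP"},
])


def parse_zeek_tsv(text: str) -> list:
    """Parse a Zeek TSV log into dicts keyed by the names in its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other metadata lines (#separator, #types, #close) and blanks
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def parse_eve_alerts(text: str) -> list:
    """Return only the alert records from a newline-delimited eve.json stream."""
    events = (json.loads(line) for line in text.splitlines() if line.strip())
    return [ev for ev in events if ev.get("event_type") == "alert"]


def flow_key(ip_a, port_a, ip_b, port_b, proto) -> tuple:
    """Direction-insensitive 5-tuple: the two endpoints sorted, plus the protocol."""
    ends = sorted([(ip_a, str(port_a)), (ip_b, str(port_b))])
    return (ends[0], ends[1], proto.lower())


def correlate(conn_text: str, eve_text: str) -> dict:
    """Map each Zeek connection uid to its service, duration and Suricata signatures."""
    alerts_by_key = defaultdict(list)
    for a in parse_eve_alerts(eve_text):
        key = flow_key(a["src_ip"], a["src_port"], a["dest_ip"], a["dest_port"], a["proto"])
        alerts_by_key[key].append(a["alert"]["signature"])
    result = {}
    for c in parse_zeek_tsv(conn_text):
        key = flow_key(c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"], c["proto"])
        result[c["uid"]] = {
            "service": c["service"],
            "duration": None if c["duration"] == "-" else float(c["duration"]),
            "alerts": alerts_by_key.get(key, []),
        }
    return result


if __name__ == "__main__":
    for uid, info in correlate(ZEEK_CONN_LOG, SURICATA_EVE).items():
        print(uid, info)
```

Joining on the 5-tuple rather than on timestamps avoids clock-skew problems between the two tools, and sorting the endpoints is what lets an alert raised on the server's reply land on the same connection as the client's request. On real captures, prefer Community ID (supported by both Zeek and Suricata) as the join key where it is enabled, since it already normalises direction.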


Analyze

The console view provides a simple interface for exploring pcap files. Pivot between protocols, download extracted artifacts, and gain insight into malicious traffic found within the capture. Use the Similar Packet Captures tab to find other pcaps that share indicators with yours.


See Console view for a packet capture

Visualize

Automatically generated graphs give immediate insight into your traffic. Quickly visualize connection information, identify top talkers, and home in on anomalous activity. Drill down into the filtered transactions simply by clicking any point on the graph.


See Graph view for a packet capture

Chronologize

The timeline view orders connections chronologically, showing each session's start, end, and duration. Follow the activity in your pcap in sequence, and click any connection to view the key attributes of that session.


See Timeline view for a packet capture