Frequently Asked Questions

What information am I sharing when I upload a packet-capture?

Everything within the packet-capture, including the file itself, is stored on the backend. Your public IP address is also recorded at the time of upload for analytics and security purposes. Please be sure to read the privacy policy before submitting your first packet-capture.

How long does analysis take?

Analysis takes around 15 seconds per packet-capture. I implement a queue-based, distributed processing model, meaning the actual time depends on the number of captures queued ahead of yours. On average, packet-captures take 2-3 minutes to be queued and analyzed under high load.

What does PacketTotal offer that a traditional packet-capture tool does not?

PacketTotal presents information at a higher level than tools such as Wireshark. When I built this tool I was less concerned about duplicating the functionality of those tools and more about automating the extraction of information that would be useful to security analysts and researchers. On top of extracting information that helps you quickly understand the scope of a security incident or how a particular piece of malware communicates, PacketTotal:

  • Extracts artifacts found inside the packet-capture and makes them available for download
  • Reconstructs a timeline of TCP, UDP, and ICMP connections within the capture
  • Provides drill-down analytics that can aid in understanding the behavior of traffic found within the capture

Why am I getting error messages when uploading a packet-capture?

Currently, uploads are limited to 50MB per packet-capture; anything larger gives the processing nodes trouble analyzing the capture in a reasonable amount of time. I also use server-side content inspection of packet-captures to validate that they can be processed by the processing nodes. Some .pcapng files fall outside these criteria. If you receive an error, simply re-open the packet-capture in a tool like Wireshark and save it as a standard .pcap file.

What technologies does the tool use to perform the analysis?

Quite a few. The engine is written entirely in Python and relies on a custom templating engine for page rendering. At the heart of the tool I use three amazing open-source technologies to facilitate analysis, retention, and searching.

  • Bro (since renamed Zeek) is used to identify the various protocols and extract the artifacts found within the capture.
  • Suricata is used for signature-based identification of known malicious traffic within the capture.
  • Elasticsearch is used for indexing packet-capture metadata and making it available for later search and rendering.

I want to analyze a packet-capture containing sensitive information without making it publicly available. What can I do?

This is a very legitimate use case; however, one of the primary goals of this project was to allow open intel sharing of malicious packet-captures across the InfoSec community. I am working on a private API which I plan on making available in mid-2017. For the time being, simply use one of the numerous .pcap editing tools to redact any information you do not want shared prior to upload. Bear in mind that redaction has to cover payloads as well as addresses: artifacts are extracted from the capture and offered for download, so hostnames, credentials or file contents left in the packet data will be exposed.
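
As an added example (not PacketTotal's own code), the script below covers both the upload-error checks from the earlier answer and the pre-upload redaction described here: it classifies a file as classic pcap or pcapng, walks the record headers and applies the size limit, and rewrites the IPv4 addresses of an Ethernet capture to consistent 10.0.0.N pseudonyms, recomputing the IPv4 header and TCP/UDP checksums so tools that validate checksums do not discard or flag the rewritten packets. Assumptions not stated on the page: the 50MB limit is measured on the raw file size, "standard .pcap" means the classic libpcap format (either byte order, microsecond or nanosecond timestamps), the capture uses Ethernet (link type 1) framing, and there are fewer than 255 distinct addresses. The sample captures are constructed in-line; 203.0.113.0/24 is a documentation range, not real traffic.

```python
import struct

MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # assumed: the 50MB limit applies to the raw file size
PCAP_MAGICS = {  # classic pcap magics (microsecond and nanosecond) -> struct byte-order prefix
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type: not a "standard .pcap"

def walk_records(data, endian):
    """Yield (record_offset, packet_bytes) per pcap record; raise ValueError on a bad header."""
    snaplen, off = struct.unpack(endian + "I", data[16:20])[0], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError(f"truncated record header at offset {off}")
        incl_len, orig_len = struct.unpack(endian + "II", data[off + 8:off + 16])
        if incl_len > snaplen or incl_len > orig_len or off + 16 + incl_len > len(data):
            raise ValueError(f"corrupt record header at offset {off}")
        yield off, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def inspect_capture(data, limit=MAX_UPLOAD_BYTES):
    """Classify a file and say whether it is likely to upload and process cleanly."""
    info = {"format": "unknown", "ok": False, "reason": "unrecognised file header"}
    if data[:4] == PCAPNG_MAGIC:
        info.update(format="pcapng", reason="pcapng: re-save as a classic .pcap first")
    elif data[:4] in PCAP_MAGICS and len(data) >= 24:
        endian = PCAP_MAGICS[data[:4]]
        info.update(format="pcap", endian=endian,
                    linktype=struct.unpack(endian + "I", data[20:24])[0])
        try:
            if len(data) > limit:
                raise ValueError("larger than the upload limit; trim or split the capture")
            info.update(packets=sum(1 for _ in walk_records(data, endian)), ok=True, reason="ok")
        except ValueError as exc:
            info["reason"] = str(exc)
    return info

def checksum(buf):
    """RFC 1071 one's-complement checksum; returns 0 over data that already carries a valid one."""
    buf = bytes(buf) + (b"\x00" if len(buf) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_headers(data, endian):
    """Yield (ip_offset, ihl, proto, ip_end) for every intact Ethernet/IPv4 frame (link type 1)."""
    for off, pkt in walk_records(data, endian):
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue
        ip0, ihl, total_len = off + 30, (pkt[14] & 0x0F) * 4, struct.unpack("!H", pkt[16:18])[0]
        if 20 <= ihl <= total_len <= len(pkt) - 14:  # skip malformed or truncated packets
            yield ip0, ihl, pkt[23], ip0 + total_len

def transport_pseudo(buf, ip0, ihl, proto, ip_end):
    """Pseudo-header + segment that a TCP/UDP checksum covers, or None for other protocols."""
    if proto not in (6, 17):
        return None
    seg = bytes(buf[ip0 + ihl:ip_end])
    return bytes(buf[ip0 + 12:ip0 + 20]) + struct.pack("!BBH", 0, proto, len(seg)) + seg

def redact_ipv4(data, endian):
    """Copy of the capture with each IPv4 address replaced by a consistent 10.0.0.N pseudonym."""
    out, mapping = bytearray(data), {}
    for ip0, ihl, proto, ip_end in ipv4_headers(data, endian):
        for field in (ip0 + 12, ip0 + 16):  # source, then destination address
            addr = bytes(out[field:field + 4])
            mapping.setdefault(addr, bytes([10, 0, 0, len(mapping) + 1]))  # assumes < 255 hosts
            out[field:field + 4] = mapping[addr]
        out[ip0 + 10:ip0 + 12] = b"\x00\x00"  # header checksum no longer matches: recompute it
        out[ip0 + 10:ip0 + 12] = struct.pack("!H", checksum(out[ip0:ip0 + ihl]))
        if proto in (6, 17):  # TCP/UDP checksums cover the addresses via the pseudo-header
            ck = ip0 + ihl + (16 if proto == 6 else 6)
            out[ck:ck + 2] = b"\x00\x00"
            value = checksum(transport_pseudo(out, ip0, ihl, proto, ip_end)) or 0xFFFF
            out[ck:ck + 2] = struct.pack("!H", value)
    return bytes(out), {".".join(map(str, k)): ".".join(map(str, v)) for k, v in mapping.items()}

def build_udp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame with valid checksums (sample data, not real traffic)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    udp = udp[:6] + struct.pack("!H", checksum(pseudo + udp) or 0xFFFF) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb") + b"\x08\x00" + ip + udp

def build_pcap(frames, endian="<", linktype=1):
    """Constructed classic pcap (microsecond timestamps, snaplen 65535) around the given frames."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", 1_500_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([  # constructed DNS-style exchange; 203.0.113.0/24 is a documentation range
    build_udp_frame(bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]), 51234, 53, b"dns?"),
    build_udp_frame(bytes([203, 0, 113, 5]), bytes([192, 168, 1, 10]), 53, 51234, b"dns!"),
])
SAMPLE_PCAPNG = PCAPNG_MAGIC + struct.pack("<I4sHHqI", 28, b"\x4d\x3c\x2b\x1a", 1, 0, -1, 28)
```

Run `inspect_capture(open(path, "rb").read())` before uploading: a pcapng or oversized file is reported with the same remedy the FAQ gives, and a capture whose record headers do not add up is caught locally rather than by the server-side content inspection. `redact_ipv4` returns the rewritten bytes plus the real-to-pseudonym table, which you keep privately to relate the public analysis back to your hosts; the rewritten capture still passes `inspect_capture`. Payloads are deliberately left untouched, so anything sensitive inside the packet data needs separate treatment.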

I found a bug or security vulnerability! How should I report it?

This software has been put through tens of thousands of automated tests; however, it is entirely possible something was missed. If you find a bug, please report it to