Free Tool

PCAP Upload Analyzer

Upload a PCAP or PCAPNG capture file for instant client-side DDoS analysis. Your file never leaves your browser: all parsing and classification happens locally.

Drag & drop your .pcap or .pcapng file here

or click to browse: max 150 MB, parsed entirely in your browser


    How the PCAP Analyzer Works

    This tool reads raw PCAP and PCAPNG binary files directly in your browser using JavaScript's FileReader and DataView APIs. Your capture file is never uploaded to any server: all parsing and analysis is performed client-side in real time.

    The analyzer extracts and inspects:

    • Ethernet headers: Source and destination MAC addresses, EtherType for protocol identification.
    • IPv4 headers: Source/destination IPs, protocol number, TTL, total length, and fragmentation flags.
    • TCP headers: Port numbers and flag analysis (SYN, ACK, RST, FIN, PSH) to detect connection-state attacks.
    • UDP headers: Port numbers and payload sizes to identify amplification and volumetric floods.
    • ICMP headers: Type and code fields to detect ICMP-based floods and unreachable floods.

    Attack Types Detected

    The classification engine uses traffic heuristics to identify common DDoS attack patterns:

    • SYN Flood: High ratio of SYN packets without corresponding ACKs, indicating a TCP handshake exhaustion attack.
    • UDP Flood: Large volumes of UDP traffic targeting specific ports, often with spoofed source addresses.
    • DNS Amplification: UDP port 53 traffic with large response payloads, typical of reflective amplification attacks.
    • NTP Amplification: UDP port 123 traffic exploiting monlist commands for bandwidth amplification.
    • ICMP Flood: Excessive ICMP Echo Requests or other ICMP types saturating network capacity.
    • TCP RST Flood: High volume of RST packets attempting to tear down legitimate connections.
    • Volumetric / Mixed: Multi-vector attacks combining multiple protocols and techniques.

    Supported Capture Formats

    The tool supports standard PCAP files (libpcap magic 0xa1b2c3d4 and byte-swapped 0xd4c3b2a1) as well as PCAPNG files (Section Header Block 0x0a0d0d0a with Enhanced Packet Blocks). Captures from tcpdump, Wireshark, tshark, and most network monitoring tools are compatible.
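The format detection and header extraction described above, as an added example that is not Flowtriq's own code: a minimal classic-PCAP reader that checks both magic byte orders, walks the packet records with DataView, and counts TCP flags. The names `parsePcap`, `looksLikeSynFlood` and `buildSample` and the 0.8 threshold are assumptions; PCAPNG, IPv6 and VLAN-tagged frames are not handled.

```javascript
// Added example (not Flowtriq's code): classic PCAP -> TCP flag counters.
function parsePcap(buf) {
  const dv = new DataView(buf);
  if (buf.byteLength < 24) throw new Error("too short for a PCAP global header");
  const magic = dv.getUint32(0, false);            // read the magic big-endian
  let le;
  if (magic === 0xa1b2c3d4) le = false;            // fields are big-endian
  else if (magic === 0xd4c3b2a1) le = true;        // byte-swapped: little-endian
  else throw new Error(magic === 0x0a0d0d0a ? "PCAPNG: not handled here" : "not PCAP");
  if (dv.getUint32(20, le) !== 1) throw new Error("only Ethernet link type handled");
  const s = { packets: 0, tcp: 0, syn: 0, ack: 0, rst: 0, truncated: false };
  let off = 24;                                    // first record follows the header
  while (off + 16 <= buf.byteLength) {
    const inclLen = dv.getUint32(off + 8, le);     // bytes actually captured
    const start = off + 16, end = start + inclLen;
    if (end > buf.byteLength) { s.truncated = true; break; } // cut-off last record
    off = end; s.packets++;
    if (inclLen < 34 || dv.getUint16(start + 12, false) !== 0x0800) continue; // not IPv4
    const ip = start + 14;
    const ihl = (dv.getUint8(ip) & 0x0f) * 4;      // IPv4 header length in bytes
    if (dv.getUint8(ip + 9) !== 6 || ihl < 20) continue;  // TCP only
    if (dv.getUint16(ip + 6, false) & 0x1fff) continue;   // later fragment: no TCP header
    if (ip + ihl + 14 > end) continue;             // snaplen cut before the flags byte
    const flags = dv.getUint8(ip + ihl + 13);
    s.tcp++;
    if (flags & 0x04) s.rst++;
    if (flags & 0x10) s.ack++;
    if ((flags & 0x12) === 0x02) s.syn++;          // SYN set, ACK clear
  }
  return s;
}
// Assumed heuristic and threshold, for illustration only.
const looksLikeSynFlood = (s, ratio = 0.8) => s.tcp > 0 && s.syn / s.tcp >= ratio;
// Constructed sample: little-endian capture, one minimal TCP packet per flags byte.
function buildSample(flagList) {
  const rec = 16 + 54;                             // record header + Eth/IPv4/TCP
  const dv = new DataView(new ArrayBuffer(24 + rec * flagList.length));
  dv.setUint32(0, 0xa1b2c3d4, true);               // on disk: d4 c3 b2 a1
  dv.setUint32(20, 1, true);                       // link type 1 = Ethernet
  flagList.forEach((f, i) => {
    const o = 24 + i * rec, pkt = o + 16;
    dv.setUint32(o + 8, 54, true);                 // incl_len
    dv.setUint16(pkt + 12, 0x0800, false);         // EtherType IPv4
    dv.setUint8(pkt + 14, 0x45);                   // version 4, IHL 5
    dv.setUint8(pkt + 23, 6);                      // protocol TCP
    dv.setUint8(pkt + 47, f);                      // TCP flags (14 + 20 + 13)
  });
  return dv.buffer;
}
```

A record whose declared captured length runs past the end of the file stops the walk and sets `truncated`, so a cut-off capture produces partial counts rather than an out-of-bounds read.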

    Go Beyond Packet Captures

    Flowtriq detects DDoS attacks in real time: 1-second detection, automatic classification, and instant alerting across all your nodes.
