Analyze PCAP online in minutes.
Free for sanitized captures. Private for incident, client, and internal traffic.
Upload .pcap or .pcapng and inspect HTTP, DNS, credentials, files, and host relationships in minutes. No signup for public analysis. Use private plans for internal, client, or incident data.
Upload sanitized captures to evaluate the product. For captures with credentials, internal hosts, or incident evidence, use a private plan or on-prem deployment. Need volume pricing? Talk to us →
Analysis Modes
Pick the mode that fits the capture
Use public analysis for sanitized PCAPs, private plans for sensitive data, and on-prem when captures cannot leave your environment.
Public analysis
Best for sanitized traces, product evaluation, labs, and quick checks where a public result page is acceptable.
- No signup required
- Upload and inspect results immediately
- 25 MB limit on free uploads
Private analysis
Use Packs or Workspace plans when the capture includes internal hosts, credentials, customer traffic, or active incident evidence.
- Results stay out of the public feed
- Built for SOC, DFIR, and consulting teams
- Good fit for recurring teams and one-off sensitive cases
On-prem deployment
For regulated, air-gapped, or isolated environments where packet captures and evidence cannot leave your infrastructure.
- Keep PCAP inside your boundary
- Support restricted networks and evidence handling
- Collect deployment requirements directly
What You Get
Get to the useful parts of a capture faster
The product is most valuable when it removes boring triage work: reconstructing sessions, finding credentials, extracting files, and mapping relationships between hosts.
Reconstruct HTTP Sessions
Inspect requests, responses, headers, forms, and transferred content without stepping through raw packets one by one.
Use this to review suspicious web traffic, rebuild client-server exchanges, and move from packet capture to analyst-readable evidence faster.
When you need to verify form submissions, web payloads, or transferred documents, the session view gives you a shorter path than raw Wireshark drilling.
Map Hosts and Services
See which hosts communicated, which services were exposed, and where to focus next during triage.
Classify nodes, review TCP and UDP communication patterns, and identify infrastructure roles from the capture itself.
Use passive fingerprints and protocol hints to spot DNS, DHCP, LDAP, and other service activity without building manual host inventories.
The graph view is useful when the question is not "what packet is this?" but "which systems were involved and how are they related?"
Review Wireless Artifacts
Extract SSIDs, probe requests, multicast patterns, and handshake artifacts from wireless captures.
Use the wireless view to separate infrastructure noise from useful evidence and identify what access points and client probes were present in the trace.
Detected WPA/WPA2 handshakes can be exported to .hccapx for offline recovery workflows with Hashcat.
Extract Files and Payloads
Pull images, documents, and transferred payload artifacts out of HTTP flows without rebuilding them manually.
Use quick previews to confirm whether the capture contains useful artifacts before you spend time on deeper manual analysis.
This is especially useful for phishing reviews, malware delivery checks, or any case where the question is "what actually moved over the wire?"
Find Credential Exposure
Scan the capture for plaintext credentials, auth material, and challenge-response artifacts across common protocols.
Useful for confirming whether a capture contains credential leakage worth escalating.
The analyzer also looks for challenge-based authentication artifacts that may matter during DFIR and credential exposure reviews.
- HTTP Basic/Digest
- SIP Digest & SMB
- NTLMv1/v2
- Kerberos & LDAP
- Postgres & MSSQL
- Telnet/FTP
Spot Triage-Worthy Events
Identify suspicious patterns such as scans, insecure credential use, and other anomalies that deserve analyst attention.
Event detection is useful when you want the product to highlight likely starting points instead of manually hunting through the full trace first.
For recurring team use, this becomes more valuable in private plans where sensitive captures and ongoing incident work should not sit in a public result feed.
Working with sensitive captures? See private plans → to keep results out of the public feed.
Frequently Asked Questions
The main questions are usually about privacy, public vs private analysis, and what the free mode is actually for.