Open Source · v1.1.0

Network Forensics, Automated

Point this tool at any pcap file and get severity-ranked findings with clear recommendations — in seconds. No more manually sifting through thousands of packets in Wireshark.

ai-packet-analyzer — security audit
$ ai-packet-analyzer capture.pcap --mode security
Parsing capture.pcap...
Loaded 15,482 packets (12.3 MB, 342.5s capture window)

╭──────────────────────────────────────────────────────────────╮
 [!!!] CRITICAL — Cleartext Credentials Detected
 6 credential(s) found in unencrypted traffic:
   FTP:    10.0.0.5  → 192.168.1.2  | USER admin / PASS ****
   HTTP:   10.0.0.10 → 192.168.1.80 | Basic Auth detected
   Telnet: 10.0.0.5  → 192.168.1.1  | login: root
╰──────────────────────────────────────────────────────────────╯
╭──────────────────────────────────────────────────────────────╮
 [!!] HIGH — Port Scan Detected
 10.0.0.99 scanned 25 ports on 192.168.1.50
 Open: 22 (SSH), 80 (HTTP), 443 (HTTPS), 3306 (MySQL)
╰──────────────────────────────────────────────────────────────╯
╭──────────────────────────────────────────────────────────────╮
 [!] MEDIUM — Sensitive Data in Cleartext
 SSN pattern (123-45-****) in HTTP POST to forms.local
 Credit card (4111****) in HTTP POST to shop.local
╰──────────────────────────────────────────────────────────────╯

Severity Summary:  CRITICAL: 2  HIGH: 4  MEDIUM: 1  LOW: 1
20+ heuristic checks · 7 LLM providers · 0 extra dependencies for LLM · 13+ credential patterns

Two Modes. One Tool.

Choose connectivity troubleshooting to diagnose network problems, or security audit to find vulnerabilities and exposed data.

TCP Failure Detection

Detects incomplete handshakes, elevated RST rates, retransmissions, and half-open connections that indicate connectivity problems.

DNS Analysis

Identifies NXDOMAIN failures, SERVFAIL errors, REFUSED responses, potential DNS tunneling, and unencrypted DNS traffic.

Credential Detection

Finds passwords, API keys, tokens, HTTP Basic Auth, and session cookies transmitted in cleartext using 13+ regex patterns.

Cleartext Protocol Flags

Flags HTTP, FTP, Telnet, SMTP, POP3, IMAP, LDAP, SNMP, and VNC traffic with migration recommendations to encrypted alternatives.

ARP Spoofing Detection

Identifies multiple MAC addresses claiming the same IP — a telltale sign of man-in-the-middle attacks on local networks.

Sensitive Data Scanning

Detects Social Security numbers, credit card numbers, email addresses, private keys, and certificates in packet payloads.


Architecture

Four Engines, One Pipeline

The tool chains four specialized modules: a Scapy-based packet parser extracts structured metadata from every packet, a heuristic AI engine runs 20+ checks to generate severity-ranked findings, an optional LLM analyzer adds deep contextual intelligence, and a Rich-powered renderer produces clean, color-coded terminal output.

  • Parses TCP, UDP, ICMP, ARP, DNS, HTTP, FTP, Telnet, SMTP
  • Severity levels: CRITICAL, HIGH, MEDIUM, LOW, INFO
  • Each finding includes actionable remediation steps
  • Supports .pcap and .pcapng file formats
  CLI: interactive menus, argument parsing, LLM config
  Packet Parser: Scapy engine, protocol dissection, stats extraction
      ▼ PacketStats
  AI Engine: 20+ heuristic checks, severity ranking, recommendations
      ▼ AnalysisReport
  Report Renderer: Rich terminal output, color-coded panels, tables
      ▼ optional
  LLM Analyzer: root cause analysis, attack chains, compliance, Q&A
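To make the parser-to-engine handoff concrete, here is an added example (not the project's code) of a miniature heuristic engine in the same shape: it takes per-packet metadata as plain dicts, as a Scapy-based parser would extract, runs an ARP spoofing check and a cleartext credential check, and returns findings ranked by severity. The dict keys, titles and recommendation text are my own assumptions.

```python
"""Illustrative heuristic engine modelled on the pipeline described above.
Not the project's code: it consumes plain dicts of per-packet metadata (the
kind a Scapy-based parser extracts) so it runs without Scapy or a capture."""
import re
from collections import defaultdict

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}
# Two of the pattern kinds a credential scanner needs: (title, severity, regex).
CRED_PATTERNS = [
    ("Cleartext Credentials", "CRITICAL", re.compile(r"^PASS (\S+)", re.M)),
    ("HTTP Basic Auth", "HIGH", re.compile(r"^Authorization: Basic (\S+)", re.M | re.I)),
]

def check_arp_spoofing(packets):
    """Flag any IP that more than one MAC claims in ARP replies."""
    macs_by_ip = defaultdict(set)
    for p in packets:
        if p["proto"] == "ARP" and p["op"] == "reply":
            macs_by_ip[p["sender_ip"]].add(p["sender_mac"])
    return [{"severity": "CRITICAL", "title": "ARP Spoofing",
             "detail": f"{ip} claimed by {len(macs)} MACs: {', '.join(sorted(macs))}",
             "recommendation": "Pin gateway ARP entries or enable dynamic ARP inspection."}
            for ip, macs in macs_by_ip.items() if len(macs) > 1]

def check_cleartext_credentials(packets):
    """Flag credentials in unencrypted payloads; the secret itself is never kept."""
    findings = []
    for p in packets:
        for title, severity, pattern in CRED_PATTERNS:
            if p.get("payload") and pattern.search(p["payload"]):
                findings.append({"severity": severity, "title": title,
                                 "detail": f"{p['src']} -> {p['dst']}:{p['dport']} (secret masked: ****)",
                                 "recommendation": "Move this service to an encrypted equivalent."})
    return findings

def analyze(packets):
    """Run every check and return the findings ordered from CRITICAL down to INFO."""
    findings = check_arp_spoofing(packets) + check_cleartext_credentials(packets)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])

# Constructed sample: a spoofed gateway, an FTP login and an HTTP request carrying Basic Auth.
SAMPLE = [
    {"proto": "ARP", "op": "reply", "sender_ip": "192.168.1.1", "sender_mac": "aa:aa:aa:aa:aa:01"},
    {"proto": "ARP", "op": "reply", "sender_ip": "192.168.1.1", "sender_mac": "bb:bb:bb:bb:bb:02"},
    {"proto": "TCP", "src": "10.0.0.5", "dst": "192.168.1.2", "dport": 21,
     "payload": "USER admin\r\nPASS hunter2\r\n"},
    {"proto": "TCP", "src": "10.0.0.10", "dst": "192.168.1.80", "dport": 80,
     "payload": "GET / HTTP/1.1\r\nAuthorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"},
]
```

Note that the findings carry where the credential was seen but never the captured secret, which is the property the renderer relies on when it prints `PASS ****`.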

What It Catches

Connectivity Troubleshooting

Check                      Severity
TCP Handshake Failures     CRITICAL
TCP Retransmissions        HIGH
TCP Reset Floods           HIGH
DNS NXDOMAIN/SERVFAIL      HIGH
ICMP Unreachable Messages  MEDIUM
Ping Loss Rate             MEDIUM
ARP Anomalies              HIGH
Traffic Black Holes        HIGH
One-Way Traffic            MEDIUM
Port Scan Patterns         INFO

Security Audit

Check                      Severity
Cleartext Credentials      CRITICAL
Telnet Usage               CRITICAL
ARP Spoofing               CRITICAL
Sensitive Data (SSN, CC)   HIGH
FTP / SMTP Cleartext       HIGH
DNS Tunneling              HIGH
HTTP Basic Auth            HIGH
Unencrypted HTTP Traffic   MEDIUM
Suspicious Ports (C2)      MEDIUM
Unencrypted DNS            LOW

Optional LLM Deep Analysis

Connect any LLM provider for root cause analysis, attack chain mapping, compliance impact assessment, and interactive follow-up Q&A. Zero extra dependencies needed — the provider layer uses only Python's built-in urllib.

OpenAI / ChatGPT · gpt-4o · API
  Full OpenAI API support. Set OPENAI_API_KEY or pass inline with --llm-api-key.

Anthropic / Claude · claude-sonnet-4-20250514 · API
  Native Anthropic Messages API. Uses x-api-key header authentication.

OpenRouter · anthropic/claude-sonnet-4 · API
  Access hundreds of models through a single API. Great for comparing model performance.

Ollama · llama3 · Free / Local
  Run analysis completely offline and free. Auto-detects Ollama on localhost:11434.

LM Studio · any loaded model · Free / Local
  Point to any local model running in LM Studio. Default port 1234.

llama.cpp / vLLM · any compatible model · Free / Local
  Supports any OpenAI-compatible endpoint. Specify --llm-base-url to connect.

LLM interactive Q&A session
$ ai-packet-analyzer capture.pcap --llm openai --interactive-llm
Running heuristic analysis... 8 findings
Sending to GPT-4o for deep analysis...

LLM Analysis:
The capture reveals an active compromise scenario. Host 10.0.0.5 is
authenticating to multiple services using cleartext credentials (FTP, Telnet,
HTTP Basic Auth), while 10.0.0.99 is conducting network reconnaissance via
SYN scanning. The combination suggests a post-exploitation lateral movement
phase...

Your question: Which host is most likely compromised?
Your question: What firewall rules would contain this?
Your question: quit

Privacy First

Your Packets Stay Private

The LLM never sees raw packet data. Only aggregated statistics, finding summaries, and metadata are sent. All actual packet payloads, IP addresses in raw form, and captured credentials stay on your machine.

  • No raw packet payloads sent to LLM
  • Works fully offline with local LLMs
  • 100% open source — audit the code yourself
  • MIT licensed, no telemetry, no tracking
  Your Machine: raw packets, payloads, credentials
      ▼ only stats + findings
  LLM Provider receives: packet counts, protocol distribution, severity-ranked findings, aggregated metadata
      ▼ analysis results
  Your Machine: root cause analysis, recommendations, compliance mapping
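As an added illustration of the boundary drawn above (my own example, not the project's code), the following builds the kind of context a provider would receive and includes a pre-send self-check that no raw IP, payload line or captured credential survives in it. The packet and finding dict layout, and the `host-N` pseudonyms, are assumptions for the example.

```python
"""Illustrative privacy layer for the flow described above. Not the project's
code: it shows the principle (counts, protocol mix and masked summaries go to
the provider; payloads, credentials and raw IPs stay local) on constructed data."""
import json
import re
from collections import Counter

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def build_llm_context(packets, findings):
    """Build the only structure that would be sent to a provider."""
    host_ids = {}

    def mask(text):
        # Replace each distinct IP with a stable pseudonym so the model can still
        # correlate hosts across findings without seeing the real address.
        return IPV4.sub(lambda m: host_ids.setdefault(m.group(0), f"host-{len(host_ids) + 1}"), text)

    return {
        "packet_count": len(packets),
        "protocols": dict(Counter(p["proto"] for p in packets)),
        # Only severity, title and a masked summary are copied; a finding's
        # 'credential' field and the packets' 'payload' are never read here.
        "findings": [{"severity": f["severity"], "title": f["title"], "summary": mask(f["detail"])}
                     for f in findings],
    }

def leaks_raw_data(context, packets, findings):
    """Pre-send self-check: does any raw IP, payload line or credential survive?"""
    text = json.dumps(context)
    secrets = {p["src"] for p in packets} | {p["dst"] for p in packets}
    secrets |= {line for p in packets for line in p["payload"].splitlines() if line}
    secrets |= {f["credential"] for f in findings if "credential" in f}
    return any(s in text for s in secrets)

# Constructed sample input, shaped like the metadata a parser and the checks would produce.
PACKETS = [
    {"proto": "FTP", "src": "10.0.0.5", "dst": "192.168.1.2", "payload": "USER admin\r\nPASS s3cret\r\n"},
    {"proto": "TCP", "src": "10.0.0.99", "dst": "192.168.1.50", "payload": ""},
    {"proto": "DNS", "src": "10.0.0.5", "dst": "192.168.1.1", "payload": ""},
]
FINDINGS = [
    {"severity": "CRITICAL", "title": "Cleartext Credentials",
     "detail": "FTP login from 10.0.0.5 to 192.168.1.2 as admin", "credential": "s3cret"},
    {"severity": "HIGH", "title": "Port Scan", "detail": "10.0.0.99 scanned 25 ports on 192.168.1.50"},
]
```

Running `leaks_raw_data` on every context before it leaves the machine is a cheap guard against a future check accidentally copying a payload into its summary text.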

Install in 30 Seconds

pip install (recommended)
# One-line install from GitHub
pip install git+https://github.com/jph4cks/ai-packet-analyzer.git

# Run it
ai-packet-analyzer capture.pcap
from source
git clone https://github.com/jph4cks/ai-packet-analyzer.git
cd ai-packet-analyzer
pip install -e .

# Run it
ai-packet-analyzer capture.pcap --mode security
with LLM integration
# OpenAI
export OPENAI_API_KEY="sk-your-key"
ai-packet-analyzer capture.pcap --llm openai --interactive-llm

# Local with Ollama (free, offline)
ollama pull llama3
ai-packet-analyzer capture.pcap --llm ollama

# Ask a specific question
ai-packet-analyzer capture.pcap --llm anthropic --llm-question "Any signs of data exfiltration?"

Ready to automate your packet analysis?

AI Packet Analyzer is free, open source, and works on Linux, macOS, and Windows. Star it on GitHub or start using it today.