TracePcap Documentation

TracePcap is a self-hosted PCAP analysis workbench for black-box network analysis — situations where you work from captured traffic alone, with no prior knowledge of the network. It derives device inventory, topology, session content, and behavioural patterns purely from observed packets, making it well-suited for network audits, incident response, penetration test reconnaissance, and research.

Designed for air-gapped and offline deployments — GeoIP lookups use a bundled offline database by default, with optional enrichment via ipinfo.io when internet access is available.

Getting Started

• Prerequisites
  • Software Requirements
  • Hardware Requirements
  • Operating System
• Installation
  • 1. Clone the Repository
  • 2. Configure Environment Variables
  • 3. Start the Application
  • 4. Verify the Stack is Running
  • 5. Open TracePcap
  • Next Steps
• Offline / Air-Gapped Deployment
  • Overview
  • Step 1 — Pull and Save Images (online machine)
  • Step 2 — Transfer Files to the Offline Machine
  • Step 3 — Load Images and Start the Stack (offline machine)
  • LLM Configuration for Offline Use

Features

• PCAP Upload & Management
  • Supported Formats
  • Upload Limit
  • Upload Options
  • Duplicate Detection
  • Processing Progress
  • Managing Uploads
• Network Visualization
  • How the Graph Is Constructed
  • Technology
  • Grouping Modes
  • Filter Panel
  • Layout Controls
  • Export
• Network Intelligence
  • Cluster Graph
  • Grouping Strategies
  • Color Modes
  • Cluster Side Panel
  • Filters
  • Country Map View
• Cross-PCAP Comparison
  • Starting a Comparison
  • The Comparison View
  • Export
  • Permanent Merge
• nDPI Security Analysis
  • What nDPI Provides
  • Misclassification Corrections
  • Viewing nDPI Results
  • Risk Flags
  • Enabling nDPI
  • Graceful Degradation
• Conversations
  • How Conversations Are Built
  • Protocol vs Application
  • Columns
  • Filtering
  • Sorting
  • Pagination
  • Conversation Detail Panel
  • Conversation Tracer
  • Session Reconstruction
  • Export Options
• Session Reconstruction
  • How It Works
  • Opening the Viewer
  • Payload Decompression
  • Stream Direction
  • Truncation Limits
  • STUN Decoder
  • Media Detection Panel
  • Limitations
• File Extraction
  • Enabling Extraction
  • Extraction Methods
  • MIME Detection
  • Size Limit
  • Viewing Extracted Files
  • Bulk Download
• Geolocation & Device Classification
  • Geolocation
  • Device Classification
• MAC Manufacturer Lookup
  • How MAC Addresses Are Captured
  • How the OUI Lookup Works
  • Where Vendor Names Appear
  • Limitations
• Timeline Analysis
  • How Timeline Data Is Derived
  • Chart Layout
  • Time Granularity
  • Protocol Breakdown
  • Interaction
• AI Filter Generator
  • Requirements
  • How to Use
  • Confidence Score
  • Privacy
• Story Mode
  • Requirements
  • How Story Generation Works
  • What Story Mode Produces
  • Privacy
• Custom Signature Rules
  • How It Works
  • Rule Format
  • Match Fields
  • Payload Matching
  • Device Type Override
  • Severity Colors
  • Examples
  • Network Labels
• PDF Report Export
  • Generating a Report
  • Report Sections
  • Network Diagrams in the Report
  • Compare View Report
• Network Monitor
  • Overview
  • Getting Started
  • Change Detection Signals
  • Severity Levels
  • Change Event Feed
  • Capture Timeline
  • Drift Panels
  • Baseline Definitions
  • Subnet Definitions
  • Node Role Annotation
  • External Events
  • Analyst Annotations
  • Network Insights
  • Network Diagram Overlay
  • Polling / Auto-Refresh
  • REST API Reference
• Streaming / Automated PCAP Upload
  • API Endpoints Used
  • Finding Your Network ID
  • Usage
  • Tips

Configuration

• Environment Variables
  • Upload Configuration
  • Nginx Configuration
  • LLM Configuration
  • Map Configuration
  • Database Configuration (internal)
  • MinIO Configuration (internal)
• LLM Setup
  • Supported Servers
  • Model Recommendations
  • Testing the Connection
• Signature Rule Authoring Guide
  • Rule Structure
  • Execution Semantics
  • Field Reference
  • Editing Rules at Runtime
  • Validating Rules

Operations

• Backup & Restore
  • Backing Up
  • Restoring
  • Export Options
• Logs & Monitoring
  • Viewing Logs
  • Log Levels
  • Health Checks
  • Restarting Services
  • Monitoring Disk Usage
• Production Hardening
  • Change Default Credentials
  • Add an Authentication Layer
  • Configure SSL/TLS
  • Adjust Upload Limits
  • Configure LLM Privacy
  • Restrict MinIO Console Access

Reference

• API Reference
• Sample Files