TracePcap Documentation
TracePcap is a self-hosted PCAP analysis workbench for black-box network analysis — situations where you work from captured traffic alone, with no prior knowledge of the network. It derives device inventory, topology, session content, and behavioural patterns purely from observed packets, making it well-suited for network audits, incident response, penetration test reconnaissance, and research.
Designed for air-gapped and offline deployments — GeoIP lookups use a bundled offline database by default, with optional enrichment via ipinfo.io when internet access is available.
Getting Started
Features
- PCAP Upload & Management
- Network Visualization
- Network Intelligence
- Cross-PCAP Comparison
- nDPI Security Analysis
- IDS Threat Detection (Suricata)
- Conversations
- Session Reconstruction
- File Extraction
- Geolocation & Device Classification
- MAC Manufacturer Lookup
- Timeline Analysis
- AI Filter Generator
- Story Mode
- Custom Signature Rules
- PDF Report Export
- Network Monitor
- Overview
- Getting Started
- Change Detection Signals
- Overlapping-network detection
- Device address conflict (one MAC, multiple IPs)
- Severity Levels
- Change Event Feed
- Capture Timeline
- Drift Panels
- Baseline Definitions
- Subnet Definitions
- Node Role Annotation
- External Events
- Analyst Annotations
- Network Insights
- Network Diagram Overlay
- Polling / Auto-Refresh
- REST API Reference
- Label Staleness Detection
- Streaming / Automated PCAP Upload
Configuration
Demo & Sample Data
Reference