Cross-PCAP Comparison

The Multi-Analysis feature lets you load two or more PCAP files into a single unified network topology diagram, so you can compare traffic patterns across captures side by side.

Starting a Comparison

  1. From the All Uploads file list, check the checkboxes on two or more fully-processed PCAP files.

  2. Click the Multi-Analysis (N) button that appears in the header.

  3. A modal appears with two options:

    • View Together — navigates to /compare?files=id1,id2,... and renders the merged topology immediately. The original files are unchanged.

    • Merge & Analyze — permanently merges the selected PCAPs into a new single file (named automatically or as you specify), runs the full analysis pipeline on the merged file, and navigates to its analysis page.

The Comparison View

The comparison view is a React Flow graph identical to the single-file Network Diagram, with the following additions:

Source-aware rendering

Each node and edge carries a sources list recording which uploaded files contributed it:

  • Solid border / solid edge — present in the primary (first selected) file.

  • Dashed border / dashed edge — present only in a secondary file.

  • Thick edge (2.5 px) — present in two or more files simultaneously.

  • A bi-layers badge appears on nodes that exist in multiple captures.

File toggle pills

A row of color-coded pills (one per file, labelled by filename) appears above the graph. Clicking a pill hides all nodes and edges that are exclusive to that file, letting you isolate traffic from a single capture.

Filters and layout

All filters available in the single-file Network Diagram (protocol, IP, port, risk, device type, grouping, layout algorithm) work identically in the comparison view. Filters apply to the merged dataset.

Node merging logic

Nodes are matched across files by IP address. If the same IP appears in two files with different MAC addresses (e.g. DHCP lease reuse), the backend keeps them as separate nodes rather than incorrectly merging them.

Export

The Export PDF button in the comparison view captures the merged topology and includes it in the PDF report alongside any other active analysis sections.

Permanent Merge

Choosing Merge & Analyze calls POST /api/files/merge, which:

  1. Downloads all selected PCAP files from MinIO.

  2. Concatenates them with mergecap.

  3. Uploads the result as a new file and triggers the standard analysis pipeline (tshark parsing, nDPI, geolocation, file extraction).

The merged file appears as a regular entry in the file list and can be analyzed, compared, or deleted independently of the originals.