
Introduction:
Network analysis has traditionally been a domain reserved for seasoned professionals armed with deep protocol knowledge, years of experience, and extensive documentation. But what happens when you’re handed a PCAP file with no network diagram, no documentation, and a simple “figure it out”? TracePcap emerges as the answer — a self-hosted, AI-powered PCAP analysis workbench that transforms raw packet captures into complete network topology maps, device inventories, and actionable intelligence without requiring any prior knowledge of the target environment.
Learning Objectives:
- Understand how to deploy and configure TracePcap as a self-hosted network analysis workbench using Docker and local LLM integration
- Master the art of extracting complete network topology, device classifications, and communication patterns from raw PCAP files
- Learn to leverage AI-powered narrative generation and natural language filter creation for accelerated threat hunting and incident response
You Should Know:
1. Deploying TracePcap: From Zero to Network Map in Minutes
TracePcap is built as a containerized application that integrates PostgreSQL for data persistence, MinIO for object storage, and a modular backend that orchestrates packet analysis through industry-standard tools. The deployment process is streamlined for security professionals who need rapid analysis capabilities without complex setup procedures.
Step-by-step deployment guide:
Step 1: Clone the repository and configure environment variables
git clone https://github.com/NotYuSheng/TracePcap.git
cd TracePcap
cp .env.example .env
Step 2: Configure your `.env` file for your environment
# Upload configuration (512MB default)
MAX_UPLOAD_SIZE_BYTES=536870912
# Nginx port configuration (change if port 80 is already in use)
NGINX_PORT=80
# LLM configuration (local LLM server; LM Studio default shown)
LLM_API_BASE_URL=http://localhost:1234/v1
LLM_API_KEY=
LLM_MODEL=Qwen2.5-14B-Coder-Instruct
LLM_TEMPERATURE=0.7
LLM_MAX_TOKENS=2000
Step 3: Launch the application stack
docker compose up -d
Step 4: Access the web interface
Open `http://localhost:80` in your browser.
System Requirements:
- RAM: 4GB minimum, 8GB+ recommended
- Storage: 10GB for database, PCAP files, and object storage
- Docker & Docker Compose: Latest versions
- LLM Server: Any OpenAI-compatible API (LM Studio, Ollama, or OpenAI)
For Windows users, ensure Docker Desktop is installed with WSL2 backend enabled. The application runs identically across all platforms thanks to containerization.
2. PCAP Ingestion and Deep Packet Inspection with nDPI
Once deployed, TracePcap leverages nDPI v5 — the open-source deep packet inspection library — to perform application identification, traffic categorization, and risk flagging on every packet. This goes far beyond simple port-based classification, enabling accurate identification of applications even when they run on non-standard ports.
Supported protocol detection includes:
- Application-layer: TLS, HTTP, DNS, QUIC
- Layer 2: ARP, STP, LLDP, CDP
- Transport: TCP, UDP, ICMP
Upload and analyze a PCAP file:
1. Navigate to the upload interface
2. Drag and drop a PCAP/PCAPNG file (max 512MB)
3. Optionally enable nDPI analysis and file extraction
4. Monitor the asynchronous processing progress
5. Review detected applications, protocols, risk alerts, and custom signature matches
Command-line packet capture alternatives (for reference):
On Linux/macOS:
# Capture live traffic to a PCAP file
sudo tcpdump -i eth0 -w capture.pcap -s 0
# Capture with a specific filter
sudo tcpdump -i eth0 port 443 -w https_traffic.pcap -s 0
# Read and display PCAP contents
tshark -r capture.pcap -Y "http" -T fields -e ip.src -e ip.dst -e http.request.uri
On Windows (using pktmon):
# Start packet capture
pktmon start --capture --pkt-size 0 --file-name capture.etl
# Stop capture
pktmon stop
# Convert to PCAPNG format
pktmon pcapng capture.etl
Windows 10 20H2 and later support native PCAPNG conversion via pktmon.
3. Network Topology Visualization and Device Classification
One of TracePcap’s most powerful features is its ability to automatically infer network topology from observed traffic patterns. Using React Flow with ELK layout, the tool generates an interactive network diagram that visualizes every discovered device and its communication relationships.
Device classification happens automatically through:
- Traffic behaviour analysis (what protocols a device speaks, when, and to whom)
- MAC manufacturer lookup via Wireshark OUI database integration
- Geolocation and ASN enrichment for external IPs
Device types inferred:
- Router
- Server
- IoT
- Mobile
- Laptop/Desktop
Subnet detection and labelling:
TracePcap can infer subnet structure from traffic patterns or accept manually defined CIDR blocks. All observed IPs are grouped by subnet across all snapshots, providing immediate visibility into network segmentation.
Step-by-step topology exploration:
1. After analysis, navigate to the Visualize tab
2. Explore the interactive topology with filters (IP, port, device type, protocol, risk)
3. Click any node to view detailed information panels
4. Use fullscreen toggle and layout controls for better visibility
5. Apply custom filters to isolate specific traffic patterns
Practical use case: During a penetration test, you receive a PCAP from a client’s industrial control system network. Upload the file, and within minutes, TracePcap reveals all SCADA controllers, HMIs, PLCs, and their communication patterns — with AI-suggested role annotations like “SCADA Controller” or “Historian”.
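As an added illustration (not TracePcap's own code), a pure-Python sketch of the behaviour-based classification described above: the OUI table, the IoT vendor list, the thresholds and the sample flows are constructed assumptions, and the heuristics only cover Router, Server, IoT and Laptop/Desktop.

```python
import ipaddress
from collections import defaultdict

# Constructed OUI table (first three MAC octets -> vendor) standing in for the
# Wireshark manuf file; the vendor-to-IoT mapping is an assumption.
OUI = {"b8:27:eb": "Raspberry Pi", "00:50:56": "VMware", "3c:22:fb": "Apple"}
IOT_VENDORS = {"Raspberry Pi"}

def classify_devices(flows, local_net):
    """Infer (device type, vendor) per local IP. Heuristics are illustrative,
    not TracePcap's own: Router = its MAC receives frames leaving local_net;
    Server = 3+ distinct peers connect to one port on it; IoT = IOT_VENDORS OUI
    and <= 2 applications spoken; otherwise Laptop/Desktop."""
    net = ipaddress.ip_network(local_net)
    mac_of, gateway_macs, apps = {}, set(), defaultdict(set)
    inbound = defaultdict(lambda: defaultdict(set))  # ip -> port -> peer IPs
    for src, smac, dst, dmac, dport, app in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in net:
            mac_of[src] = smac
            apps[src].add(app)
        if d in net:
            mac_of[dst] = dmac
            inbound[dst][dport].add(src)
        elif s in net:  # local -> external: the frame is addressed to the gateway MAC
            gateway_macs.add(dmac)
    result = {}
    for ip, mac in mac_of.items():
        vendor = OUI.get(mac[:8].lower(), "Unknown")
        if mac in gateway_macs:
            dtype = "Router"
        elif any(len(peers) >= 3 for peers in inbound[ip].values()):
            dtype = "Server"
        elif vendor in IOT_VENDORS and len(apps[ip]) <= 2:
            dtype = "IoT"
        else:
            dtype = "Laptop/Desktop"
        result[ip] = (dtype, vendor)
    return result

# Constructed sample flows: (src_ip, src_mac, dst_ip, dst_mac, dst_port, app)
GW, SRV = "00:11:22:33:44:01", "00:50:56:00:00:10"
SAMPLE_FLOWS = [
    ("192.168.1.100", "3c:22:fb:aa:bb:01", "203.0.113.45", GW, 443, "TLS"),
    ("192.168.1.100", "3c:22:fb:aa:bb:01", "192.168.1.1", GW, 53, "DNS"),
    ("192.168.1.100", "3c:22:fb:aa:bb:01", "192.168.1.10", SRV, 80, "HTTP"),
    ("192.168.1.101", "b8:27:eb:00:00:02", "192.168.1.10", SRV, 80, "HTTP"),
    ("192.168.1.102", "00:50:56:00:00:03", "192.168.1.10", SRV, 80, "HTTP"),
    ("192.168.1.101", "b8:27:eb:00:00:02", "192.168.1.10", SRV, 1883, "MQTT"),
]
```

Calling `classify_devices(SAMPLE_FLOWS, "192.168.1.0/24")` labels .1 as the router, .10 as a server and the Raspberry Pi at .101 as IoT.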
4. AI-Powered Story Mode and Natural Language Filter Generation
TracePcap integrates local LLMs (via Ollama, LM Studio, or any OpenAI-compatible API) to generate human-readable narratives of network activity and create complex Wireshark/tcpdump filters from plain English queries.
Setting up local LLM integration:
Option A: Using LM Studio
1. Download and install LM Studio from lmstudio.ai
2. Load a model (e.g., Qwen2.5-14B-Coder-Instruct)
3. Start the local server (default: http://localhost:1234/v1)
4. Point `LLM_API_BASE_URL` to this address in `.env`
Option B: Using Ollama
# Install Ollama
curl -fsSL https://ollama.com/install.sh | sh
# Pull a model
ollama pull qwen2.5:14b
# Run the model server
ollama serve
Then configure `LLM_API_BASE_URL=http://localhost:11434/v1`.
AI capabilities in action:
Story Mode — The AI reconstructs what actually happened on the network:
“At 14:23:17, device 192.168.1.100 (Laptop/Desktop) initiated a TLS handshake with 203.0.113.45 (External Server). The connection used TLSv1.3 with cipher suite TLS_AES_256_GCM_SHA384. At 14:23:19, the server responded with a 200 OK, transferring 2.4MB of data identified as application/octet-stream…”
AI Filter Generator — Type natural language queries like:
- “Show me all HTTP traffic to external IPs”
- “Find all TLS connections with self-signed certificates”
- “Display traffic between 192.168.1.100 and any device on port 443”
The AI generates the corresponding Wireshark display filter with confidence scores and packet-level results.
5. Network Monitor: Tracking Changes Across Multiple Captures
The Network Monitor feature transforms TracePcap from a single-file analyzer into a continuous monitoring and change-detection platform. Upload multiple PCAPs taken at different times, and the tool highlights what changed between each snapshot.
Step-by-step network monitoring:
1. Create a Network — Name your monitored environment (e.g., “Production DC — Q1 2026”)
2. Add Snapshots — Upload PCAPs in chronological capture order
3. Review the Diagram — Click any snapshot to open its network diagram; changed nodes are highlighted by severity
4. Track Drift — Automatic detection of:
- IP addresses changing MAC addresses
- Gateway devices that have moved
- New devices appearing on the network
- VPN connections appearing or disappearing
- Protocol changes between snapshots
Detection severity levels:
- Critical: New device discovered, gateway change detected
- High: IP-to-MAC mapping changed, VPN tunnel appeared/disappeared
- Medium: New protocol observed, device classification changed
Practical use case for auditors: Run a PCAP capture at the beginning of an engagement, then another at the end. TracePcap’s Network Monitor will automatically highlight all changes — perfect for detecting unauthorized devices, rogue access points, or configuration drift during iterative audits.
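An added example, not code from the TracePcap project, of the snapshot comparison the Network Monitor performs, using the severity levels listed above; the snapshot dictionary shape and the two sample snapshots are assumptions constructed for the demonstration.

```python
# Severity scale as described for TracePcap's Network Monitor.
CRITICAL, HIGH, MEDIUM = "Critical", "High", "Medium"

def detect_drift(before, after):
    """Compare two snapshot summaries and return (severity, finding) pairs,
    most severe first. Snapshot shape is an assumption, not TracePcap's:
      {"gateway": ip, "vpn": {peer_ip, ...},
       "devices": {ip: {"mac": str, "type": str, "protocols": set}}}
    """
    findings = []
    b_dev, a_dev = before["devices"], after["devices"]
    if before["gateway"] != after["gateway"]:
        findings.append((CRITICAL, f"gateway changed {before['gateway']} -> {after['gateway']}"))
    for ip in sorted(set(a_dev) - set(b_dev)):
        findings.append((CRITICAL, f"new device {ip} ({a_dev[ip]['mac']})"))
    for ip in sorted(set(a_dev) & set(b_dev)):
        old, new = b_dev[ip], a_dev[ip]
        if old["mac"] != new["mac"]:  # same IP answered by different hardware
            findings.append((HIGH, f"{ip} moved from MAC {old['mac']} to {new['mac']}"))
        if old["type"] != new["type"]:
            findings.append((MEDIUM, f"{ip} reclassified {old['type']} -> {new['type']}"))
        for proto in sorted(new["protocols"] - old["protocols"]):
            findings.append((MEDIUM, f"{ip} now speaks {proto}"))
    for ip in sorted(after["vpn"] - before["vpn"]):
        findings.append((HIGH, f"VPN tunnel to {ip} appeared"))
    for ip in sorted(before["vpn"] - after["vpn"]):
        findings.append((HIGH, f"VPN tunnel to {ip} disappeared"))
    rank = {CRITICAL: 0, HIGH: 1, MEDIUM: 2}
    return sorted(findings, key=lambda f: rank[f[0]])  # stable: order kept within a level

# Constructed snapshots: a start-of-engagement capture and an end-of-engagement one.
ROUTER = {"mac": "00:11:22:33:44:01", "type": "Router", "protocols": {"ARP", "DNS"}}
SNAP_START = {"gateway": "192.168.1.1", "vpn": {"198.51.100.7"}, "devices": {
    "192.168.1.1": ROUTER,
    "192.168.1.100": {"mac": "3c:22:fb:aa:bb:01", "type": "Laptop/Desktop",
                      "protocols": {"TLS", "DNS"}},
}}
SNAP_END = {"gateway": "192.168.1.254", "vpn": set(), "devices": {
    "192.168.1.1": ROUTER,
    "192.168.1.100": {"mac": "de:ad:be:ef:00:01", "type": "Laptop/Desktop",
                      "protocols": {"TLS", "DNS", "SMB"}},
    "192.168.1.254": {"mac": "00:11:22:33:44:fe", "type": "Router", "protocols": {"ARP"}},
}}
```

Running `detect_drift(SNAP_START, SNAP_END)` yields two Critical findings (gateway change, new device), two High (changed IP-to-MAC mapping, vanished VPN tunnel) and one Medium (SMB newly observed).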
6. File Extraction, Payload Inspection, and Custom Signatures
TracePcap goes beyond metadata analysis by extracting files from network streams and providing deep payload inspection capabilities.
File extraction capabilities:
- HTTP object extraction (images, documents, binaries)
- Raw TCP/UDP stream extraction
- Automatic MIME type detection
- Magic-byte file type detection for images (JPEG, PNG, GIF, BMP, WEBP) and other file types
- Bulk download of all extracted files
Payload inspection:
The hex+ASCII viewer provides Wireshark-style packet payload inspection, allowing analysts to:
- Detect credentials transmitted in cleartext (HTTP, FTP, Telnet)
- Search for specific hex or ASCII byte strings in payloads
- Hunt for magic bytes, protocol markers, or custom signatures
Creating custom YAML signatures:
# Example custom signature rule
- name: "Suspicious JA3 Fingerprint"
  description: "Detects known C2 JA3 fingerprint"
  condition:
    ja3: "a0e9f5d1c8b7a6f4e3d2c1b0a9f8e7d6"
  severity: "high"
  action: "alert"
Rules can be matched against IP, CIDR, port, JA3, hostname, app, and protocol fields, and are live-reloaded without restarting the application.
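An added example, not TracePcap's own matcher, of how rules in this YAML shape could be evaluated against flow records; the AND semantics, the second rule and the flow records are constructed assumptions, and the YAML is assumed already loaded into dicts (the shape PyYAML's yaml.safe_load produces).

```python
import ipaddress

# Rules in the shape yaml.safe_load() returns for the page's YAML example;
# the second rule and the flow records further down are constructed.
RULES = [
    {"name": "Suspicious JA3 Fingerprint", "severity": "high", "action": "alert",
     "condition": {"ja3": "a0e9f5d1c8b7a6f4e3d2c1b0a9f8e7d6"}},
    {"name": "Telnet from guest VLAN", "severity": "medium", "action": "alert",
     "condition": {"cidr": "10.20.0.0/16", "port": 23, "protocol": "TCP"}},
]

def match_condition(cond, flow):
    """True when every field of the condition holds (AND semantics, assumed).
    ip/cidr/port match either endpoint; string fields compare case-insensitively."""
    for key, want in cond.items():
        if key == "ip":
            ok = want in (flow["src_ip"], flow["dst_ip"])
        elif key == "cidr":
            net = ipaddress.ip_network(want, strict=False)
            ok = any(ipaddress.ip_address(flow[k]) in net for k in ("src_ip", "dst_ip"))
        elif key == "port":
            ok = int(want) in (flow["src_port"], flow["dst_port"])
        elif key in ("ja3", "hostname", "app", "protocol"):
            ok = str(flow.get(key, "")).lower() == str(want).lower()
        else:
            raise ValueError(f"unsupported condition field: {key}")
        if not ok:
            return False
    return True

def evaluate(rules, flows):
    """Return (rule name, severity, flow id) for every rule/flow pair that matches."""
    return [(r["name"], r["severity"], f["id"])
            for f in flows for r in rules if match_condition(r["condition"], f)]

# Constructed flow records as a DPI stage might emit them (JA3 case differs on purpose).
FLOWS = [
    {"id": 1, "src_ip": "10.20.5.9", "dst_ip": "203.0.113.45", "src_port": 51234,
     "dst_port": 443, "protocol": "TCP", "app": "TLS",
     "ja3": "A0E9F5D1C8B7A6F4E3D2C1B0A9F8E7D6"},
    {"id": 2, "src_ip": "10.20.7.3", "dst_ip": "10.0.0.5", "src_port": 40000,
     "dst_port": 23, "protocol": "TCP", "app": "Telnet"},
    {"id": 3, "src_ip": "192.168.1.100", "dst_ip": "10.0.0.5", "src_port": 40001,
     "dst_port": 23, "protocol": "TCP", "app": "Telnet"},
]
```

`evaluate(RULES, FLOWS)` fires the JA3 rule on flow 1 and the Telnet rule on flow 2; flow 3 is Telnet too but from outside the guest CIDR, so it stays silent.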
7. Export and Reporting for Compliance and Documentation
TracePcap generates professional-grade reports suitable for compliance audits, client deliverables, and internal documentation.
Export options include:
- PDF Report — Includes live topology capture, tab title, applied filters, timestamp, and summary tables
- Per-conversation PCAP — Isolate specific conversations for deeper analysis
- Bulk PCAP Export — Download multiple conversations simultaneously
- CSV Export — Structured data for further processing in SIEM or spreadsheet tools
Report generation workflow:
1. Apply desired filters and analysis views
2. Navigate to the Export tab
3. Select the export format
4. Download the report with all contextual data included
What Undercode Say:
- Network analysis no longer requires deep protocol expertise — TracePcap democratizes network forensics by using AI to translate raw packets into human-readable narratives and visual topologies. Security analysts can focus on decision-making rather than manual packet decoding.
- Local LLM integration preserves data privacy — By supporting Ollama and LM Studio, TracePcap ensures sensitive PCAP data never leaves your infrastructure. This is critical for incident response in regulated industries where data exfiltration to cloud AI services is unacceptable.
- The Network Monitor changes how we think about audits — Traditional network audits are point-in-time snapshots. TracePcap introduces temporal analysis, automatically highlighting drift and changes between captures. This shifts network auditing from a compliance checkbox to a continuous security monitoring capability.
The convergence of traditional packet analysis (nDPI, tshark, Wireshark OUI) with modern AI (local LLMs for narrative and filter generation) represents a paradigm shift. Analysts no longer need to memorize filter syntax or protocol details — they can ask questions in plain English and receive actionable intelligence. However, this doesn’t replace foundational knowledge; rather, it amplifies the analyst’s effectiveness by removing friction from the analysis workflow. The tool’s ability to handle PCAPNG files with multiple interfaces (a common Windows capture scenario) and its support for L2 protocols like ARP, STP, and LLDP make it enterprise-ready for diverse environments.
Prediction:
- +1 TracePcap and similar AI-powered analysis tools will become standard issue for SOC analysts within 24 months, reducing average incident response times by 60-70% through automated network mapping and AI-generated narratives that eliminate manual correlation efforts.
- +1 The shift toward local LLM integration in security tools will accelerate as enterprises recognize the compliance and privacy risks of sending packet data to cloud AI services, driving adoption of Ollama, LM Studio, and other on-premise model hosting solutions.
- -1 As AI-powered analysis becomes mainstream, attackers will increasingly focus on adversarial evasion techniques designed to confuse LLM-based analysis — including traffic obfuscation, protocol anomalies, and deliberate poisoning of packet captures to generate misleading AI narratives.
- +1 The Network Monitor’s change-detection capability will evolve into a continuous compliance engine, enabling organizations to automatically validate network configurations against security baselines without deploying active scanning agents that could disrupt production environments.
- -1 Over-reliance on AI-generated narratives without human verification could lead to missed threats or false conclusions — organizations must maintain rigorous quality assurance processes and ensure analysts understand the underlying packet data rather than blindly trusting AI outputs.
- +1 The democratization of network analysis through tools like TracePcap will lower the barrier to entry for cybersecurity careers, allowing junior analysts to contribute meaningfully to incident response and threat hunting much earlier in their careers.
- -1 As PCAP analysis becomes more accessible, the volume of false positives generated by automated tools may increase, requiring organizations to invest in better alert triage and validation processes to avoid alert fatigue.
Reported By: Laurent Biagiotti – Hackers Feeds