Introducing PCAPGraph

When security teams receive a packet capture during an investigation, the same questions usually arise immediately:

  • What systems communicated externally?
  • Did any hosts interact with known malicious infrastructure?
  • Which internal assets were involved?
  • Is there evidence of command-and-control activity or lateral movement?

Traditional packet analysis tools are extremely powerful for deep inspection, but they are not optimized for rapid triage and investigation.

To address this challenge, RedSide Security developed PCAPGraph.

PCAPGraph is a BloodHound-style visualization platform for .pcap and .pcapng files that converts network traffic into an interactive graph, allowing analysts to understand relationships and identify threats in minutes rather than hours.

Key Features

Interactive Traffic Visualization

Import a packet capture and instantly generate a graph showing relationships between:

  • Internal hosts
  • Applications and protocols
  • External destinations
  • Network communications

The graph provides a high-level view of activity while allowing analysts to drill down into specific connections.

Reverse IoC Investigation

Security teams can paste:

  • Malicious IP addresses
  • Suspicious domains
  • Threat intelligence indicators

and immediately identify every internal host that communicated with the indicator.

Matching hosts and connections are highlighted visually, accelerating threat hunting workflows.

Automated Malicious IoC Discovery

PCAPGraph includes a one-click analysis feature that:

  • Extracts public IP addresses
  • Identifies observed domains
  • Queries threat intelligence sources
  • Highlights potentially malicious infrastructure

This enables analysts to quickly identify high-risk communications within large packet captures.

VirusTotal Integration

For supported indicators, PCAPGraph displays:

  • Detection statistics
  • Threat reputation information
  • Country information
  • ASN details

directly within the graph interface.

Offline Threat Intelligence Matching

PCAPGraph can identify known malicious infrastructure using offline threat intelligence datasets, including:

  • abuse.ch feeds
  • URLhaus indicators
  • Tor exit node intelligence

Known malicious systems are automatically flagged to improve analyst visibility.

Advanced Network Visibility

The platform enriches network traffic with:

TLS SNI Analysis

  • Domain identification from encrypted traffic

HTTP Host Analysis

  • Host header extraction and labeling

Country-Based Grouping

  • Geographic visualization of destinations

Lateral Movement Discovery

  • Identification of internal host-to-host communications

Beaconing Detection

  • Detection of repetitive communication patterns commonly associated with command-and-control activity
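The checks described above (reverse IoC lookup, public destination extraction, lateral movement discovery and beaconing detection) can be prototyped without Wireshark or tshark. The following is an added example written for this article, not code from PCAPGraph or RedSide Security: a minimal libpcap reader in plain Python that builds a (source, destination, port) edge set, flags internal-to-internal traffic, flags connections with a regular cadence, and matches destinations against an offline indicator set. The capture bytes, addresses, timings and the indicator set are all constructed sample data, and the jitter threshold and internal ranges are assumptions for illustration.

```python
"""Added example (not PCAPGraph's code): libpcap parsing and first-pass triage
in plain Python with no tshark dependency. Everything below is constructed data."""
import ipaddress
import struct
from collections import defaultdict

# Assumed "internal" ranges (RFC 1918); adjust to the environment under investigation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed offline indicator set standing in for an abuse.ch / URLhaus-style feed.
SAMPLE_IOCS = {"203.0.113.10"}


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def _tcp_packet(src, dst, dport):
    """Ethernet + IPv4 + TCP SYN headers only; enough for flow-level triage."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(records):
    """Serialize (ts, src, dst, dport) records as a little-endian libpcap file."""
    chunks = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, src, dst, dport in records:
        pkt = _tcp_packet(src, dst, dport)
        chunks.append(struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000),
                                  len(pkt), len(pkt)) + pkt)
    return b"".join(chunks)


def sample_capture():
    """Constructed capture: a ~60 s beacon to an IoC, one SMB hop, irregular web traffic."""
    recs = [(t, "10.0.0.5", "203.0.113.10", 443) for t in (1000, 1059, 1121, 1180, 1240)]
    recs.append((1100, "10.0.0.5", "10.0.0.7", 445))
    recs += [(t, "10.0.0.8", "198.51.100.20", 443) for t in (2000, 2005, 2300)]
    return build_pcap(recs)


def parse_pcap(data):
    """Yield (timestamp, src, dst, proto, dport) for IPv4 packets on Ethernet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng/nanosecond pcap not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # skip non-IPv4 frames
            continue
        ihl = (pkt[14] & 0x0F) * 4
        proto = pkt[23]
        src = str(ipaddress.IPv4Address(pkt[26:30]))
        dst = str(ipaddress.IPv4Address(pkt[30:34]))
        l4 = pkt[14 + ihl:]
        dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) and len(l4) >= 4 else None
        yield sec + usec / 1e6, src, dst, proto, dport


def triage(data, iocs, min_beacons=4, max_jitter=0.2):
    """Edge counts keyed by (src, dst, dport) plus the findings an analyst asks for first."""
    edges = defaultdict(list)
    for ts, src, dst, _proto, dport in parse_pcap(data):
        edges[(src, dst, dport)].append(ts)
    lateral = sorted({(s, d) for s, d, _ in edges if is_internal(s) and is_internal(d)})
    external = sorted({d for _, d, _ in edges if not is_internal(d)})
    # Reverse IoC lookup: every edge whose endpoint is in the indicator set.
    ioc_hits = sorted({(s, d) for s, d, _ in edges if d in iocs or s in iocs})
    beacons = []
    for key, times in edges.items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # Regular cadence: spread of the inter-arrival gaps within max_jitter of the mean.
        if mean > 0 and (max(gaps) - min(gaps)) / mean <= max_jitter:
            beacons.append((key, round(mean, 1)))
    return {"edges": {k: len(v) for k, v in edges.items()}, "lateral": lateral,
            "external": external, "ioc_hits": ioc_hits, "beacons": beacons}


if __name__ == "__main__":
    for name, value in triage(sample_capture(), SAMPLE_IOCS).items():
        print(f"{name}: {value}")
```

On the constructed capture the SMB connection from 10.0.0.5 to 10.0.0.7 is reported as lateral movement, the five evenly spaced connections to 203.0.113.10 are reported as a 60-second beacon and as an IoC hit, and the three irregular connections to 198.51.100.20 appear only as an external destination. A real capture needs the pcapng and nanosecond-timestamp variants handled as well, and the jitter threshold tuned to the environment.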

Privacy and Local Processing

PCAPGraph is designed to operate locally.

The platform:

  • Runs entirely on the analyst workstation
  • Does not require Wireshark or tshark
  • Uses a Python and Flask-based architecture
  • Keeps packet captures on the local system

This allows organizations to investigate sensitive network traffic without uploading captures to third-party services.

Built for Incident Response and Threat Hunting

PCAPGraph is designed for:

  • Threat hunters
  • Incident responders
  • SOC analysts
  • DFIR teams
  • Security researchers
  • Network defenders

By transforming raw packet captures into an interactive investigation graph, analysts can rapidly:

  • Identify compromised systems
  • Trace malicious communications
  • Investigate attacker infrastructure
  • Prioritize response actions

Open Source

PCAPGraph is released as free and open-source software.

GitHub Repository: https://github.com/RedSideSecurity/PCAPGraph

Roadmap

Future development efforts include expanded detection capabilities such as:

  • Advanced C2 beaconing detection
  • DNS tunneling analysis
  • Data exfiltration detection
  • Behavioral analytics
  • Enhanced threat intelligence integrations

The project is actively evolving, and community feedback, feature requests, and contributions are welcome.

Conclusion

Packet captures often contain the evidence needed to understand an incident, but extracting actionable intelligence quickly can be challenging.

PCAPGraph simplifies that process by transforming network traffic into a visual investigation platform that helps analysts identify threats, investigate indicators, and understand attacker activity faster.

Built by hunters, for hunters.