pcapx 1.1.1

Analyst-focused PCAP behavior analysis and finding engine

PCAPX

PCAPX is a lightweight, analyst-focused PCAP analysis tool designed to extract actionable security findings from packet captures without relying on signatures, malware labels, or assumptions.

It focuses on behavioral evidence, protocol misuse, and cleartext exposure, presenting results in a format familiar to SOC analysts, blue teams, and incident responders.

PCAPX does not claim malware detection.
It highlights observable behaviors that may warrant investigation.

---

Why PCAPX?

Most PCAP tools fall into one of two extremes:

• Low-level packet viewers (e.g., Wireshark)
• Heavy IDS engines with opaque alerts

PCAPX sits in the middle.

It answers questions like:

• Were credentials exposed?
• Are hosts communicating in automated or periodic patterns?
• Is there evidence of service discovery or probing?
• Are application payloads behaving unusually?

All without guessing intent.

---

Key Features

🔐 Cleartext Authentication Detection

• Detects FTP cleartext credentials
• Extracts:
  • Username
  • Password
  • Client & server IPs
• Aggregated into a single SOC-style finding
• No duplication across sessions

---

🌐 Network Behavior Analysis

• High-frequency and periodic communication patterns
• Bidirectional traffic deduplication
• Broad port interaction (recon-like behavior)

---

📡 DNS & Application Observations

• Unusual DNS query structures
• Application payloads loosely associated with exploitation techniques
  (low confidence, informational only)

---

📊 Analyst-Friendly Output

• Clean terminal tables
• Findings grouped with:
  • ID
  • Severity
  • What happened
  • Why it matters
  • Affected assets

---

🧠 Safe, Generalized Language

• No malware family names
• No attribution claims
• No intent assumptions
• Suitable for reports, audits, and legal review