// the find
srixivas/PcapXray
:snowflake: PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction
PcapXray is a desktop forensics tool that takes a PCAP file (or live capture) and produces an annotated network diagram: device identification via OUI lookup, DNS/whois resolution, Tor session matching, and basic malicious traffic flagging. It targets security analysts and students who want a quick visual overview of captured traffic without manually grinding through Wireshark. Presented at DEF CON 27 Demo Labs, so it has real field exposure.
The pluggable engine architecture (dpkt/scapy/pyshark with automatic fallback) is a practical decision: dpkt is genuinely fast for bulk parsing, while pyshark drives tshark and so inherits Wireshark's dissectors for exotic protocols instead of reimplementing them. Tor detection via consensus download is a real implementation, not just port-9001 matching: relays are matched on the (address, ORPort) pairs the directory authorities publish. SQLite session persistence means you can close the tool and reload without re-analyzing a large capture. The test suite (96+ tests, tox matrix across 3.10/3.11/3.12) is better than most security tools of this size.
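What consensus matching buys over a port heuristic, as an added example that is not PcapXray's code: relays are keyed by the address and ORPort published in the network-status consensus, so a relay listening on 443 is caught and an unrelated host that happens to use 9001 is not. The consensus excerpt below is constructed (fake identities and digests) but follows the real `r` / `a` / `s` line layout; the destination list and the `classify_destinations` / `port_heuristic` function names are this example's own.

```python
"""Tor relay identification from a network-status consensus (added example,
not PcapXray's code).

Router-status entry layout in a consensus document:
  r <nickname> <identity> <digest> <date> <time> <IPv4> <ORPort> <DirPort>
  a [<IPv6>]:<ORPort>          (optional, extra ORPort for the same relay)
  s <flag> <flag> ...          (e.g. Exit, Guard, Running, Valid)
"""
from __future__ import annotations

# Constructed sample: fake fingerprints/digests, documentation-range addresses.
SAMPLE_CONSENSUS = """\
r guard1 AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 00:00:00 203.0.113.10 9001 9030
s Fast Guard Running Stable V2Dir Valid
r exit2 CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-01-01 00:00:00 198.51.100.20 443 0
a [2001:db8::20]:443
s Exit Fast Running Stable Valid
r relay3 EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2024-01-01 00:00:00 192.0.2.30 8080 0
s Fast Running Valid
"""

# Constructed destinations as they would come out of a capture's sessions.
SAMPLE_DESTS = [
    ("198.51.100.20", 443),   # Tor exit on 443: port rule misses it
    ("203.0.113.99", 9001),   # random host on 9001: port rule flags it
    ("203.0.113.10", 9001),   # guard relay on the usual port
    ("2001:db8::20", 443),    # same exit, reached over its IPv6 ORPort
]


def parse_consensus(text: str) -> dict[tuple[str, int], dict]:
    """Return {(address, orport): {"nickname": str, "flags": set}}.

    Only router-status entries are read; preamble, footer and signature
    lines of a real consensus fall through the keyword checks and are ignored.
    """
    relays: dict[tuple[str, int], dict] = {}
    current: dict | None = None  # metadata dict of the entry being read
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            current = {"nickname": parts[1], "flags": set()}
            relays[(parts[6], int(parts[7]))] = current
        elif parts[0] == "a" and current is not None and len(parts) >= 2:
            # "[addr]:port"; the extra ORPort shares the entry's metadata dict.
            addr, _, port = parts[1].rpartition(":")
            relays[(addr.strip("[]"), int(port))] = current
        elif parts[0] == "s" and current is not None:
            current["flags"].update(parts[1:])
    return relays


def classify_destinations(dests, relays) -> dict[tuple[str, int], str]:
    """Label each (ip, port) as 'tor-exit', 'tor-relay' or 'clear' via the consensus."""
    labels = {}
    for ip, port in dests:
        entry = relays.get((ip, port))
        if entry is None:
            labels[(ip, port)] = "clear"
        elif "Exit" in entry["flags"]:
            labels[(ip, port)] = "tor-exit"
        else:
            labels[(ip, port)] = "tor-relay"
    return labels


def port_heuristic(dests) -> dict[tuple[str, int], str]:
    """The naive rule for comparison: anything on 9001/9030 is 'Tor'."""
    return {d: ("tor-relay" if d[1] in (9001, 9030) else "clear") for d in dests}


if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    for dest in SAMPLE_DESTS:
        print(dest, "consensus:", classify_destinations([dest], relays)[dest],
              "port-rule:", port_heuristic([dest])[dest])
```

Two caveats a practitioner would add: a consensus is only valid for a few hours, so the download has to be refreshed (and ideally signature-checked) rather than cached with the session database; and matching on ORPort endpoints identifies a client talking to a relay, whereas traffic arriving from Tor at your own servers comes from exit addresses, which can differ from the ORPort address and are better taken from Tor's separate exit-address list.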
The malicious traffic identification is port and domain heuristics, which will produce false positives on anything benign running on a non-standard port and miss anything that looks normal (C2 over 443 to a domain not yet on a list). No mention of how the domain blocklist is updated or sourced; it is probably a static file shipped with the tool, which means it rots. The GUI is Tkinter, which means the known macOS minimize bug listed in the README is just the start of the Tk/Cocoa friction; Tk does not scale itself on HiDPI displays, so expect tiny, blurry widgets unless the scaling is set by hand. Memory scaling with session count is a real problem: a 1GB PCAP from a busy corporate network could easily have millions of sessions, and "use dpkt" is not a sufficient mitigation for an analyst who actually needs the full picture, since the session objects, not the parser, are what fill the heap.
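The SQLite persistence noted above and the memory-scaling concern point at the same design: stream per-session aggregates into SQLite as the capture is read instead of accumulating one Python object per session. The following is an added example, not PcapXray's code. It parses classic pcap (not pcapng) records, Ethernet, IPv4 and TCP/UDP headers with `struct` from the standard library and upserts (src, dst, dport, proto) counters into a table, so the Python heap stays flat however many sessions the file holds. The capture bytes are constructed inline by a small builder; `build_packet`, `build_pcap`, `iter_packets` and `session_rows` are this example's own names.

```python
"""Stream pcap sessions into SQLite (added example, not PcapXray's code).

Classic pcap only: 24-byte global header, then 16-byte record headers. Only
IPv4 over Ethernet with TCP/UDP is summarised; anything else is skipped.
"""
import sqlite3
import struct
from socket import inet_aton, inet_ntoa
from typing import Iterator

PCAP_MAGIC_LE = 0xA1B2C3D4   # host wrote little-endian, microsecond stamps
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic read from a big-endian file
LINKTYPE_ETHERNET = 1


def build_packet(src: str, dst: str, sport: int, dport: int, proto: int, payload: int) -> bytes:
    """Constructed Ethernet/IPv4/{TCP,UDP} frame with a dummy payload (no checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    if proto == 6:                                          # TCP: 20-byte header, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:                                                   # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload, 0)
    l4 += b"A" * payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     inet_aton(src), inet_aton(dst))
    return eth + ip + l4


def build_pcap(frames: list[bytes]) -> bytes:
    """Wrap constructed frames in a classic little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed capture: one host talking HTTPS and DNS, a second host hitting the same HTTPS server.
SAMPLE_PCAP = build_pcap(
    [build_packet("10.0.0.5", "93.184.216.34", 51000, 443, 6, 100)] * 3
    + [build_packet("10.0.0.5", "8.8.8.8", 51001, 53, 17, 32)] * 2
    + [build_packet("10.0.0.6", "93.184.216.34", 52000, 443, 6, 100)]
)


def iter_packets(pcap: bytes) -> Iterator[tuple[str, str, int, int, int, int]]:
    """Yield (src, dst, sport, dport, proto, wire_len) per IPv4 TCP/UDP packet, lazily."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic == PCAP_MAGIC_LE else ">" if magic == PCAP_MAGIC_BE else None
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                        # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4                        # IPv4 header length in bytes
        proto = frame[23]
        src, dst = inet_ntoa(frame[26:30]), inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack_from("!HH", l4, 0)
        else:
            continue                                        # ICMP etc. are not sessions here
        yield src, dst, sport, dport, proto, orig_len


SCHEMA = """CREATE TABLE IF NOT EXISTS sessions (
  src TEXT, dst TEXT, dport INTEGER, proto INTEGER,
  packets INTEGER NOT NULL DEFAULT 0, bytes INTEGER NOT NULL DEFAULT 0,
  PRIMARY KEY (src, dst, dport, proto))"""


def aggregate(pcap: bytes, db_path: str = ":memory:") -> sqlite3.Connection:
    """Fold packets into per-session counters inside SQLite; one transaction for the run."""
    con = sqlite3.connect(db_path)
    con.execute(SCHEMA)
    with con:
        for src, dst, _sport, dport, proto, length in iter_packets(pcap):
            key = (src, dst, dport, proto)
            con.execute("INSERT OR IGNORE INTO sessions(src,dst,dport,proto) VALUES (?,?,?,?)", key)
            con.execute("UPDATE sessions SET packets=packets+1, bytes=bytes+? "
                        "WHERE src=? AND dst=? AND dport=? AND proto=?", (length, *key))
    return con


def session_rows(pcap: bytes) -> list[tuple]:
    """Summarise a capture as sorted (src, dst, dport, proto, packets, bytes) rows."""
    con = aggregate(pcap)
    try:
        return con.execute("SELECT src,dst,dport,proto,packets,bytes FROM sessions "
                           "ORDER BY src,dst,dport,proto").fetchall()
    finally:
        con.close()


if __name__ == "__main__":
    for row in session_rows(SAMPLE_PCAP):
        print(row)
```

The point of the split is that `iter_packets` never holds more than one record and `aggregate` never holds more than one key in Python, so a multi-million-session capture costs disk and SQLite page cache rather than heap. For real files, batch the upserts with `executemany` per few thousand packets and open the database with a path so the result survives the process, which is exactly the reload-without-reparsing property the SQLite persistence is meant to give.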