AI Packet Analyzer: Open-Source Network Forensics That Replaces Hours of Wireshark Work

Every security team has the same workflow bottleneck. Someone captures network traffic during an incident, an assessment, or a routine audit. The pcap file lands on an analyst's workstation. The analyst opens Wireshark. And then the real work begins: manually scrolling through thousands of packets, building display filters, following TCP streams one at a time, searching for cleartext credentials, checking for DNS anomalies, correlating connection failures, and trying to assemble a coherent picture of what happened on the wire.

For a small capture — a few hundred packets — this is manageable. For the kind of captures you actually deal with in production — 10,000, 50,000, 100,000 packets spanning hours of traffic — it is a full day of focused work. And the outputs are inconsistent. One analyst catches the FTP credentials in the clear. Another misses the ARP spoofing. A third notices the port scan but does not connect it to the cleartext SMTP traffic that followed.

We built AI Packet Analyzer to eliminate that inconsistency and compress that timeline from hours to seconds.

What It Is

AI Packet Analyzer is an open-source, command-line tool written in Python that takes a pcap or pcapng file and produces a severity-ranked report of findings — with clear explanations and actionable recommendations for every issue it identifies. It is free, MIT-licensed, and runs on Linux, macOS, and Windows.

The tool operates in two modes. Connectivity troubleshooting mode diagnoses network problems: failed TCP handshakes, retransmissions, DNS resolution failures, ICMP unreachable messages, ARP anomalies, traffic black holes, and asymmetric routing indicators. Security audit mode finds vulnerabilities: cleartext protocols, exposed credentials, sensitive data in payloads, port scan patterns, ARP spoofing, DNS tunneling indicators, and unencrypted traffic on protocols that should be encrypted.

Both modes are driven by a heuristic AI engine that runs 20+ specialized checks against the parsed packet data. Every finding is classified by severity — CRITICAL, HIGH, MEDIUM, LOW, or INFO — and includes a description of what was detected, supporting evidence, and a specific recommendation for remediation. The tool does not produce vague warnings. It tells you exactly what it found, where it found it, and what to do about it.

What It Catches

The detection capabilities are organized by the two operational modes.

In connectivity troubleshooting mode, the engine identifies TCP handshake failures where SYN packets are sent but never receive a SYN-ACK, elevated TCP reset rates that indicate refused connections or firewall interference, retransmission patterns that signal packet loss or congestion, DNS failures broken down by error type (NXDOMAIN, SERVFAIL, REFUSED), ICMP unreachable messages with host and port granularity, unanswered ARP requests that reveal offline hosts or VLAN misconfigurations, and one-way traffic patterns that point to asymmetric routing or firewall state issues. When the tool detects multiple issues simultaneously, it prompts you to narrow the analysis by providing a problem description, specific IPs, or ports — so the output stays focused and actionable rather than overwhelming.

In security audit mode, the engine scans for cleartext credentials across FTP (USER/PASS commands), HTTP Basic Auth (Base64-encoded Authorization headers), Telnet sessions, SMTP AUTH, and password patterns in form data. It flags sensitive data patterns including Social Security numbers, credit card numbers, email addresses, private keys, and certificates transmitted over unencrypted channels. It detects cleartext protocol usage for HTTP, FTP, Telnet, SMTP, POP3, IMAP, LDAP, SNMP, and VNC — each with specific migration recommendations to encrypted alternatives. It identifies ARP spoofing by detecting multiple MAC addresses claiming the same IP. It flags potential DNS tunneling based on unusually long query names. And it calculates an encryption coverage metric that tells you what percentage of the captured traffic is using encrypted versus cleartext protocols.
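To make the checks listed above concrete, here is an added example, written for this page and not taken from the AI Packet Analyzer code base, that implements simplified versions of four of them over constructed packet records (plain dicts standing in for Scapy packets): SYNs that never receive a SYN-ACK, several MACs claiming one IP in ARP replies, unusually long DNS query names, and the encryption coverage metric. The port tables, the 52-character DNS threshold, the severities and the Finding layout are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str        # CRITICAL, HIGH, MEDIUM, LOW or INFO
    title: str
    evidence: str
    recommendation: str


SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}

# Assumed port tables for the encryption coverage metric (not the project's own lists).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP",
                   110: "POP3", 143: "IMAP", 389: "LDAP", 5900: "VNC"}
ENCRYPTED_PORTS = {22: "SSH", 443: "HTTPS", 465: "SMTPS", 636: "LDAPS",
                   993: "IMAPS", 995: "POP3S"}
DNS_TUNNEL_QNAME_LEN = 52    # assumed threshold for an "unusually long" query name


def check_tcp_handshakes(pkts):
    """Connectivity mode: SYNs whose (src, dst, dport) never saw a matching SYN-ACK."""
    syn_targets, answered = set(), set()
    for p in pkts:
        if p["proto"] != "TCP":
            continue
        if p["flags"] == "S":
            syn_targets.add((p["src"], p["dst"], p["dport"]))
        elif p["flags"] == "SA":
            # The SYN-ACK flows the other way, so swap endpoints to match the SYN key.
            answered.add((p["dst"], p["src"], p["sport"]))
    return [Finding("HIGH", "TCP handshake failure",
                    f"{src} -> {dst}:{port} SYN never received SYN-ACK",
                    "Confirm the host is up, the service is listening and no firewall drops the SYN")
            for src, dst, port in sorted(syn_targets - answered)]


def check_arp_spoofing(pkts):
    """Security mode: more than one MAC address claiming the same IP in ARP replies."""
    claims = defaultdict(set)
    for p in pkts:
        if p["proto"] == "ARP" and p["op"] == "reply":
            claims[p["psrc"]].add(p["hwsrc"])
    return [Finding("CRITICAL", "Possible ARP spoofing",
                    f"{ip} claimed by {len(macs)} MACs: {', '.join(sorted(macs))}",
                    "Enable dynamic ARP inspection or pin static ARP entries for gateways")
            for ip, macs in sorted(claims.items()) if len(macs) > 1]


def check_dns_tunneling(pkts):
    """Security mode: query names long enough to suggest data encoded into DNS labels."""
    return [Finding("MEDIUM", "Possible DNS tunneling",
                    f"{len(p['qname'])}-char query from {p['src']}: {p['qname'][:32]}...",
                    "Review resolver logs for this client and block the domain if it is not sanctioned")
            for p in pkts if p["proto"] == "DNS" and len(p["qname"]) > DNS_TUNNEL_QNAME_LEN]


def encryption_coverage(pkts):
    """Share of TCP packets on known encrypted ports among all packets on known ports."""
    clear = enc = 0
    for p in pkts:
        if p["proto"] != "TCP":
            continue
        if p["sport"] in ENCRYPTED_PORTS or p["dport"] in ENCRYPTED_PORTS:
            enc += 1
        elif p["sport"] in CLEARTEXT_PORTS or p["dport"] in CLEARTEXT_PORTS:
            clear += 1
    total = clear + enc
    return round(100.0 * enc / total, 1) if total else None


def analyze(pkts):
    """Run every check and return the findings ranked by severity (stable sort)."""
    findings = check_tcp_handshakes(pkts) + check_arp_spoofing(pkts) + check_dns_tunneling(pkts)
    cov = encryption_coverage(pkts)
    if cov is not None:
        findings.append(Finding("INFO", "Encryption coverage",
                                f"{cov}% of packets on known ports use an encrypted protocol",
                                "Migrate the remaining cleartext protocols to their TLS equivalents"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


# Constructed sample capture: dict records standing in for Scapy packets.
SAMPLE_PACKETS = [
    {"proto": "TCP", "src": "10.0.0.5", "dst": "10.0.0.9", "sport": 51000, "dport": 443, "flags": "S"},
    {"proto": "TCP", "src": "10.0.0.9", "dst": "10.0.0.5", "sport": 443, "dport": 51000, "flags": "SA"},
    {"proto": "TCP", "src": "10.0.0.5", "dst": "10.0.0.7", "sport": 51001, "dport": 21, "flags": "S"},
    {"proto": "TCP", "src": "10.0.0.5", "dst": "10.0.0.8", "sport": 51002, "dport": 80, "flags": "S"},
    {"proto": "TCP", "src": "10.0.0.8", "dst": "10.0.0.5", "sport": 80, "dport": 51002, "flags": "SA"},
    {"proto": "ARP", "op": "reply", "psrc": "10.0.0.1", "hwsrc": "aa:aa:aa:aa:aa:01"},
    {"proto": "ARP", "op": "reply", "psrc": "10.0.0.1", "hwsrc": "de:ad:be:ef:00:02"},
    {"proto": "DNS", "src": "10.0.0.5", "qname": "www.example.com"},
    {"proto": "DNS", "src": "10.0.0.5", "qname": "a3f9c1e7b2d4" * 5 + ".tun.example"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_PACKETS):
        print(f"[{f.severity}] {f.title}: {f.evidence}")
```

On the sample capture the SYN to 10.0.0.7:21 is the only unanswered handshake, 10.0.0.1 is claimed by two MACs, one DNS query exceeds the length threshold, and two of the five classified TCP packets sit on an encrypted port, so the coverage metric comes out at 40.0%. The stable sort keeps findings of equal severity in detection order, which is what you want when the output feeds a report.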

Across 25 tests against real-world captures from the Wireshark sample library and synthetic attack scenarios, the tool achieved a 92% detection rate with zero crashes and zero false positives on deterministic checks.

The LLM Integration

The heuristic engine runs entirely locally with no external dependencies beyond Scapy. But for teams that want deeper analysis — root cause correlation, attack chain identification, compliance impact assessment, or the ability to ask follow-up questions about the findings — the tool includes an optional LLM integration layer.

The architecture is deliberately privacy-conscious. The LLM never receives raw packet data. The tool serializes only aggregated statistics, finding summaries, and metadata — protocol distributions, connection counts, severity-ranked findings, and conversation-level patterns. Actual packet payloads, captured credentials, and raw IP addresses stay on your machine. This means you can point the tool at a capture containing sensitive production traffic and still use a cloud LLM provider without leaking packet contents.
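The serialization boundary described above is the part of the design worth getting exactly right, so here is an added example (written for this page, not the project's own code) of what such a boundary can look like. It drops payload and credential fields from each finding, replaces raw IPv4 addresses in the remaining text with stable labels whose mapping stays local, and runs a final leak check over the serialized JSON before it would be handed to any provider. The field names, the pseudonymisation scheme and the sample findings are assumptions made for the example; the page itself only states that payloads, credentials and raw IPs stay on the machine.

```python
import json
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Finding fields that must never leave the machine (assumed field names).
LOCAL_ONLY_FIELDS = {"payload", "credential", "raw_packets"}


def pseudonymise_ips(text, ip_map):
    """Replace each IPv4 address with a stable label (host-1, host-2, ...).

    The label map stays local, so the LLM can still reason about "host-1"
    across findings while the analyst can translate its answer back.
    """
    def label(match):
        ip = match.group(0)
        if ip not in ip_map:
            ip_map[ip] = f"host-{len(ip_map) + 1}"
        return ip_map[ip]
    return IPV4_RE.sub(label, text)


def build_llm_context(stats, findings):
    """Serialize aggregated stats plus sanitized finding summaries for the LLM."""
    ip_map = {}
    safe_findings = []
    for f in findings:
        entry = {k: v for k, v in f.items() if k not in LOCAL_ONLY_FIELDS}
        for k, v in entry.items():
            if isinstance(v, str):
                entry[k] = pseudonymise_ips(v, ip_map)
        safe_findings.append(entry)
    context = {
        "protocol_distribution": stats["protocols"],
        "connection_count": stats["connections"],
        "findings": safe_findings,
    }
    return json.dumps(context, indent=2), ip_map


def leaks(context_json, findings):
    """Defensive check to run before any network call: returns every local-only
    value and every raw IPv4 address that still appears in the serialized context."""
    found = [str(v) for f in findings for k, v in f.items()
             if k in LOCAL_ONLY_FIELDS and str(v) in context_json]
    return found + IPV4_RE.findall(context_json)


# Constructed sample input: aggregated stats and two findings as the heuristic
# engine might emit them, including fields that must not leave the machine.
SAMPLE_STATS = {"protocols": {"TCP": 812, "UDP": 140, "ARP": 22}, "connections": 57}
SAMPLE_FINDINGS = [
    {"severity": "CRITICAL", "title": "Cleartext FTP credentials",
     "evidence": "USER/PASS seen from 10.0.0.5 to 10.0.0.7:21",
     "credential": "alice:hunter2",
     "payload": "USER alice\r\nPASS hunter2\r\n"},
    {"severity": "HIGH", "title": "TCP handshake failure",
     "evidence": "10.0.0.5 -> 10.0.0.9:443 SYN never received SYN-ACK"},
]

if __name__ == "__main__":
    ctx, ip_map = build_llm_context(SAMPLE_STATS, SAMPLE_FINDINGS)
    assert not leaks(ctx, SAMPLE_FINDINGS), "refusing to send: sanitization failed"
    print(ctx)
    print("local map:", ip_map)
```

The leak check is deliberately independent of the sanitizer: it re-scans the final JSON string rather than trusting that each field was handled, so a new finding type that adds an unexpected field carrying an address or a secret fails closed instead of being sent.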

Seven providers are supported out of the box: OpenAI (GPT-4o), Anthropic (Claude), OpenRouter (access to hundreds of models through a single API), Ollama, LM Studio, llama.cpp, and vLLM. The provider abstraction layer uses only Python's built-in urllib — zero additional SDK dependencies. For teams that want to keep everything on-premises, Ollama or any local model server works with a single flag: --llm ollama.

In troubleshooting mode, the LLM correlates findings to identify root causes, suggests specific diagnostic commands to run next, infers network topology from traffic patterns, and produces a prioritized action plan. In security mode, it maps attack chains across findings, assesses compliance impact against frameworks like PCI-DSS, HIPAA, and SOC 2, calculates risk scores, identifies indicators of compromise, and prioritizes remediation steps by business impact.

The interactive Q&A mode (--interactive-llm) lets you ask follow-up questions after the initial analysis. The tool maintains conversation context, so each question builds on the previous answers. You can start with "Which host is most likely compromised?" and follow up with "What lateral movement is possible from that host?" and "What specific firewall rules would block this?" — and the LLM maintains the thread across all three questions.

How It Fits Into Your Workflow

The tool is designed to slot into existing workflows, not replace them. It is the first step in your analysis pipeline, not the last.

For incident response, point the tool at a capture from the affected network segment. Run it in security mode with LLM integration. In under a minute, you have a prioritized list of every credential exposure, every cleartext protocol in use, every suspicious connection pattern, and an LLM-generated assessment of the likely attack chain. That gives your IR team a starting point that would have taken hours to assemble manually — and the LLM's follow-up Q&A mode lets the team drill into specific questions without going back to Wireshark.

For penetration testing, capture traffic during your engagement and run the security audit at the end. The tool will catch cleartext credentials you might have missed in real time, identify cleartext protocol usage across the entire capture window, and flag sensitive data patterns that your manual testing may not have covered. The severity-ranked output maps directly to the findings section of a pentest report.

For network troubleshooting, run it in troubleshooting mode when a user reports connectivity issues. The tool will identify whether the problem is DNS resolution failures, TCP handshake failures to specific destinations, ICMP unreachable responses from intermediate hops, or ARP-level issues on the local segment. The narrowing feature — where the tool prompts for a problem description, IPs, and ports when multiple issues are detected — keeps the output focused on what the user actually reported rather than every minor anomaly in the capture.

For compliance audits, the security mode's encryption coverage metric and cleartext protocol detection give you a quantitative answer to the question "what percentage of our network traffic is encrypted?" That number, combined with the specific protocol and host breakdowns, maps directly to PCI-DSS Requirement 4, HIPAA's transmission security requirement, and SOC 2's encryption controls.

Architecture

The tool is built as a four-stage pipeline. The Packet Parser uses Scapy to dissect every packet and extract structured metadata: TCP flags, DNS query names and response codes, ICMP types, ARP request/reply pairs, IP conversation tracking, and payload content for cleartext protocol analysis. The parser also runs 13+ regex patterns against payloads to detect credentials and sensitive data patterns.
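The payload regex stage is where most false positives and accidental secret handling happen, so here is an added example (written for this page; not the project's 13+ patterns, which are not reproduced here) of the kind of scanner the parser paragraph above and the credential list in the security audit section describe. It matches FTP USER/PASS lines, decodes an HTTP Basic Authorization header, and looks for SSN, credit card and PEM private key patterns in a constructed payload. Two design points a practitioner would want: card-number candidates are filtered through the Luhn check so random digit runs are dropped, and every secret is masked before it enters a finding, so the report itself never becomes a second copy of the credential. All pattern names, the masking style and the sample payload are assumptions for the example.

```python
import base64
import re

# Assumed patterns for the example; the real parser has its own set.
PATTERNS = {
    "ftp_credential": re.compile(r"^(USER|PASS) (\S+)", re.M),
    "http_basic_auth": re.compile(r"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.M | re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(secret):
    """Keep the first character only, so an analyst can confirm a hit without the secret."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def scan_payload(payload):
    """Return (pattern_name, redacted_match) tuples for everything found in one payload."""
    hits = []
    for cmd, value in PATTERNS["ftp_credential"].findall(payload):
        hits.append(("ftp_credential", f"{cmd} {value if cmd == 'USER' else mask(value)}"))
    for token in PATTERNS["http_basic_auth"].findall(payload):
        try:
            decoded = base64.b64decode(token).decode("utf-8", "replace")
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        user, _, password = decoded.partition(":")
        hits.append(("http_basic_auth", f"{user}:{mask(password)}"))
    for ssn in PATTERNS["ssn"].findall(payload):
        hits.append(("ssn", "***-**-" + ssn[-4:]))
    for candidate in PATTERNS["credit_card"].findall(payload):
        digits = re.sub(r"\D", "", candidate)
        if luhn_ok(digits):
            hits.append(("credit_card", "*" * (len(digits) - 4) + digits[-4:]))
    if PATTERNS["private_key"].search(payload):
        hits.append(("private_key", "PEM private key block present"))
    return hits


# Constructed sample payload: an FTP login, a Basic-auth request (admin:secret),
# a fake SSN, a Luhn-valid test card number and a Luhn-invalid digit run.
SAMPLE_PAYLOAD = (
    "USER alice\r\nPASS hunter2\r\n"
    "GET /admin HTTP/1.1\r\nAuthorization: Basic YWRtaW46c2VjcmV0\r\n\r\n"
    "ssn=123-45-6789&card=4111 1111 1111 1111&order=1234 5678 9012 3456\r\n"
)

if __name__ == "__main__":
    for kind, redacted in scan_payload(SAMPLE_PAYLOAD):
        print(f"{kind:16} {redacted}")
```

On the sample payload the scanner reports five hits and drops the "order" number, whose digits fail the Luhn check; the FTP password and the Basic-auth password appear only in masked form.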

The AI Engine takes the parsed statistics and runs heuristic analysis. Each check evaluates the data against calibrated thresholds, correlates multiple signals, and generates a Finding object with severity, title, description, supporting details, and a recommendation. The engine does not use machine learning — it uses deterministic heuristics written by practitioners who know what specific patterns indicate in real network traffic.

The Report Renderer uses the Rich library to produce color-coded terminal output with severity panels, summary statistics, and formatted detail blocks. The output is designed to be immediately readable — no log parsing required.

The optional LLM Analyzer takes the structured output from the heuristic engine and sends it to the configured provider with carefully engineered prompts tailored to each analysis mode. The prompt engineering is a critical detail: the troubleshooting prompt instructs the LLM to focus on root cause correlation and diagnostic next steps, while the security prompt instructs it to map attack chains, assess compliance impact, and prioritize by business risk.

Getting Started

Installation is a single command:

pip install git+https://github.com/jph4cks/ai-packet-analyzer.git

Then point it at any pcap file:

ai-packet-analyzer capture.pcap --mode security

For LLM-enhanced analysis with Ollama (free, runs locally):

ai-packet-analyzer capture.pcap --llm ollama --interactive-llm

The full documentation, architecture details, and source code are available on the project website and the GitHub repository. The tool is MIT-licensed. Contributions are welcome.

If your team is still opening every pcap in Wireshark and manually building filters to find the same categories of issues that a heuristic engine can detect in seconds — the gap between what you are doing and what you could be doing is measured in hours per investigation. That time adds up. And in an incident, those hours are the difference between containment and escalation.

Want help building an AI-augmented security operations pipeline?

We help organizations integrate AI-powered tools into their security workflows — from packet analysis automation to full SOC modernization. Book a session with our team to discuss your environment.