Free online packet capture analyzer

Free Online PCAP Analyzer. Understand network traffic without digging through packets.

Use this web-based PCAP analyzer to upload a packet capture and receive a focused, interactive report of suspicious behavior, exposed services, threat intelligence matches, and unusual network activity.

View example report

Network analysis

Upload a PCAP file

Choose a PCAP or PCAPNG file to begin online capture analysis.

or drop a file anywhere in this area

No registration PCAP and PCAPNG Up to 100 MB

Files are processed securely. Need more capacity? Create a free account.

Behavior-based detection Integrated threat intelligence Privacy-first analysis

A clearer signal

Turn raw packet data into an investigation.

Red Hand works as a PCAP file analyzer for the questions that matter: what happened, who was involved, and where to look next.

Behavior Analysis

Detect unusual usage patterns and network behavior that may indicate abuse, misuse, or compromise.

Suspicious attacker technique patterns
Unusual or noteworthy network activity
Traffic composition and protocols

Threat intelligence

Check destinations and payload indicators against continuously updated malicious infrastructure data.

Blacklisted IP address matches
Malicious domains and DNS payloads
Evidence shown in connection context

Your Data Stays Yours

Investigate network activity while keeping control of your data and minimizing exposure of sensitive information.

Captures are deleted after processing
Your data is never used to train AI models
We don't share your data with anyone

Need a capture?

Need help creating a PCAP?

Choose your operating system and follow the essential steps. The tools you need are already included with Windows and macOS, and commonly available on Linux.

What are PCAP files?

PCAP files are raw recordings of network traffic that show which hosts communicated, which protocols were used, when connections happened, and how much data moved.

Windows 10 and 11

Capture traffic with Packet Monitor

Open Command Prompt or PowerShell as Administrator. Replace <id> with the interface ID you identify in step one.

Full Windows guide

1
Find the interface
Run ipconfig /all and note the MAC address of the adapter with a Default Gateway. Match it to an ID from pktmon list.
2
Start the capture
pktmon start -c --comp <id> --pkt-size 0 -s 100 -f cap1.etl
3
Stop and convert
When you have enough traffic, run these commands:

pktmon stop pktmon etl2pcap cap1.etl --out cap1.pcapng

Upload cap1.pcapngThe file is created in your current terminal directory.

Linux

Capture traffic with tcpdump

Open a terminal. Replace <interface-name> with the device name found in step one.

Full Linux guide

1
Find the interface
The interface following dev in the default route is usually the one you need.

ip route | grep default
2
Start the capture
sudo tcpdump -vni <interface-name> -s 0 -w capture.pcap -c 100000

The capture stops at 100,000 packets. Press Ctrl+C to stop it sooner.

Upload capture.pcapThe file is created in your current terminal directory.

macOS

Capture traffic with tcpdump

Open Terminal from Applications > Utilities. Replace <interface-name> with the device name found in step one.

Full macOS guide

1
Find the interface
The final value on the normal default route is usually the device you need, such as en0.

netstat -nr | grep default
2
Start the capture
sudo tcpdump -vni <interface-name> -s 0 -w capture.pcap -c 100000

Enter your password when prompted. Press Ctrl+C if you want to stop before 100,000 packets.

Upload capture.pcapThe file is created in your current terminal directory.

Start with the evidence

See what your capture has to say.

Upload a PCAP or PCAPNG file and get an interactive network behavior report from a browser-based packet capture analyzer.