PacketSnitch is a network packet analysis tool that combines a Python backend with an Electron frontend to help you explore and filter captured network traffic, with no command line required after initial setup.
| Component | Description |
|---|---|
| Backend | Python script (snitch.py) that parses .pcap files and extracts rich per-packet metadata into JSON |
| Frontend | Electron-based desktop application for loading, browsing, filtering, and visualizing traffic |
- Load PCAP files: Point the backend at a capture, then explore interactively in the desktop app
- Powerful filtering: Filter by port, country, entropy, MIME type, and more using dot-notation expressions
- GeoIP integration: See source/destination locations with country, city, and timezone
- Payload analysis: Shannon entropy visualization, MIME type detection, hex dump with ASCII view
- LLM summaries: Generate AI-powered analysis reports using Ollama
- Protocol decoding: DNS, HTTP, SSL/TLS, DHCP, NTP, SIP, and more
Download a pre-built release from the releases page:
- Windows: `.exe` installer
- Linux: `.deb` or `.rpm` packages

Launch the app with `packetsnitch` or click the desktop icon.
- Load PCAP: Click Load PCAP to run the backend on a `.pcap` file
- Browse packets: Use Prev / Next buttons or select a host from the dropdown
- Filter: Type expressions like `tcp.dst.port:443` and press Enter
- Summarize: Click Summary for LLM-generated analysis (requires Ollama)
| Element | Description |
|---|---|
| Target Host | Select which IP stream to inspect |
| Bookmarks | Save and jump to specific packets |
| Save JSON | Export current dataset |
| PCAP size | File size of the capture |
| Load time | Time to parse and load data |
| Total Packets | Total packets in dataset |
| Filtered Packets | Packets matching active filter |
| Timestamp | Current packet's capture time |
| Control | Description |
|---|---|
| Summary | Switch to LLM analysis view |
| Data | Return to packet data view |
| Prev / Next | Step through packet list |
| Filter bar | Enter filter expressions |
| Load JSON | Load previously generated hosts.json |
| Load PCAP | Run backend on a .pcap file |
| Use LLM | Toggle Ollama-powered summaries |
- IP Routing: Source → destination addresses
- Network Info: Ports with ICANN service names
- Data Type: MIME type, charset, encoding, magic file type
- Active Recon: SSL/TLS details, server banners, DNS hostnames, web page titles (with the `-a` flag)
- ASCII View: Printable character runs from payload
- Hex Grid: Interactive hex dump; click to highlight bytes and see ASCII
| Panel | Description |
|---|---|
| Datagram Frame | Protocol fields (checksums, DNS, HTTP, DHCP, etc.) |
| Location | GeoIP: country, city, postal code, timezone |
| Payload Entropy | Shannon entropy as number + visual indicator |
Filter expressions use dot-notation keys, comparison operators, and boolean combinators:
```
# HTTPS traffic only
tcp.dst.port:443
# Traffic from China
loc.src.country:China
# High-entropy payloads (encrypted/compressed)
payload.entropy:>=7.0
# HTTP POST with JSON
http.method:POST && payload.mime:application/json
# Large encrypted payloads from external IPs
tcp.dst.port:443 && payload.len:>500 && payload.entropy:>=7.0 && ip.src.class:!=Localnet
```
- String comparisons are case-insensitive
- Press Enter to apply; clear and press Enter again to reset
See the Filter Reference for the complete list of keys and syntax.
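A minimal evaluator for the filter syntax shown above, as an added example that is not PacketSnitch's own code. It handles only the operators that appear on this page (`:`, `:>`, `:>=`, `:!=`, `&&`); the nested record layout, the helper names, and the `Public` class value are assumptions, and the sample records are constructed.

```python
import math
import re
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (one value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def lookup(record: dict, dotted_key: str):
    """Follow a dot-notation key through nested dicts; None if a part is missing."""
    node = record
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

# key:value with an optional operator; only the operators shown on this page.
TERM = re.compile(r"^([\w.]+):(>=|!=|>)?(.+)$")

def term_matches(record: dict, term: str) -> bool:
    m = TERM.match(term.strip())
    if not m:
        raise ValueError(f"malformed filter term: {term!r}")
    key, op, want = m.groups()
    have = lookup(record, key)
    if have is None:  # assumption: an absent field never matches, even with !=
        return False
    if op in (">", ">="):
        try:
            a, b = float(have), float(want)
        except (TypeError, ValueError):
            return False
        return a >= b if op == ">=" else a > b
    same = str(have).casefold() == want.strip().casefold()  # case-insensitive
    return not same if op == "!=" else same

def matches(record: dict, expression: str) -> bool:
    """True when every &&-joined term of the expression matches the record."""
    return all(term_matches(record, t) for t in expression.split("&&"))

# Constructed sample records; the nested layout and "Public" are assumptions.
TLS = {"ip": {"src": {"class": "Public"}}, "tcp": {"dst": {"port": 443}},
       "payload": {"len": 1024, "entropy": shannon_entropy(bytes(range(256)) * 4)}}
body = b'{"user": "alice", "action": "login"}' * 20
POST = {"ip": {"src": {"class": "Localnet"}}, "http": {"method": "POST"}, "payload":
        {"len": len(body), "mime": "application/json", "entropy": shannon_entropy(body)}}
```

The repeated JSON body scores well under the 7.0 threshold while the uniformly distributed payload scores 8.0, which is why `payload.entropy:>=7.0` separates encrypted or compressed data from plain text.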
- Frontend Docs: UI reference, installation, developer setup
- Backend Docs: `snitch.py` usage, arguments, output structure
- Filter Reference: Complete filter keys, operators, examples
GNU GPLv3. See LICENSE.md for details.
Marshall Whittaker