Cybersecurity Packet Analyzer (WIP)

Description

This tool was created with Grok AI.

Packet Analyzer is a web-based tool designed for cybersecurity enthusiasts and network analysts to inspect and analyze network packet captures exported in JSON format (e.g., from Wireshark or tshark). It provides an interactive table view of packet details, real-time filtering, sorting, and advanced features like IP geolocation and anomaly detection. Built with simplicity and usability in mind, this tool helps identify suspicious network activity without requiring complex software installations.

How to Use

1. Upload a Packet Capture: Click the file input field labeled "Choose File" and select a .json file exported from a tool like Wireshark (tshark -r capture.pcap -T json > packets.json). The app will parse the file and display its contents in a table.
2. Navigate the Table: Each row represents a packet. Click a row to view its full JSON details in a modal. Sort columns by clicking headers (e.g., "Time", "Source IP"). Click again to reverse the order.
3. Filter Data: Use the search bar above the table to filter packets by IP address, port, or protocol (e.g., type "192.168" or "TCP").
4. Analyze IPs: Click the "🔍" button next to any Source or Destination IP to open a modal with geolocation details (ISP, location, etc.) and a map.
5. Review Stats: Check the statistics section above the table for total packets, average packet size, and top protocols.
6. Learn More: Click the "ℹ️ Info" button to open this description modal for detailed guidance.

Features and Options

• Interactive Table: Displays packet details (Packet No., Time, Delta, IPs, Ports, Protocol, TCP Flags, Lengths) with clickable rows for full JSON.
• Search/Filter: Real-time filtering of packets based on user input.
• Sorting: Sort any column in ascending or descending order.
• Packet Details Modal: View raw JSON of a packet with a "Copy to Clipboard" button.
• IP Lookup: Geolocation and ISP details for IPs via the IP-API service, with text, JSON, and map views.
• Statistics: Displays total packets, average size, and top 3 protocols in the capture.
• Anomaly Detection: Flags suspicious elements with color highlights and info icons for explanations.
• Info Modal: Comprehensive guide (you’re reading it!) accessible via a button.

Flags (Anomaly Detection)

The app highlights potential issues in the packet data with colored backgrounds and "ℹ️" icons (click for details):

• SYN-only (Red: #ffcccc):
  • Condition: TCP Flags = 0x0002 (SYN only).
  • Meaning: Indicates a connection attempt without follow-up, common in port scanning (e.g., nmap).
• Malformed (Red: #ffcccc):
  • Condition: TCP Flags = 0x000c (FIN+PSH+URG, "Xmas Tree").
  • Meaning: Unusual flag combination often used in reconnaissance or exploit attempts.
• Unusual Ports (Dark Red: #ff9999):
  • Condition: Source or Destination Port not in common list (e.g., 80, 443, 22).
  • Meaning: Non-standard ports may suggest malware communication or tunneling.
• Rapid Bursts (Orange: #ffcc99):
  • Condition: Time Delta < 0.001 seconds.
  • Meaning: Very fast packet sequences could indicate DDoS attacks or automated scanning.
• Large Packets (Yellow: #fff3cd):
  • Condition: TCP Length > 1000 bytes or Total Length > 1500 bytes.
  • Meaning: Oversized packets might signal data exfiltration or amplification attacks.
• TLS (Green: #ccffcc):
  • Condition: TLS layer present.
  • Meaning: Encrypted traffic. Check for outdated versions (e.g.,