A network forensics tool — visualize PCAP files or live traffic as an annotated network diagram with device identification, protocol classification, Tor detection, and malicious traffic flagging.

```mermaid
graph TD
UI[user_interface.py\nGUI controller] --> PR[pcap_reader\nFile + Live capture]
PR --> ENG[engines/\nauto · dpkt · scapy · pyshark]
PR --> MEM[(memory.py\nShared state)]
MEM --> CDF[communication_details_fetch\nDNS · whois]
MEM --> DDF[device_details_fetch\nOUI vendor lookup]
MEM --> TTH[tor_traffic_handle\nTor consensus]
MEM --> MTI[malicious_traffic_identifier\nHeuristic flags]
MEM --> SS[sqlite_store\nSession persistence]
MEM --> PLN[plot_lan_network\nGraphviz PNG + pyvis HTML]
UI --> IG[interactive_gui\nMatplotlib panel]
IG --> MEM
PLN --> OUT[Reports + Diagrams]
```
Given a PCAP file or a live network interface, plot a network diagram displaying hosts, traffic flows, important/Tor/malicious communication, and data involved in each session.
Make a network diagram with the following features.

Tool highlights:
- Network Diagram — summary network diagram of the full network
- Web traffic with server details
- Tor traffic detection
- Possible malicious traffic flagging
- Data obtained from packets in report — device/traffic/payloads
- Device details — OUI vendor, hostname resolution, whois
- Live traffic capture with real-time graph updates
- Interactive graph — pyvis HTML for in-browser exploration
- Session persistence — SQLite cache for reload without re-analysis
Screenshots: main application panel; static network graph (natural layout with auto-fit zoom).
Requirements: Python 3.10+

With apt (Debian/Ubuntu):

```bash
sudo apt-get update
sudo apt-get install -y python3-tk graphviz tshark
pip3 install -r requirements.txt
sudo python3 Source/main.py
```

If using a specific Python version (3.11, 3.12), replace `python3-tk` with `python3.11-tk` or `python3.12-tk`. Install Pillow via pip only — do not install `python3-pil` from apt, as it conflicts.

With Homebrew (macOS):

```bash
brew install graphviz
pip3 install -r requirements.txt
sudo python3 Source/main.py
```

`sudo` is required for live capture. File analysis runs without it.
Inputs: a `.pcap` / `.pcapng` file, or a live network interface (requires `sudo` / root). Parsing engine: selectable, default `auto`.

PcapXray supports four interchangeable parsing backends selectable from the toolbar:
| Engine | Best for | Notes |
|---|---|---|
| `auto` | General use | Tries dpkt first, falls back to scapy |
| `dpkt` | Large files, low memory | Fast offline parsing |
| `scapy` | Deep protocol inspection | TLS-aware, slower on large files |
| `pyshark` | Maximum protocol coverage | Requires tshark installed |
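To make concrete what any of these backends hands to the rest of the pipeline (hosts, flows, a protocol label per session), here is an added example that is not PcapXray's own code: a pure-standard-library reader for the classic libpcap format plus a `choose_engine` helper that applies the `auto` rule from the table (dpkt first, then scapy). The function names, the port-to-service table and the sample capture are constructed for this example; the capture uses made-up private and RFC 5737 addresses and is built in memory, so nothing is read from disk or the network.

```python
"""Added example (not PcapXray's own code): a pure-standard-library reader for the
classic libpcap format that builds the host/flow summary a tool like PcapXray plots."""
import struct
from collections import defaultdict

PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}  # magic read little-endian -> byte order
PORT_LABELS = {80: "http", 443: "https", 53: "dns"}  # constructed port->service table


def choose_engine(requested, available):
    """The README's auto rule: try dpkt first, then scapy. `available` is the set of
    importable engine names, injected so the choice is testable offline."""
    order = ["dpkt", "scapy"] if requested == "auto" else [requested]
    for name in order:
        if name in available:
            return name
    raise RuntimeError(f"no usable engine among {order}")


def parse_pcap(data):
    """Yield (timestamp, frame_bytes) per record; stop quietly at a truncated tail."""
    if len(data) < 24:
        raise ValueError("not a pcap file")
    end = PCAP_MAGIC.get(struct.unpack("<I", data[:4])[0])
    if end is None:
        raise ValueError("unknown pcap magic")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            break  # truncated capture: keep what was parsed so far
        yield ts_sec + ts_usec / 1e6, data[off:off + incl]
        off += incl


def decode_frame(frame):
    """Return (src, dst, 'tcp'|'udp', sport, dport) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    if (proto == 6 and len(l4) >= 20) or (proto == 17 and len(l4) >= 8):
        sport, dport = struct.unpack("!HH", l4[:4])  # ports lead both TCP and UDP headers
        return src, dst, "tcp" if proto == 6 else "udp", sport, dport
    return None


def summarize(data):
    """Hosts seen plus per-direction flow counters with a port-based service label."""
    hosts = set()
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "service": "other"})
    for _ts, frame in parse_pcap(data):
        hdr = decode_frame(frame)
        if hdr is None:
            continue  # non-IPv4 or non-TCP/UDP frames are not plotted
        src, dst, proto, sport, dport = hdr
        hosts.update((src, dst))
        flow = flows[(src, sport, dst, dport, proto)]
        flow["packets"] += 1
        flow["bytes"] += len(frame)
        flow["service"] = PORT_LABELS.get(dport, PORT_LABELS.get(sport, "other"))
    return sorted(hosts), dict(flows)


# --- constructed sample capture (made-up private / RFC 5737 addresses) ----------
def _frame(src, dst, proto, sport, dport, payload=b""):
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)
          if proto == 6 else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64,
                     proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4 + payload


def sample_pcap():
    frames = [
        _frame("10.0.0.5", "203.0.113.10", 6, 51000, 443, b"\x16\x03\x01"),
        _frame("203.0.113.10", "10.0.0.5", 6, 443, 51000, b"\x16\x03\x03"),
        _frame("10.0.0.5", "10.0.0.1", 17, 40000, 53, b"\x00" * 12),
        b"\xff" * 14 + b"not-ipv4",  # must be skipped, not crash the reader
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out
```

Calling `summarize(sample_pcap())` returns the three hosts and three one-directional flows (two labelled `https`, one `dns`); a capture cut off mid-record still yields everything before the cut, which is the behaviour you want from a forensic reader that meets a truncated file. Real backends add what this omits: VLAN tags, IPv6, fragmentation, payload extraction and the DNS/whois enrichment the diagram above attaches afterwards.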
All dependencies are in `requirements.txt` — install with `pip3 install -r requirements.txt`.
Tkinter is the only library not on PyPI — install it via your system package manager (`python3-tk` on Linux; included with Python on macOS).
| Library | Purpose |
|---|---|
| scapy | Packet reading and live capture |
| dpkt | Fast PCAP parsing engine |
| pyshark | tshark-backed parsing engine |
| ipwhois | Whois / RDAP lookup |
| netaddr | IP address classification |
| pillow | Image processing for graph display |
| stem | Tor consensus data fetch |
| graphviz | Network diagram rendering |
| networkx | Graph construction and layout |
| matplotlib | Embedded interactive graph panel |
| pyvis | Interactive HTML network graph |
| pydantic | Typed data models for session state |
| cryptography | TLS cipher suite parsing |
See DEV.md for full architecture documentation, call flow diagrams, module responsibilities, threading model, and how to add a new engine.
See SECURITY.md for responsible disclosure, security posture, and known limitations.
```bash
# Fast suite — no network calls
pytest -m "not network" Test/
# Full suite including real DNS + Tor
pytest Test/
# Isolated engine environments
tox
tox -e all-engines
```
96+ tests across Python 3.10, 3.11, 3.12.
Use the `dpkt` engine for best performance on large files.

```bash
$ claude mcp add PcapXray \
    -- python -m otcore.mcp_server <graph>
```