What file formats can I upload?

We accept native .pcap and .pcapng packet-capture files only. Compressed archives (ZIP, RAR, 7-Zip, etc.) are not supported.

Is there an upload size limit?

Yes. Plan-based upload size limits apply.

How long do you retain my PCAP and the report?

Both the original file and its PDF report are stored for one hour and then permanently deleted.

What does the one-time payment include?

A single $9 payment covers one upload, full AI analysis, and a downloadable PDF report—no recurring fees.

Which plans let me upload multiple files?

Monthly and yearly subscription tiers include multiple uploads per cycle, as shown in the pricing table.

Do you provide an API for automated uploads?

Yes. Our REST API is available to Advanced subscribers. Generate an access key and integrate from CI, SIEM, or custom scripts.

In what format is the analysis delivered?

Results are provided as a professionally formatted PDF with network statistics, threat findings, and remediation advice.

What if I miss the 1-hour download window?

For security, both the capture and its report are erased after an hour. Re-upload the file to run a new analysis.

Do you collect any personal data from the files?

No. We cannot track user-identifiable information, and everything is auto-purged after processing.

What personal information is required for subscriptions?

Only the minimal billing details required by our payment processor (card, country, email) are collected.

How does your AI engine work?

Our engine blends deep-packet inspection with machine-learning to decode protocols, detect anomalies, extract credentials, and map threats to MITRE ATT&CK.

Can I upgrade or cancel my subscription at any time?

Yes. You can upgrade, downgrade, or cancel anytime from your dashboard; changes apply immediately or at the next billing cycle.

How to Detect ARP Spoofing in PCAP Files

Q: Why is manual ARP detection in Wireshark unreliable?

Manual filtering for 'arp.duplicate-address-detected' only flags conflicts as they happen. Pcap AI performs a global heuristic analysis of the entire ARP state machine, catching subtle poisoning attempts that simple filters often miss.

Q: What is MITRE ATT&CK T1557.002?

MITRE T1557.002 refers to ARP Cache Poisoning (Adversary-in-the-Middle). It is a technique where an attacker sends spoofed ARP messages onto a local network to associate their MAC address with the IP address of another host, such as the default gateway, enabling them to intercept traffic.

The Challenge: Manual Packet Hunting

Detecting an Adversary-in-the-Middle (AitM) attack in a massive network dump is like finding a needle in a haystack. Traditional forensic workflows are often too slow to catch active threats before data exfiltration occurs.

Time Sink

Correlating MAC conflicts with gateway IPs (e.g., 192.168.1.1) manually takes hours of tedious work.

Complexity

Identifying Active Scanning (T1595) requires complex Wireshark filters or custom Zeek/Suricata scripts.

🕵️‍♂️

"While incident responders struggle with arp.duplicate-address-detected filters, the attacker has already gained persistent access to the segment."

The Solution: AI-Driven Automated Forensics

Pcap AI eliminates manual packet hunting by applying machine-learning models to your raw traffic data. Within seconds, it reconstructs the network topology and surfaces behavioral anomalies.

✦ ARP Cache Poisoning: Identified host 192.168.1.105 maliciously claiming the MAC address of the subnet gateway.
✦ Active Reconnaissance: Endpoint 192.168.1.104 flagged for aggressive TCP SYN scans across the local segment.
✦ MITRE Mapping: Every finding is automatically mapped to T1557.002 and T1595 tactics for instant compliance reporting.
✦ Immediate Containment: Get precise isolation data to revoke switch port access or quarantine infected endpoints before data leaves the perimeter.

Wireshark Manual Analysis vs. Pcap AI

Manual (Wireshark)

Setting display filters, exporting endpoint lists, and manual correlation. Process takes 30–60 mins.

Pcap AI

Instant extraction and automated threat mapping. Process takes less than 15 seconds.

*Based on a 500MB PCAP file analysis.

Frequently Asked Questions

Why is manual ARP detection in Wireshark unreliable?

Manual filtering for arp.duplicate-address-detected only flags conflicts as they happen. Pcap AI performs a global heuristic analysis of the entire ARP state machine, catching subtle poisoning attempts that simple filters often miss.

What is MITRE ATT&CK T1557.002?

It refers to ARP Cache Poisoning (Adversary-in-the-Middle), where an attacker intercepts traffic by spoofing ARP messages on a local network.

AI Analysis Output (Sample)

AI Analysis Proof for How to Detect ARP Spoofing in PCAP Files

Download Full PDF Report See exactly what our AI discovers.