What file formats can I upload?

We accept native .pcap and .pcapng packet-capture files only. Compressed archives (ZIP, RAR, 7-Zip, etc.) are not supported.

Is there an upload size limit?

Yes. Plan-based upload size limits apply.

How long do you retain my PCAP and the report?

Both the original file and its PDF report are stored for one hour and then permanently deleted.

What does the one-time payment include?

A single $9 payment covers one upload, full AI analysis, and a downloadable PDF report—no recurring fees.

Which plans let me upload multiple files?

Monthly and yearly subscription tiers include multiple uploads per cycle, as shown in the pricing table.

Do you provide an API for automated uploads?

Yes. Our REST API is available to Advanced subscribers. Generate an access key and integrate from CI, SIEM, or custom scripts.

In what format is the analysis delivered?

Results are provided as a professionally formatted PDF with network statistics, threat findings, and remediation advice.

What if I miss the 1-hour download window?

For security, both the capture and its report are erased after an hour. Re-upload the file to run a new analysis.

Do you collect any personal data from the files?

No. We cannot track user-identifiable information, and everything is auto-purged after processing.

What personal information is required for subscriptions?

Only the minimal billing details required by our payment processor (card, country, email) are collected.

How does your AI engine work?

Our engine blends deep-packet inspection with machine-learning to decode protocols, detect anomalies, extract credentials, and map threats to MITRE ATT&CK.

Can I upgrade or cancel my subscription at any time?

Yes. You can upgrade, downgrade, or cancel anytime from your dashboard; changes apply immediately or at the next billing cycle.

How to Detect DNS Tunneling & DGA in PCAP Files

Q: How do you find DNS tunneling in Wireshark?

Analysts usually start by filtering for long queries (dns.qry.name.len > 50) or looking for unusual TXT records. However, this produces massive false positives. Pcap AI uses entropy analysis to accurately separate malicious exfiltration from normal network noise.

The Challenge: Alert Fatigue and Noisy Protocols

DNS is the noisiest protocol on any network. Adversaries exploit this by hiding command-and-control (C2) beacons and data exfiltration within DNS queries. Finding a malicious payload among millions of legitimate requests is incredibly difficult.

False Positives

Filtering for long queries (dns.qry.name.len > 50) in Wireshark yields thousands of false positives from legitimate CDNs and tracking domains.

Complexity

Spotting DGA (T1568.002) mathematically requires exporting PCAPs to CSV and running custom Python scripts to calculate Shannon entropy.

🕵️‍♂️

"We filtered for anomalous TXT records, but the Cobalt Strike beacon was hiding in plain sight using dynamically generated A-records. Manual correlation took days."

The Solution: Heuristic & Entropy Analysis

Pcap AI automates the mathematical heavy lifting. Our ML engine analyzes the lexical structure, query frequency, and payload entropy of every single DNS packet in your capture file instantly.

✦ Data Exfiltration Blocked: Identified unusually large, encoded subdomains pointing to a newly registered, untrusted registrar.
✦ DGA Detection: AI flagged algorithmically generated domains (e.g., x8f9q2p.malicious.com) that bypass standard threat intel blocklists.
✦ Noise Reduction: Smart baselining filtered out legitimate background noise from CDNs, anti-virus updates, and cloud telemetry.
✦ MITRE Mapping: Threats automatically mapped to T1071.004 (Application Layer Protocol: DNS) and T1568.002 (DGA).

Wireshark Manual Analysis vs. Pcap AI

Manual (Wireshark)

Exporting DNS logs to CSV, running custom Python entropy scripts, and sorting through false positives. Process takes 1–2 hours.

Pcap AI

Instant lexical analysis, DGA scoring, and automated MITRE mapping. Process takes less than 20 seconds.

*Based on a 1GB PCAP file with heavy DNS traffic.

Frequently Asked Questions

How do you find DNS tunneling in Wireshark?

Analysts usually start by filtering for long queries (dns.qry.name.len > 50) or looking for unusual TXT records (dns.qry.type == 16). However, this produces massive false positives. Pcap AI uses entropy analysis to accurately separate malicious exfiltration from normal network noise.

What is MITRE ATT&CK T1071.004?

It describes adversaries using DNS (an Application Layer Protocol) to communicate with command-and-control (C2) servers or exfiltrate data, bypassing firewalls by hiding malicious traffic within a legitimate, universally allowed protocol.

AI Analysis Output (Sample)

AI Analysis Proof for How to Detect DNS Tunneling & DGA in PCAP Files

Download Full PDF Report See exactly what our AI discovers.