
Tsharky

The open-source network traffic analyzer. Deep packet inspection, anomaly detection, IP timeline replay and geographic analysis for PCAP & PCAPNG captures.

Supports .pcap, .pcapng and .cap · Multi-GB files · All processing is local

What Tsharky analyzes

Deep Packet Inspection

Parses TCP, UDP, ICMP, DNS, HTTP, TLS, ARP, VLAN and more. Extracts domains, URIs, SNIs, user agents and certificates.

40+ Anomaly Checks

Detects port scans, brute force, C2 beaconing, DNS tunneling, ARP spoofing, data exfiltration and suspicious ports.

IP Geolocation

Maps every public IP to country, city, ASN and organization. Visualizes connections on an interactive world map.

Timeline Replay

Watch every connection as animated comets across the map. Filter time windows with the draggable range scrubber.

Statistical Charts

Protocol distribution, port usage, DNS query types, HTTP status codes and per-IP traffic breakdowns with Chart.js.

C Native Engine

Written in C with libpcap for maximum speed. Processes multi-GB captures. Handles Ethernet, Linux SLL/SLL2, Raw IP and VLAN link types.

How it works

1. Upload your capture

Drag and drop or click to upload .pcap, .pcapng or .cap files of any size.

2. Automatic analysis

The C engine parses packets, extracts protocols, resolves GeoIP and runs 40+ anomaly checks.

3. Explore results

Navigate dashboards, maps, timelines and anomaly reports. Click any event for forensic details.

Frequently Asked Questions

What file formats does Tsharky support?

Tsharky supports PCAP (libpcap/tcpdump/Wireshark), PCAPNG (next-generation packet capture), and CAP files. It handles Ethernet, Linux SLL (cooked captures from tcpdump -i any), SLL2, Raw IP and 802.1Q VLAN link types.

Is there a file size limit?

No. The C native engine uses dynamic memory allocation and can process multi-GB captures with no packet count limit. The server streams large JSON results to avoid memory exhaustion.

What anomalies and threats does Tsharky detect?

Over 40 security checks: port scans (SYN, XMAS, NULL), brute force (SSH, FTP, RDP, HTTP), C2 beaconing (periodic interval analysis), DNS tunneling (long queries, TXT abuse), data exfiltration (large outbound flows), ARP spoofing, cleartext credentials over Telnet/FTP/HTTP, suspicious ports (Metasploit 4444, IRC 6667, Tor 9001/9050, Back Orifice 31337), ICMP tunneling, Kerberoasting, LDAP enumeration, and lateral movement via RDP/VNC/SMB.
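Two of the checks named above, periodic-interval analysis for C2 beaconing and the long-query / TXT-abuse heuristics for DNS tunneling, as an added example that is not Tsharky's own code. It runs over constructed flow and DNS records, and every threshold in it is an assumption, not a Tsharky setting.

```python
# Added example, not Tsharky's code: two of the FAQ's heuristics over
# constructed records. All thresholds are assumptions, not Tsharky's settings.
from collections import defaultdict
from statistics import mean, pstdev

MIN_BEACON_EVENTS = 6   # assumed: fewer connections than this are not judged
MAX_INTERVAL_CV = 0.2   # assumed: stdev/mean of gaps below this = periodic
MAX_QNAME_LEN = 60      # assumed: longer query names are suspicious
MIN_TXT_QUERIES = 5     # assumed: this many TXT lookups of one zone = abuse

# Constructed flows: (timestamp_seconds, src, dst, dst_port)
FLOWS = [(t, "10.0.0.5", "203.0.113.9", 443) for t in range(0, 600, 60)]
FLOWS += [(t, "10.0.0.7", "198.51.100.2", 443) for t in (3, 5, 40, 41, 42, 300, 301)]
# Constructed DNS queries: (src, query_name, query_type)
DNS = [("10.0.0.5", "a" * 50 + "." + "b" * 30 + ".tunnel.example", "TXT")]
DNS += [("10.0.0.5", f"chunk{i}.tunnel.example", "TXT") for i in range(6)]
DNS += [("10.0.0.7", "www.example.org", "A"), ("10.0.0.7", "mail.example.org", "MX")]


def find_beacons(flows):
    """Flag (src, dst, port) tuples whose connection gaps are near-constant."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < MIN_BEACON_EVENTS:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0  # relative jitter of the interval
        if cv <= MAX_INTERVAL_CV:
            hits.append((key, round(avg, 1), round(cv, 3)))
    return hits


def find_dns_tunneling(queries):
    """Flag overly long query names and bursts of TXT lookups against one zone."""
    findings, txt_counts = [], defaultdict(int)
    for src, qname, qtype in queries:
        if len(qname) > MAX_QNAME_LEN:
            findings.append(("long_query", src, qname))
        if qtype == "TXT":
            zone = ".".join(qname.split(".")[-2:])  # registered-domain approximation
            txt_counts[(src, zone)] += 1
    for (src, zone), n in txt_counts.items():
        if n >= MIN_TXT_QUERIES:
            findings.append(("txt_abuse", src, f"{zone} ({n} TXT queries)"))
    return findings
```

Real beacons add jitter on purpose, so the interval threshold is a trade-off: a lower MAX_INTERVAL_CV misses jittered implants, a higher one flags keep-alives and polling clients.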

How does the IP timeline replay work?

Select any IP address (public or private) and Tsharky replays all network activity chronologically. Animated comet connections fly between source and destination on the world map. Adjust playback speed (0.5x to 100x) and use the draggable time-window scrubber to focus on specific periods. Click any event for a full-screen modal with statistical charts, IP details and surrounding events.

Is my capture data private?

Yes. Tsharky is self-hosted. Your PCAP files are processed locally on your own server. Uploaded files are deleted immediately after analysis. GeoIP resolution uses a local MaxMind GeoLite2 database with no external API calls.

What protocols does Tsharky analyze?

DNS (A, AAAA, MX, CNAME, TXT, ANY, NXDOMAIN), HTTP (methods, URIs, headers, user agents, status codes), TLS/SSL (version, SNI, ciphers), TCP (SYN/ACK/RST flags, retransmissions, zero-window), UDP, ICMP (echo, redirect, tunneling), ARP (request, reply, spoofing), Kerberos (AS-REQ/TGS-REQ), LDAP, SMB, RDP, VNC, FTP, Telnet, and IRC.

How is Tsharky different from Wireshark?

Wireshark is a low-level packet inspector for examining individual frames and bytes. Tsharky is a traffic analysis and threat detection platform that automatically processes entire captures, detects security anomalies, geolocates all IPs on a world map, replays connection timelines, and generates forensic reports with involved IPs and statistical charts. Think of it as an automated SOC analyst for your packet captures.

What are the system requirements?

Linux with GCC, libpcap-dev, libjson-c-dev, libmaxminddb-dev, and Node.js 16+. For GeoIP, download the free MaxMind GeoLite2 City and ASN databases. Memory scales with capture size: a 1 GB PCAP typically requires about 2 GB RAM during analysis.

Supported capture formats

PCAP (libpcap) · PCAPNG · Ethernet · Linux SLL/SLL2 · Raw IP · 802.1Q VLAN
