A standalone web application for analyzing PCAP files using Suricata. View security alerts, browse network metadata (DNS, HTTP, TLS, flows), extract ASCII transcripts, and carve individual streams — all from a single-page UI.
The welcome screen allows you to upload a PCAP file or load a previous analysis:
After analysis, you can view security alerts, network metadata, and extract streams:
The fastest way to try OhMyPCAP is with our online demo:
https://securityonion.net/pcap
Please note the following:
- this is a cloud based service so please do not share any sensitive PCAP files or any other sensitive info
- free accounts are limited to 60 minutes of usage before the instance is automatically terminated
- if you need a private or permanent instance of OhMyPCAP, then please see the other options below
Most folks will want to use our pre-built Docker image. If you prefer not to use our pre-built Docker image, then there are other options shown below.
If you are running the latest version of OhMyDebn, then you can just press Ctrl + Alt + P to automatically install and run OhMyPCAP and then you can skip to the Usage section below.
If you're not running OhMyDebn but are running another Debian-based distro, then you can install and configure Docker like this:
sudo apt update && sudo apt -y install docker.io
sudo usermod -aG docker $USER
newgrp dockerIf you're running something other than Debian, then check your OS documentation for the best way to install Docker.
Once Docker is installed and configured, all you have to do is create a data directory and then run our OhMyPCAP Docker image with that data directory mounted as a volume:
mkdir -p ~/ohmypcap-data
docker run -v ~/ohmypcap-data:/data -p 8000:8000 ghcr.io/dougburks/ohmypcap:mainOhMyPCAP will update its NIDS rules and then prompt you to open http://localhost:8000/ohmypcap.html in your browser.
- Upload a file — click "Choose File" and select a
.pcap,.pcapng,.cap, or.tracefile (or a.zipcontaining one) - Load from URL — paste a URL to a PCAP file and click "Load from URL". Password-protected zips from
malware-traffic-analysis.netare auto-decrypted using the date-based password format - Reopen a previous analysis — previously analyzed PCAPs are listed on the welcome screen
After Suricata finishes processing, the UI displays:
- Stats Grid — clickable cards showing event counts by type (Alerts, DNS, HTTP, TLS, Flows, etc.)
- Data Tables — sortable tables with expandable detail rows showing full event JSON and ASCII transcripts
- Aggregation Tables — (Advanced mode) frequency counts for each column; click a value to filter
- Filtering — apply filters by clicking aggregation values; filter chips show active filters; filters persist across all tabs
Toggle the "Advanced" switch in the upper right to enable:
- Aggregation tables showing top-10 values per column
- Inline filter bar with filter chips
- Cross-tab filter persistence
Click any row in a data table to expand it, then:
- ASCII Transcript — view decoded TCP/UDP payload as readable text
- Download PCAP — carve that specific stream into a standalone
.pcapfile
All analyzed PCAPs are stored in ~/ohmypcap-data/. Each analysis gets a subdirectory named by its MD5 hash containing:
~/ohmypcap-data/<md5>/
<original-filename>.pcap # The uploaded PCAP
eve.json # Suricata's JSON output
events.db # SQLite index (auto-created after analysis)
name.txt # Human-readable display name
If you prefer to build your own Docker image, you can clone this github repo and then build the image:
git clone https://github.com/dougburks/ohmypcap
cd ohmypcap
docker build -t ohmypcap .
mkdir -p ~/ohmypcap-data
docker run -v ~/ohmypcap-data:/data -p 8000:8000 ohmypcapThen open http://localhost:8000/ohmypcap.html in your browser.
If you prefer to run without docker, then you will need these prerequisites:
- Python 3 (stdlib only — no pip packages required)
- Suricata — for PCAP analysis and rule-based alerting
- suricata-update — for downloading/updating Suricata rules
- tcpdump — for stream carving (
/api/download-stream) - tshark — for ASCII transcript extraction (
/api/ascii-stream)
Once you have the preqequisites, then you can clone this github repo and run the server:
python3 ohmypcap.pyThen open http://localhost:8000/ohmypcap.html in your browser.
| Variable | Default | Description |
|---|---|---|
DATA_DIR |
~/ohmypcap-data |
Directory for analyzed PCAPs and Suricata config |
BIND_ADDRESS |
127.0.0.1 |
Address to bind the HTTP server to |
PORT |
8000 |
HTTP server port |
| Constant | Default | Description |
|---|---|---|
PORT |
8000 |
HTTP server port |
BASE_DIR |
~/ohmypcap-data |
Root directory for analyzed PCAPs |
MAX_UPLOAD_SIZE |
1000 MB |
Maximum PCAP upload size |
MAX_EVE_SIZE |
1000 MB |
Maximum eve.json size |
MAX_TRANSCRIPT_SIZE |
100,000 chars |
Maximum ASCII transcript length |
Suricata config is auto-generated from /etc/suricata/ on first run. Rules are downloaded via suricata-update if not present.
- Binds to
127.0.0.1only (no external access) - No CORS wildcard
- Input validation on all endpoints (IP, port, MD5, path traversal)
- PCAP magic byte validation (rejects non-PCAP uploads)
- URL safety checks (blocks localhost, private IPs, resolves hostname)
- Zip-slip prevention on archive extraction
- Generic error messages (no internal details leaked)
See docs/ARCHITECTURE.md for a detailed overview of how the pieces fit together.
See docs/API.md for the full API reference.
See docs/FILTERING.md for details on the filtering system.
# Server tests
python3 -m unittest test_server -v
# UI tests
python3 -m unittest test_ui -v
# All tests
python3 -m unittest discover -vSee LICENSE

