PacketSense
Local-first packet investigation

Local-first packet investigation for network engineers and SOC teams.

PacketSense turns PCAP files, live captures, and text-based packet evidence into structured findings, stream views, threat context, reports, and guided investigation — while keeping raw captures local by default.

Desktop app · macOS · Windows · Linux
Raw captures stay local by default
PacketSense
LOCAL
No.   Source           Dest             Proto
218   198.51.100.24    192.0.2.44       TLS
219   192.0.2.44       198.51.100.24    TLS
220   198.51.100.24    192.0.2.44       HTTP
221   192.0.2.71       198.51.100.24    TCP
222   198.51.100.24    192.0.2.71       TCP
223   198.51.100.24    203.0.113.10     DNS
224   203.0.113.10     198.51.100.24    DNS
225   198.51.100.24    192.0.2.44       TLS

Protocol distribution

  • TCP 46%
  • TLS 27%
  • DNS 11%
  • HTTP 8%
  • UDP 5%

2 anomalies

SYN retries to 192.0.2.71:9099 · NXDOMAIN beacon lookup

Assistant finding

Workstation contacted an unknown host and failed to complete the handshake. → frames 221–224

PCAP / PCAPNG analysis · Text-to-capture import · Live capture · Local Analyst Assistant · Stream reconstruction · Enterprise policy controls · Threat intelligence updates

The problem

Packet captures hold the truth. It's just buried.

Captures contain the truth, but that truth is often buried in raw rows, flags, ports, timings, streams, and protocol details. PacketSense keeps packet evidence inspectable while adding the structure analysts need to move faster.

Rich but hard to triage

Captures hold the truth, but it's buried in rows, flags, ports, timings, streams, and protocol details.

Juniors get lost in raw tables

Packet tables are unforgiving. Newer analysts spend hours where the signal is minutes away.

Seniors still need proof

Experienced engineers need deterministic, inspectable evidence — not a black box that says 'trust me'.

Sensitive captures can't leave

Plenty of captures simply cannot be uploaded to a cloud tool. The workflow has to run locally.

Too many disconnected tools

Traditional triage jumps between tools, scripts, notes, screenshots, and reports — losing traceability.

How it works

From raw capture to evidence-backed finding.

One workflow, five stages — import, normalize, prioritize, investigate, and package — so evidence moves forward without jumping between disconnected tools.

01 Import evidence

Bring in packets from wherever the evidence lives.

  • PCAP / PCAPNG files
  • Live capture from interfaces
  • Text captures, FortiGate logs, hex dumps
02 Normalize & inspect

Every source becomes one inspectable packet model.

  • Packet log
  • Protocol tree
  • Filters
  • Packet details
03 Prioritize

See what deserves attention first.

  • Anomalies
  • TCP / TLS issues
  • Top talkers
  • Threat context
04 Investigate

Move from a signal to a conclusion you can defend.

  • Stream content
  • Flow sequence
  • Timeline
  • Guided diagnosis
  • Local Analyst Assistant
05 Package

Turn evidence into something you can hand off.

  • Reports
  • CSV / PCAP slices
  • Evidence-backed summaries
Capabilities

A full investigation surface, built on the packet.

Every capability keeps packet-level traceability — so findings stay defensible from first triage to final report.

Packet Log

A professional packet log built for analyst navigation — filter, inspect, and classify without losing the raw frame.

  • Filtering & protocol categorization
  • Packet details & packet bytes
  • Right-click context actions
  • Follow-stream navigation

Stream Content

Reconstruct HTTP/TCP/UDP-style conversations where the capture supports it — and explain gracefully when a stream can't be rebuilt.

  • Follow-stream reconstruction
  • Request/response context
  • Honest gaps, not guesses

Text Capture Import

Turn text-based evidence into analyzable capture data — FortiGate-style logs, hex dumps, and text packet data.

  • FortiGate-style log import
  • Hex-dump conversion
  • Text-to-capture normalization

Local Analyst Assistant

A local assistant that summarizes capture evidence, suggests next steps, and creates actionable drilldowns — always linked back to packets.

  • Evidence summaries
  • Follow-up questions
  • Guided drilldowns & next steps

Threat Hunting

Surface what's worth a closer look — anomaly summaries, local rules, and threat-intelligence enrichment where configured.

  • Anomaly summaries
  • Local rules
  • Threat-intel enrichment where enabled

TLS / Security

Understand the security posture of a capture with TLS visibility, handshake context, and clear warning surfaces.

  • TLS handshake visibility
  • Security context
  • Warning surfaces

Network Intelligence

See who's talking to whom — top talkers, geolocation-style summaries where the data exists, and topology-style context.

  • Top talkers
  • Geolocation-style summaries
  • Topology-style context

Reports & Exports

Share investigation findings without losing packet-level traceability — reports plus CSV/PCAP slices.

  • Evidence-backed reports
  • CSV / PCAP slices
  • Traceable findings

Enterprise Controls

Governance for teams that handle sensitive evidence — seats, admin-only controls, policy, and cloud-AI governance.

  • Seat & device management
  • Admin-only controls
  • Local-only mode & AI policy
Evidence, not a black box

Every conclusion links back to the packet.

Senior analysts need deterministic, inspectable evidence — and juniors need a way in that doesn't start with a wall of raw rows. PacketSense gives you both.

  • Filter, inspect, and classify without losing the raw frame
  • Protocol tree, packet details, and packet bytes side by side
  • Right-click context actions and follow-stream navigation
  • Anomalies surfaced inline, not hidden behind a score
PacketSense
tls.handshake || tcp.flags.reset==1
No.   Time   Source   Dest   Proto   Len

Packet details · frame 218

  • Frame 218: 583 bytes on wire (4664 bits)

    • Arrival Time: Jun 12, 2026 09:41:03.199402
    • Frame Length: 583 bytes
    • Protocols in frame: eth:ethertype:ip:tcp:tls
  • Internet Protocol Version 4, Src: 198.51.100.24, Dst: 192.0.2.44

    • Time to Live: 64
    • Protocol: TCP (6)
    • Header Checksum: 0x0000 [validation disabled]
  • Transport Layer Security

    • TLSv1.3 Record Layer: Handshake Protocol: Client Hello
    • Version: TLS 1.2 (0x0303)
    • Extension: server_name (SNI=telemetry-edge.example)

Packet bytes

0000  45 00 02 47 1c 42 40 00 40 06 00 00 c6 33 64 18
0010  c0 00 02 2c c3 ca 01 bb 6b 2f a1 04 00 00 00 00
0020  b0 02 fa f0 4f 21 00 00 02 04 05 b4 01 03 03 08
0030  16 03 01 02 12 01 00 02 0e 03 03 5f a1 c8 2b 74

Local-first security

Built for sensitive packet evidence.

Sensitive captures should not need to leave the analyst's machine just to get useful answers. PacketSense is designed for local analysis first, with enterprise policy controlling optional cloud workflows.

Your machine · trust boundary

PacketSense app

Where analysis happens

Captures & reports

Stored locally, by you

Your raw captures never leave this boundary. Analysis runs on your machine.

license
updates
License check

Confirms your license is active. No capture data is uploaded.

Threat intelligence

Keeps detections current, verified before use — your captures stay put.

Optional cloud AI
off by default

Stays off unless an enterprise explicitly enables and approves it.

Local Analyst Assistant · runs on-device · cites packet evidence

This capture shows a workstation resolving and briefly contacting an unknown host. Two signals are worth reviewing:

  1. Failed handshakes to 192.0.2.71:9099

    5 SYN attempts, no completed TCP handshake — a RST arrives from an unexpected source port. Consistent with a blocked or dead service.

    → frames 221, 222

  2. NXDOMAIN lookup: c2-beacon.example

    A non-cached DNS query for a suspicious name returned NXDOMAIN. No follow-on connection was observed in this capture.

    → frames 223, 224

Suggested next steps

  • Follow the TCP stream to 192.0.2.71 and confirm the reset origin.
  • Check whether c2-beacon.example appears in signed intelligence bundles.

Local Analyst Assistant

Guidance that still shows its work.

The Local Analyst Assistant summarizes capture behavior, identifies investigation patterns, suggests next steps, and links back to packet-level evidence so analysts can validate every conclusion.

  • Summarizes capture behavior in plain language
  • Identifies investigation patterns and next steps
  • Every finding links back to specific frames
  • Runs on-device — no raw capture leaves the machine
Enterprise

Controls for teams that handle sensitive evidence.

Enterprise controls let organizations manage seats, enforce local-only workflows, control cloud AI providers, and distribute signed intelligence updates without turning raw captures into cloud telemetry.

Enterprise Admin
ADMIN

Policy controls

  • Local-only mode: Block all remote export & cloud AI
  • Allow cloud AI providers: Enterprise-approved providers only
  • Detailed audit logging: Record analyst actions
  • Signed intelligence updates: Verify bundle signatures before apply

Seat & device inventory

  • soc-analyst-01 · macOS · Pro seat · active
  • ir-lead-02 · Windows · Pro seat · active
  • msp-field-07 · Linux · Individual seat · idle

Admin can deactivate any device seat from this view.
Managed service providers · SOC teams · Internal security · Incident response · Network operations

Roadmap

An honest view of where PacketSense is going.

PacketSense is maturing across three horizons — a capable local-first investigation experience today, deeper enterprise workflows next, and broader deployment options later — while preserving the core promise that raw captures stay local.

Now / Pilot
  • Local-first desktop analysis
  • PCAP / PCAPNG import
  • Text capture import
  • Live capture
  • Packet log & stream workflows
  • Local Analyst Assistant
  • Enterprise admin foundations
  • Threat-intelligence updates
Next
  • Deeper enterprise admin workflows
  • Expanded threat-intelligence coverage
  • Broader protocol & capture coverage
  • Guided investigation improvements
  • Public documentation & support site
  • Richer reporting & export options
Later
  • Hosted customer & admin portal
  • Additional deployment options
  • Broader cloud AI provider options
  • Expanded detection & rule coverage
  • Partner & channel programs

Bring PacketSense into your investigation workflow.

Request pilot access and evaluate the full local workflow — PCAP and text import, live capture, the Local Analyst Assistant, threat hunting, and reports.