Analyst Toolkit · Interactive Tool

Zeek Triage — pcap IOC Analyzer

Upload a .pcap file and get an automated IOC threat report — HTTP, TLS, DHCP, and data-volume analysis with severity scoring. Runs entirely in your browser. No data leaves your machine. Built on the zeek_triage.py workflow from Lab Log 006.

BROWSER-BASED · NO SERVER · NO DATA UPLOAD · TRAINING DATASETS ONLY
⚠️ Training & Educational Use Only: Do not upload pcap files containing real operational traffic, classified data, CUI, or network captures from production environments. Use only with synthetic, lab-generated, or publicly available training datasets such as malware-traffic-analysis.net.

CMMC / DFARS Compliance Notice — Uploading pcap files from DoD contractor networks, systems processing CUI, or any environment subject to CMMC, DFARS 252.204-7012, or ITAR/EAR controls may constitute a compliance violation. This tool has not been assessed or authorized for use with controlled information. Consult your ISSO before use in any regulated context.

Works well with:
HTTP-based C2 beaconing
Suspicious TLD domains (.su .cc .cyou .lat)
Dynamic DNS providers
KNOWN_BAD IOC matches

Limited results with:
Pure TLS with clean domain names
New malware with unknown domains
Kerberos username extraction
.pcapng format (use .pcap only)
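The kind of checks behind the "works well with" list, as an added example written for this page (not the tool's own zeek_triage.py code): it applies suspicious-TLD, dynamic-DNS, KNOWN_BAD and HTTP-beacon heuristics to parsed Zeek-style http.log/ssl.log records and rolls the hits into a severity score. The weights, thresholds, dynamic-DNS provider names, KNOWN_BAD entries and the sample records are all assumptions constructed for the example.

```python
import statistics
from collections import defaultdict

# Heuristics modelled on the page's "works well with" list. Weights, thresholds,
# provider names and KNOWN_BAD entries are assumptions for this example only.
SUSPICIOUS_TLDS = {"su", "cc", "cyou", "lat"}
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "dyndns.org")
KNOWN_BAD = {"evil-updates.su", "198.51.100.23"}  # constructed IOCs (TEST-NET-2 range)
WEIGHTS = {"known_bad": 10, "suspicious_tld": 5, "dynamic_dns": 4, "http_beacon": 6}

def severity(score):
    """Map a numeric score onto a coarse band (assumed thresholds)."""
    if score >= 10:
        return "critical"
    if score >= 5:
        return "high"
    return "medium" if score > 0 else "info"

def is_beacon(timestamps, min_hits=4, max_jitter=0.2):
    """Evenly spaced requests (low relative spread of the gaps) look like a beacon."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter

def triage(records):
    """records: Zeek-style http.log / ssl.log dicts (JSON lines already parsed)."""
    by_host = defaultdict(lambda: {"ips": set(), "http_ts": []})
    for r in records:
        host = r.get("host") or r.get("server_name") or r["id.resp_h"]
        by_host[host]["ips"].add(r["id.resp_h"])
        if "method" in r:  # only http.log records carry a method
            by_host[host]["http_ts"].append(r["ts"])
    report = {}
    for host, info in by_host.items():
        findings = []
        if host in KNOWN_BAD or info["ips"] & KNOWN_BAD:
            findings.append("known_bad")
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            findings.append("suspicious_tld")
        if any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
            findings.append("dynamic_dns")
        if is_beacon(info["http_ts"]):
            findings.append("http_beacon")
        score = sum(WEIGHTS[f] for f in findings)
        report[host] = {"findings": findings, "score": score, "severity": severity(score)}
    return report

# Constructed sample: four POSTs every 60 s to a .su host on a KNOWN_BAD IP, one TLS
# session to a clean domain (the "limited results" case), one GET to a dynamic-DNS name.
SAMPLE = [{"ts": 1000.0 + 60 * i, "id.resp_h": "198.51.100.23",
           "host": "evil-updates.su", "method": "POST"} for i in range(4)]
SAMPLE += [{"ts": 1300.0, "id.resp_h": "203.0.113.8", "server_name": "cdn.example.com"},
           {"ts": 1310.0, "id.resp_h": "203.0.113.9", "host": "box7.duckdns.org", "method": "GET"}]
```

Running `triage(SAMPLE)` scores the .su host as critical, the dynamic-DNS host as medium and the clean TLS host as info, which is the behaviour the two lists above describe.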

Suggested test file: Download any exercise pcap from malware-traffic-analysis.net — free, publicly available malware captures intended for training. The January and February 2026 Lumma Stealer exercises work especially well with this tool.