Open-source tools for monitoring, intercepting, and inspecting data packets across local and wide area networks.
Arkime (formerly Moloch) is a distributed packet analysis platform and full packet capture system designed for recording raw network traffic, indexing metadata, and performing network forensics. It functions as a network traffic indexer and security tool that enables the monitoring, querying, and browsing of large-scale network traffic across multi-cluster architectures: capture nodes write raw PCAP to local disk and index per-session metadata (SPI data) in Elasticsearch or OpenSearch. PCAP retention and index retention are managed separately, so a session can remain searchable after its packets have aged off disk. The platform distinguishes itself through its ability to manage distributed capture clusters from a centralized administrative dashboard. It integrates external data feeds (threat intelligence, via its WISE enrichment service) with internal traffic logs to identify known threats and provides a programmatic HTTP API for exporting raw traffic streams and session metadata to external analysis software. The system covers broad capability areas including network security monitoring, multi-cluster health observability, and traffic data search. It incorporates role-based access control to protect sensitive packet data and provides a web-based interface (the viewer) for packet capture browsing and forensic investigation.
Arkime is a comprehensive, distributed packet capture and indexing platform that provides the necessary tools for large-scale network traffic analysis, forensic investigation, and security monitoring.
This application is a desktop network traffic analyzer that provides real-time monitoring and forensic inspection of data packets. By interfacing directly with low-level system drivers, it captures raw network traffic from physical or virtual adapters to identify communication patterns, track bandwidth usage, and diagnose connectivity issues. The system distinguishes itself through an immediate-mode graphical interface that rebuilds the display state every frame, ensuring high responsiveness during live data updates. It maintains performance by using asynchronous message passing to decouple the packet capture engine from the rendering thread. To provide context for network activity, the application performs real-time enrichment through high-speed database lookups, enabling features like autonomous system identification, host location mapping, and reverse DNS resolution. Beyond basic monitoring, the tool includes comprehensive diagnostic and security capabilities. Users can apply granular traffic filtering, manage alert conditions for specific network events, and utilize automated threat detection to identify and block suspicious connections. The software also supports the recording of traffic data into standard file formats for offline analysis and provides configuration options for operation within isolated containerized environments.
This application is a cross-platform network traffic analyzer that provides real-time packet capture, protocol monitoring, and traffic filtering, though it focuses more on a graphical dashboard experience than the deep, low-level command-line packet dissection found in traditional protocol analyzers.
Wireshark is a network protocol analyzer and traffic inspector used for capturing and inspecting network traffic. It functions as a packet capture tool that intercepts live data from network interfaces and a TCP/IP dissector that decodes network protocol layers to translate raw binary packets into human-readable fields; the same dissectors back its display-filter language (for example tcp.flags.syn == 1 && tcp.flags.ack == 0), which is used to isolate packets of interest. The system provides capabilities for protocol stream reconstruction ("Follow Stream"), grouping related packets into cohesive conversations between endpoints and reassembling their payloads in sequence order. It also operates as a packet file converter, allowing for the reading, modification, and conversion of network capture files across various storage formats (pcap, pcapng and others) and compression standards. The project covers a broad surface of traffic analysis, including network address resolution, packet filtering, and binary pattern searching. It supports specialized protocol decoding, such as SNMP packet decoding using MIB files and DECT traffic analysis, alongside utilities for synthetic packet trace generation. Analysis can be performed through both a graphical interface and a text-mode command line interface (tshark) for environments without a graphical user interface. Because the dissectors parse untrusted input, the project's own guidance is to give only the separate capture process (dumpcap) the privileges needed to open interfaces and to run the analyzer itself as an unprivileged user.
Wireshark is the industry-standard network protocol analyzer that provides comprehensive packet capture, deep protocol dissection, real-time visualization, and robust command-line support for cross-platform traffic analysis.
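The two operations described above, decoding a capture file layer by layer and then grouping packets into a conversation whose payload can be followed in sequence order, are easier to reason about when spelled out on the wire format itself. The following is an added example written for this page, not Wireshark's own code: a minimal classic-pcap reader with an Ethernet/IPv4/TCP dissector, conversation grouping and one-direction stream reassembly, using only the Python standard library. The capture it reads is constructed inline (RFC 5737 documentation addresses, an invented hostname), so the script runs offline; the helper names are this example's own.

```python
import struct
from collections import defaultdict
from typing import Optional

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a header that already carries
    a correct checksum field the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dissect_frame(frame: bytes) -> Optional[dict]:
    """Ethernet -> IPv4 -> TCP. None for non-IPv4 frames; a record without
    ports for IPv4 packets that are not TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ver_ihl, _tos, _total, _ident, _frag, ttl, proto, _sum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    rec = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "ttl": ttl, "proto": proto, "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    if proto != 6 or len(ip) < ihl + 20:
        return rec
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    bits = off_flags & 0x1FF
    rec.update(sport=sport, dport=dport, seq=seq, ack=ack,
               flags=",".join(n for n, b in TCP_FLAGS if bits & b),
               payload=tcp[(off_flags >> 12) * 4:])
    return rec


def read_pcap(data: bytes):
    """Yield (timestamp, frame) from an in-memory pcap file of either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def conversations(data: bytes) -> dict:
    """Group TCP packets by the sorted (ip, port) pair, so both directions of
    a connection land in one bucket, which is what a stream view is built from."""
    convs = defaultdict(list)
    for _ts, frame in read_pcap(data):
        rec = dissect_frame(frame)
        if rec and "sport" in rec:
            key = tuple(sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])]))
            convs[key].append(rec)
    return dict(convs)


def follow_stream(packets: list, src: str, sport: int) -> bytes:
    """Reassemble one direction by sequence number so out-of-order segments
    land in place. Exact retransmissions are dropped; overlaps are not handled."""
    seen, out = set(), []
    for seq, payload in sorted((p["seq"], p["payload"]) for p in packets
                               if p["src"] == src and p["sport"] == sport and p["payload"]):
        if seq not in seen:
            seen.add(seq)
            out.append(payload)
    return b"".join(out)


# --- constructed sample capture (not a real network trace) ---
def _inet(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def make_frame(src, dst, sport, dport, flags, seq, ack, payload=b""):
    """Ethernet/IPv4/TCP frame with a valid IPv4 header checksum. The TCP
    checksum is left zero: this dissector does not verify it (Wireshark would
    flag it unless TCP checksum validation is disabled)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, _inet(src), _inet(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return bytes.fromhex("020000000002020000000001") + b"\x08\x00" + hdr + tcp


def make_pcap(frames) -> bytes:
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


C, S = "10.0.0.5", "203.0.113.10"
SYN, ACK, PSH = 0x02, 0x10, 0x08
SAMPLE_PCAP = make_pcap([
    make_frame(C, S, 40000, 80, SYN, 1000, 0),
    make_frame(S, C, 80, 40000, SYN | ACK, 5000, 1001),
    make_frame(C, S, 40000, 80, ACK, 1001, 5001),
    # the HTTP request is split over two segments that were captured out of order
    make_frame(C, S, 40000, 80, PSH | ACK, 1017, 5001, b"Host: example.test\r\n\r\n"),
    make_frame(C, S, 40000, 80, PSH | ACK, 1001, 5001, b"GET / HTTP/1.1\r\n"),
    make_frame(S, C, 80, 40000, PSH | ACK, 5001, 1039, b"HTTP/1.1 200 OK\r\n\r\n"),
])

if __name__ == "__main__":
    for key, pkts in conversations(SAMPLE_PCAP).items():
        for p in pkts:  # the packet-list view
            print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} [{p["flags"]}] seq={p["seq"]} ip_ok={p["ip_checksum_ok"]}')
        print(follow_stream(pkts, C, 40000).decode())  # client side of the stream
```

Feeding the script a real capture means replacing SAMPLE_PCAP with the bytes of a pcap file written by dumpcap or tcpdump; pcapng files need a different block-based reader, which is one reason to standardise on a single format when exchanging captures.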
Scapy is a Python packet manipulation tool and protocol analysis suite designed for crafting, sending, sniffing, and dissecting network traffic. It functions as a framework for building custom network tools that interact directly with low-level packet headers and payloads, enabling users to perform security research and network diagnostics. The system distinguishes itself through a layer-based construction model in which protocols are Python classes stacked with the / operator (for example Ether()/IP()/TCP()); length, next-protocol and checksum fields that are left unset are computed automatically when the packet is serialized. Each layer declares its fields as a list of typed field descriptors, which drive both serialization to bytes and parsing from bytes, and packets are sent through raw layer 2 or layer 3 sockets so that arbitrary headers can be injected. This requires root or CAP_NET_RAW, and the local kernel, which knows nothing about a hand-crafted connection, will reset replies it does not expect unless they are filtered. The platform provides a comprehensive capability set for network security testing, automated scanning, and traffic simulation. It includes a protocol dissection engine that recursively parses binary streams into structured objects, supported by stateful flow tracking (session classes such as TCPSession) to correlate packets into logical sessions. Users can capture and analyze live traffic through a background sniffing loop (sniff() or AsyncSniffer) to troubleshoot communication patterns and verify protocol implementations.
Scapy is a powerful framework for packet manipulation and analysis that provides the core dissection and capture capabilities required, though it is designed as a programmable library for building custom tools rather than a standalone GUI-based traffic analyzer.
Termshark is a terminal-based network packet analyzer and protocol flow inspector. It is a keyboard-driven terminal user interface built on top of the tshark command-line utility, so it inherits Wireshark's dissectors and display-filter syntax rather than implementing its own, and it can analyze recorded capture files or live network interfaces from an SSH session or a headless host. It specifically enables the reassembly and inspection of TCP and UDP flows to isolate traffic patterns and analyze network conversations by protocol. The system includes capabilities for packet capture filtering to isolate specific data based on defined criteria and supports exporting selected packet ranges to the system clipboard for external analysis. Because it drives tshark, it requires a working tshark installation and the same capture privileges.
Termshark is a terminal-based network protocol analyzer that provides a keyboard-driven interface for tshark, offering robust packet capture, dissection, and filtering capabilities in a command-line environment.
Moloch is the former name of the project now developed as Arkime (renamed in 2020); new deployments should use Arkime, and the description below applies to both. It is a full packet capture system and network forensics platform designed for large scale network traffic recording and indexing. It functions as a distributed packet indexer that stores raw data in PCAP format for deep packet analysis and security investigations. The system distinguishes itself through a decentralized architecture that distributes capture and viewing components across multiple nodes to handle high volumes of network traffic. It utilizes a web-based management interface for browsing network sessions and provides a programmable API for exporting captured traffic and metadata. The platform covers several core capability areas, including network metadata indexing for rapid event retrieval, distributed network monitoring, and detailed network traffic forensics. Data access is protected through authentication proxies, API keys, passwords, and encrypted connections.
Moloch (now Arkime) is a robust, distributed packet capture and indexing platform that provides deep forensic analysis and session browsing, though it focuses more on large-scale storage and retrospective investigation than on real-time protocol dissection.
ntopng is a web-based network traffic monitoring tool and flow data aggregator. It functions as a network security monitor, an SNMP network management system, and an industrial protocol analyzer for OT and SCADA environments. The system provides specialized inspection for industrial protocols such as Modbus, DNP3, and IEC 60870. It distinguishes itself through behavioral threat detection, encrypted traffic analysis via TLS handshake fingerprinting (JA3), and the ability to identify hardware and operating systems using DHCP and MAC address patterns. Its broader capabilities include real-time traffic analysis and packet capture, network topology mapping, and the orchestration of tiered collector hierarchies. The platform also manages network access control through captive portals, enforces traffic quotas, and exports flow and alert data to external databases such as ClickHouse, Elasticsearch, and Kafka. The project supports executing multiple independent monitoring instances on a single host using isolated configurations. Several of these capabilities, SNMP monitoring and the captive portal among them, are only available in the commercial Pro and Enterprise editions, so the edition feature matrix should be checked before planning a deployment around them.
This tool provides comprehensive real-time traffic analysis, flow aggregation, and packet capture capabilities, making it a robust solution for network monitoring and security inspection.
PCAPdroid is an Android network traffic analyzer and packet capture tool that operates without requiring root access: it registers itself as a VPN through Android's VpnService so that all device traffic is routed through it. It functions as a VPN-based firewall and network controller, capable of recording traffic in PCAPng format and blocking connections to specific domains or malicious hosts. The project distinguishes itself through a mitmproxy-based addon for decrypting TLS traffic and the ability to route device network traffic through SOCKS5 proxies or the Tor network. It further allows for the modification of live HTTP requests and responses via custom scripts. Its capabilities cover application connection monitoring, DNS request analysis, and protocol payload inspection. The tool provides IP data enrichment using offline databases and supports exporting captured data to local files or remote servers for external analysis. TLS decryption only works for apps that trust the installed CA certificate: since Android 7 apps trust only system CAs by default, and apps that pin certificates will fail their handshake rather than be decrypted.
PCAPdroid is a specialized network traffic analyzer for Android that provides packet capture, protocol inspection, and traffic filtering, though it is limited to the mobile platform rather than being a general-purpose desktop protocol analyzer.
bandwhich is a command-line network utility and terminal bandwidth monitor designed for real-time traffic analysis. It functions as a process-based traffic tracker that links network bandwidth usage directly to the system processes and remote hosts responsible for the data transfer. The tool provides a terminal user interface for monitoring active connections and identifying data-consuming applications. It performs background reverse DNS lookups to associate remote IP addresses with human-readable hostnames and tracks cumulative data utilization over the duration of a capture session. Its broader capabilities include network traffic filtering to isolate specific connections and the export of raw bandwidth metrics into machine-readable, delimited formats for external analysis. Because it reads raw packets and inspects other processes' sockets, it must run as root or be granted the equivalent Linux capabilities (cap_net_raw, cap_net_admin, cap_sys_ptrace, cap_dac_read_search) with setcap.
This tool is a process-based bandwidth monitor that tracks traffic per application, but it lacks the deep packet inspection and protocol dissection capabilities required for a full network protocol analyzer.
Proxypin is a cross-platform HTTP and HTTPS proxy debugger designed to capture, inspect, and modify network traffic. It functions as a man-in-the-middle interceptor, allowing developers to analyze application data flows and validate network communication during development and testing. The tool distinguishes itself through its focus on mobile and remote device integration, utilizing QR-code-based configuration synchronization to simplify the setup of proxy settings and of its root CA certificate on the device; HTTPS can only be decrypted for clients that trust that certificate, and certificate-pinned apps will reject it. It includes an event-driven scripting engine that enables programmatic manipulation of requests and responses, alongside command-line interface capabilities for automating traffic processing workflows. The platform provides a comprehensive suite of observability and traffic management utilities, including real-time TLS decryption, persistent local log storage, and rule-based filtering. Users can isolate specific network streams using domain or keyword patterns, block requests to simulate connection failures, and export captured history for long-term analysis.
This tool functions as a proxy-based traffic interceptor and debugger that provides request and response capture, protocol inspection, and filtering at the HTTP layer, making it a capable alternative for analyzing application-level network flows.
Kubeshark is a network observability platform designed for Kubernetes environments, functioning as an eBPF-powered engine for cluster-wide traffic analysis. It captures, indexes, and visualizes network activity and API calls directly from the kernel, providing deep visibility into service-to-service communication without requiring sidecar proxies or manual code instrumentation. The platform distinguishes itself through its ability to perform protocol-aware traffic dissection and user-space cryptographic hooking (eBPF uprobes on TLS library functions such as OpenSSL and Go's crypto/tls), which allows for the inspection of traffic before encryption and after decryption and the reconstruction of application-layer protocols like HTTP, gRPC, and Kafka. It supports advanced diagnostic capabilities, including AI-driven troubleshooting, forensic analysis of network snapshots, and the correlation of infrastructure events with application-level traffic patterns. Beyond core monitoring, the system provides a comprehensive suite of tools for managing traffic data, including granular role-based access control, sensitive data redaction, and flexible storage options ranging from ephemeral local buffers to cloud-based object storage. It is built to operate in diverse environments, supporting air-gapped deployments and integrating with standard Kubernetes ingress resources for secure dashboard access. The project is managed via a command-line interface that facilitates deployment control, custom script execution, and the sharing of specific traffic analysis views through encoded search queries. Its per-node workers run as a privileged DaemonSet in order to attach eBPF programs, which is a trust decision to weigh before deploying it into a production cluster.
Kubeshark is a specialized network protocol analyzer tailored for Kubernetes environments that provides packet capture, protocol dissection, and real-time traffic visualization through an eBPF-powered engine and command-line interface.
Mitmproxy is an interactive, programmable network proxy engine designed for traffic analysis and protocol manipulation. It functions as a gateway that intercepts, inspects, and modifies network traffic in real-time, supporting HTTP, HTTPS, WebSocket, DNS, and generic TCP or UDP streams. By acting as a certificate authority that the client has been configured to trust, the proxy can dynamically generate and sign a certificate for whatever hostname is requested, decrypting and analyzing TLS-encrypted connections; clients that do not trust the mitmproxy CA, or that pin certificates, fail their TLS handshake rather than being intercepted. The project distinguishes itself through a highly extensible, event-driven architecture that allows users to automate traffic transformation using custom addon scripts whose methods are called on events such as request and response. It provides a unified command-based interface for manual interaction, enabling users to define custom key bindings, content views, and command-line tools. The engine supports multiple operational modes, including explicit, transparent, reverse, and SOCKS proxying, as well as a userspace WireGuard VPN mode for capturing traffic without requiring client-side proxy configuration. Beyond basic interception, the platform includes comprehensive tools for recording and replaying network conversations to simulate complex interactions or automate repetitive tasks. It offers advanced capabilities such as request blocking, header and body modification, and local resource mapping. The system also provides robust support for debugging and performance analysis, including TLS key logging in SSLKEYLOGFILE format, which lets Wireshark decrypt the same sessions, and structured data representation. The software is designed for rapid iteration, featuring live script reloading that updates custom logic without restarting the proxy process. It includes extensive documentation for managing certificates, configuring proxy modes, and implementing custom addons through a well-defined programmatic interface.
This tool functions as a powerful interactive proxy for intercepting, inspecting, and modifying encrypted traffic, making it a highly effective choice for network analysis and debugging despite its focus on proxy-based interception rather than passive packet sniffing.
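The addon mechanism described above, as an added example for this page rather than code from the mitmproxy project: a script that inventories which hosts receive credentials (storing only a redacted prefix), blocks a denylisted host, strips and adds request headers, and rewrites a JSON response body. It is loaded with mitmproxy -s rewrite_addon.py (the filename, the denylist and the example hostnames are assumptions). The addon itself uses only the duck-typed flow.request and flow.response attributes that mitmproxy passes to the hooks, so the FakeFlow stand-in at the bottom, a constructed stand-in and not a mitmproxy class, lets the hooks be exercised offline.

```python
import json

BLOCKED_HOSTS = {"telemetry.example.test"}          # assumed denylist for the demo
SECRET_HEADERS = ("authorization", "cookie", "x-api-key")


def redact(value: str) -> str:
    """Keep a short prefix so a token can be recognised without being stored."""
    return value[:4] + "..." if len(value) > 4 else "..."


class TrafficRewriter:
    """mitmproxy calls request() and response() once per HTTP flow; whatever an
    addon changes on flow.request / flow.response is what the other side gets."""

    def __init__(self):
        self.credentials_seen = []   # (host, header name, redacted value)
        self.blocked = []

    def request(self, flow):
        req = flow.request
        # Inventory which hosts receive credentials. flow.request.headers is
        # case-insensitive in mitmproxy, so lowercase names match.
        for name in SECRET_HEADERS:
            if name in req.headers:
                self.credentials_seen.append((req.host, name, redact(req.headers[name])))
        # Request blocking: kill() makes mitmproxy drop the flow without
        # forwarding it, so the client sees a failed connection.
        if req.host in BLOCKED_HOSTS:
            self.blocked.append(req.host)
            flow.kill()
            return
        # Header modification on the way out.
        req.headers["x-intercepted-by"] = "mitmproxy-addon"
        req.headers.pop("x-internal-debug", None)

    def response(self, flow):
        resp = flow.response
        if resp is None or "application/json" not in resp.headers.get("content-type", ""):
            return
        # Body modification: force a server-controlled flag on to exercise a
        # client code path the real backend would not normally trigger.
        body = json.loads(resp.content)
        if isinstance(body, dict) and "feature_enabled" in body:
            body["feature_enabled"] = True
            resp.content = json.dumps(body).encode()   # mitmproxy updates Content-Length itself
        resp.headers["x-rewritten"] = "1"


addons = [TrafficRewriter()]   # mitmproxy loads this list when the script is given with -s


# --- constructed stand-ins so the hooks can be exercised without mitmproxy ---
class _Message:
    def __init__(self, host=None, headers=None, content=b""):
        self.host = host
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}  # lowercase dict stands in for mitmproxy's case-insensitive Headers
        self.content = content


class FakeFlow:
    """Minimal stand-in for mitmproxy.http.HTTPFlow (assumed shape, offline use only)."""

    def __init__(self, host, req_headers, resp_headers=None, resp_body=b""):
        self.request = _Message(host, req_headers)
        self.response = _Message(headers=resp_headers, content=resp_body)
        self.killed = False

    def kill(self):
        self.killed = True


def run_offline():
    addon = TrafficRewriter()
    api = FakeFlow("api.example.test",
                   {"Authorization": "Bearer s3cr3t-token", "X-Internal-Debug": "1"},
                   {"Content-Type": "application/json"},
                   b'{"feature_enabled": false, "user": "alice"}')
    telemetry = FakeFlow("telemetry.example.test", {"Cookie": "session=abc"})
    for flow in (api, telemetry):
        addon.request(flow)
        if not flow.killed:          # mitmproxy never runs response() for a killed flow
            addon.response(flow)
    return addon, api, telemetry


if __name__ == "__main__":
    addon, api, telemetry = run_offline()
    print("blocked:", addon.blocked)
    print("credentials seen:", addon.credentials_seen)
    print("rewritten body:", api.response.content)
```

Killing the flow is the simplest way to make an endpoint unreachable; to return a synthetic error page instead, an addon imports mitmproxy.http and assigns http.Response.make(403, b"blocked") to flow.response in the request hook, which short-circuits the upstream request in the same way.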