Advanced open-source tools for capturing, inspecting, and decoding complex network traffic and communication protocols.
Wireshark is a network protocol analyzer used for capturing and inspecting network traffic. It functions as a packet capture tool that intercepts live data from network interfaces and as a protocol dissector that decodes each protocol layer, translating raw binary packets into human-readable fields. It provides protocol stream reconstruction, grouping related packets into cohesive conversations between endpoints. It also operates as a packet file converter, allowing for the reading, modification, and conversion of network capture files across vari
Wireshark is the industry-standard network protocol analyzer that provides comprehensive packet dissection, live traffic capture, and extensive protocol support through both a powerful graphical interface and a robust command-line toolset.
Scapy is a Python packet manipulation library and protocol analysis suite designed for crafting, sending, sniffing, and dissecting network traffic. It functions as a framework for building custom network tools that interact directly with low-level packet headers and payloads, enabling users to perform security research and network diagnostics. It distinguishes itself through a layer-based construction model in which protocols are stacked as objects (for example, IP()/TCP()), with checksums and length fields filled in automatically at build time unless explicitly set. It utilizes dynamic field reflection to map packet structures to bin
Scapy is a powerful framework for packet manipulation and dissection that provides the core engine for deep protocol analysis, though it is primarily a library-based tool rather than a standalone GUI-driven analyzer.
This application is a desktop network traffic analyzer that provides real-time monitoring and forensic inspection of data packets. By interfacing directly with low-level system drivers, it captures raw network traffic from physical or virtual adapters to identify communication patterns, track bandwidth usage, and diagnose connectivity issues. The system distinguishes itself through an immediate-mode graphical interface that rebuilds the display state every frame, ensuring high responsiveness during live data updates. It maintains performance by using asynchronous message passing to decouple t
This is a desktop network traffic analyzer that provides real-time monitoring and packet inspection, though it focuses more on high-level traffic visualization and security diagnostics than the deep, low-level protocol dissection found in traditional packet analyzers.
Termshark is a terminal-based network packet analyzer and protocol flow inspector. It is a keyboard-driven terminal user interface built on the tshark command-line utility, so it reuses Wireshark's dissectors and display-filter logic to analyze saved capture files or live network interfaces. It can reassemble TCP and UDP streams to isolate individual conversations and analyze them by protocol. The system includes capabilities for
Termshark is a terminal-based network protocol analyzer that wraps tshark in a text user interface, offering robust packet dissection, live traffic capture, and protocol inspection capabilities.
PCredz is a network credential extraction tool and traffic analyzer designed to pull passwords, hashes, and tokens out of IPv4 and IPv6 traffic. It functions as both a real-time monitor for live network interfaces and a parser for saved packet capture files. The tool identifies sensitive information, including credit card numbers and authentication tokens, using protocol-aware parsing. It does not crack anything itself; instead it normalizes captured authentication hashes into the input syntaxes expected by external password-cracking tools. Capabilities include real-time traffic in
This tool functions as a specialized network traffic analyzer focused on credential extraction and protocol-aware parsing, though it lacks the broad, general-purpose protocol dissection and graphical visualization features found in comprehensive network protocol analyzers.
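The normalization step described above, turning an authentication exchange seen on the wire into a line a cracking tool accepts, is shown below for NTLMv2 as an added example; it is not PCredz code. It parses the server challenge out of an NTLMSSP CHALLENGE message and the user, domain and NT response out of the AUTHENTICATE message, then emits the `user::domain:challenge:NTProofStr:blob` line used by hashcat mode 5600. The messages, the NT hash value and the blob are constructed inline for the demo; the NTLMv2 computation itself follows MS-NLMP so the emitted line can be verified by recomputing the proof.

```python
import hmac
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
CHALLENGE, AUTHENTICATE = 2, 3
FLAG_UNICODE = 0x00000001  # strings are UTF-16LE; the constructed messages set this flag

def _sec_buf(data: bytes, offset: int) -> bytes:
    """NTLMSSP security buffer descriptor: len, maxlen, offset (all little-endian)."""
    return struct.pack("<HHI", len(data), len(data), offset)

def _read_sec_buf(msg: bytes, pos: int) -> bytes:
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")  # never trust captured offsets
    return msg[offset:offset + length]

def _msg_type(msg: bytes) -> int:
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]

def parse_challenge(msg: bytes) -> bytes:
    """Return the 8-byte server challenge from a CHALLENGE (type 2) message."""
    if _msg_type(msg) != CHALLENGE or len(msg) < 32:
        raise ValueError("not an NTLMSSP CHALLENGE")
    return msg[24:32]

def parse_authenticate(msg: bytes) -> dict:
    """Return user, domain and the NT response from an AUTHENTICATE (type 3) message."""
    if _msg_type(msg) != AUTHENTICATE or len(msg) < 64:
        raise ValueError("not an NTLMSSP AUTHENTICATE")
    return {"nt_response": _read_sec_buf(msg, 20),
            "domain": _read_sec_buf(msg, 28).decode("utf-16-le"),
            "user": _read_sec_buf(msg, 36).decode("utf-16-le")}

def to_hashcat_5600(server_challenge: bytes, auth: dict) -> str:
    """NetNTLMv2 line: user::domain:server_challenge:NTProofStr:blob (hashcat -m 5600, John netntlmv2)."""
    nt = auth["nt_response"]
    if len(nt) <= 24:
        raise ValueError("24-byte NT response is NTLMv1, which needs a different format (hashcat -m 5500)")
    return "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"], server_challenge.hex(), nt[:16].hex(), nt[16:].hex())

def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """MS-NLMP: NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) || domain); NTProofStr = HMAC-MD5(NTOWFv2, challenge || blob)."""
    ntowf_v2 = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    return hmac.new(ntowf_v2, server_challenge + blob, "md5").digest() + blob

def build_messages(user, domain, nt_hash, server_challenge, blob):
    """Constructed CHALLENGE/AUTHENTICATE pair; only the fields the parser reads are populated."""
    challenge = (NTLMSSP_SIG + struct.pack("<I", CHALLENGE) + _sec_buf(b"", 56) + struct.pack("<I", FLAG_UNICODE)
                 + server_challenge + b"\x00" * 8 + _sec_buf(b"", 56) + b"\x00" * 8)
    # payload items in header order: LM response, NT response, domain, user, workstation, session key
    items = [b"\x00" * 24, ntlmv2_response(nt_hash, user, domain, server_challenge, blob),
             domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    descriptors, payload, offset = b"", b"", 64  # 64 = fixed header size without version/MIC
    for item in items:
        descriptors += _sec_buf(item, offset)
        payload += item
        offset += len(item)
    authenticate = NTLMSSP_SIG + struct.pack("<I", AUTHENTICATE) + descriptors + struct.pack("<I", FLAG_UNICODE) + payload
    return challenge, authenticate

def demo() -> str:
    nt_hash = bytes(range(16))  # constructed stand-in for MD4(password); not derived from a real password
    # constructed NTLMv2 blob: version bytes, reserved, timestamp, client nonce, empty AV pairs
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\x11" * 8 + b"\x00" * 8
    challenge, authenticate = build_messages("alice", "CORP", nt_hash, bytes.fromhex("0123456789abcdef"), blob)
    return to_hashcat_5600(parse_challenge(challenge), parse_authenticate(authenticate))

if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the CHALLENGE and AUTHENTICATE messages arrive in different packets (and for HTTP, different requests), so the server challenge has to be held until the matching response is seen, and a 24-byte NT response means NTLMv1, which uses a different cracking format and must not be emitted as mode 5600.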
ntopng is a web-based network traffic monitoring tool and flow data aggregator. It functions as a network security monitor, an SNMP network management system, and an industrial protocol analyzer for OT and SCADA environments. The system provides specialized inspection for industrial protocols such as Modbus, DNP3, and IEC 60870. It distinguishes itself through behavioral threat detection, encrypted traffic analysis via TLS handshake fingerprinting (such as JA3) rather than decryption, and the ability to identify hardware and operating systems using DHCP and MAC address patterns. Its broader capabilities include real-time traffic an
ntopng is a comprehensive network traffic monitoring and flow analysis platform that provides deep packet inspection and protocol support for industrial and standard network environments, though it focuses more on flow-based monitoring and dashboarding than traditional packet-level dissection.
Kubeshark is a network observability platform designed for Kubernetes environments, functioning as an eBPF-powered engine for cluster-wide traffic analysis. It captures, indexes, and visualizes network activity and API calls directly from the kernel, providing deep visibility into service-to-service communication without requiring sidecar proxies or manual code instrumentation. The platform distinguishes itself through protocol-aware traffic dissection and user-space hooking of TLS library calls, which exposes the plaintext of encrypted sessions without access to private keys and allows for the reconstruction of ap
Kubeshark is a specialized network protocol analyzer tailored for Kubernetes environments that provides deep packet dissection, live traffic capture, and visualization through a command-line interface and web dashboard.
Ettercap is a network security tool used for ARP spoofing, packet filtering, traffic interception, passive scanning, and DHCP hijacking. It functions as a network traffic interceptor and man-in-the-middle packet filter to monitor and manipulate live TCP/UDP connections on a local area network. The project provides specialized capabilities for traffic redirection via ARP cache poisoning, DHCP server spoofing, ICMP redirects, and switch port stealing. It also enables the emulation of rogue services and the decryption of (long-obsolete) SSH1 session streams by substituting its own public key during the key exchange. Additional capabilities i
Ettercap is a powerful network utility designed for traffic interception and man-in-the-middle attacks, providing robust packet inspection and live traffic manipulation capabilities that align with the requirements for protocol analysis.
Mizu (the original name under which Kubeshark was released) is a suite of tools for capturing, indexing, and visualizing cloud-native network traffic and decrypted payloads for cluster-wide diagnostics. It provides Kubernetes network observability by using eBPF to index and visualize layer 4 and layer 7 traffic with full cluster context, allowing for the mapping of workload dependencies and the diagnosis of network failures. The project distinguishes itself by capturing TLS payloads in plaintext through kernel-level hooks on user-space TLS libraries, so no private keys are required. It further integrates a standardized context protocol to expose indexed network telemetry to AI
Mizu is a specialized network observability tool for Kubernetes that provides deep packet inspection, protocol-aware traffic analysis, and visualization, making it a highly capable, cloud-native alternative to traditional protocol analyzers.
PCAPdroid is an Android network traffic analyzer and packet capture tool that operates without root access by registering itself as a local VPN through which the device's traffic is routed. It functions as a VPN-based firewall and network controller, capable of recording traffic in PCAPng format and blocking connections to specific domains or malicious hosts. The project distinguishes itself through a proxy-based system for decrypting TLS traffic and routing device network traffic through SOCKS5 proxies or the Tor network. It further allows for the modification of live HTTP requests and responses via custom scripts. Its capabilities cover application connection
PCAPdroid is a mobile-focused network protocol analyzer that provides packet capture, TLS decryption, and traffic inspection, though it is specialized for the Android ecosystem rather than general-purpose desktop network analysis.
Mitmproxy is an interactive, programmable network proxy engine designed for traffic analysis and protocol manipulation. It functions as a gateway that intercepts, inspects, and modifies network traffic in real-time, supporting HTTP, HTTPS, WebSocket, DNS, and generic TCP or UDP streams. By acting as a certificate authority that the client has been configured to trust, the proxy can dynamically generate and sign per-host certificates to decrypt and analyze TLS-encrypted connections. The project distinguishes itself through a highly extensible, event-driven architecture that allows users to automate traffic transformation using cust
Mitmproxy is a powerful interactive proxy engine that provides deep packet inspection, live traffic capture, and protocol manipulation, making it a highly effective tool for analyzing complex network communications.
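The event-driven addon model mentioned above is what makes mitmproxy a security tool rather than just a viewer. The script below is an added example (not from the mitmproxy project) of a small audit addon: mitmproxy loads the file with `-s`, looks up the objects in `addons`, and calls their `request` and `response` hooks by name, so the hooks only need the `flow.request.headers`, `flow.request.scheme`, `flow.request.pretty_host` and `flow.response.headers.get_all` attributes that the real flow objects provide. The addon flags credentials sent over cleartext HTTP or to hosts outside an allowlist, and response cookies set without `Secure`/`HttpOnly`. The allowlist entry, the `_Headers`/`_flow` stand-ins and the three sample flows are constructed for the offline demo and are not part of mitmproxy's API.

```python
"""Credential-audit addon for mitmproxy. Assumed file name: credential_audit.py
Load with:  mitmproxy -s credential_audit.py"""
from types import SimpleNamespace
from typing import List, Tuple

CREDENTIAL_HEADERS = ("authorization", "cookie", "x-api-key")
Finding = Tuple[str, str, str]  # (kind, host, header or cookie name)


class CredentialAudit:
    """mitmproxy discovers the request()/response() hooks by name on each object in `addons`."""

    def __init__(self, allowed_hosts=("api.example.com",)):  # allowlist is an assumption for the demo
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings: List[Finding] = []

    def request(self, flow) -> None:
        # called for every client request; mitmproxy's Headers object matches names case-insensitively
        host = flow.request.pretty_host.lower()
        for name in CREDENTIAL_HEADERS:
            if name not in flow.request.headers:
                continue
            if flow.request.scheme != "https":
                self.findings.append(("cleartext-credential", host, name))
            if host not in self.allowed:
                self.findings.append(("credential-to-unexpected-host", host, name))

    def response(self, flow) -> None:
        # called once the server has answered; check every Set-Cookie for Secure and HttpOnly
        host = flow.request.pretty_host.lower()
        for cookie in flow.response.headers.get_all("set-cookie"):
            name = cookie.split("=", 1)[0].strip()
            attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
            missing = [attr for attr in ("secure", "httponly") if attr not in attrs]
            if missing:
                self.findings.append(("cookie-missing-" + "+".join(missing), host, name))


addons = [CredentialAudit()]


# --- offline demo: constructed stand-ins for mitmproxy's flow objects, not the real API ---
class _Headers:
    """Just enough of mitmproxy.http.Headers (case-insensitive `in`, get_all) for demo()."""

    def __init__(self, items):
        self._items = [(k.lower(), v) for k, v in items]

    def __contains__(self, key):
        return any(k == key.lower() for k, _ in self._items)

    def get_all(self, key):
        return [v for k, v in self._items if k == key.lower()]


def _flow(scheme, host, req_headers, resp_headers=None):
    request = SimpleNamespace(scheme=scheme, pretty_host=host, headers=_Headers(req_headers))
    response = SimpleNamespace(headers=_Headers(resp_headers)) if resp_headers is not None else None
    return SimpleNamespace(request=request, response=response)


def demo() -> List[Finding]:
    """Run three constructed flows through the addon and return what it flagged."""
    audit = CredentialAudit(allowed_hosts=("api.example.com",))
    flows = [
        _flow("https", "api.example.com", [("Authorization", "Bearer t0k3n")],
              [("Set-Cookie", "session=abc; Secure; HttpOnly; Path=/")]),           # clean
        _flow("http", "telemetry.example.net", [("Cookie", "session=abc")]),         # cookie in clear to a third party
        _flow("https", "api.example.com", [], [("Set-Cookie", "csrf=xyz; Path=/")]),  # cookie without Secure/HttpOnly
    ]
    for flow in flows:
        audit.request(flow)
        if flow.response is not None:
            audit.response(flow)
    return audit.findings


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Because the addon never imports mitmproxy, the hook logic can be unit-tested offline against the stand-ins and then loaded unchanged into the live proxy.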
bandwhich is a command-line network utility and terminal bandwidth monitor designed for real-time traffic analysis. It functions as a process-based traffic tracker that links network bandwidth usage directly to the system processes and remote hosts responsible for the data transfer. The tool provides a terminal user interface for monitoring active connections and identifying data-consuming applications. It performs background reverse DNS lookups to associate remote IP addresses with human-readable hostnames and tracks cumulative data utilization over the duration of a capture session. Its br
This tool is a process-based bandwidth monitor designed for tracking system-level traffic usage rather than performing the deep packet inspection and protocol dissection required for complex network analysis.