# Analyze packet captures in your browser

> PCAP Analyzer opens packet captures (.pcap and .pcapng) entirely in your browser. It dissects Ethernet, IP, TCP, UDP, DNS, HTTP, TLS and more, with a Wireshark-style display filter, conversation and endpoint tables, protocol hierarchy, an IO graph, expert info, and follow-stream — and never uploads your capture to any server.

Live tool: https://lofttools.com/tools/network-tools/pcap-analyzer

Category: Network & Sysadmin


## What it does

- Opens .pcap, .pcapng and .cap captures — drag-and-drop, no install, no account
- Wireshark-style display filter (ip.addr, tcp.port, http, dns, frame contains, &&/||/!)
- Per-packet protocol dissection tree + hex view with byte-range highlighting
- Dissects Ethernet, ARP, IPv4/IPv6, ICMP, TCP, UDP, DNS, HTTP, TLS (SNI/cert), DHCP and more
- Conversations, endpoints, and protocol-hierarchy tables — click to filter
- Follow TCP/UDP stream, IO graph, and expert info (retransmits, resets)
- Export the filtered subset to .pcap, or the packet list to CSV/JSON
- 100% in-browser (WebAssembly) — your capture never leaves the device

## How it works

1. **Open a capture** — Drag a .pcap or .pcapng file onto the drop zone, or click to browse. It loads entirely in your browser.
2. **Filter and inspect** — Type a display filter (e.g. tcp.port == 443 && http) to narrow the list, then click any packet to see its protocol tree and bytes.
3. **Analyze and export** — Open Conversations, Endpoints, IO graph or Expert info; follow a TCP/UDP stream; then export the filtered packets to .pcap, CSV or JSON.

## FAQ

### Is my packet capture uploaded anywhere?

No. The whole tool runs in your browser through a local WebAssembly engine — your capture never touches a server. Open your browser's DevTools Network tab and you will see nothing leave the page. That matters because captures are full of internal IPs, hostnames, and sometimes credentials.

### How do I get a packet capture without Wireshark?

You often already have one, or can make one without installing anything. On Windows 10/Server 2019+, pktmon is built in: run `pktmon start --capture`, reproduce the issue, `pktmon stop`, then `pktmon pcapng PktMon.etl -o cap.pcapng`. On Linux/macOS, use tcpdump. Network gear, firewalls, and cloud VPC traffic mirroring also export pcap/pcapng.

### Is this a full replacement for Wireshark?

No. Desktop Wireshark is free, local, and ships thousands of dissectors. This is a privacy-first triage analyzer for the common-case protocols (Ethernet, IP, TCP/UDP, DNS, HTTP, TLS, DHCP and more) — for when you cannot or do not want to install software but still need to read a capture quickly and privately. There is no live capture; you bring the file.

### What is the largest capture I can open?

The drop zone accepts captures up to 256 MB — a tested ceiling for a 32-bit WebAssembly engine that holds the file plus a packet index in memory. There is no server-imposed limit; the bound is your device's memory. The packet list is virtualized (up to 1 million rows) so scrolling stays smooth, and you can apply a display filter to narrow a larger capture.

### Can it decrypt TLS?

It shows the TLS handshake, including the Server Name (SNI) and certificate details, which is enough to identify most encrypted sessions. Decrypting TLS application data with a keylog file is on the roadmap; it is not yet available.

## Tips

- **Filter like Wireshark** — Combine fields with && and ||, e.g. `ip.addr == 10.0.0.5 && tcp.port == 443`. Click a conversation or endpoint to auto-apply its filter.
- **Follow the stream** — Select a TCP or UDP packet and hit Follow stream to reassemble the whole conversation, client and server colored separately.
- **Everything stays local** — The capture is parsed in a WebAssembly worker on your device. Open DevTools → Network and watch nothing upload.

## PCAP Analyzer vs. online packet analyzers

|  | Loft PCAP Analyzer | CloudShark | A-Packets | PacketSafari |
| --- | --- | --- | --- | --- |
| Runs locally (no upload) | Yes | No — uploads | No — uploads | No — uploads |
| Free file-size limit | Up to 256 MB, memory-bound | Paid tiers | 25 MB | 1 MB (Copilot) |
| Results kept private | Always (never sent) | Account-scoped | Public on free tier | Account-scoped |
| Display filter | Yes (subset) | Yes | Limited | Yes |
| Follow stream | Yes | Yes | Yes | Yes |
| Install required | No | No | No | No |

_Comparison of the privacy and access model, not a claim of full Wireshark dissector parity. PCAP Analyzer targets the common-case protocols for fast, private triage._

## Privacy — what we do not do

This tool runs entirely in the browser via WebAssembly. Your file never reaches a Loft Tools server. Specifically:

- **No upload.** The file bytes load into the browser tab's memory and process on your own CPU. Open DevTools → Network and observe zero outbound requests carrying file data while Analyze packet captures in your browser runs.
- **No AI training on your file.** Loft does not train models. We could not train on a file we cannot see.
- **No content scanning.** No virus, copyright, or content-moderation pass against your file. The bytes are not accessible to us.
- **No server-side log of file contents, filenames, or EXIF metadata.** Cloudflare edge captures URL and truncated IP for abuse defense (standard CDN behaviour). Cloudflare Web Analytics records anonymous page hits, no cookies, no PII. Nothing about your file content reaches any log.
- **No retention.** Close the tab and the file leaves browser memory. No backups exist on our side because no copy ever existed on our side.
- **No account.** No email, no signup, no auth, no telemetry tied to you.
- **Offline-capable after first visit** (PWA). Once you've loaded a tool, it caches; later sessions work without internet. For high-sensitivity files, run the tool once online to warm the cache, then disconnect before processing.

Compare with upload-based services: each transmits your file to a processing server. Even over HTTPS, each has logs, retention windows, and subpoena exposure. Loft has none of these because the server architecture does not include your file.

## More

- All tools: https://lofttools.com/tools
- Category: https://lofttools.com/tools/network-tools
- LLM index: https://lofttools.com/llms.txt