Open a .pcap File and Actually Read It.
Got a .pcap or .pcapng capture and no easy way to open it? PCAP Analyzer is a full packet analyzer that runs on your iPhone, iPad, or Mac — dissecting every frame to the field, applying a familiar display filter, following streams, and surfacing the problems in a capture. It opens files saved by tcpdump, tshark, and any standard pcap tool, decodes 30+ protocols, and even computes JA3 and JA4 TLS fingerprints — all entirely on your device. Explore the built-in demo capture for free; unlock unlimited file opening with Pro.
100% on-device · captures never uploaded · opens .pcap & .pcapng · reads tcpdump/tshark files · multi-gigabyte captures · no account
A .pcap file is a saved recording of network traffic — every packet that crossed an interface, frozen on disk so you can study it later. Tools like tcpdump and tshark write these files all day, and the moment something breaks on a network, a capture is usually the first thing someone hands you. The catch is that reading one has traditionally meant installing desktop software and sitting at a computer. PCAP Analyzer from Rush Tools changes that: it's a genuine pcap file analyzer that lives on your iPhone, iPad, or Mac. Open a .pcap or .pcapng and it dissects every frame down to the field, with a tappable detail tree and a raw hex view, so you can read a capture the way you would on a workstation — only now it's in your pocket, fully offline.
This is a real packet analyzer, not a thin viewer. It decodes more than 30 protocols across the stack — Ethernet with 802.1Q VLAN tags, IPv4 and IPv6, TCP, UDP, SCTP, ICMP and ICMPv6, IGMP, ARP, GRE, and ESP at the lower layers, and DNS, mDNS, LLMNR, DHCP, HTTP, HTTP/2, TLS, DTLS, QUIC, SMB2, SNMP, RADIUS, TFTP, NTP, MQTT, and NetFlow v5 / IPFIX above them. From a TLS ClientHello it computes both JA3 and JA4 client fingerprints natively, right on the device — the same fingerprints threat hunters use to spot a client regardless of its IP. Whether you call it a pcap viewer, a pcap reader, a packet capture analyzer, or a network protocol analyzer, this is the tool that opens the file and tells you what's inside it.
Finding the packets that matter is where a capture lives or dies, so PCAP Analyzer ships a field-aware display filter language with autocomplete and saved filters. If you've written filters before, the syntax will feel immediately familiar — tcp.port == 443, tls.sni contains "example", tcp.analysis.zero_window, or a simple dns or http. Tap any field inside a packet and the app builds a filter from it instantly, so you can pivot from one interesting frame to every related one without typing. On top of filtering, expert diagnostics flag the trouble automatically: TCP retransmissions, duplicate ACKs, zero-window stalls, connection resets, ICMP unreachable and TTL-expired messages, HTTP 4xx/5xx errors, TLS alerts, and DNS failures like NXDOMAIN and SERVFAIL. Packets are color-coded so the problems jump out of a busy capture instead of hiding in it.
Beyond protocol decoding, the app gives you the statistics and visuals that turn a wall of packets into a story. There's a Conversations view and an Endpoints view, a Protocol Hierarchy breakdown, a network topology map, an I/O graph and packet timeline, a packet-size distribution, and Follow Stream with a TCP sequence/time graph — plus automatic name resolution so you see hostnames instead of raw IP addresses. For security work it adds threat detection: it flags port and host scans, suspicious C2 and backdoor ports, possible DNS tunneling, and cleartext credentials sent over FTP, Telnet, or HTTP. That makes it a practical companion for network forensics, malware traffic analysis, and CTF pcap challenges — the kind of work where you need to read a capture carefully, not just glance at it. A native streaming engine opens very large, multi-gigabyte captures without running out of memory, so files that crash other mobile viewers open here.
Everything happens on your device, and that's the whole point. PCAP Analyzer analyzes saved capture files only — it captures no live traffic, needs no special permissions, and never uploads your data. A capture can carry sensitive internal hostnames, credentials, and private payloads, so it stays local: nothing is sent to a server, there's no account to create, and there's nothing phoning home. On supported iPhones where Apple Intelligence is available (iOS 26 and later), an optional on-device AI can summarize a capture in plain language and turn plain-English requests like "show failed connections" into a display filter — and even that runs entirely on the phone, so the capture never leaves it. You can explore a built-in demo capture for free to see exactly how the app reads a file; PCAP Analyzer Pro unlocks unlimited file opening with a weekly or annual subscription, and there's no account on any of it.
Deep packet analysis, right on your device.
Open a capture and PCAP Analyzer dissects every frame down to the field — then surfaces what matters: protocol decoding, TLS fingerprints, expert diagnostics, and threats, all on your iPhone, iPad, or Mac with nothing uploaded.
Deep protocol decoding
30+ protocols dissected to the field — Ethernet, IPv4/IPv6, TCP, UDP, DNS, HTTP, HTTP/2, TLS, QUIC, SMB2, DHCP, SNMP, NTP and more — with a tappable detail tree and a hex view.
JA3 & JA4 fingerprinting
Computes JA3 and JA4 TLS client fingerprints natively from the ClientHello — analysis that usually needs desktop plugins.
Expert diagnostics
TCP retransmissions, duplicate ACKs, zero-window stalls, connection resets, HTTP 4xx/5xx and DNS failures — flagged and color-coded so problems jump out.
Threat detection
Port and host scans, suspicious C2/backdoor ports, possible DNS tunneling and cleartext credentials, surfaced automatically.
From capture to clarity in seconds.
Open your capture
Add a .pcap or .pcapng file from the Files app, a download, AirDrop, or the share sheet — including captures saved by tcpdump, tshark, or any standard pcap tool. It opens on your device; nothing is uploaded and the file is never modified.
Filter to what matters
Scroll the color-coded packet list or type a familiar display filter like tcp.port == 443 or tls.sni contains "example" — with autocomplete and saved filters. Tap any field in a packet to filter by it instantly.
Dig into a packet
Open any frame to see it dissected to the field in a tappable detail tree, with a raw hex view alongside. Use Follow Stream to reassemble a conversation and read it end to end.
Analyze and export
Check the expert diagnostics, Conversations, Endpoints, Protocol Hierarchy, I/O graph, and topology map. Export the packet list to CSV or JSON through the share sheet when you need to take findings elsewhere.
Every standard capture, any size.
The classic libpcap capture format written by tcpdump, tshark, and most network tools. Open it and read the wire.
The modern next-generation capture format, with multiple interfaces and richer metadata — fully supported.
A complete mobile packet analyzer.
Deep Protocol Decoding
Every frame is dissected to the field with a tappable detail tree and a raw hex view. More than 30 protocols are decoded — Ethernet with VLAN, IPv4/IPv6, TCP, UDP, SCTP, ICMP, ARP, DNS, DHCP, HTTP, HTTP/2, TLS, DTLS, QUIC, SMB2, and many more.
Field-Aware Display Filters
A familiar, Wireshark-style display filter language with autocomplete and saved filters. Write tcp.port == 443, tls.sni contains "example", tcp.analysis.zero_window, or dns or http — or just tap a field in any packet to filter by it instantly.
JA3 & JA4 Fingerprints
Computes both JA3 and JA4 client TLS fingerprints natively from the ClientHello, right on the device — so you can identify a client across changing IPs the way threat hunters do, without any external service.
Expert Diagnostics
Automatically flags TCP retransmissions, duplicate ACKs, zero-window stalls, connection resets, ICMP unreachable and TTL-expired, HTTP 4xx/5xx errors, TLS alerts, and DNS failures like NXDOMAIN and SERVFAIL. Color-coded packets make problems jump out.
Follow Stream
Reassemble a TCP conversation and read it end to end, with a TCP sequence/time graph to see exactly how the exchange progressed — retransmits, stalls, and all.
Statistics & Visuals
Conversations, Endpoints, Protocol Hierarchy, a network topology map, an I/O graph and packet timeline, and a packet-size distribution turn a wall of packets into something you can read at a glance.
Threat Detection
Flags port and host scans, suspicious C2 and backdoor ports, possible DNS tunneling, and cleartext credentials sent over FTP, Telnet, or HTTP — useful for security triage, network forensics, and malware traffic analysis.
Opens Huge Captures
A native streaming engine opens very large, multi-gigabyte captures without running out of memory — files that crash other mobile pcap viewers open here and stay responsive.
On-Device AI (where available)
On supported iPhones where Apple Intelligence is available (iOS 26+), an optional AI summarizes a capture in plain language and turns requests like "show failed connections" into a display filter — entirely on-device, so the capture never leaves the phone.
Name Resolution & Export
Automatic name resolution shows hostnames instead of raw IPs, so a capture reads more clearly. When you need findings elsewhere, export the packet list to CSV or JSON through the share sheet.
Opening, decoding, filtering, and every visualization run entirely on your iPhone, iPad, or Mac. Your capture is never uploaded to a server, routed through the cloud, or sent to any service — no account, no telemetry, no internet required. Even the optional AI runs on-device.
This is a packet analyzer for files you already have, not a sniffer. It reads saved .pcap and .pcapng captures only, captures no live traffic, and needs no special permissions — so there's nothing intrusive running and nothing left listening on your network.
A built-in demo capture lets you explore the full analyzer for free, so you can see exactly how it reads a file before paying. PCAP Analyzer Pro unlocks unlimited file opening with a weekly or annual subscription — your choice, and no account required.
- A site is slow and someone hands you a tcpdump capture — open it on your iPhone, filter to the affected host, and let the expert diagnostics surface the retransmissions, zero-window stalls, and resets behind the problem.
- You're away from your desk when an alert fires, so you pull the .pcapng onto your iPad and read it there instead of waiting to get back to a workstation with desktop software installed.
- Working a CTF pcap challenge — Follow Stream to reassemble the conversation, run a display filter to isolate the interesting packets, and read the payload in the hex view to find the flag.
- Malware traffic analysis and network forensics — capture the JA3 and JA4 fingerprints from suspicious TLS, spot beaconing to odd C2 ports, and check for possible DNS tunneling, all without uploading a sensitive capture anywhere.
- Auditing a capture for cleartext credentials sent over FTP, Telnet, or HTTP, and confirming which protocols are actually on the wire using the Protocol Hierarchy view.
- Reviewing a large, multi-gigabyte capture that other mobile apps refuse to open — the streaming engine loads it smoothly so you can still filter, follow streams, and read it on the go.
- A student learning how the network stack really works — opening real captures, tapping through the dissection tree, and watching how DNS, TCP, TLS, and HTTP fit together packet by packet.
Free to explore a built-in demo capture with the full analyzer — deep protocol decoding, the display filter, Follow Stream, expert diagnostics, JA3/JA4, and the statistics and topology views. PCAP Analyzer Pro unlocks unlimited opening of your own .pcap and .pcapng files with a weekly or annual subscription — your choice, and no account is required.
PCAP & PCAPNG analysis.
What is a .pcap file?
A .pcap file is a saved recording of network traffic — a copy of the packets that crossed an interface, written to disk so you can analyze them later. Tools like tcpdump and tshark create these files. PCAP Analyzer opens them, dissects every frame to the field, and lets you filter, follow streams, and read the capture on your device.
What is a .pcapng file, and how is it different from .pcap?
PCAPNG (Pcap Next Generation) is the newer capture format that can store extra metadata — interface details, comments, and more — that the classic .pcap format can't. PCAP Analyzer is a full pcapng viewer and reader as well as a pcap one, so it opens both formats the same way; you don't need to convert anything first.
Do I need Wireshark or a desktop computer to use this?
No. PCAP Analyzer is a standalone Apple app that opens the same captures you'd otherwise analyze in Wireshark or tshark, right on your iPhone, iPad, or Mac. There's no desktop software to install and no setup — you just open the file and start reading it.
Is this an online pcap analyzer? Does it upload my capture?
No, and that's deliberate. An online pcap analyzer uploads your capture to a server to process it, which means your packets — internal hostnames, credentials, private payloads — leave your control. PCAP Analyzer runs 100% on your device. Nothing is uploaded, there's no account, and the capture never leaves your iPhone, iPad, or Mac.
Can I open a pcap file online without installing anything?
People search for an "online pcap viewer" wanting a no-install web tool, but those send your file to a remote server. This app gives you the same convenience — open a .pcap or .pcapng instantly, no heavy desktop install — while keeping the capture entirely on-device. You get the speed without uploading anything.
Does it capture live network traffic? Is it a packet sniffer?
No. PCAP Analyzer is not a packet sniffer, network sniffer, or wifi sniffer — it does not capture live traffic and needs no special permissions. It analyzes capture files you already have on disk, the kind saved by tcpdump, tshark, or another tool. Think of it as the analyzer half of the workflow, not the capture half.
Which protocols does it decode?
More than 30, across the whole stack: Ethernet (including 802.1Q VLAN), IPv4, IPv6, TCP, UDP, SCTP, ICMP/ICMPv6, IGMP, ARP, GRE, ESP, DNS, mDNS, LLMNR, DHCP, HTTP, HTTP/2, TLS, DTLS, QUIC, SMB2, SNMP, RADIUS, TFTP, NTP, MQTT, and NetFlow v5 / IPFIX. Every frame is dissected to the field with a detail tree and a hex view.
What are JA3 and JA4, and does the app compute them?
JA3 and JA4 are TLS client fingerprints derived from the ClientHello — a compact signature that helps identify a client even as its IP changes, which is valuable in threat hunting. PCAP Analyzer computes both JA3 and JA4 natively, on-device, straight from the capture, with no external lookup or service involved.
How does the display filter syntax work?
It's a field-aware display filter language with autocomplete and saved filters, using familiar field names. You can write things like tcp.port == 443, tls.sni contains "example", tcp.analysis.zero_window, or combine conditions like dns or http. If you'd rather not type, tap any field inside a packet and the app builds the filter for you instantly.
What is Follow Stream?
Follow Stream reassembles a single conversation from the capture so you can read it end to end instead of hopping between scattered packets. For TCP it also draws a sequence/time graph, so you can see how the exchange unfolded — including retransmissions and stalls — at a glance.
Can it open very large or multi-gigabyte captures?
Yes. A native streaming engine is built specifically to open large captures without running out of memory, so multi-gigabyte .pcap and .pcapng files that crash other mobile viewers open here and stay responsive while you filter and analyze them. It's a genuine large-pcap analyzer, not just a small-file viewer.
Can I export the capture, and to what?
You can export the packet list to CSV or JSON through the share sheet — handy for taking a filtered view into a spreadsheet, a script, or a report. CSV and JSON are the only export formats; the app's job is to analyze the capture in place, not to produce a new copy of it.
Can it convert pcap to another format, or export to HAR?
No. PCAP Analyzer is an analyzer, not a converter. It does not convert between capture formats (no pcap-to-pcapng or the reverse, no text or XML conversion) and there is no HAR export. The only export is the packet list as CSV or JSON. For everything else, you read and analyze the capture directly inside the app.
Tell me about the on-device AI and what it needs.
On supported iPhones where Apple Intelligence is available (iOS 26 and later), an optional AI can summarize a capture in plain language and turn plain-English requests like "show failed connections" into a display filter. It runs entirely on-device, so the capture never leaves the phone. This feature is only on devices with Apple Intelligence — it isn't available everywhere.
What expert diagnostics does it flag?
It automatically highlights TCP retransmissions, duplicate ACKs, zero-window stalls, connection resets, ICMP unreachable and TTL-expired messages, HTTP 4xx/5xx errors, TLS alerts, and DNS failures such as NXDOMAIN and SERVFAIL. Packets are color-coded so these problems stand out from normal traffic without you hunting for them.
Does it do any threat detection?
Yes. Alongside the protocol decoding it flags port and host scans, suspicious C2 and backdoor ports, possible DNS tunneling, and cleartext credentials sent over FTP, Telnet, or HTTP. That makes it useful for security triage and for spotting the obvious red flags early in an investigation.
Is it good for CTFs and malware traffic analysis?
Very. Follow Stream, the field-aware display filter, the hex view, JA3/JA4 fingerprints, and the threat-detection flags are exactly what you reach for in a CTF pcap challenge or a malware traffic analysis. And because nothing is uploaded, you can examine a hostile capture without sending it to a third-party service.
What statistics and visualizations are included?
Conversations and Endpoints views, a Protocol Hierarchy breakdown, a network topology map, an I/O graph and packet timeline, and a packet-size distribution. Together they let you see who talked to whom, which protocols dominate, and how traffic changed over time — well beyond a flat packet list.
Does it show hostnames instead of raw IP addresses?
Yes. Automatic name resolution shows hostnames in place of raw IPs where it can, so a capture reads more clearly and the Conversations and Endpoints views make immediate sense — without you cross-referencing addresses by hand.
Which devices does it run on, and what's free versus Pro?
PCAP Analyzer runs on iPhone, iPad, and Mac. A built-in demo capture is free to explore with the full analyzer, so you can see exactly how it reads a file. PCAP Analyzer Pro then unlocks unlimited opening of your own .pcap and .pcapng files with a weekly or annual subscription — and there's no account to create.
Open that capture and read it now.
Drop a .pcap or .pcapng onto your iPhone, iPad, or Mac and get a full packet analyzer — deep protocol decoding, a familiar display filter, Follow Stream, JA3/JA4, expert diagnostics, and the stats and topology views — all running entirely on your device, with nothing uploaded and no desktop software needed.
PCAP Analyzer is an independent app and is not affiliated with, endorsed by, or sponsored by the Wireshark Foundation or any other tool referenced. Wireshark, tcpdump, and tshark are named only to describe file-format and workflow compatibility.