Metadata-Version: 2.4
Name: pcapx
Version: 1.1.1
Summary: Analyst-focused PCAP behavior analysis and finding engine
Author: Vansh Raj Singh - n3tm4t3
License: MIT
Project-URL: Homepage, https://github.com/N3tm4t3/pcapx
Project-URL: Repository, https://github.com/N3tm4t3/pcapx
Project-URL: Issues, https://github.com/N3tm4t3/pcapx/issues
Keywords: pcap,network-security,forensics,blue-team,soc,incident-response
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: Intended Audience :: Developers
Classifier: Topic :: Security
Classifier: Topic :: System :: Networking :: Monitoring
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Operating System :: POSIX :: Linux
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: scapy
Requires-Dist: rich
Requires-Dist: typer
Requires-Dist: pyshark
Dynamic: license-file

# PCAPX

PCAPX is a lightweight, analyst-focused PCAP analysis tool designed to extract actionable security findings from packet captures **without relying on signatures, malware labels, or assumptions**.

It focuses on **behavioral evidence, protocol misuse, and cleartext exposure**, presenting results in a format familiar to **SOC analysts, blue teams, and incident responders**.

PCAPX does **not** claim malware detection.  
It highlights **observable behaviors** that may warrant investigation.

---

## Why PCAPX?

Most PCAP tools fall into one of two extremes:

- Low-level packet viewers (e.g., Wireshark)
- Heavy IDS engines with opaque alerts

**PCAPX sits in the middle.**

It answers questions like:

- Were credentials exposed?
- Are hosts communicating in automated or periodic patterns?
- Is there evidence of service discovery or probing?
- Are application payloads behaving unusually?

All **without guessing intent**.

---

## Key Features

### 🔐 Cleartext Authentication Detection
- Detects FTP cleartext credentials
- Extracts:
  - Username
  - Password
  - Client & server IPs
- Aggregated into a **single SOC-style finding**
- No duplication across sessions
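
The USER/PASS pairing and single-finding aggregation described above, as an added example (not PCAPX's own code). It assumes the capture has already been decoded into client-to-server TCP segment tuples, for instance by a scapy or pyshark loop, and the finding id and sample traffic are constructed for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical record shape, assumed already decoded from the capture
# (e.g. by a scapy/pyshark loop): (src_ip, dst_ip, src_port, dst_port, payload).
Segment = Tuple[str, str, int, int, bytes]
Credential = Tuple[str, str, str, str]  # (client_ip, server_ip, username, password)

def extract_ftp_credentials(segments: List[Segment]) -> List[Credential]:
    """Pair each FTP USER with the next PASS on the same flow; report each pair once."""
    # pending username per flow (client_ip, server_ip, client_port) so that
    # interleaved sessions are not cross-wired
    pending_user: Dict[Tuple[str, str, int], str] = {}
    seen: Set[Credential] = set()
    creds: List[Credential] = []
    for src, dst, sport, dport, payload in segments:
        if dport != 21:  # only the FTP control channel carries USER/PASS
            continue
        flow = (src, dst, sport)
        for line in payload.decode("ascii", errors="replace").splitlines():
            cmd, _, arg = line.strip().partition(" ")
            if cmd.upper() == "USER":
                pending_user[flow] = arg
            elif cmd.upper() == "PASS" and flow in pending_user:
                cred = (src, dst, pending_user.pop(flow), arg)
                if cred not in seen:  # same login replayed in a later session: one entry
                    seen.add(cred)
                    creds.append(cred)
    return creds

def build_finding(creds: List[Credential]) -> Optional[dict]:
    # collapse every exposed credential pair into one SOC-style finding
    if not creds:
        return None
    return {
        "id": "FTP-CLEARTEXT-AUTH",  # constructed id, not the project's numbering
        "severity": "High",
        "what_happened": f"{len(creds)} FTP credential pair(s) sent in cleartext",
        "why_it_matters": "Anyone on the network path can read and reuse them",
        "affected_assets": sorted({ip for c in creds for ip in c[:2]}),
        "credentials": creds,
    }

# Constructed sample: one login replayed in two sessions, a second login, HTTP noise.
SAMPLE: List[Segment] = [
    ("10.0.0.5", "10.0.0.9", 40001, 21, b"USER alice\r\n"),
    ("10.0.0.5", "10.0.0.9", 40001, 21, b"PASS s3cret\r\n"),
    ("10.0.0.5", "10.0.0.9", 40002, 21, b"USER alice\r\nPASS s3cret\r\n"),
    ("10.0.0.7", "10.0.0.9", 40003, 21, b"USER bob\r\nPASS hunter2\r\n"),
    ("10.0.0.5", "10.0.0.9", 40004, 80, b"GET / HTTP/1.1\r\n"),
]
```

Running `build_finding(extract_ftp_credentials(SAMPLE))` yields one finding with two credential pairs and three affected assets, the replayed alice login counted once.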

---

### 🌐 Network Behavior Analysis
- High-frequency and periodic communication patterns
- Bidirectional traffic deduplication
- Broad port interaction (recon-like behavior)

---

### 📡 DNS & Application Observations
- Unusual DNS query structures
- Application payloads *loosely associated* with exploitation techniques  
  *(low confidence, informational only)*

---

### 📊 Analyst-Friendly Output
- Clean terminal tables
- Findings grouped with:
  - ID
  - Severity
  - What happened
  - Why it matters
  - Affected assets

---

### 🧠 Safe, Generalized Language
- No malware family names
- No attribution claims
- No intent assumptions
- Suitable for reports, audits, and legal review

