// artifact family

network forensics

63 browser-only forensics tools in this catalog group — browse by artifact family when you know the kind of evidence you are working with, not the investigation pattern.

tools: 63
catalog slugs: 63
processing: local · in browser

tools in this family

ordered as in the forensics catalog. every tool runs locally — no upload, no account.

  1. pcap reader: drop a .pcap or .pcapng · parse packets · filter by protocol · extract HTTP · DNS · plaintext credentials · runs locally
  2. pcap / pcapng analyzer: drop a pcap or pcapng file · packet list · protocol breakdown · tcp stream reconstruction · dns queries · http requests · connection graph · runs locally
  3. netflow analyzer: drop netflow v5 v9 or ipfix exports · traffic patterns · top talkers · protocol distribution · geographic connections · runs locally
  4. pcap http stream rebuilder: drop a PCAP · reconstruct HTTP request/response pairs · extract headers · detect file transfers · flag suspicious payloads · export sessions · runs locally
  5. PCAP network flow reconstructor: drop pcap or pcapng file · parse all packets · reconstruct tcp and udp flows · compute flow statistics · surface top talkers unusual ports and flow anomalies · runs locally
  6. network connection timeline builder: drop pcap pcapng or zeek conn log or windows netstat output · build a chronological connection timeline · reconstruct what connected where and when · surface connection bursts gaps and suspicious temporal patterns · runs locally
  7. ARP spoofing artifact detector: drop pcap or pcapng file · detect arp cache poisoning and spoofing artifacts · identify conflicting mac-to-ip mappings · surface mitm enablement and arp flood patterns · runs locally
  8. port scan pattern detector: drop pcap or pcapng file or zeek conn log · detect port scanning behavior · identify scan techniques syn connect udp and stealth scans · surface scanning source ips targets and scan timing · runs locally
  9. protocol misuse detector: drop pcap or pcapng file · detect protocols being used outside their standard specification · identify c2 channels hidden in legitimate protocols · surface application data on wrong ports and protocol-level anomalies · runs locally
  10. network flow anomaly detector: drop pcap pcapng or zeek conn log · apply statistical anomaly detection to network flows · surface outliers in byte count duration connection rate and port usage · identify scanning exfiltration and tunneling anomalies · runs locally
  11. ICMP tunnel artifact detector: drop pcap or pcapng file · detect data encoded in icmp payloads · identify icmp tunneling tools · surface non-standard icmp usage and covert icmp channels · runs locally
  12. tls handshake parser: drop a PCAP · parse TLS ClientHello · extract SNI · cipher suites · JA3 fingerprint · detect unusual suites · export CSV · runs locally
  13. tls ja3 fingerprinter: drop a pcap file · extract tls client hellos · compute ja3 fingerprints · identify known clients and malware · database of known fingerprints · runs locally
  14. tls certificate chain analyzer: pem der p7b pfx · parse chain validity extensions · weak crypto flags · fingerprints · rsa verify via issuer · no outbound ct · runs locally
  15. dns query analyzer: drop a PCAP or paste DNS log · extract queries · detect DGA patterns · DNS tunneling · high-frequency domains · suspicious TLDs · export CSV · runs locally
  16. dns query log analyzer: drop dns server logs · query frequency · dga detection · beaconing · nxdomain patterns · top domains · runs locally
  17. dhcp log analyzer: dhcpd dnsmasq windows dhcp csv · ip mac hostname timeline · oui hints · starvation reuse anomalies · csv export · runs locally
  18. vpn log analyzer: drop openvpn wireguard anyconnect logs · sessions · concurrent logins · geo heuristics embedded · anomalies · runs locally
  19. wifi handshake inspector: drop a PCAP · detect WPA2 4-way handshakes · extract SSID · BSSID · client MAC · MIC · export for cracking · runs locally
  20. network beaconing detector: drop connection logs or PCAP · statistical analysis of connection intervals per host · jitter detection · C2 beaconing patterns · periodic callback identification · export CSV · runs locally
  21. beaconing pattern detector: drop pcap or zeek conn log · periodic c2 beacon intervals · regularity and jitter scores · export csv · runs locally
  22. dns query timeline builder: drop pcap or dns log · parse queries and responses · build timeline · nxdomain and dga patterns · export csv · runs locally
  23. dns tunneling detector: drop pcap or dns log · high-entropy subdomains · long query names · dns c2 and exfil channels · export csv · runs locally
  24. c2 callback interval analyzer: drop pcap or zeek conn log · deep interval stats · c2 framework timing profiles · jitter estimation · export csv · runs locally
  25. tls certificate chain forensic analyzer: drop pcap · extract tls handshakes · parse certificates · ja3 and sni anomalies · export csv · runs locally
  26. wireless probe request artifact analyzer: drop monitor-mode pcap · extract 802.11 probe requests · device ssid history · tracking artifacts · export csv · runs locally
  27. pcap malware family fingerprinter: drop pcap · ja3 imphash sni and http signatures · malware family attribution from network traffic · export csv · runs locally
  28. url redirect chain tracer: paste shortened URLs · trace full redirect chain via proxy · detect malicious redirects · show final destination · flag suspicious hops · runs locally
  29. domain reputation analyzer: paste domains or IPs · score by entropy · TLD risk · homoglyph detection · DGA patterns · punycode abuse · age heuristics · no external lookup · runs locally
  30. user agent analyzer: paste user agent strings · parse browser · OS · device · version · detect bots · spoofed agents · crawlers · headless browsers · inconsistencies · runs locally
  31. archive password auditor: drop a password-protected ZIP · test a custom wordlist locally · no data leaves your device · runs locally
  32. http access log analyzer: drop apache nginx iis access logs · request timeline · top ips · error analysis · scanner detection · web shell access · sqli xss patterns · runs locally
  33. zeek / bro log analyzer: drop zeek tsv logs · conn dns http ssl files weird · correlate across logs · connection timeline · ioc extraction · runs locally
  34. wifi pcap forensics: drop an 802.11 pcap · probe requests · beacons · deauth attacks · client tracking · ssid history · runs locally
  35. encrypted communication detector: drop network logs pcap or connection data · detect encrypted channels · non-standard ports · tunneling · covert channels · runs locally
  36. irc botnet log analyzer: drop irc log files · detect bot commands · extract c2 channels · nick patterns · command flood · runs locally
  37. smtp pcap reconstructor: drop pcap or pcapng · tcp reassembly ports 25 587 465 · mail from rcpt to data · mime attachments · download eml · export csv · runs locally
  38. http2 pcap parser: drop pcap or pcapng · tcp reassembly · h2c preface pri http/2 · tls alpn h2 · hpack decode · stream method path status · export csv · runs locally
  39. bgp log analyzer: cisco ios · quagga frr · juniper text · mrt binary · update withdrawal peer · hijack more-specific as loop flapping · export csv · runs locally
  40. smb stream reconstructor: drop pcap or pcapng port 445 139 · smb2 ntlmssp session setup · tree connect create read write reassembly · download zip · export csv · runs locally
  41. ftp session reconstructor: drop pcap or pcapng · control port 21 user pass retr stor pasv port · data channel match · credentials · download zip · export csv · runs locally
  42. smb traffic analyzer: drop smb pcap csv or conn log · admin share access · failed auth bursts · export csv · runs locally
  43. kerberos traffic analyzer: parse kerberos pcap csv or evtx 4768/4769 · flag as-rep roast · rc4 kerberoast bursts · runs locally
  44. ldap enumeration detector: parse ldap bind/search logs csv · flag anonymous bind · bulk enumeration · runs locally
  45. wifi probe history analyzer: parse probe request csv · timeline ssids per client · suspicious hidden networks · runs locally
  46. quic and http3 flow forensic analyzer: drop pcap · quic udp flows · http3 hints · quic c2 indicators · client fingerprint · tunneling flags · runs locally
  47. icmp covert channel detector and extractor: drop pcap · icmp echo analysis · payload encoding · timing patterns · extract covert data · icmp tunneling · runs locally
  48. process to network connection correlator: drop sysmon evtx csv with event 3 · or netstat snapshots · and process creation events · link specific process executions to specific network connections via pid and timestamp · identify which process made which connection · runs locally
  49. socks proxy chain forensic detector: drop pcap · socks4 socks5 tunnels · proxy chaining · destination extraction · topology map · csv export · runs locally
  50. dns over tls and dns over https detector: drop pcap · dot on 853 · doh sni patterns · encrypted dns clients · c2 beaconing hints · csv export · runs locally
  51. ipv6 tunneling and covert channel detector: drop pcap · 6in4 teredo isatap 6to4 · ipv6 extension anomalies · flow label covert hints · bypass assessment · csv export · runs locally
  52. tls session ticket forensic analyzer: drop a pcap file · extract tls session tickets from client hello extensions · link multiple tls connections to the same underlying session · de-anonymize traffic across apparent ip changes · detect session ticket reuse across different source ips · runs locally
  53. tcp retransmission pattern forensic analyzer: drop a pcap file · analyze tcp retransmission patterns · detect network-level manipulation · traffic injection attempts · side-channel information leakage · reconstruct what happened at the network level that caused unusual retransmissions · runs locally
  54. sni certificate mismatch and domain fronting detector: drop a pcap file · scan tls connections for sni hostname mismatch against certificate common name · detect domain fronting · c2 evasion via cdn · interception indicators · flag connections where traffic claims to be somewhere it is not · runs locally
  55. http cookie lifecycle forensic analyzer: drop a pcap file or browser cookie database exports · reconstruct the complete lifecycle of session cookies · creation renewal expiry · detect cross-site cookie sharing that links identities · identify session hijacking indicators · runs locally
  56. passive os fingerprinter from pcap: drop a pcap file · reconstruct the operating system of every host from tcp/ip stack behavior · ttl values · window sizes · tcp options ordering · ip flag patterns · no active probing · identify os from existing captured traffic · runs locally
  57. arp table timeline and mac change detector: drop multiple arp table dumps or pcap with arp traffic · reconstruct the history of which mac was at which ip · detect mac address changes indicating spoofing or device swap · identify arp poisoning attempts · runs locally
  58. http request response artifact extractor: drop pcap or pcapng · tcp reassembly · extract http methods urls status codes headers · user agent inventory · credential flags · export csv · runs locally
  59. pcap cleartext credential extractor: drop pcap or pcapng · extract cleartext ftp smtp pop3 imap http basic telnet credentials · tcp reassembly · export csv · runs locally
  60. pcap email artifact extractor: drop pcap or pcapng · smtp pop3 imap tcp reassembly · sender recipient subject attachments · starttls detection · export csv · runs locally
  61. pcap file transfer reconstructor: drop pcap or pcapng · reconstruct http ftp smb file transfers · sha256 magic bytes · download reconstructed files · export csv · runs locally
  62. smb artifact forensic analyzer: drop pcap or pcapng · smb2 sessions shares file ops · ntlm capture formatting · admin share lateral movement alerts · export csv · runs locally
  63. lateral movement network pattern detector: drop pcap pcapng or zeek conn log · detect smb admin share rdp hops credential reuse pivot patterns · movement chain · export csv · runs locally