{"id":46350267,"url":"https://github.com/microsoft/packetcapturetools","last_synced_at":"2026-03-04T23:00:55.463Z","repository":{"id":320957237,"uuid":"1060859285","full_name":"microsoft/PacketCaptureTools","owner":"microsoft","description":"Tools related to packet capture and network traffic analysis.","archived":false,"fork":false,"pushed_at":"2025-10-16T11:51:33.000Z","size":346,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-04T15:58:43.751Z","etag":null,"topics":["analysis","capture","network","packet","pcap","pcapng","traffic"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/microsoft.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-20T18:31:26.000Z","updated_at":"2025-11-06T09:59:27.000Z","dependencies_parsed_at":null,"dependency_job_id":"b0e7ac82-1161-483b-a784-3d71aa56bea8","html_url":"https://github.com/microsoft/PacketCaptureTools","commit_stats":null,"previous_names":["microsoft/packetcapturetools"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/microsoft/PacketCaptureTools","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2FPacketCaptureTools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2FPacketCaptureTools/tags","releases_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2FPacketCaptureTools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2FPacketCaptureTools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/microsoft","download_url":"https://codeload.github.com/microsoft/PacketCaptureTools/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2FPacketCaptureTools/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30098078,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-04T22:49:54.894Z","status":"ssl_error","status_checked_at":"2026-03-04T22:49:48.883Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","capture","network","packet","pcap","pcapng","traffic"],"created_at":"2026-03-04T23:00:31.270Z","updated_at":"2026-03-04T23:00:55.445Z","avatar_url":"https://github.com/microsoft.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Packet Capture Tools\n\nThis repository contains several tools to process packet captures for network analysis. 
The tools don't perform the packet capture itself; to capture packets, use other tools such as `tcpdump` on Linux or `pktmon` on Windows, for example on Windows:\n\n```shell\npktmon stop\npktmon filter remove\npktmon start -c -f capture.etl\n# capture in progress...\npktmon stop\npktmon etl2pcap capture.etl\n```\n\n## Requirements\n\n- [dotnet](https://dotnet.microsoft.com/en-us/)\n\n## How to build\n\nUse `dotnet build` in the root directory of the repo to build the entire solution.\n\n## Tools\n\n- **Analyzer**: Packet Capture analyzer that can read [pcapng](https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-pcap) files and perform network traffic analysis.\n- **Converter**: Packet Capture converter that converts captures between different formats, for example converting from [ETL](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/trace-log) files generated by [PktMon](https://learn.microsoft.com/en-us/windows-server/networking/technologies/pktmon/pktmon) to [pcapng](https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-pcap) files.\n\n### Analyzer\n\nThe Analyzer contains logic for reading pcapng files and processing captured packets to generate metrics and output a report based on the captured network traffic.\n\nThe library is fully extensible, supporting different types of protocols and analyses whose results can be output in different report formats.\n\nHow to use:\n\n- Import the library into a dotnet project\n- Create a `SessionMetadata` object with the metadata of the capture, such as start and end time, and other environment information as needed. It is important to pass a valid `captureAddresses` parameter to this class. 
The `captureAddresses` value is used to determine the transmission direction of packets, that is, whether a packet was generated by the host where the packet capture was performed or arrived from the network to that host.\n- Define an analysis configuration or use one of the existing ones (`DefaultTrafficAnalysisConfiguration`, `TdsTrafficAnalysisConfiguration`). The `IAnalysisConfiguration` interface defines the middlewares that are used to process packets, the analysis that will be performed and the sections that will be rendered in the report.\n- Create an `AnalysisController` with the analysis configuration and the path/stream of the packet capture file(s).\n- Execute the analysis (_this operation might take some seconds/minutes depending on the size of the packet capture file(s)_)\n- Create a renderer (such as `TextRenderer` or `JsonRenderer`) to render the report based on the analysis. A report can be rendered in multiple formats.\n\nExample code:\n\n```cs\nvar sessionMetadata = new SessionMetadata(/* No Capture Addresses specified, the library will obtain the local machine interface addresses */);\nusing var analysisController = new AnalysisController(new DefaultTrafficAnalysisConfiguration(sessionMetadata), \"capture.pcapng\");\nanalysisController.Execute();\n\nvar renderer = new TextRenderer();\n\nConsole.OutputEncoding = Encoding.UTF8;\nConsole.WriteLine(analysisController.Report.Render(renderer).ToString());\n```\n\nExample output:\n\n```plaintext\nPacket Counters\n---------------\n\n[Global Packet Counters]\nA Total breakdown of all captured packets metrics.\n\n+---------------+-------------+--------+-------------+-----------------+----------+--------------+---------------+------------+\n| Total Packets | TCP Packets | Resets | Retransmits | TCP Connections | TCP Sent | TCP Received | TCP Control % | TCP Data % |\n+---------------+-------------+--------+-------------+-----------------+----------+--------------+---------------+------------+\n| 
1940722       | 1939695     | 302    | 189776      | 82              | 1.477 GB | 1.831 GB     | 1.36%         | 98.64%     |\n+---------------+-------------+--------+-------------+-----------------+----------+--------------+---------------+------------+\n\n[Packet Counters per protocol]\nThe percent and count of packets received / sent for each protocol.\n\n[Network Layer]\n\n+----------+---------+------------+----------+--------+\n| Protocol | Count   | Percentage | Received | Sent   |\n+----------+---------+------------+----------+--------+\n| IPv4     | 1940503 | 100.00%    | 1148908  | 791595 |\n| IPv6     | 0       | 0.00%      | 0        | 0      |\n| ARP      | 23      | 0.00%      | 16       | 7      |\n+----------+---------+------------+----------+--------+\n\n[Transport Layer]\n\n+----------+---------+------------+----------+--------+\n| Protocol | Count   | Percentage | Received | Sent   |\n+----------+---------+------------+----------+--------+\n| TCP      | 1939695 | 99.96%     | 1148485  | 791210 |\n| UDP      | 808     | 0.04%      | 423      | 385    |\n+----------+---------+------------+----------+--------+\n\n[Throughput]\nThe average, minimum and maximum number of packets and data transferred per second.\n\n+-------------------+--------------+---------+--------------+\n| Value             | Average      | Min     | Max          |\n+-------------------+--------------+---------+--------------+\n| Number of Packets | 66956.081 /s | 15 /s   | 287525 /s    |\n| Speed             | 119.136 MB/s | 900 B/s | 542.848 MB/s |\n+-------------------+--------------+---------+--------------+\n\n[Per IP Packet Counters]\nA Total breakdown of all captured packets metrics by IP address.\n\n+-----------------+---------------+-------------+-------------------+-------------+-----------------------------------------+----------------+\n| Dst IP          | Total Packets | TCP Packets | Resets (src, dst) | Retransmits | TCP Connections (New, Existing, Closed) | Average 
RTT(s) |\n+-----------------+---------------+-------------+-------------------+-------------+-----------------------------------------+----------------+\n| 10.0.0.1        | 309           | 309         | (0, 0)            | 31          | (1, 1, 0)                               | 0.003          |\n| 10.0.0.2        | 45            | 45          | (0, 0)            | 13          | (2, 2, 0)                               | 0.005          |\n| 10.0.0.3        | 22            | 22          | (0, 0)            | 6           | (1, 1, 0)                               | 0.004          |\n| 10.0.0.4        | 10            | 10          | (0, 0)            | 1           | (1, 1, 0)                               | 0.116          |\n| 10.0.0.5        | 1017839       | 1017839     | (64, 77)          | 187761      | (14, 14, 14)                            | 0.004          |\n+-----------------+---------------+-------------+-------------------+-------------+-----------------------------------------+----------------+\n\n[TCP Traffic Timings]\nThe percentiles of time for connection operations.\n\n+---------------------+--------+--------+--------+--------+\n| Timing              | 50th % | 90th % | 95th % | 99th % |\n+---------------------+--------+--------+--------+--------+\n| Connection Duration | 15 s   | 15.5 s | 15.5 s | 15.5 s |\n| Handshake Duration  | 35 ms  | 131 ms | 188 ms | 282 ms |\n| Between RST and SYN | _      | _      | _      | _      |\n+---------------------+--------+--------+--------+--------+\n\nTCP Resets\n----------\n\n[TCP Total Reset Analysis]\nGraph showing TCP connection resets over the period of the packet capture operation.\n\n   190┤             ╭╮\n   180┤             ││\n   170┤             ││\n   160┤             ││\n   150┤             ││\nT  140┤             ││\nC  130┤             ││\nP  120┤             ││\n   110┤             ││\nR  100┤             ││\nE   90┤             ││\nS   80┤             ││                                            
╭╮\nE   70┤             ││                                            ││\nT   60┤             ││                                            ││\nS   50┤             ││                                            ││\n    40┤             ││                                            ││\n    30┤             ││                                            ││\n    20┤             ││                                            ││\n    10┤             ││                                            ││\n     0┤─ ─  ─  ─  ─ ╯╰  ─  ─ ─  ─  ─  ─  ─  ─  ─ ─  ─  ─  ─  ─  ─ ╯╰ ─  ─     ─  ─  ─  ─\n       ----------------|---------------|---------------|---------------|---------------|-----\n   09:30:48        09:30:53        09:30:59        09:31:04        09:31:10        09:31:16\n                                TIME PERIOD OF DAY (HH:MM:SS)\n\n```\n\n### Converter\n\nThe Converter is an extensible library to convert packet captures between formats. The library provides the base infrastructure and supports multiple file formats; currently it has implementations for:\n\n- Reading ETL files generated by PktMon (_only supported on Windows_)\n- Reading ETL files generated by Ndiscap/NetSH (_only supported on Windows_)\n- Writing pcapng files\n\nExample usage:\n\n```cs\nusing var captureConverter = new CaptureConverter(\n                       new EtlPacketReader(\n                           new EventLogReaderWrapper(new EventLogReader(\"pktmon-capture.etl\", PathType.FilePath)),\n                           new PktmonEventAdapter()),\n                       new PcapngWriter(File.Create(\"converted-capture.pcapng\")));\ncaptureConverter.Convert();\n```\n\n## Contributing\n\nThis project welcomes contributions and suggestions.  Most contributions require you to agree to a\nContributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us\nthe rights to use your contribution. 
For details, visit [Contributor License Agreements](https://cla.opensource.microsoft.com).\n\nWhen you submit a pull request, a CLA bot will automatically determine whether you need to provide\na CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions\nprovided by the bot. You will only need to do this once across all repos using our CLA.\n\nThis project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).\nFor more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or\ncontact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.\n\n## Trademarks\n\nThis project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft\ntrademarks or logos is subject to and must follow\n[Microsoft's Trademark \u0026 Brand Guidelines](https://www.microsoft.com/legal/intellectualproperty/trademarks/usage/general).\nUse of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.\nAny use of third-party trademarks or logos is subject to those third parties' policies.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicrosoft%2Fpacketcapturetools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmicrosoft%2Fpacketcapturetools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicrosoft%2Fpacketcapturetools/lists"}