Everything you need to know — from uploading your first capture to understanding MITRE ATT&CK results.
NetNerve accepts .pcap and .pcapng capture files. The free tier supports files up to 2MB, while Pro and Forensics tiers support up to 20MB and 100MB respectively.
Simply drag and drop your packet capture file onto the upload area on the homepage, or click to browse your file system. Processing begins immediately — no configuration required.
Your capture file is processed entirely in-memory and is never persisted to disk. Once analysis completes, the file is discarded from the server.
The backend parses your capture using pyshark and scapy to extract protocol metadata, flow records, DNS queries, TLS SNI fields, and raw payload samples.
Extracted data is sent to a large language model that generates a structured threat summary in plain English — covering anomalies, suspicious patterns, and recommended actions.
For Forensics-tier users, the capture is simultaneously run through the Suricata intrusion detection engine with 40,000+ community and custom rules.
Results from the AI engine and Suricata are correlated and mapped to MITRE ATT&CK sub-techniques, producing a unified threat intelligence report.
The AI-generated narrative overview of your capture — including key findings, severity ratings, and recommended next steps.
Deep-dive into threats: Suricata alerts grouped by severity, custom rule detections, IP reputation lookups, and MITRE ATT&CK technique mappings.
Protocol distribution charts, top talkers by bandwidth, port analysis, and flow-level breakdowns of your network traffic.
WiFi metadata, Telnet session detection, TLS certificate analysis, DNS query logging, and plaintext credential exposure alerts.
NetNerve uses the Emerging Threats (ET Open) community ruleset updated daily, supplemented with custom NetNerve rules targeting specific attack patterns.
Our custom ruleset includes detection for SQL injection attempts in HTTP payloads, cross-site scripting patterns, command injection sequences, and suspicious DNS tunneling.
Suricata alerts are deduplicated and correlated with the AI engine's findings. Each alert is mapped to its MITRE ATT&CK sub-technique for standardized reporting.
Upload a packet capture file for analysis. Accepts multipart/form-data with a file field. Returns a JSON response containing the full analysis payload.
API access requires a valid Clerk session token. Include the Authorization header with your bearer token for authenticated requests.
Free tier: 5 analyses per day. Pro tier: 50 analyses per day. Forensics tier: 200 analyses per day. Rate limits reset at midnight UTC.
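As an added example (not NetNerve's own client code), a minimal Python uploader for the API described above: it checks the capture's magic bytes and the tier size limit locally before spending one of the day's analyses, sends the file as a multipart/form-data file field with the Clerk session token as a bearer token, and parses the JSON response. The endpoint URL, the reading of the tier limits as binary megabytes, and HTTP 429 as the rate-limit response are assumptions, not taken from the docs.

```python
import json
import os
import urllib.error
import urllib.request
import uuid

UPLOAD_URL = "https://netnerve.example/api/analyze"  # placeholder: path not given in the docs
# Per-tier upload limits from the docs, assumed to be binary megabytes.
TIER_LIMITS = {"free": 2 << 20, "pro": 20 << 20, "forensics": 100 << 20}
# Leading bytes of the accepted formats: classic pcap in either byte order (and the
# nanosecond-timestamp variants), and the pcapng Section Header Block type.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

def validate_capture(data: bytes, tier: str) -> str:
    """Return 'pcap' or 'pcapng' from the bytes (not the extension); raise ValueError otherwise."""
    if len(data) > TIER_LIMITS[tier]:
        raise ValueError(f"{len(data)} bytes exceeds the {tier} tier limit")
    head = data[:4]
    if head in PCAP_MAGICS:
        return "pcap"
    if head == PCAPNG_MAGIC:
        return "pcapng"
    raise ValueError("not a pcap or pcapng capture")

def build_multipart(filename: str, data: bytes, boundary: str) -> bytes:
    """Encode a single 'file' field as a multipart/form-data body."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()

def upload_capture(path: str, token: str, tier: str = "free") -> dict:
    """Validate locally, then POST the capture with the Clerk session token as a bearer token."""
    with open(path, "rb") as fh:
        data = fh.read()
    validate_capture(data, tier)
    boundary = uuid.uuid4().hex
    body = build_multipart(os.path.basename(path), data, boundary)
    req = urllib.request.Request(UPLOAD_URL, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": f"multipart/form-data; boundary={boundary}",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 429:  # assumed: how an exhausted daily quota is signalled
            raise RuntimeError("daily quota used; limits reset at midnight UTC") from exc
        raise
```

Because the upload is validated from the file's leading bytes, a renamed non-capture file is rejected before it costs an analysis; upload_capture(path, token, "pro") is the call that actually sends it.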