📚 Documentation

Complete guide to using PCaptor Pro for network analysis and threat detection

🚀 Getting Started

Welcome to PCaptor Pro! This guide will help you get up and running quickly with network analysis and threat detection.

What is PCaptor Pro?

PCaptor Pro is an advanced network packet analyzer that combines multiple detection engines to identify threats, malware, and suspicious activity in network traffic. It processes PCAP files and generates comprehensive HTML reports with actionable intelligence.

✨ Key Capabilities

  • 25 C2 Framework Detection - Cobalt Strike, Metasploit, Brute Ratel C4, and 22 more
  • 92 YARA Rules - Web shells, data exfiltration, exploit kits, APT activity, backdoors
  • 16 Ransomware Families - WannaCry, Ryuk, REvil, Conti, LockBit, and more
  • Crypto Mining Detection - 8 wallet types, 20+ pools, browser mining
  • LOLBin Detection - 82 patterns across 7 tools with MITRE ATT&CK mapping
  • IoT/OT Security - Modbus, MQTT, BACnet, CoAP protocol monitoring
  • 13 Intelligent Plugins - Protocol decoders, GeoIP, threat intelligence
  • 18 Threat Feeds - Automatic download and matching

Quick Start

Get started with PCaptor Pro in 3 simple steps:

Step 1: Run Basic Analysis

pcaptor.exe -f capture.pcap -html

This will analyze your PCAP file and generate an HTML report.

Step 2: View the Report

Open the generated HTML file in your browser. The report includes:

  • Interactive dashboard with threat score
  • Detected threats and anomalies
  • Protocol analysis and statistics
  • Plugin results and insights

Step 3: Explore Advanced Features

Enable additional detection engines for comprehensive analysis:

pcaptor.exe -f capture.pcap -html -yara-dir ./yara/ -ti-feeds

💻 Installation

System Requirements

Minimum Requirements

  • OS: Windows 10, Linux (Ubuntu 20.04+), macOS 11+
  • CPU: 2 cores
  • RAM: 4GB
  • Disk: 500MB free space

💡 Recommended Specifications

  • OS: Windows 11, Linux (Ubuntu 22.04+), macOS 13+
  • CPU: 8+ cores for optimal performance
  • RAM: 16GB+ for large PCAP files
  • Disk: 2GB free space, SSD recommended

Installation Steps

Windows

  1. Download PCaptor.exe from your purchase email
  2. Place the executable in your preferred directory
  3. Open Command Prompt or PowerShell
  4. Navigate to the directory: cd C:\path\to\pcaptor
  5. Run: pcaptor.exe -version to verify installation

Linux / macOS

  1. Download the appropriate binary for your platform
  2. Make it executable: chmod +x pcaptor
  3. Move to /usr/local/bin (optional): sudo mv pcaptor /usr/local/bin/
  4. Verify: pcaptor -version

Directory Structure

PCaptor Pro automatically creates and uses these directories:

PCaptor/
├── pcaptor.exe     # Main executable
├── yara/           # YARA rules (auto-loaded)
├── signatures/     # Custom signatures (auto-loaded)
├── intel_db/       # Threat intelligence databases
├── plugins/        # Plugin files
└── output/         # Generated reports (default)

📖 Basic Usage

Command Line Syntax

pcaptor.exe -f <pcap_file> [options]

Common Commands

1. Basic Analysis with HTML Report

pcaptor.exe -f capture.pcap -html

Generates an interactive HTML report with all basic detections.

2. Full Analysis with All Features

pcaptor.exe -f capture.pcap -html -yara-dir ./yara/ -ti-feeds

Enables YARA scanning and threat intelligence feeds.

3. Export Multiple Formats

pcaptor.exe -f capture.pcap -html -csv -json

Generates HTML, CSV, and JSON reports simultaneously.

4. Custom Output Directory

pcaptor.exe -f capture.pcap -html -o ./reports/

Saves reports to a specific directory.

Command Line Options

Required Options

  • -f <file> - PCAP file to analyze (required)

Output Options

  • -html - Generate HTML report
  • -csv - Export CSV files
  • -json - Export JSON report
  • -o <dir> - Output directory

Detection Engines

  • -yara-dir <dir> - YARA rules directory
  • -yara-file <file> - Single YARA rule file
  • -sig-dir <dir> - Custom signatures directory
  • -ti-feeds - Enable threat intelligence feeds
  • -vt-api <key> - VirusTotal API key
  • -otx-api <key> - AlienVault OTX API key

Performance Options

  • -w <num> - Number of worker threads (default: 24)
  • -config <file> - Configuration file

Logging Options

  • -log-level <level> - debug, info, warn, error
  • -log-file <file> - Log file path
  • -q - Quiet mode
  • -v - Verbose mode

⚡ Advanced Features

YARA Integration

PCaptor Pro includes 92 network-optimized YARA rules across 10 categories:

  • Malware C2 (11 rules) - C2 framework detection
  • Credential Theft (9 rules) - Credential harvesting
  • Network Threats (11 rules) - Network-based attacks
  • Recon Scanners (10 rules) - Reconnaissance tools
  • Web Shells (8 rules) - PHP, ASP, JSP webshells
  • Data Exfiltration (8 rules) - Cloud uploads, DNS tunneling
  • Exploit Kits (10 rules) - Angler, RIG, Magnitude, etc.
  • APT Network (10 rules) - Cobalt Strike, Mimikatz, etc.
  • Backdoors (12 rules) - Netcat, SSH tunnels, C2 channels
  • HTTP Exploits (1 rule) - Command injection

Using YARA Rules

# Auto-load all rules from yara/ directory
pcaptor.exe -f capture.pcap -html -yara-dir ./yara/

# Load specific rule file
pcaptor.exe -f capture.pcap -html -yara-file ./yara/malware_c2.yar

💡 Performance Tip: The 92 included rules add only ~10% overhead. Avoid loading thousands of generic rules (like yara-rules-full.yar), which can slow analysis by 90%+.

Custom Signatures

Create targeted detection signatures in JSON format. PCaptor Pro includes 62 default signatures.

Example Signature

{
  "id": "C2-001",
  "name": "Cobalt Strike Beacon",
  "description": "Detects Cobalt Strike C2 traffic",
  "severity": "critical",
  "category": "c2",
  "enabled": true,
  "conditions": {
    "user_agent_contains": "Mozilla/5.0 (compatible; MSIE 9.0",
    "uri_regex": "^/(updates|submit\\.php)"
  }
}
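To show how a signature in this format is validated and evaluated against decoded HTTP requests, here is an added Python example; it is not PCaptor Pro's own engine, and the required-field list, the substring/regex semantics of the two condition keys, and the AND-combination of conditions are assumptions, as are the sample requests.

```python
import json
import re

# The signature from the page, in the JSON format shown above.
SIGNATURE_JSON = r'''{
  "id": "C2-001", "name": "Cobalt Strike Beacon",
  "description": "Detects Cobalt Strike C2 traffic",
  "severity": "critical", "category": "c2", "enabled": true,
  "conditions": {
    "user_agent_contains": "Mozilla/5.0 (compatible; MSIE 9.0",
    "uri_regex": "^/(updates|submit\\.php)"
  }
}'''

# Fields every signature must carry (assumed; the page states no schema).
REQUIRED_FIELDS = ("id", "name", "severity", "category", "enabled", "conditions")

# Condition evaluators (assumed semantics: substring test and re.search).
CONDITION_HANDLERS = {
    "user_agent_contains": lambda req, v: v in req.get("user_agent", ""),
    "uri_regex": lambda req, v: re.search(v, req.get("uri", "")) is not None,
}

def load_signature(text):
    """Parse one JSON signature and reject malformed ones before scanning."""
    sig = json.loads(text)
    missing = [k for k in REQUIRED_FIELDS if k not in sig]
    if missing:
        raise ValueError(f"signature missing fields: {missing}")
    unknown = [k for k in sig["conditions"] if k not in CONDITION_HANDLERS]
    if unknown:
        raise ValueError(f"unsupported condition keys: {unknown}")
    if "uri_regex" in sig["conditions"]:
        re.compile(sig["conditions"]["uri_regex"])  # surface regex errors at load time
    return sig

def matches(sig, request):
    """All conditions must hold (assumed AND semantics); disabled rules never fire."""
    if not sig["enabled"]:
        return False
    return all(fn(request, sig["conditions"][key])
               for key, fn in CONDITION_HANDLERS.items() if key in sig["conditions"])

def scan(signatures, requests):
    """Return one hit record per (request, signature) pair that matches."""
    hits = []
    for idx, req in enumerate(requests):
        for sig in signatures:
            if matches(sig, req):
                hits.append({"request": idx, "src": req["src"], "uri": req["uri"],
                             "sig_id": sig["id"], "severity": sig["severity"]})
    return hits

# Constructed HTTP request records standing in for PCaptor's decoded HTTP data.
MSIE_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "uri": "/updates", "user_agent": MSIE_UA},          # hit
    {"src": "10.0.0.5", "uri": "/submit.php?id=1", "user_agent": MSIE_UA},  # hit
    {"src": "10.0.0.7", "uri": "/index.html", "user_agent": MSIE_UA},       # URI fails
    {"src": "10.0.0.9", "uri": "/updates", "user_agent": "curl/8.4.0"},     # UA fails
    {"src": "10.0.0.5", "uri": "/submitXphp", "user_agent": MSIE_UA},       # escaped dot is literal
]

def scan_sample():
    return scan([load_signature(SIGNATURE_JSON)], SAMPLE_REQUESTS)
```

Note that the doubled backslash in `uri_regex` is JSON escaping: the regex the engine sees is `^/(updates|submit\.php)`, so the last sample request does not match.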

Using Custom Signatures

# Load from directory
pcaptor.exe -f capture.pcap -html -sig-dir ./signatures/

# Load specific file
pcaptor.exe -f capture.pcap -html -sig-file ./my-signatures.json

Threat Intelligence

PCaptor Pro integrates with 18 threat intelligence feeds:

  • Feodo Tracker (Botnet C2)
  • SSL Blacklist (Malicious SSL certs)
  • URLhaus (Malicious URLs)
  • Tor Exit Nodes
  • ThreatView (6 feeds: Ransomware, Phishing, Malware, Botnets, Exploits, APT)
  • Custom feeds support

Enable Threat Intelligence

# Auto-download free feeds
pcaptor.exe -f capture.pcap -html -ti-feeds

# Use VirusTotal
pcaptor.exe -f capture.pcap -html -vt-api YOUR_API_KEY

# Use AlienVault OTX
pcaptor.exe -f capture.pcap -html -otx-api YOUR_API_KEY

🔍 Detection Engines

C2 Framework Detection (25 Frameworks)

Industry-leading detection of Command & Control frameworks:

Commercial Frameworks

  • Cobalt Strike
  • Brute Ratel C4
  • Nighthawk

Open Source Frameworks

  • Metasploit, PowerShell Empire, Sliver, Covenant
  • Mythic, Havoc, PoshC2, Pupy RAT, Koadic
  • Merlin, Villain, Silver, Deimos, Ninja
  • Ares, Faction, Apfell, SharpC2, Athena
  • Octopus, SilentTrinity

Ransomware Detection (16 Families)

  • WannaCry, Ryuk, REvil/Sodinokibi, Conti
  • LockBit (2.0, 3.0), BlackCat/ALPHV, Hive
  • Maze/Egregor, DarkSide/BlackMatter, Ragnar Locker
  • Cerber, Locky, GandCrab, Dharma, Phobos, STOP/Djvu

Detection Methods:
  • Shadow copy deletion detection
  • Backup deletion detection
  • 70+ file extension monitoring
  • SMB enumeration tracking
  • C2 beaconing detection

Crypto Mining Detection

  • 8 Wallet Types: Bitcoin, Ethereum, Monero, Litecoin, Dogecoin, Ripple, Zcash, Dash
  • 20+ Mining Pools: Monero, Ethereum, Bitcoin, multi-coin pools
  • Browser Cryptojacking: Coinhive, Cryptoloot, JSEcoin
  • Mining Software: XMRig, Claymore, Phoenix, GMiner, LOLMiner, NBMiner, TeamRedMiner, ETHMiner
  • Stratum Protocol: Session tracking with method detection

LOLBin Detection (82 Patterns)

Living-off-the-Land Binary abuse detection across 7 tools:

  • PowerShell (32 patterns) - Download cradles, Invoke-Expression, encoded commands
  • Certutil (11 patterns) - File downloads, decode operations
  • Bitsadmin (8 patterns) - File transfers
  • WMI (11 patterns) - Remote execution, reconnaissance
  • Mshta (7 patterns) - Remote script execution
  • Regsvr32 (6 patterns) - Squiblydoo technique
  • Rundll32 (7 patterns) - Script execution

💡 MITRE ATT&CK Mapping: All LOLBin patterns are mapped to 20 MITRE ATT&CK techniques for threat intelligence correlation.

IoT/OT Security (4 Protocols)

  • Modbus/TCP: Write attacks, illegal function codes
  • MQTT: Command injection, suspicious topics
  • BACnet: Unauthorized write operations
  • CoAP: Suspicious URI access

🔌 Plugins

PCaptor Pro includes 13 intelligent plugins that auto-load and provide specialized analysis:

Threat Detection Plugins

1. Ransomware Detection v2.0.0

  • 16 ransomware families
  • Shadow copy deletion detection
  • 70+ file extensions monitored
  • Behavioral detection

2. Crypto Wallet Detection v3.0.0

  • 8 cryptocurrency types
  • 20+ mining pools
  • Browser cryptojacking detection
  • Mining software detection (17 tools)
  • Stratum protocol session tracking

3. LOLBin Detection v2.0.0

  • 82 patterns across 7 tools
  • MITRE ATT&CK mapping (20 techniques)
  • Attack chain detection
  • Targeted host tracking

4. IoT/OT Detection v1.0.0

  • Modbus/TCP security monitoring
  • MQTT command injection detection
  • BACnet unauthorized write detection
  • CoAP suspicious URI detection

5. ML C2 Detection v1.0.0

  • Machine learning-based C2 identification
  • 10,000+ historical flow patterns
  • Unknown C2 framework detection
  • Behavioral analysis

6. Messaging C2 Detection v1.0.0

  • Telegram C2 detection (13 CIDRs)
  • WhatsApp abuse detection (13 CIDRs)
  • Discord, Slack monitoring

Intelligence & Analysis Plugins

7. Geo Intelligence v1.0.0

  • Binary search GeoIP (10-100x faster)
  • 10M+ IP ranges
  • High-risk country detection
  • VPN detection

8. VirusTotal Integration v1.0.0

  • IP/Domain/Hash reputation checks
  • Paid API support
  • Automatic caching

9. AlienVault OTX Integration v1.0.0

  • Open threat intelligence
  • Pulse-based threat feeds
  • Community indicators

10. Protocol Decoders v1.0.0

  • 12+ protocols (IRC, SNMP, LDAP, SIP, XMPP, TFTP, Syslog)
  • Message extraction
  • Rich protocol analysis

11. HTTP Content Analysis v1.0.0

  • API endpoint extraction
  • Credential detection
  • POST data analysis

12. Connection Graph v1.0.0

  • Network topology mapping
  • Communication patterns
  • Node and edge analysis

13. Protocol Anomaly v1.0.0

  • Unusual protocol behavior
  • Behavioral analysis
  • Anomaly scoring

💡 Auto-Discovery: All plugins are automatically discovered and loaded. No configuration needed!

📊 Reports

HTML Reports

Interactive HTML reports are the primary output format, featuring:

Report Components

  • Executive Dashboard: Threat score, risk level, key metrics
  • Threat Summary: Critical findings, C2 detections, malware alerts
  • Protocol Analysis: Traffic breakdown, top talkers, port usage
  • Detection Results: YARA matches, signature hits, anomalies
  • Plugin Insights: Ransomware, crypto mining, LOLBin activity
  • Threat Intelligence: Feed matches, reputation scores
  • Timeline View: Chronological event sequence
  • Network Graph: Visual topology and connections

Generate HTML Report

pcaptor.exe -f capture.pcap -html -o ./reports/

CSV Exports

Export structured data for analysis in Excel, databases, or SIEM systems:

  • connections.csv: All network connections with metadata
  • threats.csv: Detected threats with severity and details
  • dns.csv: DNS queries and responses
  • http.csv: HTTP requests and responses
  • tls.csv: TLS/SSL connections and certificates

Generate CSV Exports

pcaptor.exe -f capture.pcap -csv -o ./exports/

JSON Format

Machine-readable JSON output for automation and integration:

{
  "metadata": {
    "filename": "capture.pcap",
    "packets": 243586,
    "duration": "2h 15m",
    "threat_score": 85
  },
  "threats": [
    {
      "type": "c2_detection",
      "name": "Cobalt Strike Beacon",
      "severity": "critical",
      "confidence": 0.95
    }
  ],
  "statistics": {...},
  "plugins": {...}
}

Generate JSON Report

pcaptor.exe -f capture.pcap -json -o ./data/

Report Customization

Control what appears in reports:

# Minimal report (faster generation)
pcaptor.exe -f capture.pcap -html -q

# Full report with all details
pcaptor.exe -f capture.pcap -html -v

# Multiple formats simultaneously
pcaptor.exe -f capture.pcap -html -csv -json

⚙️ Configuration

Configuration Files

PCaptor Pro supports JSON configuration files for persistent settings:

Basic Configuration (pcaptor.json)

{
  "workers": 24,
  "output_dir": "./reports/",
  "log_level": "info",
  "yara_dir": "./yara/",
  "signatures_dir": "./signatures/",
  "enable_ti_feeds": true,
  "html_report": true,
  "csv_export": false,
  "json_export": false
}

High-Memory Configuration (pcaptor-highmem.json)

For large PCAP files (1GB+) and systems with 16GB+ RAM:

{
  "workers": 48,
  "buffer_size": 10485760,
  "max_packets_in_memory": 1000000,
  "enable_streaming": true,
  "chunk_size": 100000,
  "memory_limit": "8GB"
}

Using Configuration Files

# Standard config
pcaptor.exe -f capture.pcap -config pcaptor.json

# High-memory config for large files
pcaptor.exe -f large_capture.pcap -config pcaptor-highmem.json

Performance Tuning

Worker Threads

Adjust based on your CPU cores:

# Auto-detect (default: 24)
pcaptor.exe -f capture.pcap -html

# Manual setting (recommended: 2x CPU cores)
pcaptor.exe -f capture.pcap -html -w 48

💡 Performance Tip: PCaptor Pro achieves 88,000+ packets/second with all features enabled. For optimal performance:
  • Use SSD storage for large PCAP files
  • Set workers to 2x your CPU core count
  • Enable high-memory mode for files over 1GB
  • Use network-optimized YARA rules (included 92 rules)

Memory Management

For large PCAP files:

  • Streaming Mode: Process packets in chunks to reduce memory usage
  • Buffer Size: Increase for better throughput on fast systems
  • Packet Limit: Set max packets in memory to prevent OOM errors

Logging Configuration

# Debug logging
pcaptor.exe -f capture.pcap -html -log-level debug -log-file debug.log

# Quiet mode (errors only)
pcaptor.exe -f capture.pcap -html -q

# Verbose mode (detailed progress)
pcaptor.exe -f capture.pcap -html -v

Environment Variables

Set default behavior via environment variables:

# Windows
set PCAPTOR_WORKERS=48
set PCAPTOR_OUTPUT_DIR=C:\Reports

# Linux/macOS
export PCAPTOR_WORKERS=48
export PCAPTOR_OUTPUT_DIR=/var/reports

🔧 Troubleshooting

Common Issues

Issue: "Failed to open PCAP file"

Symptoms: Error message when trying to open PCAP file

Solutions:
  • Verify file exists and path is correct
  • Check file permissions (read access required)
  • Ensure file is valid PCAP format (not PCAPNG)
  • Try absolute path instead of relative path

Issue: Slow Performance

Symptoms: Processing speed below 10,000 pkt/s

Solutions:
  • Increase worker threads: -w 48
  • Use high-memory config for large files
  • Disable unnecessary features (e.g., skip YARA if not needed)
  • Check disk I/O (use SSD for best performance)
  • Avoid loading thousands of generic YARA rules

Issue: Out of Memory

Symptoms: Process crashes or system becomes unresponsive

Solutions:
  • Use high-memory configuration: -config pcaptor-highmem.json
  • Enable streaming mode for large files
  • Reduce worker threads: -w 12
  • Process file in chunks (split large PCAP)
  • Close other applications to free memory

Issue: YARA Rules Not Loading

Symptoms: No YARA matches in report

Solutions:
  • Verify YARA directory path: -yara-dir ./yara/
  • Check .yar files exist in directory
  • Validate YARA rule syntax
  • Check log file for YARA compilation errors

Issue: Threat Intelligence Feeds Not Working

Symptoms: No TI matches or download errors

Solutions:
  • Check internet connectivity
  • Verify API keys are correct (VT, OTX)
  • Check intel_db/ directory permissions
  • Manually download feeds to test connectivity
  • Review log file for specific error messages

Performance Tips

💡 Optimization Checklist

  • ✅ Use SSD storage for PCAP files
  • ✅ Set workers to 2x CPU cores
  • ✅ Use included 92 YARA rules (optimized)
  • ✅ Enable high-memory mode for files over 1GB
  • ✅ Pre-download threat intelligence feeds
  • ✅ Use quiet mode (-q) for faster processing
  • ✅ Disable CSV/JSON if only HTML needed

Error Messages

"Invalid PCAP format"

File is PCAPNG format. Convert to PCAP using:

tshark -F pcap -r input.pcapng -w output.pcap
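Because both "Failed to open PCAP file" and "Invalid PCAP format" are commonly caused by handing the tool a PCAPNG file, it is worth checking the capture's magic bytes before a long run. The following added Python example (not part of PCaptor Pro) classifies a file from its header using the public pcap and pcapng magic values and prints the tshark conversion command from this section; the sample headers are constructed inline.

```python
import struct
import sys

# First four bytes of the pcap variants (magic 0xA1B2C3D4 or, for nanosecond
# timestamps, 0xA1B23C4D, in either byte order).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
}
# pcapng files start with a Section Header Block: block type 0x0A0D0D0A (reads the
# same in either byte order), a block length, then byte-order magic 0x1A2B3C4D.
PCAPNG_BLOCK_TYPE = b"\x0a\x0d\x0d\x0a"
PCAPNG_BYTE_ORDER_MAGICS = (b"\x4d\x3c\x2b\x1a", b"\x1a\x2b\x3c\x4d")


def identify_capture(header: bytes) -> str:
    """Classify a capture file from its first 12 bytes (shorter input is tolerated)."""
    if len(header) < 4:
        return "unknown (file shorter than a capture header)"
    magic = header[:4]
    if magic in PCAP_MAGICS:
        return PCAP_MAGICS[magic]
    if magic == PCAPNG_BLOCK_TYPE:
        if len(header) >= 12 and header[8:12] not in PCAPNG_BYTE_ORDER_MAGICS:
            return "unknown (pcapng block type but no byte-order magic)"
        return "pcapng"
    return "unknown"


def is_pcap(header: bytes) -> bool:
    return identify_capture(header).startswith("pcap (")


def convert_command(src: str, dst: str) -> list:
    """The tshark conversion from the Troubleshooting section, as an argv list."""
    return ["tshark", "-F", "pcap", "-r", src, "-w", dst]


def check_file(path: str) -> str:
    with open(path, "rb") as fh:
        return identify_capture(fh.read(12))


# Constructed headers: a 24-byte pcap global header (magic, version 2.4, tz 0,
# sigfigs 0, snaplen 65535, linktype 1 = Ethernet) and a 28-byte pcapng SHB.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = (struct.pack("<IIIHHq", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1)
                 + struct.pack("<I", 28))

if __name__ == "__main__":
    for path in sys.argv[1:]:
        kind = check_file(path)
        print(f"{path}: {kind}")
        if kind == "pcapng":
            print("  convert with:", " ".join(convert_command(path, path + ".pcap")))
```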

"Permission denied"

Run with appropriate permissions or move file to accessible location.

"YARA compilation failed"

Check YARA rule syntax. Use -log-level debug to see specific errors.

Getting Help

If you encounter issues not covered here:

  • Check log files with -log-level debug
  • Review documentation files in installation directory
  • Contact support with log file and error details
  • Include system specs and PCAP file size

❓ FAQ

General Questions

Q: What file formats are supported?

A: PCaptor Pro supports standard PCAP format. PCAPNG files need to be converted to PCAP first using tools like tshark or Wireshark.

Q: How large of a PCAP file can I analyze?

A: PCaptor Pro can handle multi-gigabyte PCAP files. For files over 1GB, use the high-memory configuration. The largest tested file is 50GB with streaming mode enabled.

Q: What's the processing speed?

A: PCaptor Pro processes up to 88,000+ packets/second with all features enabled on modern hardware (8+ cores, 16GB RAM, SSD storage).

Q: Can I use PCaptor Pro for live capture?

A: PCaptor Pro analyzes PCAP files. For live capture, use tools like tcpdump or Wireshark to capture traffic, then analyze with PCaptor Pro.

Features & Detection

Q: How many C2 frameworks can PCaptor Pro detect?

A: PCaptor Pro detects 25 C2 frameworks including Cobalt Strike, Metasploit, Brute Ratel C4, and 22 others. It uses 62 signatures with 90%+ real-world threat coverage.

Q: What ransomware families are detected?

A: 16 ransomware families including WannaCry, Ryuk, REvil, Conti, LockBit, BlackCat, Hive, Maze, DarkSide, and more. Detection includes behavioral analysis and C2 communication patterns.

Q: How accurate is the crypto mining detection?

A: Very high accuracy with 8 wallet types, 20+ mining pools, and 17 mining software signatures. Includes browser cryptojacking detection (Coinhive, Cryptoloot, JSEcoin).

Q: What are YARA rules and do I need them?

A: YARA rules are pattern-matching signatures for threat detection. PCaptor Pro includes 92 network-optimized rules that add only ~10% overhead. They're optional but highly recommended for comprehensive analysis.

Q: Can I create custom detection signatures?

A: Yes! PCaptor Pro supports custom JSON signatures. See the CUSTOM_SIGNATURES_GUIDE.md for detailed instructions and examples.

Licensing & Pricing

Q: What's the difference between Free and Pro versions?

A: Free version includes basic packet analysis and 5 YARA rules. Pro version adds 25 C2 frameworks, 92 YARA rules, 16 ransomware families, crypto mining detection, LOLBin detection, IoT/OT security, 13 plugins, and 18 threat intelligence feeds.

Q: Is the pricing one-time or subscription?

A: PCaptor Pro uses annual subscription pricing. Regular price is $599/year, currently available for $189/year (68% discount).

Q: Can I use PCaptor Pro commercially?

A: Yes, the Pro license includes commercial use rights for security analysis, incident response, and threat hunting.

Technical Questions

Q: Does PCaptor Pro require internet connectivity?

A: No, PCaptor Pro works offline. Internet is only needed for threat intelligence feed downloads (optional feature).

Q: What operating systems are supported?

A: Windows 10+, Linux (Ubuntu 20.04+), and macOS 11+. Binaries are provided for each platform.

Q: Can I integrate PCaptor Pro with my SIEM?

A: Yes, use CSV or JSON export formats for SIEM integration. The structured output includes all detection results and metadata.

Q: How often are threat intelligence feeds updated?

A: Free feeds (Feodo, URLhaus, SSL Blacklist, Tor nodes) update daily. Premium feeds (ThreatView) update hourly. PCaptor Pro caches feeds locally for offline analysis.

Q: Are plugins automatically loaded?

A: Yes, all 13 plugins are auto-discovered and loaded. No configuration needed.

Best Practices

Q: What's the recommended workflow for incident response?

A:

  1. Capture traffic during incident (tcpdump, Wireshark)
  2. Run full analysis: pcaptor.exe -f capture.pcap -html -yara-dir ./yara/ -ti-feeds
  3. Review HTML report for threats and anomalies
  4. Export CSV/JSON for detailed investigation
  5. Use findings to guide remediation

Q: Should I enable all features for every analysis?

A: For comprehensive threat hunting, yes. For quick triage, start with basic analysis then enable specific features as needed.

Q: How do I optimize for large PCAP files?

A: Use high-memory configuration, increase worker threads, enable streaming mode, and use SSD storage. See Configuration section for details.

💡 Pro Tips

  • Always enable YARA rules for comprehensive detection
  • Use threat intelligence feeds for IOC matching
  • Export multiple formats (HTML + CSV) for different audiences
  • Review plugin results for specialized threats
  • Keep threat feeds updated for latest IOCs