PacketQ

GPL-3.0 · JavaScript · v1.7.3

A command-line tool that runs SQL queries directly on PCAP files and includes a built-in web server for remote inspection.

396 stars · 54 forks · 0 contributors

What is PacketQ?

PacketQ is a command-line tool that allows users to run SQL queries directly on PCAP (packet capture) files, enabling efficient network traffic analysis without the need for intermediate databases. It supports multiple output formats like JSON, CSV, and XML, and includes a built-in web server for remote PCAP inspection. The tool is designed for fast decoding and querying, making it ideal for troubleshooting and analyzing network protocols such as DNS and ICMP.

Target Audience

Network administrators, security analysts, and developers who need to analyze packet capture files for debugging, monitoring, or research purposes. It is particularly useful for those working with DNS traffic or requiring SQL-based querying capabilities on raw network data.

Value Proposition

PacketQ stands out by combining SQL querying with direct PCAP file analysis, eliminating the need for database imports. Its lightweight design, minimal dependencies, and built-in web server offer a self-contained solution for both local and remote packet inspection, with extensible protocol support and performance optimizations for large files.

Overview

Moved to https://codeberg.org/DNS-OARC/PacketQ

Use Cases

Best For

  • Running SQL queries on packet capture files without intermediate databases
  • Analyzing DNS traffic and ICMP protocols in PCAPs
  • Remote inspection of PCAP files via a built-in web server
  • Exporting network analysis results as JSON, CSV, or XML
  • Efficiently querying large PCAP files with sampling support
  • Troubleshooting network issues with fast, in-memory sorting and decoding

Not Ideal For

  • Real-time network monitoring and live packet analysis
  • Decoding complex protocols beyond ICMP and DNS without custom extensions
  • Projects requiring advanced graphical interfaces or rich visualizations

Pros & Cons

Pros

Fast Native Decoding

Super-fast native decoding of PCAP files, even gzipped, with dirt-quick in-memory sorting algorithms, enabling rapid query performance as stated in the features.

Minimal Dependencies

Only dependent on zlib, with no other hard-to-find libraries, making it easy to compile on various systems per the dependencies section.

SQL Query Flexibility

Allows running SQL queries directly on PCAP files without intermediate databases, supporting grouping, sorting, and most SQL functions for efficient analysis.

Built-in Remote Access

Includes a web server for remote PCAP inspection via a simple jQuery-based GUI and JSON API, useful for team troubleshooting and remote access.

Sampling for Efficiency

Supports sampling to efficiently query large, uniform PCAP files, optimizing performance for big data analysis as highlighted in the features.

Cons

Limited Protocol Support

Only built-in support for ICMP and DNS; other protocols require extensible decoding, which may involve custom development work, limiting out-of-the-box usability.

Simplistic Web Interface

The web server and GUI are described as 'simplistic,' lacking advanced features for complex data visualization or interactive analysis compared to full-fledged tools.

GPL Licensing Restriction

Licensed under GPL v3, which can be a barrier for integration into proprietary or closed-source commercial projects due to copyleft requirements.

Quick Stats

Stars: 396
Forks: 54
Contributors: 0
Open Issues: 0
Last commit: 3 months ago
Created: Since 2011

Tags

#dns-analysis #network-troubleshooting #sql-queries #web-server #pcap #dns #data-export #command-line-tool #network-analysis #protocol-decoding #pcap-analysis #sql

Built With

  • autoconf
  • zlib
  • libtool
  • automake
  • C++

Included in

PCAPTools · 3.4k

Related Projects

BruteShark

Network Analysis Tool

Stars: 3,358
Forks: 355
Last commit: 3 years ago

PcapPlusPlus

PcapPlusPlus is a multiplatform C++ library for capturing, parsing and crafting of network packets. It is designed to be efficient, powerful and easy to use. It provides C++ wrappers for the most popular packet processing engines such as libpcap, Npcap, WinPcap, DPDK, AF_XDP and PF_RING.

Stars: 3,081
Forks: 742
Last commit: 1 day ago

Ettercap

Ettercap Project

Stars: 2,724
Forks: 531
Last commit: 20 days ago

tcpflow

TCP/IP packet demultiplexer. Download from:

Stars: 1,769
Forks: 244
Last commit: 3 months ago