using-the-web-ui
Using the Web UI — PacketPilot Analyze
Open the Analyze web UI at:
http://localhost:3000
(Or your server's IP/hostname if running on a remote machine.)
On first launch, you'll be asked to create an admin account. After that, you'll see the main dashboard.
Dashboard
The dashboard shows:
- Recent Cases — your last 5 cases with status
- System Status — whether all services are running
- Quick Actions — New Case, Upload Artifact
Cases List
Click Cases in the sidebar to see all cases.
Each case card shows:
- Case name
- Creation date
- Number of artifacts
- Severity of the highest finding (if analyzed)
- Tags
Searching Cases
Use the search bar at the top of the Cases list to filter by:
- Case name
- Device tag
- Date range
Deleting a Case
Open the case and click Delete Case in the top-right menu. This removes the case and all its artifacts permanently.
Creating a Case
- Click New Case in the sidebar or the dashboard
- Enter a case name (e.g.
Core-Switch-A-2025-05-10) - Optionally add tags (e.g.
core,switch,site-A) - Click Create
The case opens. You're now in the case view.
Uploading Artifacts
With a case open:
- Click Upload Artifact in the case toolbar
- Drag files onto the upload area, or click to browse
- Select one or more files
- Click Upload
Supported files:
.pcap,.pcapng— packet captures.log,.txt— syslog exports.json— findings exported from Config
Each uploaded file appears as a card in the case. You can upload multiple files to a single case.
Running Analysis
With artifacts uploaded:
- Click Analyze in the case toolbar
- The analysis runs — deterministic rules fire against each artifact
- When complete, findings appear in the Findings tab
- An AI summary appears in the AI Summary tab
Analysis Progress
During analysis, the case shows a spinner. Analysis typically completes in 10–30 seconds depending on file size and the Ollama model being used.
Findings Tab
The Findings tab lists all deterministic rule results.
Each finding shows:
- Severity badge (Critical / High / Medium / Low / Info)
- Rule ID — which rule fired
- Title — short description
- Source — which artifact triggered this finding
Filtering Findings
Use the filter bar to filter by:
- Severity
- Artifact
- NIST/CIS category
- Rule ID
Finding Detail
Click any finding to expand it and see:
- Full description
- The evidence (the specific packet, log line, or value that triggered the rule)
- NIST/CIS mapping
- Recommended remediation
AI Summary Tab
The AI Summary tab shows a plain-English explanation of the top findings.
It includes:
- What happened — what the capture or logs show
- Likely cause — why this might be occurring
- What to check next — concrete next steps
- Confidence — Low / Medium / High
All AI inference runs locally via Ollama. No data is sent outside your network.
Re-generating the Summary
If you add more artifacts and re-run analysis, click Re-analyze to regenerate the AI summary with the updated findings.
Exporting a Case
PDF Report
Click Export PDF in the case toolbar.
The report includes:
- Case metadata (name, date, device tags)
- All findings grouped by severity
- Evidence for each finding
- AI summary
- Artifact list
JSON Export
Click Export JSON to download a structured data export suitable for ticketing system integration or further processing.
Settings
Access settings via the gear icon in the sidebar.
License
Shows current license status:
- Tier (Solo / Pro / Enterprise)
- Devices used / limit
- Cases this month / limit
- License expiry
API Tokens
Generate Bearer tokens for REST API access. Each token has a name and can be revoked individually.
System
Shows:
- Ollama model in use
- AI summaries enabled/disabled
- Database storage used
- Stack version
Complete Example Walkthrough
Goal: Analyze a pcap from a suspected network incident
1. Create a case
Name: Incident-2025-05-10-Suspicious-Web-Traffic
Tags: incident, web, external
2. Upload artifacts
- Drag
capture-20250510.pcaponto the upload area - Also upload
firewall.logfor context
3. Run analysis
Click Analyze. Wait for findings.
4. Review findings
You see:
CRITICAL— SNMP community stringpublictransmitted in plaintextHIGH— Unencrypted HTTP session detected on port 80MEDIUM— TLS certificate expired on internal web server
5. Read AI summary
The AI summary explains that the expired TLS certificate on the internal web server is the most likely root cause of the reported issues, and recommends renewing the certificate and investigating why HTTP is in use instead of HTTPS.
6. Export PDF
Click Export PDF and attach to your incident ticket.
Keyboard Shortcuts
| Shortcut | Action |
|----------|--------|
| n | New case |
| f | Focus search bar |
| ? | Show keyboard shortcuts |