Analyze Docs

using-the-web-ui

Using the Web UI — PacketPilot Analyze

Open the Analyze web UI at:

http://localhost:3000

(Or your server's IP/hostname if running on a remote machine.)

On first launch, you'll be asked to create an admin account. After that, you'll see the main dashboard.


Dashboard

The dashboard shows:

  • Recent Cases — your last 5 cases with status
  • System Status — whether all services are running
  • Quick Actions — New Case, Upload Artifact

Cases List

Click Cases in the sidebar to see all cases.

Each case card shows:

  • Case name
  • Creation date
  • Number of artifacts
  • Severity of the highest finding (if analyzed)
  • Tags

Searching Cases

Use the search bar at the top of the Cases list to filter by:

  • Case name
  • Device tag
  • Date range

Deleting a Case

Open the case and click Delete Case in the top-right menu. This removes the case and all its artifacts permanently.


Creating a Case

  1. Click New Case in the sidebar or the dashboard
  2. Enter a case name (e.g. Core-Switch-A-2025-05-10)
  3. Optionally add tags (e.g. core, switch, site-A)
  4. Click Create

The case opens. You're now in the case view.


Uploading Artifacts

With a case open:

  1. Click Upload Artifact in the case toolbar
  2. Drag files onto the upload area, or click to browse
  3. Select one or more files
  4. Click Upload

Supported files:

  • .pcap, .pcapng — packet captures
  • .log, .txt — syslog exports
  • .json — findings exported from Config

Each uploaded file appears as a card in the case. You can upload multiple files to a single case.


Running Analysis

With artifacts uploaded:

  1. Click Analyze in the case toolbar
  2. The analysis runs — deterministic rules fire against each artifact
  3. When complete, findings appear in the Findings tab
  4. An AI summary appears in the AI Summary tab

Analysis Progress

During analysis, the case shows a spinner. Analysis typically completes in 10–30 seconds depending on file size and the Ollama model being used.


Findings Tab

The Findings tab lists all deterministic rule results.

Each finding shows:

  • Severity badge (Critical / High / Medium / Low / Info)
  • Rule ID — which rule fired
  • Title — short description
  • Source — which artifact triggered this finding

Filtering Findings

Use the filter bar to filter by:

  • Severity
  • Artifact
  • NIST/CIS category
  • Rule ID

Finding Detail

Click any finding to expand it and see:

  • Full description
  • The evidence (the specific packet, log line, or value that triggered the rule)
  • NIST/CIS mapping
  • Recommended remediation

AI Summary Tab

The AI Summary tab shows a plain-English explanation of the top findings.

It includes:

  • What happened — what the capture or logs show
  • Likely cause — why this might be occurring
  • What to check next — concrete next steps
  • Confidence — Low / Medium / High

All AI inference runs locally via Ollama. No data is sent outside your network.

Re-generating the Summary

If you add more artifacts and re-run analysis, click Re-analyze to regenerate the AI summary with the updated findings.


Exporting a Case

PDF Report

Click Export PDF in the case toolbar.

The report includes:

  • Case metadata (name, date, device tags)
  • All findings grouped by severity
  • Evidence for each finding
  • AI summary
  • Artifact list

JSON Export

Click Export JSON to download a structured data export suitable for ticketing system integration or further processing.


Settings

Access settings via the gear icon in the sidebar.

License

Shows current license status:

  • Tier (Solo / Pro / Enterprise)
  • Devices used / limit
  • Cases this month / limit
  • License expiry

API Tokens

Generate Bearer tokens for REST API access. Each token has a name and can be revoked individually.

System

Shows:

  • Ollama model in use
  • AI summaries enabled/disabled
  • Database storage used
  • Stack version

Complete Example Walkthrough

Goal: Analyze a pcap from a suspected network incident

1. Create a case

Name: Incident-2025-05-10-Suspicious-Web-Traffic
Tags: incident, web, external

2. Upload artifacts

  • Drag capture-20250510.pcap onto the upload area
  • Also upload firewall.log for context

3. Run analysis

Click Analyze. Wait for findings.

4. Review findings

You see:

  • CRITICAL — SNMP community string public transmitted in plaintext
  • HIGH — Unencrypted HTTP session detected on port 80
  • MEDIUM — TLS certificate expired on internal web server

5. Read AI summary

The AI summary explains that the expired TLS certificate on the internal web server is the most likely root cause of the reported issues, and recommends renewing the certificate and investigating why HTTP is in use instead of HTTPS.

6. Export PDF

Click Export PDF and attach to your incident ticket.


Keyboard Shortcuts

| Shortcut | Action | |----------|--------| | n | New case | | f | Focus search bar | | ? | Show keyboard shortcuts |