workflows
Analysis Workflows — PacketPilot Analyze
Creating a New Case
Via Web UI
- Log in to the Analyze web UI at
http://localhost:3000 - Click New Case in the sidebar
- Enter a case name (e.g.
Core-Switch-2025-05-10) - Optionally tag the case with a device name or site
- Click Create
The case opens. Now upload artifacts.
Uploading Artifacts
Supported File Types
| Type | Extension | Notes |
|------|----------|-------|
| Packet capture | .pcap, .pcapng | Standard libpcap format |
| NetFlow | .nfcapd, .flow | v5/v9 supported |
| Syslog | .log, .txt | Plain-text syslog exports |
| JSON findings | .json | Exported from Config |
Upload via Web UI
- Open a case
- Click Upload Artifact
- Drag files or click to browse
- Select one or more files
- Click Upload
Each file appears as a card in the case. You can upload multiple files per case.
Running Analysis
After uploading artifacts:
- Click Analyze in the case toolbar
- Analyze runs deterministic rules against all uploaded artifacts
- Findings appear in the Findings tab
- AI explanation appears in the AI Summary tab
What Happens During Analysis
Artifacts → Deterministic Rules → Findings + Severity
↓
Ollama (local AI)
↓
Plain-English Summary
The AI explanation is generated from the findings with the highest severity. Lower-severity findings are included but not individually explained unless there is capacity.
Understanding Findings
Findings are structured results from deterministic rules. Each finding has:
- Rule ID — identifier for the rule that fired
- Severity — Critical / High / Medium / Low / Info
- Title — short description (e.g. "SNMP community string in plaintext")
- Description — what the rule detected
- Evidence — the specific packet or log line that triggered the rule
- NIST/CIS mapping — which standard the finding relates to
Severity Definitions
| Severity | Meaning | |----------|---------| | Critical | Immediate security risk (e.g. plaintext password in capture) | | High | Significant vulnerability or misconfiguration | | Medium | Moderate risk, investigation recommended | | Low | Minor deviation from best practice | | Info | Informational, no immediate action needed |
Filtering Findings
Use the filter bar above the findings list to filter by:
- Severity level
- Artifact source
- NIST/CIS category
- Rule ID
AI Summary
The AI Summary tab shows a plain-English explanation of the most significant findings.
It includes:
- What happened — what the data shows
- Likely cause — why this might be occurring
- What to check — concrete next steps
- Confidence — Low / Medium / High
Note: AI explanations are generated by Ollama running locally inside the Docker stack. No data is sent to any external service.
Re-generating the AI Summary
If you upload additional artifacts or the findings change, click Re-analyze to regenerate the AI summary.
Exporting a Case
PDF Report
Click Export PDF in the case toolbar. The report includes:
- Case metadata (name, date, device tags)
- All findings grouped by severity
- AI summary
- Artifact list
JSON Export
Click Export JSON to download a structured export of:
- Case metadata
- All findings with full evidence
- AI summary text
This format is suitable for integration with ticketing systems or SIEM tools.
Importing Config Findings
If you use PacketPilot Config, you can import findings directly:
- In Config: right-click a device → Export Findings → JSON
- In Analyze: open a case → Upload Artifact → select the JSON file
- Click Analyze
The JSON format from Config maps directly to Analyze's finding schema.
Case Management
Searching Cases
Use the search bar in the Cases list to search by:
- Case name
- Device tag
- Date range
Case Tags
Add tags to cases to organize them by site, device, or incident type. Tags are free-form text. Click the tag icon on any case to add or edit tags.
Deleting a Case
Open a case and click Delete Case in the top-right menu. This removes the case and all its artifacts permanently. This action cannot be undone.
REST API Workflows
Analyze also exposes a REST API for programmatic use.
Base URL
http://localhost:8000/api
Authentication
All API calls require a Bearer token. Generate a token in the web UI at Settings → API Tokens.
Key Endpoints
| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | /api/cases | List all cases |
| POST | /api/cases | Create a new case |
| GET | /api/cases/{id} | Get case details |
| POST | /api/cases/{id}/artifacts | Upload artifact to case |
| POST | /api/cases/{id}/analyze | Trigger analysis |
| GET | /api/cases/{id}/findings | Get findings |
| GET | /api/cases/{id}/report | Get PDF report |
Example: Upload and Analyze via API
# Create case
CASE=$(curl -s -X POST http://localhost:8000/api/cases \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"name": "Core-Router-01", "tags": ["core", "router"]}')
CASE_ID=$(echo $CASE | jq -r '.id')
# Upload artifact
curl -s -X POST "http://localhost:8000/api/cases/$CASE_ID/artifacts" \
-H "Authorization: Bearer $TOKEN" \
-F "file=@capture.pcap"
# Trigger analysis
curl -s -X POST "http://localhost:8000/api/cases/$CASE_ID/analyze" \
-H "Authorization: Bearer $TOKEN"
# Get findings
curl -s "http://localhost:8000/api/cases/$CASE_ID/findings" \
-H "Authorization: Bearer $TOKEN"
Full API documentation is available at http://localhost:8000/docs (Swagger UI).