Step 1 — Get an Anthropic API Key (free)
2. Click API Keys → Create Key
3. Copy the key (starts with sk-ant-)
4. Paste into the API key field when uploading a PCAP
🔒 Your key is stored in browser memory only — never sent to our server
Step 2 — Try a Synthetic Scenario (no PCAP needed)
Click any scenario button at the top: WPA2-Personal, WPA2-Enterprise, 802.11r FT, OKC Roam, WPA3-Personal, Wi-Fi 7 MLO
The frame timeline loads immediately. Click any frame to see its decoded content in the centre panel.
🎓 Great for CWNA/CWAP study — walk through each frame with AI explanations
🔒 Acceptable Use & Compliance
You must have authority to analyse the captured traffic.
Uploading a PCAP you do not own or have permission to analyse may violate:
• CFAA (Computer Fraud and Abuse Act, US)
• Computer Misuse Act 1990 (UK)
• GDPR Article 5: lawfulness of processing personal data
• Your employer’s acceptable use policy
Permitted use:
Networks you own, networks you administer, lab/test captures,
captures provided to you by the network owner for diagnosis,
educational captures (Wireshark sample PCAPs).
Data in captures:
PCAPs can contain MAC addresses, SSIDs, and EAP usernames
which are personal data under GDPR. Treat them accordingly.
Step 3 — Upload Your Own PCAP
1. Capture in monitor mode using Wireshark, tcpdump, or similar
2. Click Upload PCAP top-right
3. Paste your API key and drop your .pcap / .pcapng / .cap file
4. Analysis runs automatically, typically 10–20 seconds
💡 Monitor mode gives radiotap headers with RSSI, channel and data rate per frame. Managed mode captures still work but lack radio layer data.
Enable Monitor Mode
macOS: Wireshark → Capture → Options → tick Enable monitor mode
Linux: sudo iw dev wlan0 set type monitor
Windows: requires Alfa AWUS036ACH or compatible USB adapter
♥ Health Score (F13)
Composite 0–100: Security 30% + Performance 25% + Roaming 25% + Configuration 20%. Grade A–F. Click any anomaly to jump to its frame. Same score used in PDF report.
📊 RF & Device Analysis (Layer Check)
25 analysis tabs. Red badges on tabs show issue counts. Key tabs:
• F37 RSSI vs MCS — interference vs coverage diagnosis
• F42 Deauth Flood + IEEE Table 9-49 reason codes
• F43 802.11w PMF status (RSN Caps bits 6+7)
• F46 Sticky client detector (<−75 dBm, no roam)
• F62 Rogue AP / evil twin (same SSID, different OUI)
• F63 Packet loss via sequence number gaps
• F129 Non-Wi-Fi interference (BT/DECT/microwave pattern)
• F138 802.11k/v/r composite roaming grade A–F
• F147 Wi-Fi 6/6E readiness score
• F148 Voice/Video QoE MOS score (ITU-T G.107 approx.)
• F149 Quick-Win Fix Advisor — priority-ordered fixes
🆖 Symptom-First Mode (F23)
No PCAP needed. Describe your problem in plain English. AI diagnoses root cause and generates OS-specific fix commands. Offline fallback using built-in decision trees covers 95% of common issues.
↓ PDF Report
Professional multi-session HTML report: health score + component breakdown, anomaly findings with CVE hyperlinks, RSSI sparkline, join timing (EAPOL ms + DHCP ms), security posture badge, top 3 priority actions, vendor CLI commands (Cisco 9800 / Aruba / Meraki / Ruckus). Formatted for client delivery.
💾 Diagnostic Tools (toolbar chips)
• Scan Analysis — paste netsh / airport / iwconfig output for instant diagnosis
• ▼ Export Frames — annotated TXT + CSV with anomaly notes per frame
• ⇄ Compare Flows — side-by-side diff of any two loaded scenarios
• 📋 AP Inventory — CSV of all BSSIDs: vendor, channel, security, PMF, RSSI
• ⏳ Quick Wins — highest-impact fixes sorted by effort
🔎 Anomaly Banners
• Click ? on any anomaly for a plain-English “What is this?” glossary
• Click ⌇ Wireshark to copy the exact display filter for that anomaly
• CVE badges link directly to NVD for each vulnerability
• Toggle Plain / Technical / Security view per anomaly
⌨ Keyboard Shortcuts
J / ↓: Next frame
K / ↑: Previous frame
R: Next anomaly frame
?: Show all shortcuts
🛠 Coverage — 54 Features, 42/42 Standards
Full L1→L2→L3→Auth→Roam→QoE stack. IEEE 802.11-2020 spec-grounded throughout. CVEs verified: KRACK (CVE-2017-13077/78/88), Dragonblood (CVE-2019-9494/96), TunnelVision (CVE-2024-3661), deauth injection (CVE-2022-47522), TKIP (CVE-2008-2476).
WPA2-Personal
14-frame textbook join: Probe Request/Response, Open System Authentication (2 frames), Association Request/Response, EAPOL 4-Way Handshake (Key 1–4/4), DHCP Discover/Offer/Request/ACK. Includes intentional anomalies: PMKID exposure in Key 1/4 and RSN IE mismatch.
WPA2-Enterprise
18-frame EAP-PEAP flow with RADIUS. Adds EAP Identity Request/Response, EAP-TLS tunnel setup, and RADIUS Access-Challenge/Accept frames. Use the EAP Guide tab to walk through the TLS handshake step by step.
802.11r FT (Fast Transition)
12-frame Fast Transition roam. Authentication frames carry FTIE with R0KH-ID, R1KH-ID, ANonce, SNonce. Key exchange happens in Auth frames — not in EAPOL. Roam time: ~18ms. Use State Machine tab to see the FT-specific flow.
OKC Roam (Cisco)
10-frame Opportunistic Key Caching roam. PMK cached at the WLC — only the 4-Way Handshake is required. PMKID reuse detected across association events confirms OKC. Roam time: ~130ms. Common in Cisco WLC deployments.
WPA3-Personal (SAE)
12-frame SAE Dragonfly join. Authentication Algorithm = 3 (SAE). Commit and Confirm frames replace the open-system formality. No PMKID in Key 1/4 — eliminates offline dictionary attack. GCMP-256 encryption. PMF mandatory (MFPR=1). Roam time: ~52ms.
Wi-Fi 7 MLO (Multi-Link Operation)
10-frame 802.11be Multi-Link Operation join. Multi-Link Element in Probe and Association frames advertising simultaneous 2.4 + 5 + 6 GHz operation. EHT Capabilities IE decoded. Single 4-Way Handshake secures all three links simultaneously. Theoretical aggregate: 46 Gbps. Roam time: ~14ms.
🔴 KRACK — CVE-2017-13077
Key Reinstallation Attack. Detected by finding duplicate EAPOL replay counter values in repeated Key 3/4 frames. In a healthy capture, the replay counter strictly increases. Two Key 3/4 frames with identical counters are a definitive KRACK indicator. Vendor fix: enforce replay counter validation at controller level.
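The replay-counter check described above, as an added Python example (not the tool's own code). The function names, the constructed sample frames, and the rule that a Key 1/4 starts a fresh handshake for a client are assumptions made for the illustration.

```python
import struct

PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200

def key_message(eapol):
    """Return (message 1-4, replay counter) for a pairwise EAPOL-Key frame, else None."""
    if len(eapol) < 17 or eapol[1] != 3:       # EAPOL packet type 3 = Key
        return None
    info, _keylen, counter = struct.unpack_from(">HHQ", eapol, 5)
    if not info & PAIRWISE:                     # group-key handshake, not the 4-way
        return None
    if info & ACK:                              # sent by the AP: Key 1/4 or Key 3/4
        msg = 3 if info & MIC and info & INSTALL else 1
    else:                                       # sent by the client: Key 2/4 or Key 4/4
        msg = 4 if info & SECURE else 2
    return msg, counter

def replayed_msg3(frames):
    """frames: (frame_no, bssid, sta, eapol_bytes) in capture order.
    Flags Key 3/4 frames whose replay counter does not increase within a handshake."""
    last, hits = {}, []
    for no, bssid, sta, eapol in frames:
        parsed = key_message(eapol)
        if parsed is None:
            continue
        msg, counter = parsed
        pair = (bssid, sta)
        if msg == 1:
            last.pop(pair, None)                # assumption: Key 1/4 starts a new handshake
        elif msg == 3:
            if pair in last and counter <= last[pair][1]:
                hits.append({"frame": no, "first_seen": last[pair][0], "counter": counter})
            else:
                last[pair] = (no, counter)
    return hits

def make_key(info, counter):
    """Constructed EAPOL-Key frame: real header layout, remaining fields zeroed."""
    return struct.pack(">BBHBHHQ", 2, 3, 95, 2, info, 16, counter) + bytes(82)

M1, M2, M3, M4 = 0x008A, 0x010A, 0x13CA, 0x030A  # typical WPA2 Key Information values
AP, STA_A, STA_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
SAMPLE = [  # constructed capture, not from a real network
    (1, AP, STA_A, make_key(M1, 1)), (2, AP, STA_A, make_key(M2, 1)),
    (3, AP, STA_A, make_key(M3, 2)), (4, AP, STA_A, make_key(M4, 2)),
    (5, AP, STA_A, make_key(M3, 2)),             # same counter seen again
    (6, AP, STA_B, make_key(M1, 1)), (7, AP, STA_B, make_key(M3, 2)),
    (8, AP, STA_B, make_key(M3, 3)),             # retransmission with increased counter
    (9, AP, STA_A, make_key(M1, 1)), (10, AP, STA_A, make_key(M3, 2)),  # later re-join
]
```

Only frame 5 is reported: the retransmission at frame 8 carries a higher counter, and the re-join at frames 9 and 10 is treated as a new handshake.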
🔴 PMKID Exposure (2018)
Published by Jens Steube. The PMKID is derived from PMK + AP MAC + client MAC and is present in EAPOL Key 1/4. An attacker can extract it without completing the full handshake and use it for offline dictionary attacks. Risk is proportional to password strength — change any dictionary-word passphrase immediately.
🟡 RSN IE Mismatch
Occurs when security parameters in the AP's Beacon differ from those in the client's Association Request. Causes silent association failure with Status Code 23 (Invalid RSNIE) or 24 (Cipher suite rejected). The tool compares RSN IEs across all relevant frames and identifies the specific field mismatch.
🟡 TKIP Downgrade
TKIP was deprecated due to known cryptographic weaknesses. A downgrade attack manipulates key negotiation to force TKIP even when CCMP is available. Vendor fix: disable TKIP entirely, accept only CCMP-128 or GCMP-256. Check RSN IE pairwise cipher suite field.
🟢 WPA3 Dragonblood — CVE-2019-9494
Timing and cache-based side-channel vulnerabilities in WPA3-Personal SAE commit phase. The tool checks SAE commit frame parameters for indicators consistent with unpatched implementations. Mitigation: apply vendor firmware patches that implement anti-clogging tokens and equal time operations.
🔢 PMF — Protected Management Frames
802.11w encrypts management frames (deauth, disassoc, action) to prevent forgery attacks. Checked via MFPC (capable) and MFPR (required) bits in the RSN IE. WPA3 mandates PMF (MFPR=1). Without PMF, an attacker can forcibly disconnect any client with a spoofed Deauthentication frame.
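The RSN IE checks described on this page (MFPC/MFPR in RSN Capabilities bits 6 and 7, TKIP in the cipher suite fields, and Beacon versus Association Request comparison) as an added Python example, not the tool's own code. The function names, the finding labels, the rule for what counts as a mismatch, and the two sample IEs are assumptions constructed for the illustration.

```python
import struct

# Suite types under the IEEE OUI 00-0F-AC (subset relevant to this page).
CIPHERS = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities bit 6 (required), bit 7 (capable)

def _name(sel, table):
    known = sel[:3] == b"\x00\x0f\xac"
    return table.get(sel[3], f"type-{sel[3]}") if known else sel.hex()

def _suite_list(body, off, table):
    """Read a little-endian count plus that many 4-byte selectors."""
    if off + 2 > len(body):
        return [], off  # optional field absent
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list in RSN IE")
    return [_name(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn(body):
    """Parse an RSN IE body (element ID 48, ID and length bytes removed)."""
    if len(body) < 6:
        raise ValueError("RSN IE too short for version and group cipher")
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"group": _name(body[2:6], CIPHERS), "pairwise": pairwise, "akm": akm,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}

def findings(rsn):
    """Posture issues visible in a single RSN IE."""
    out = ["TKIP offered"] if "TKIP" in rsn["pairwise"] + [rsn["group"]] else []
    if not rsn["mfpr"]:
        out.append("PMF optional" if rsn["mfpc"] else "PMF disabled")
    return out

def mismatches(ap, sta):
    """Fields where the client's request is not covered by the AP's advertisement."""
    pmf_ok = not (sta["mfpr"] and not ap["mfpc"]) and not (ap["mfpr"] and not sta["mfpc"])
    checks = [("group cipher", sta["group"] == ap["group"]),
              ("pairwise cipher", set(sta["pairwise"]) <= set(ap["pairwise"])),
              ("AKM", set(sta["akm"]) <= set(ap["akm"])), ("PMF", pmf_ok)]
    return [field for field, ok in checks if not ok]

# Constructed sample IEs (not from a real capture).
BEACON = bytes.fromhex("0100000fac020200000fac04000fac020100000fac020000")
ASSOC_REQ = bytes.fromhex("0100000fac040100000fac040100000fac08c000")
```

Here the Beacon is a mixed TKIP/CCMP PSK network without PMF and the Association Request comes from a client set to SAE with PMF required, so `mismatches(parse_rsn(BEACON), parse_rsn(ASSOC_REQ))` names the group cipher, AKM and PMF fields.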
Where to Get Test PCAPs
Use the synthetic scenarios to explore without uploading. For real-world testing, these public sources provide 802.11 captures:
3. Capture your own network in monitor mode using Wireshark
Capture Tips for Best Results
✅ Capture on the same channel as your AP — set Wireshark to fixed channel
✅ Include the full join sequence from Probe Request to DHCP ACK
✅ For roaming analysis, capture on the roaming channel as the client moves
✅ Use a dual-band adapter to capture 2.4 and 5 GHz simultaneously
⚠ Captures over 50MB will be rejected — trim with editcap or tcpdump -r in.pcap -w out.pcap
Supported File Formats
.pcap | .pcapng | .cap | Maximum 50MB per upload
CAPWAP-encapsulated Cisco WLC captures are automatically unwrapped.