Feed It a Pcap. It Will Hand You a Wireshark Dissector.

PCAPR reverse engineers protocol structure from raw packet captures — framing, field types, opcodes, beaconing patterns — without knowing the protocol in advance. Then it generates the dissector.

Feed it a pcap of a protocol it has never seen. It will figure out whether the stream is length-prefixed, delimited, or fixed-frame. It will identify which byte positions are constant, which vary, which repeat in opcode-like patterns, and which carry length information. If the traffic is beaconing, it will calculate the timing regularity and tell you how consistent the callback interval is. Then it will generate a Wireshark Lua dissector for the protocol it just reverse engineered.

30+ protocols recognized
7 output formats generated
0 prior protocol knowledge required

PCAPR is a protocol reverse engineering tool. No signatures, no database to query, no knowledge of the protocol in advance. It reads the byte stream and infers structure by looking for patterns that all protocols share: fixed headers, length prefixes, opcode fields that appear in consistent positions, session state that can be modeled as a state machine. Feed it DNS and it recognizes DNS. Feed it something proprietary and it figures out the framing on its own.

The beaconing detection doesn’t use a signature. It uses math. Automated C2 traffic is measurably more regular than human-generated traffic.

The security detection layer sits on top of the structural analysis. Beaconing is detected via the coefficient of variation (CV) of inter-message gaps — regular C2 callbacks have a CV below 0.3, meaning the interval between contacts is too consistent to be human behavior. The number comes from the pcap, not a ruleset. DNS tunneling is scored by subdomain entropy and label length distribution: data exfiltration via DNS produces long, high-entropy subdomains that stand out against legitimate queries. TLS fingerprinting extracts JA3 hashes from ClientHello fields and matches them against known-bad fingerprints — Cobalt Strike default, Metasploit, common RAT families. XOR key recovery uses index-of-coincidence estimation for keys of 1 to 16 bytes. ECB detection finds AES and 3DES block repetition, the cryptographic mistake that keeps appearing in malware that implements its own crypto.
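The two timing and DNS scores above, written out as an added example (not PCAPR's own code): the beaconing check computes the CV of inter-message gaps against the 0.3 threshold the page quotes, and the DNS check returns subdomain entropy plus the longest label. Timestamps, query names and the zone are constructed; function names are assumptions.

```python
import math
import statistics
from collections import Counter

BEACON_CV_THRESHOLD = 0.3  # CV below this is treated as beaconing (figure quoted on the page)


def inter_message_gaps(timestamps):
    """Seconds between consecutive messages of one flow, in time order."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def beacon_cv(timestamps):
    """Coefficient of variation (population stdev / mean) of the inter-message gaps.
    Returns None for fewer than two gaps or a zero mean gap, so a two-packet flow
    never scores as a beacon."""
    gaps = inter_message_gaps(timestamps)
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return statistics.pstdev(gaps) / mean


def is_beaconing(timestamps, threshold=BEACON_CV_THRESHOLD):
    """True when the flow's timing is regular enough to fall under the threshold."""
    cv = beacon_cv(timestamps)
    return cv is not None and cv < threshold


def subdomain_entropy(qname, zone):
    """Shannon entropy (bits/char) of the labels below `zone` and the longest such
    label; both feed a DNS-tunneling score. Names outside the zone score 0."""
    sub = qname.lower().removesuffix("." + zone.lower())
    if sub == qname.lower():  # not a subdomain of the zone (or the zone apex itself)
        return 0.0, 0
    labels = [lab for lab in sub.split(".") if lab]
    text = "".join(labels)
    if not text:
        return 0.0, 0
    counts = Counter(text)
    entropy = -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())
    return entropy, max(len(lab) for lab in labels)


# Constructed flow timings (seconds): a 60 s callback with ~1 s jitter vs. bursty browsing.
BEACON_TS = [0.0, 60.5, 119.8, 181.2, 240.1, 299.9, 360.4]
HUMAN_TS = [0.0, 3.0, 45.0, 47.0, 200.0, 210.0, 900.0]
```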

The output goes wherever you need it. The same analysis produces a terminal report, a self-contained HTML file, machine-readable JSON, a Wireshark Lua dissector, a Kaitai Struct definition, Snort/Suricata detection rules, a Scapy layer subclass, and boofuzz/AFL dictionaries for fuzzing follow-up. You run the analysis once and choose which outputs you want.

PCAPR is the protocol layer in a broader detection stack. When the anomaly scorer identifies a suspicious flow, PCAPR runs deep analysis on the relevant pcap slice and produces a structured report for the SIEM. It doesn’t run on every flow — that would be expensive. It runs when something is already suspicious enough to warrant the investigation.

Full paper →