PacketQL is an open-source packet investigation platform that turns PCAP files into SQL-queryable security data.
Status: Public Beta
Recommended deployment: single Docker container
- Upload `.pcap` and `.pcapng` files from a browser
- Parse traffic with Zeek in the background
- Normalize logs into structured protocol tables like `conn`, `dns`, `http`, `ssl`, and more
- Store data in Parquet and query it with DuckDB
- Investigate with a SOC-focused UI for dashboarding, log search, and SQL
Use the Docker image:
- `docker pull` the image
- mount a host directory to `/data`
- open the UI and upload a PCAP
PacketQL bundles the full pipeline in one container, so you do not need to set up Zeek, Kafka, plugins, the API, or the frontend separately.
Pipeline:
PCAP -> Zeek -> Kafka -> Go pipeline -> Parquet -> DuckDB -> API/UI
More detail: docs/ARCHITECTURE.md
Upload .pcap and .pcapng files, then move directly into investigation workflows.
Search normalized protocol data and pivot through investigation results.
Run SQL against structured protocol tables and inspect results in the same workflow.
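An added example of the kind of investigation query the SQL workflow is meant for (this is not PacketQL's own code). It assumes the normalized tables are exposed to DuckDB as `dns` and `conn` and keep Zeek's standard field names; dotted Zeek names such as `id.orig_h` are quoted as identifiers. It ranks internal hosts by failed DNS resolutions, a common first pivot for DGA or misconfiguration triage, and joins in their flow volume from `conn`:

```sql
-- Added example, not part of the PacketQL project.
-- Assumed tables: dns, conn (Zeek field names preserved by the normalizer).
WITH dns_per_host AS (
    SELECT
        "id.orig_h"                                      AS src_ip,
        count(*)                                         AS dns_queries,
        count(*) FILTER (WHERE rcode_name = 'NXDOMAIN')  AS nxdomain,
        count(DISTINCT query)                            AS distinct_names
    FROM dns
    GROUP BY 1
),
conn_per_host AS (
    SELECT
        "id.orig_h"                                      AS src_ip,
        count(*)                                         AS flows,
        sum(coalesce(orig_bytes, 0))                     AS bytes_out,
        sum(coalesce(resp_bytes, 0))                     AS bytes_in
    FROM conn
    GROUP BY 1
)
SELECT
    d.src_ip,
    d.dns_queries,
    d.nxdomain,
    round(100.0 * d.nxdomain / d.dns_queries, 1)         AS nxdomain_pct,
    d.distinct_names,
    c.flows,
    c.bytes_out,
    c.bytes_in
FROM dns_per_host d
LEFT JOIN conn_per_host c USING (src_ip)
WHERE d.nxdomain >= 20          -- threshold is a starting point; tune per capture size
ORDER BY nxdomain_pct DESC, d.nxdomain DESC
LIMIT 25;
```

Hosts with a high NXDOMAIN share and many distinct names are worth pivoting on in the `dns` table to inspect the actual queried names before drawing conclusions.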
```bash
docker pull jobish/packetql:beta
mkdir -p /opt/packetql-data
docker run -d \
  --name packetql \
  -p 3000:3000 \
  -v /opt/packetql-data:/data \
  -e APP_MODE=demo \
  jobish/packetql:beta
```

Open: http://localhost:3000
If port 3000 is already used:

```bash
docker run -d \
  --name packetql \
  -p 8088:3000 \
  -v /opt/packetql-data:/data \
  -e APP_MODE=demo \
  jobish/packetql:beta
```

Open: http://localhost:8088
Use this only if you are building the Docker image yourself.

```bash
git clone https://github.com/flowtracex/PacketQL.git
cd PacketQL
./docker/build-image.sh
docker run -d \
  --name packetql \
  -p 3000:3000 \
  -v /opt/packetql-data:/data \
  packetql:single-optimized
```

Important:
- Building the image locally currently expects a working Zeek runtime on the build host
- End users who pull from Docker Hub do not need that local Zeek setup
More details: docker/README.md
- Zeek runtime
- Kafka in KRaft mode
- Go normalization and enrichment pipeline
- Parquet output
- DuckDB-backed querying
- Django API served by Gunicorn
- React frontend served by nginx
Mount a host directory to /data.
This external volume stores runtime state such as:
- uploaded PCAPs
- parquet outputs
- source metadata
- Kafka data used by the bundled container
This keeps your investigation data outside the container image.
- Supported: `.pcap`, `.pcapng`
- Recommended for smooth analyst workflow: below 50 MB
- Larger PCAPs can work, but tuning and throughput optimization are still improving during beta
Manual service-by-service deployment is possible, but it is not the recommended first-time setup.
If you deploy manually, you are responsible for configuring and operating:
- Zeek
- Kafka
- plugin/runtime wiring
- API service
- frontend service
- runtime paths and persistence
For GitHub visitors, we recommend documenting manual deployment as an advanced path for contributors, not the default install method.
- `ndr-frontend/gui` - React analyst UI
- `ndr-api/flowtracex_api` - Django API and PCAP ingest endpoints
- `ndr-enrich` - Go pipeline for normalization, enrichment, and Parquet writing
- `ndr-config` - schemas, datasets, and configuration
- `docker` - single-container Docker build and runtime assets
- `docs` - launch notes and architecture
Recommended wording for GitHub and Docker Hub:
- Public Beta
- Single-container SOC PCAP investigation platform
- Fast setup for labs, demos, and internal evaluation
Suggested short tagline:
Turn PCAP files into SQL-ready security investigations in minutes
Avoid claiming:
- production ready
- internet hardened
- large-scale throughput optimized

until you complete full release hardening and soak testing.
- Best experience today is the bundled Docker deployment
- Recommended PCAP size is below 50 MB
- Production hardening is still evolving
- Large-PCAP throughput tuning is still being improved
PRs and issues are welcome.
If you want to contribute to the internals, the manual stack and source layout are documented in the subproject READMEs.
PacketQL is provided as-is for defensive security operations, research, and education.