Every packet.
Every byte.
Never leaves your Mac.
pcapLume is an offline PCAP forensics engine for macOS — packet diagnostics, Layer-2 hardware fingerprinting, and malware sandboxing that runs entirely inside a local evidence vault. No cloud. No uploads. No exceptions.
Three instruments.
One sealed evidence vault.
Every capability operates against local databases and compiled rules — the engine is fully functional with the network cable unplugged.
Offline Packet Forensic Reassembly
Carves and reassembles payload streams — JPEGs, PDFs, ZIPs, EXEs — dynamically from unencrypted TCP/HTTP flows, inside a local secure sandbox. Preview everything in-app before export.
OUI Hardware & IoT Fingerprinting
Maps Layer-2 MAC addresses to hardware vendors and device models using offline OUI prefix lists and academic telemetry catalogs. Know exactly what hardware lived on the wire.
AOT YARA Payload Scanner
Audits payload streams Ahead-of-Time with compiled custom signature rules — surfacing Metasploit loaders, C2 beaconing tunnels, and robotic timing anomalies before you scroll a single frame.
A glassmorphic workbench for hostile traffic.
Real screens from the engine analyzing a 277 MB Windows 7 malware capture — 688,783 events flagged, 94 files carved, one trojan caught.
The numbers from a single session.
Built for the chain of custody.
Court-grade rigor in every layer — from ingestion checksums to asynchronous dossier exports.
Evidence File Integrity Profile
Computes and records MD5, SHA-1, and SHA-256 checksums the instant a PCAP is ingested — sealing the chain of custody before the first frame is decoded.
Behavioral Timing Anomaly Engine
Detects robotic C2 beacon signatures — timing variance under 5% across 15+ consecutive packets — alongside Shannon entropy anomalies in payload streams.
In-App Media & Payload Previewer
Integrated previews for recovered images, code segments, and multi-page PDFs — rendered through sandboxed view representables, never an external app.
Premium Asynchronous PDF Exports
Generates multi-page threat dossiers, chain-of-custody certificates, and incident triage checklists asynchronously — the AppKit UI thread stays fluid while reports build in the background.
Universal Dynamic Theme Engine
Every glassmorphic dashboard, chart, and ambient lighting card transitions seamlessly across Native, System, Light, and Dark modes.
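The Behavioral Timing Anomaly Engine criterion listed earlier (timing variance under 5% across 15+ consecutive packets, alongside Shannon entropy) can be sketched as follows. This is an added Python example, not pcapLume's code; it assumes "timing variance" means the coefficient of variation of inter-arrival gaps within a single flow, and the function names and sample timestamps are constructed for illustration.

```python
import math
import statistics
from collections import Counter

MAX_CV = 0.05     # "timing variance under 5%", read here as stdev/mean of the gaps
MIN_PACKETS = 15  # "15+ consecutive packets"

def _regular(times, max_cv):
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.fmean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean < max_cv

def beacon_runs(times, max_cv=MAX_CV, min_packets=MIN_PACKETS):
    """Return (first_idx, last_idx, mean_gap_seconds) for each maximal run of
    consecutive packets in one flow whose inter-arrival gaps are near-constant."""
    runs, start, n = [], 0, len(times)
    while start + min_packets <= n:
        end = start + min_packets            # exclusive end of candidate window
        if not _regular(times[start:end], max_cv):
            start += 1
            continue
        while end < n and _regular(times[start:end + 1], max_cv):
            end += 1                         # grow the run while it stays regular
        mean_gap = (times[end - 1] - times[start]) / (end - start - 1)
        runs.append((start, end - 1, mean_gap))
        start = end
    return runs

def shannon_entropy(payload: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for random/encrypted."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())

# Constructed sample: bursty interactive traffic, then a 60 s check-in with small jitter.
HUMAN = [0.0, 1.3, 1.9, 7.4, 8.0, 20.5, 21.1, 33.0]
JITTER = [0.0, 0.4, -0.3, 0.2]
BEACON = [40.0 + 60 * i + JITTER[i % 4] for i in range(20)]
SAMPLE = HUMAN + BEACON

if __name__ == "__main__":
    for first, last, gap in beacon_runs(SAMPLE):
        print(f"packets {first}-{last}: {last - first + 1} packets, mean gap {gap:.2f}s")
    print(f"entropy of bytes(range(256)): {shannon_entropy(bytes(range(256))):.2f} bits/byte")
```

Timestamps must be sorted and taken from one flow (for example one source/destination pair); mixing flows hides the regularity the check looks for.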
Your evidence is none of our business.
Flip Absolute Zero Telemetry in Settings and pcapLume structurally blocks every outbound lookup, falling back to local-only databases. Payload data is never transmitted — in any mode.
When telemetry is enabled, only the optional enrichment endpoints on the right become queryable — hash and IP lookups only, never captured payloads.
Fund independent forensic engineering.
No seat audits, no usage meters, no data harvested to subsidize the price.
Lifetime License
A permanent license for generous early backers funding our independent forensic engineering.
- Every current and future Pro capability, forever
- All YARA rule packs and offline intel catalogs
- Priority access to new engine builds
- Founding-partner credit in the engine
Premium Subscription
Full access to pcapLume Pro — renewed annually, cancel anytime.
- Complete forensic engine and sandbox
- Asynchronous dossier & certificate exports
- Offline OUI, malware, and threat catalogs
- All updates while subscribed
The wire never lies.
Neither does your sandbox.
pcapLume ships for macOS 14+ in June 2026.