How to use AI real-time packet analysis

Architecture Overview

AI real-time packet analysis is powered by the GNS3 AI Assistant. The LLM constructs the tshark parameters autonomously — the framework does not hardcode protocols; it only performs safety validation.

How to Use

  1. In the project topology page, right-click the link you want to capture and select "Start capture" to begin packet capture. You can also select "Start Web Wireshark" to view live capture data directly in your browser.
  2. Open the AI Assistant window and describe your analysis requirement, for example: "Analyze OSPF protocol between r2 and r3".
  3. Wait for the AI Assistant to analyze and return the results.

[Figure: AI packet analysis usage example]

Core Flow

[Diagram: Core Flow]

Tool Overview

| Tool | Source File | Purpose | Available Modes |
|---|---|---|---|
| PacketAnalysisTool | packet_analysis_tool.py | Download live PCAP + tshark analysis | teaching / lab_automation |
| PacketAnalysisSkillsTool | registry.py (skills module) | Query protocol-level analysis knowledge (fields, filters) | teaching / lab_automation |

Agent Workflow (LangGraph)

[Diagram: Agent Workflow]

Server Capture API

| Endpoint | Function |
|---|---|
| POST /v3/projects/{pid}/links/{lid}/capture/start | Start packet capture on a link |
| POST /v3/projects/{pid}/links/{lid}/capture/stop | Stop packet capture |
| GET /v3/projects/{pid}/links/{lid}/capture/file | Download PCAP file (available even while capture is active) |
| GET /v3/projects/{pid}/links/{lid}/capture/stream | Stream PCAP data |
| WS /v3/projects/{pid}/links/{lid}/capture/web-wireshark | Web Wireshark WebSocket proxy |

Key Design Points

  1. LLM-driven Analysis — The LLM constructs tshark parameters itself; the framework does not hardcode protocol logic, only performs safety validation
  2. Live PCAP — Captures can be downloaded and analyzed while running, no need to stop capturing
  3. Dual Knowledge Sources — External repository provides protocol-specific knowledge; local tshark field registry provides exact field names
  4. Safety First — Pre-validation of tshark field names prevents execution failures from invalid fields
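
The pre-validation described in points 1 and 4 can be sketched as follows. This is an added example, not code from GNS3 or packet_analysis_tool.py; the option allowlist, the function names and the sample registry excerpt are assumptions made for illustration.

```python
# Added illustration; not GNS3 code. Option policy and names are assumptions.
import shlex

# Constructed excerpt in the tab-separated format printed by `tshark -G fields`
# (P = protocol line; F = field line: F, description, abbreviation, type, parent, ...).
SAMPLE_G_FIELDS = (
    "P\tOpen Shortest Path First\tospf\n"
    "F\tMessage Type\tospf.msg\tFT_UINT8\tospf\tBASE_DEC\t0x0\t\n"
    "F\tSource OSPF Router\tospf.srcrouter\tFT_IPv4\tospf\t\t0x0\t\n"
    "F\tSource Address\tip.src\tFT_IPv4\tip\t\t0x0\t\n"
)

# Assumed policy: read-only analysis options only. Value = option takes an argument.
# Anything absent (e.g. -w, -X, -r, -i) is rejected; the framework supplies the PCAP path.
ALLOWED_OPTIONS = {"-Y": True, "-T": True, "-e": True, "-E": True, "-c": True,
                   "-n": False, "-q": False, "-V": False}


def load_field_registry(g_fields_text):
    """Return the set of field abbreviations from `tshark -G fields` output."""
    fields = set()
    for line in g_fields_text.splitlines():
        cols = line.split("\t")
        if len(cols) >= 3 and cols[0] == "F":
            fields.add(cols[2])
    return fields


def validate_tshark_args(llm_args, registry):
    """Check LLM-proposed tshark arguments; return (ok, list_of_problems)."""
    try:
        tokens = shlex.split(llm_args)
    except ValueError as exc:  # e.g. unbalanced quotes
        return (False, [f"unparseable arguments: {exc}"])
    problems, i = [], 0
    while i < len(tokens):
        opt = tokens[i]
        takes_value = ALLOWED_OPTIONS.get(opt)  # None means not on the allowlist
        value = tokens[i + 1] if takes_value and i + 1 < len(tokens) else None
        if takes_value is None:
            problems.append(f"option not allowed: {opt}")
        elif takes_value and value is None:
            problems.append(f"missing value for {opt}")
        elif opt == "-e" and value not in registry:
            problems.append(f"unknown field: {value}")
        elif opt == "-c" and not value.isdigit():
            problems.append(f"bad packet count: {value}")
        i += 2 if takes_value else 1
    return (not problems, problems)
```

Field names used inside the `-Y` display filter are not checked by this sketch; only `-e` output fields are compared against the registry.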

Feature Contributor

The AI Real-time Packet Analysis feature was developed and contributed by YueGuobin.

License

This document is licensed under CC BY-SA 4.0. Author: YueGuobin