
Supported formats

Strixl Labs accepts what your team already captures. No collector to install, no new export pipeline. This page covers each format, what gets extracted, and how multiple files get correlated.

PCAP and PCAPNG

Raw packet captures from tcpdump, Wireshark, or any tool that writes libpcap. We stream the file, reconstruct flows, and extract TLS ClientHellos and X.509 certificates as we pass them.

What you get from a PCAP that you'd otherwise have to run Zeek for:

  • Source and destination IPs, ports, byte counts, timing
  • JA3 and JA4 fingerprints on TLS traffic
  • JA4H fingerprints on plaintext HTTP
  • JA4X and self-signed detection on certificates
  • DNS query names and response codes

Encrypted payloads stay encrypted. We don't attempt decryption and we don't need keys.

Zeek

Zeek logs are the fastest path to a scored result, because Zeek has already done the heavy lifting. We accept five log types:

  • conn.log: connection records (required as the anchor when uploading multiple logs together)
  • ssl.log: TLS handshakes, with JA3/JA4 if produced by your Zeek build
  • http.log: HTTP transactions, including User-Agent and JA4H
  • dns.log: DNS queries and responses
  • x509.log: certificates seen on the wire

Both TSV and JSON are fine. Upload one at a time, or zip a bundle; if multiple files share Zeek UIDs, we correlate automatically so SSL fingerprints and HTTP user-agents end up attached to the same pair.
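The UID join described above, as an added illustration in Python (this is not Strixl's own implementation, and the log lines are constructed samples in Zeek's JSON output format): conn.log acts as the anchor, ssl.log and http.log records are attached to their conn record by uid, and the result is grouped by originator/responder pair so fingerprints and user-agents land on the same pair. Field names (`uid`, `id.orig_h`, `id.resp_h`, `orig_bytes`, `resp_bytes`, `user_agent`, `ja3`, `ja4`) follow Zeek's standard logs; the ja3/ja4 values are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample lines in Zeek JSON format (not real traffic); ja3/ja4 only appear if your Zeek build produces them.
CONN_LOG = """
{"ts":1700000000.1,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","orig_bytes":1200,"resp_bytes":8400}
{"ts":1700000001.2,"uid":"CDef2","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"203.0.113.7","id.resp_p":80,"proto":"tcp","orig_bytes":300,"resp_bytes":950}
{"ts":1700000002.3,"uid":"CGhi3","id.orig_h":"10.0.0.9","id.orig_p":40000,"id.resp_h":"198.51.100.2","id.resp_p":443,"proto":"tcp","orig_bytes":700,"resp_bytes":0}
"""
SSL_LOG = """
{"ts":1700000000.2,"uid":"CAbc1","server_name":"example.com","ja3":"JA3_CONSTRUCTED_1","ja4":"JA4_CONSTRUCTED_1"}
{"ts":1700000002.4,"uid":"CZzz9","server_name":"orphan.example","ja3":"JA3_CONSTRUCTED_2"}
"""
HTTP_LOG = """
{"ts":1700000001.3,"uid":"CDef2","method":"GET","host":"example.com","uri":"/","user_agent":"curl/8.4.0"}
"""

def parse_zeek_json(text):
    """Yield one dict per non-empty, non-comment line of a Zeek JSON log."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield json.loads(line)

def correlate(conn_log, ssl_log, http_log):
    """Attach ssl/http fields to conn records by uid, then group by host pair.
    conn.log is the anchor: uids seen only in ssl/http are reported as orphans."""
    by_uid = {r["uid"]: r for r in parse_zeek_json(conn_log)}
    orphans = []
    for log, fields in ((ssl_log, ("ja3", "ja4", "server_name")),
                        (http_log, ("user_agent",))):
        for rec in parse_zeek_json(log):
            conn = by_uid.get(rec["uid"])
            if conn is None:
                orphans.append(rec["uid"])
                continue
            conn.update({k: rec[k] for k in fields if k in rec})
    pairs = defaultdict(lambda: {"flows": 0, "bytes": 0, "ja3": set(),
                                 "ja4": set(), "user_agents": set()})
    for conn in by_uid.values():
        p = pairs[(conn["id.orig_h"], conn["id.resp_h"])]
        p["flows"] += 1
        p["bytes"] += conn.get("orig_bytes", 0) + conn.get("resp_bytes", 0)
        for k in ("ja3", "ja4"):
            if conn.get(k):
                p[k].add(conn[k])
        if conn.get("user_agent"):
            p["user_agents"].add(conn["user_agent"])
    return dict(pairs), orphans
```

Orphan uids (here `CZzz9`, present in ssl.log but absent from conn.log) are the cases that make conn.log mandatory as the anchor when several logs are uploaded together.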

Suricata

eve.json exports with flow, tls, http, dns, and alert records are parsed into the same pair-centric view. This works on Suricata's default output config. If you have a custom output plugin that emits different record types, tell us and we'll look at adding support.

NDJSON

Line-delimited JSON, one event per line. Auto-detection looks for common field names (src_ip, dest_ip, dst_ip, timestamp, bytes, and their common variants). If the auto-pass fails, you'll be shown a mapping modal; see Field mapping.

CSV

Standard comma-separated with a header row. Field names are case-insensitive and we try a library of common aliases before prompting you to map manually.

File size and upload limits

Each plan has a daily upload count, not a per-file size cap. On Recon you get 2 uploads/day; Hunter gets 10/day; Operator and Partner are unlimited. See pricing for the full breakdown, or Field mapping for what to do when auto-detection fails.