Upload PCAP
Drop .pcap, .pcapng files or WARP diagnostic zips. Multiple files supported.
Timeline Overview
Total Packets
WARP Traffic
Cloudflare IPs
Issues Found
Zero Trust Health Check
๐ Expert Information (Wireshark-style analysis)
| Severity | Summary | Group | Protocol | Count | % |
|---|---|---|---|---|---|
| Waiting for PCAP upload... | |||||
Top Issues by Frequency
Recommendations
Protocol Distribution
Packet Size Distribution
Traffic Over Time (packets)
Bandwidth Over Time
Top Talkers (by packets)
Error Types Breakdown
TCP/DNS Latency
Capture Summary
Load Analysis Results
Upload JSON outputs from the Python analysis modules, or analyze from loaded PCAP.
WARP Diagnostic Report
๐ Connectivity & Handshake
What this checks:
Looks for WARP tunnel traffic on ports 2408 (primary), 500, or 4500 (fallback). Measures how quickly the tunnel establishes by tracking WireGuard handshakes.
โ Good results look like:
Status shows "Connected" on port 2408, handshake RTT under 100ms, zero unanswered handshakes, and regular keepalives.
โ ๏ธ Warning signs:
"Fallback" status means primary port is blocked. "Partial" means only some Cloudflare traffic detected. High unanswered count suggests network issues.
๐ก Interference Radar
What this checks:
Detects if something is blocking or intercepting your WARP connection: firewalls silently dropping packets, corporate proxies inspecting TLS traffic, captive portals hijacking DNS, or deep packet inspection targeting WireGuard.
โ Good results look like:
"No interference detected" - your network path to Cloudflare is clean.
โ ๏ธ Warning signs:
Silent drops = firewall blocking. ICMP rejects = explicit block rule. TLS MITM = corporate proxy decrypting traffic (breaks certificate pinning). Captive portal = need to authenticate to network first.
๐ Path MTU & Fragmentation
What this checks:
Checks if packets are too large for your network path. MSS (Maximum Segment Size) tells TCP how big packets can be. WARP needs packets โค1380 bytes to fit inside the tunnel without fragmentation.
โ Good results look like:
Zero MSS violations, zero fragmentation events. All connections negotiating safe packet sizes.
โ ๏ธ Warning signs:
MSS >1380 can cause packet loss or slowdowns. "ICMP Frag Needed" messages mean packets are being dropped for being too large. High fragment count indicates inefficient network path.
๐ DNS / DoH Performance
What this checks:
Measures how fast DNS lookups are completing. WARP uses DNS-over-HTTPS (DoH) to Cloudflare's 1.1.1.1 resolver. Slow DNS = slow page loads and app connections.
โ Good results look like:
Average latency under 50ms, zero "slow" queries (>200ms). Fast DNS means snappy browsing.
โ ๏ธ Warning signs:
High average latency suggests network congestion or distant servers. Many slow queries indicate possible throttling or packet loss on the DNS path.
๐ซ Policy Drops & RST Forensics
What this checks:
Analyzes TCP RST (reset) packets to determine if connections are being forcibly terminated. RSTs can come from the real server OR be injected by firewalls/ISPs to block traffic.
โ Good results look like:
Low RST count, all classified as "normal" (legitimate server responses). Zero gateway redirects.
โ ๏ธ Warning signs:
"likely_injection" = a device in the middle is killing your connections (TTL or window size doesn't match the server). Gateway redirects = Cloudflare Gateway is blocking based on policy rules.
๐ TCP Dynamics
What this checks:
Measures TCP connection health: retransmissions (packets that had to be sent again), duplicate acknowledgments, and window sizing issues that affect throughput.
โ Good results look like:
Low retransmission count (<1% of packets), zero "zero window" events, healthy window sizes. This means smooth data flow.
โ ๏ธ Warning signs:
High retransmissions = packet loss (bad WiFi, congestion, or blocking). Zero window = receiver can't keep up. Window clamp at 65535 = possible middlebox interference limiting throughput.
๐ IPv6 Happy Eyeballs Race Chart
What this checks:
Detects IPv6 connectivity issues. "Happy Eyeballs" is when your device tries IPv6 first, waits ~300ms when it fails, then falls back to IPv4. This hidden delay makes everything feel slow.
โ Good results look like:
Zero Happy Eyeballs fallbacks (IPv6 works!), balanced NDP solicitations/advertisements, no PMTUD blackholes.
โ ๏ธ Warning signs:
Fallback events = IPv6 is broken, adding 200-300ms latency to every new connection. High NDP solicitations with zero advertisements = can't reach your IPv6 gateway. PMTUD blackholes = large IPv6 packets silently dropped.