Supported formats
Beacon works with whatever you're already capturing. No new agent to install, no export pipeline to build. This page explains each file type in plain English so you know which one you actually have.
Not sure which format you have? Look at the file extension: .pcap or .pcapng is a packet capture; a folder of files named conn.log or conn.log.gz is Zeek; a file called eve.json is Suricata; anything else in .csv or .json is your own exported data.
PCAP and PCAPNG (raw packet captures)
A PCAP (“packet capture”) is a complete recording of everything that crossed a network link during the recording window, byte-for-byte and packet-for-packet. It's what Wireshark, tcpdump, and most firewalls, IDS boxes, and network TAPs write when you press record.
PCAPNG is the newer version of the same format. Beacon handles both, so you don't need to convert.
When you upload a PCAP, Beacon reads it packet by packet and pulls out:
- Source and destination IPs, port numbers, byte totals, and exact timestamps for every connection.
- JA3 and JA4 fingerprints on any encrypted (HTTPS/TLS) traffic: a signature of the software making the connection. Explained on the Fingerprinting page.
- JA4H fingerprints on plain HTTP traffic.
- JA4X fingerprints plus a self-signed certificate check on any TLS certificates seen.
- DNS queries (what websites got looked up) and their responses.
Beacon does not try to decrypt anything. The contents of encrypted traffic stay encrypted. Beacon only looks at the outside behavior of connections.
Zeek logs
Zeek (formerly “Bro”) is a free, open-source network-monitoring tool many security teams run on their network. It watches traffic and writes summary log files to disk. If your security team runs Zeek, uploading its logs is the fastest way to get Beacon results because Zeek has already done the parsing.
Beacon accepts these Zeek log files:
- conn.log: one row per connection (source, destination, duration, bytes). Required if you're uploading more than one Zeek log at a time.
- ssl.log: one row per encrypted (TLS) handshake. Includes JA3/JA4 fingerprints if your Zeek build produces them.
- http.log: one row per HTTP request/response, including the User-Agent string.
- dns.log: one row per DNS query and response.
- x509.log: one row per TLS certificate seen.
Both TSV (tab-separated values, the Zeek default) and JSON are fine. You can upload one file at a time, or zip multiple logs together. If they share Zeek's internal connection IDs, Beacon will stitch them together automatically so a single pair gets enriched with everything Zeek observed about it.
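To show what joining on Zeek's connection ID (the uid column) involves, here is an added example that is not Beacon's own code. The function names parse_zeek_tsv and stitch are hypothetical, and the log contents are constructed samples trimmed to a few fields.

```python
from collections import defaultdict

# Constructed sample logs in Zeek's default TSV layout, trimmed to a few fields.
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\torig_bytes\n"
    "#types\ttime\tstring\taddr\taddr\tport\tcount\n"
    "1700000000.0\tCabc1\t10.0.0.5\t203.0.113.10\t443\t1200\n"
    "1700000060.0\tCdef2\t10.0.0.7\t198.51.100.4\t53\t-\n"
)
SSL_LOG = (
    "#fields\tts\tuid\tversion\tserver_name\n"
    "1700000000.1\tCabc1\tTLSv13\texample.test\n"
    "1700000090.0\tCzzz9\tTLSv12\torphan.test\n"  # no matching conn.log row
)
DNS_LOG = (
    "#fields\tts\tuid\tquery\n"
    "1700000060.0\tCdef2\texample.test\n"
)

def parse_zeek_tsv(text):
    """Yield one dict per data row, named by the #fields header line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            # Zeek writes "-" for unset values; normalise those to None.
            yield {k: (None if v == "-" else v) for k, v in row.items()}

def stitch(conn_text, **other_logs):
    """Join other logs onto conn.log rows by uid.

    Returns (stitched, orphans): stitched maps uid -> {"conn": row, "<log>": [rows]},
    orphans lists uids seen in other logs but missing from conn.log.
    """
    extras = defaultdict(dict)
    for name, text in other_logs.items():
        for row in parse_zeek_tsv(text):
            extras[row["uid"]].setdefault(name, []).append(row)
    stitched = {
        conn["uid"]: {"conn": conn, **extras.get(conn["uid"], {})}
        for conn in parse_zeek_tsv(conn_text)
    }
    orphans = sorted(set(extras) - set(stitched))
    return stitched, orphans
```

Orphaned uids usually mean the logs come from different capture windows or sensors, which is worth checking before zipping files together.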
Suricata (eve.json)
Suricata is another free, open-source network-monitoring tool. It writes a single JSON file called eve.json that contains every event it saw. Beacon accepts Suricata's default output and extracts the flow, tls, http, dns, and alert record types.
If you run Suricata with a custom output plugin that emits different record types, email support@stryxllabs.com with a sample and we'll look at adding support.
NDJSON (your own JSON export)
NDJSON is “newline-delimited JSON”: one JSON object per line, with each object describing one network connection. Most modern SIEMs, EDRs, and firewalls can export to this format.
Beacon looks for common column names automatically: src_ip, dst_ip, dest_ip, timestamp, bytes, and the usual variants. If it can't match your column names, you'll see a mapping screen. See Field mapping for how to use it.
CSV (spreadsheet-style export)
Standard comma-separated values with a header row as the first line. Column names are case-insensitive, and Beacon tries a large library of common aliases before asking you to map them manually.
If you're exporting from Excel, save as CSV UTF-8, not Windows-1252. Special characters in hostnames otherwise come through as garbled text.
File size and upload limits
There is no per-file size cap. Each plan limits the number of uploads per day, not the size:
- Recon (free): 2 uploads per day.
- Hunter: 10 uploads per day.
- Operator and Partner: unlimited.
See pricing for the full breakdown. If your file is massive (hundreds of GB), email support@stryxllabs.com before uploading. We can pre-stage it for you.
