Quickstart
From signing up to finding your first suspicious connection, in about ten minutes. No prior security-tool experience required. This page explains every term as it comes up.
What Beacon does, in one sentence: you give it a recording of your network traffic, and it tells you which computers are talking to the internet in a pattern that looks like malware phoning home to its operator.
What you need before you start
- An email address (you'll verify it after signup).
- A web browser. That's it on the user side.
- A network capture file. This is a recording of traffic going across your network. If you don't have one, skip to the “I don't have a capture” section below for step-by-step instructions on recording your own with Wireshark, tcpdump, or Zeek.
1. Create a free account
Go to app.stryxllabs.com/register and make a free Recon account. No credit card. You'll be asked to verify your email before your first upload.
Recon is the free tier. It gives you two uploads per day and keeps your results for forty-eight hours, which is enough to walk through this guide with a real capture of your own network.
2. Upload a capture
After logging in, you'll land on the Uploads page. Drag and drop your file onto the upload area, or click “Choose file” to pick it from your computer. Any of these work:
- PCAP / PCAPNG: the raw-packet format written by tcpdump, Wireshark, and most network-recording appliances. If you have a `.pcap` or `.pcapng` file, that's this.
- Zeek logs: summaries written by Zeek (an open-source tool many SOC teams run). Beacon accepts `conn.log`, `ssl.log`, `http.log`, `dns.log`, and `x509.log`, as TSV or JSON, one at a time or zipped together.
- Suricata `eve.json`: the JSON output from Suricata (another open-source network-monitoring tool). Its default config produces exactly what Beacon needs.
- Your own NDJSON or CSV: if your firewall, EDR, or SIEM can export connection records with IP, port, timestamp, and byte counts, that works too. Beacon tries to auto-detect column names; if it can't, it'll ask you to map them.
Don't worry if this list felt dense. For most users a .pcap from Wireshark is the whole story. See Supported formats for the full breakdown.
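To make the "connection records with IP, port, timestamp, and byte counts" line concrete, here is an added example (not Beacon's code, and not something you need if you already have Zeek logs, which Beacon reads directly). It parses a Zeek `conn.log` in its default TSV layout and emits NDJSON records carrying exactly those fields. The `conn.log` lines are constructed sample data, and the output names `ts`, `src_ip`, `src_port`, `dst_ip`, `dst_port`, `proto`, `bytes_out`, `bytes_in` are my assumption about what a generic export looks like; Beacon auto-detects column names or lets you map them, so any consistent names work. The same skeleton adapts to a firewall or EDR CSV: swap the column names in `to_record`.

```python
"""Convert a Zeek conn.log (TSV) into NDJSON connection records.

Added example for this guide; not Beacon's code. The output field names
(ts, src_ip, src_port, dst_ip, dst_port, proto, bytes_out, bytes_in) are
assumed, not a format Beacon mandates: it auto-detects or lets you map them.
"""
import json

# Constructed sample in Zeek's default TSV layout: '#'-prefixed metadata
# lines, then one tab-separated row per connection, '-' meaning "unset".
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\n"
    "1700000000.123456\tCAbc1\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\tssl\t0.42\t517\t4821\tSF\n"
    "1700000060.118210\tCAbc2\t10.0.0.5\t51240\t203.0.113.10\t443\ttcp\tssl\t0.39\t517\t4788\tSF\n"
    "1700000061.900000\tCAbc3\t10.0.0.7\t53211\t192.0.2.53\t53\tudp\tdns\t-\t62\t-\tSF\n"
    "#close\t2023-11-14-22-15-00\n"
)

# The five fields a connection record cannot do without.
REQUIRED = ("ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p")


def parse_conn_log(text):
    """Yield one dict per data row, keyed by the names in the #fields line.
    Unset values ('-' by default) become None."""
    fields, sep, unset = None, "\t", "-"
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Zeek writes the separator escaped, e.g. '\x09' for a tab.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            if line.startswith("#fields" + sep):
                fields = line.split(sep)[1:]
            elif line.startswith("#unset_field" + sep):
                unset = line.split(sep, 1)[1]
            continue
        if not line:
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def _as_count(value):
    """Byte counters are unset for some connections (e.g. one-way UDP); treat as 0."""
    return int(value) if value is not None else 0


def to_record(row):
    """Reduce a conn.log row to the IP/port/timestamp/byte-count record that a
    connection-export format needs."""
    missing = [f for f in REQUIRED if row.get(f) is None]
    if missing:
        raise ValueError(f"row lacks required fields {missing}")
    return {
        "ts": float(row["ts"]),
        "src_ip": row["id.orig_h"],
        "src_port": int(row["id.orig_p"]),
        "dst_ip": row["id.resp_h"],
        "dst_port": int(row["id.resp_p"]),
        "proto": row.get("proto"),
        "bytes_out": _as_count(row.get("orig_bytes")),
        "bytes_in": _as_count(row.get("resp_bytes")),
    }


def conn_log_to_records(text):
    return [to_record(r) for r in parse_conn_log(text)]


def conn_log_to_ndjson(text):
    """One JSON object per line, the shape most SIEM/EDR exporters produce."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in conn_log_to_records(text))


if __name__ == "__main__":
    print(conn_log_to_ndjson(SAMPLE_CONN_LOG), end="")
```

Run it against a real file with `conn_log_to_ndjson(open("conn.log").read())`. The point worth noticing is the third sample row: a one-way DNS query has no response bytes, which Zeek writes as `-`, and a naive `int()` on that column crashes; every exporter has some equivalent of "unset", and your mapping has to decide what it means.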
I don't have a capture. How do I make one?
You record traffic from your own network. Beacon analyzes the recording after the fact; it's not watching live. Pick one of the three tools below based on what kind of computer you're on and how much setup you want to do. One thing to know up front: on a laptop or desktop, Wireshark and tcpdump see only that machine's own traffic, because a normal wired or Wi-Fi connection doesn't deliver other hosts' packets to you. To watch several machines at once you need a mirror port or TAP, which is Option C.
Record for at least 30 minutes, ideally a few hours, on a machine that's doing normal work. The longer the capture, the more chances Beacon has to spot periodic check-ins.
Option A: Wireshark (easiest, Windows / macOS / Linux)
Wireshark is a free, widely-used network analyzer with a graphical interface. Best choice if you're on a laptop or desktop and want a point-and-click experience.
- Download and install from wireshark.org/download.html. On Windows the installer also sets up Npcap (the packet-capture driver). Accept the defaults when prompted.
- Launch Wireshark. You'll see a list of network interfaces. Pick your active one (usually named `Wi-Fi` on a laptop or `Ethernet` on a wired desktop, the one with a live traffic graph next to it).
- Double-click that interface. Recording starts immediately. Use your computer normally for 30+ minutes.
- Click the red square (Stop capturing) in the toolbar when you're done.
- File → Save As → choose `Wireshark/... - pcapng` as the format → save somewhere you'll find it.
- Upload that `.pcapng` file to Beacon.
Full Wireshark user guide: wireshark.org/docs/wsug_html_chunked.
Option B: tcpdump (command line, macOS / Linux)
tcpdump is the classic command-line capture tool. Already installed on most macOS and Linux systems. Lightweight, scriptable, works over SSH.
- Open a terminal. Check it's installed: `tcpdump --version`. If not, install it. On Debian/Ubuntu: `sudo apt install tcpdump`. On macOS it ships with the OS.
- Find your active network interface: `ifconfig` (macOS) or `ip link` (Linux). Common names are `en0`, `eth0`, `wlan0`.
- Start recording. Replace `en0` with your interface name and `~/capture.pcap` with where you want the file saved: `sudo tcpdump -i en0 -s 0 -w ~/capture.pcap` (`-i` picks the interface, `-s 0` captures full packets, `-w` writes to a file). If you're running this over SSH, append `not tcp port 22` to the command so the capture isn't flooded with your own session.
- Use the machine normally for 30+ minutes. Stop with Ctrl+C.
- Upload `~/capture.pcap` to Beacon.
tcpdump manual: tcpdump.org/manpages/tcpdump.1.html.
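Before uploading, it's worth confirming the file is what you think it is: tcpdump writes classic pcap, Wireshark's default is pcapng, and a capture you stopped too early won't give Beacon enough repetitions to work with. The added example below (not part of Beacon, tcpdump or Wireshark) identifies the format from the first four bytes and, for classic pcap, walks the record headers to count packets and measure the time span without reading payloads, so it copes with very large files. The `build_sample_pcap` helper only builds constructed test data; the magic numbers and header layout are the published pcap/pcapng ones.

```python
"""Check a capture before uploading: which format is it, and (for
classic pcap) how many packets and how long a span does it hold?

Added example for this guide; not part of Beacon, tcpdump or Wireshark.
It reads only the 24-byte file header and the 16-byte record headers.
"""
import mmap
import struct

MIN_CAPTURE_SECONDS = 30 * 60  # the guide asks for at least 30 minutes

# A pcapng file starts with a Section Header Block whose type field is the
# byte-order-independent pattern 0x0A0D0D0A.
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

# Classic pcap magic numbers as the bytes appear on disk, mapped to the
# struct byte-order prefix and the unit of the timestamp fraction field.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1e-6),  # 0xa1b2c3d4 little-endian, microseconds (tcpdump default)
    b"\xa1\xb2\xc3\xd4": (">", 1e-6),  # same, big-endian
    b"\x4d\x3c\xb2\xa1": ("<", 1e-9),  # 0xa1b23c4d little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1e-9),  # same, big-endian
}


def capture_format(data):
    """'pcap', 'pcapng' or 'unknown', decided from the first four bytes."""
    head = bytes(data[:4])
    if head == PCAPNG_MAGIC:
        return "pcapng"
    if head in PCAP_MAGICS:
        return "pcap"
    return "unknown"


def pcap_summary(data):
    """Walk the record headers of a classic pcap. Returns packet count,
    time span in seconds, and the snaplen from the global header."""
    order, frac_unit = PCAP_MAGICS[bytes(data[:4])]
    # global header: magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
    snaplen = struct.unpack(order + "I", data[16:20])[0]
    off, packets, first, last = 24, 0, None, None
    while off + 16 <= len(data):
        # record header: ts_sec(4) ts_frac(4) incl_len(4) orig_len(4)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        if incl_len > snaplen or off + 16 + incl_len > len(data):
            raise ValueError(f"truncated or corrupt record at offset {off}")
        t = ts_sec + ts_frac * frac_unit
        first = t if first is None else first
        last = t
        packets += 1
        off += 16 + incl_len
    span = (last - first) if packets else 0.0
    return {"packets": packets, "span_seconds": span, "snaplen": snaplen}


def long_enough(span_seconds, minimum=MIN_CAPTURE_SECONDS):
    return span_seconds >= minimum


def check_file(path):
    """Memory-map a capture and report its format plus, for pcap, the summary."""
    with open(path, "rb") as f:
        if f.seek(0, 2) < 24:
            return {"format": "unknown", "reason": "file shorter than a capture header"}
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            result = {"format": capture_format(mm)}
            if result["format"] == "pcap":
                result.update(pcap_summary(mm))
                result["long_enough"] = long_enough(result["span_seconds"])
            return result


def build_sample_pcap(timestamps, payload_len=60):
    """Constructed test data: a little-endian microsecond pcap (linktype 1,
    Ethernet) with one zero-filled record per timestamp."""
    snaplen = 262144
    header = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, 1)
    records = b"".join(
        struct.pack("<IIII", int(t), int(round((t - int(t)) * 1e6)), payload_len, payload_len)
        + b"\x00" * payload_len
        for t in timestamps
    )
    return header + records


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1]))
    else:
        demo = build_sample_pcap([1700000000, 1700000900, 1700001800])
        print(capture_format(demo), pcap_summary(demo))
```

Usage: `python check_capture.py ~/capture.pcap`. For pcapng the script only confirms the format; its block structure is more involved, and Wireshark's Statistics → Capture File Properties shows the same first/last-packet times. A `ValueError` from `pcap_summary` usually means the capture was killed mid-write (a power loss or `kill -9` rather than Ctrl+C); `editcap` from the Wireshark suite can salvage the intact records.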
Option C: Zeek (for teams monitoring a whole network)
Zeek (formerly “Bro”) is a free, open-source network-monitoring platform. Instead of raw packets, it writes summary log files that are far smaller and already parsed. If you run a network span port, mirror port, or a TAP into a dedicated sensor box, Zeek is the right tool. Not recommended for a single laptop; use Wireshark or tcpdump for that.
- Install on a Linux server that can see the traffic you want to monitor. Docs: docs.zeek.org/en/current/install.html.
- Configure the interface Zeek should listen on. Quickstart guide: docs.zeek.org/en/current/quickstart.html.
- Start Zeek. After it's run for a while, collect the log files it writes. You want `conn.log`, `ssl.log`, `http.log`, `dns.log`, and `x509.log` from the current log directory.
- Zip them together and upload the zip to Beacon. See Supported formats for the details on what Beacon does with each log.
On permissions and privacy: capturing network traffic on a machine you don't own (a work laptop, a shared network) may require authorization from whoever manages it. Check with IT or your security team before recording on corporate networks. Don't upload captures that contain sensitive data you're not authorized to share.
3. Wait for scoring
A progress bar appears while Beacon parses the file and looks at every conversation between two IP addresses. Most uploads finish in under a minute. You don't have to stay on the page; the results will be waiting when you come back.
4. Read the detections
When scoring finishes, the Detections page shows every flagged pair (a source IP talking to a destination IP), sorted with the most suspicious at the top. Click any row and a panel opens on the side with the full story:
- Source and destination, with a score from 0 to 100 and a severity label (Info, Low, Medium, High, or Severe).
- TLS and HTTP fingerprints (JA3, JA4). Think of these as a signature of the software (or TLS library) that made the connection. Many legitimate programs share a fingerprint, but malware families often have distinctive ones. Explained on the Fingerprinting page.
- Destination info: who owns the IP, what country it's in, and reverse DNS (the hostname that IP resolves back to, if any).
- Timing pattern: how often the connection happens, and how consistent the timing is. A computer calling home every 60 seconds on the dot is a major red flag.
- Threat intel: whether any public security databases have flagged this IP before.
- Explain why: a plain-English breakdown of exactly which signals pushed the score up.
- How to Investigate This Pair: a step-by-step walkthrough telling you exactly what commands to run on the source computer to figure out which program is responsible. No prior experience needed.
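The timing-pattern item is the one that's easiest to see in code. The added example below is an illustration of that signal, not Beacon's scoring algorithm (the docs don't publish its weights): for each source/destination pair it measures the median interval between connections and how much the intervals wobble around it, then turns that into a 0 to 100 periodicity score. The traffic is constructed sample data, one pair checking in about once a minute and one pair browsing at random.

```python
"""Illustrate the timing signal: how regular are a source->destination
pair's connections, and how consistent is the interval?

Added example for this guide. It is not Beacon's scoring algorithm; it
shows one reasonable metric behind the "timing pattern" item. Records are
(timestamp, src_ip, dst_ip) tuples, e.g. from a conn.log export.
"""
from collections import defaultdict
from itertools import accumulate
from statistics import median


def periodicity(timestamps, min_events=6, max_jitter=0.5):
    """Return None if too few events; otherwise the median interval, the
    jitter (median absolute deviation of the intervals divided by the
    median interval) and a 0-100 score that is 100 for perfectly regular
    check-ins and 0 once jitter reaches max_jitter. MAD is used instead of
    standard deviation so a few long outages don't hide a steady rhythm."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:]) if b > a]  # drop duplicate timestamps
    if len(gaps) < min_events - 1:
        return None
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    jitter = mad / med
    score = max(0.0, 100.0 * (1.0 - jitter / max_jitter))
    return {"events": len(ts), "median_interval": med, "jitter": jitter, "score": round(score)}


def score_pairs(records):
    """Group records by (src, dst) and rank the pairs, most beacon-like first."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    scored = {pair: periodicity(t) for pair, t in by_pair.items()}
    scored = {pair: r for pair, r in scored.items() if r is not None}
    return sorted(scored.items(), key=lambda kv: kv[1]["score"], reverse=True)


def make_records(start, src, dst, gaps):
    """Constructed sample traffic: one connection per gap, starting at `start`."""
    return [(t, src, dst) for t in accumulate(gaps, initial=start)]


# Constructed sample data. The first pair checks in roughly every minute
# with a second or two of drift, the way a simple implant does; the second
# is a person browsing: bursts, long pauses, no rhythm.
BEACON_GAPS = [60, 61, 59, 60, 62, 58, 60, 60, 61, 59] * 3
BROWSING_GAPS = [3, 41, 2, 600, 17, 9, 250, 1, 88, 430, 5, 12]
SAMPLE_RECORDS = (
    make_records(1700000000, "10.0.0.5", "203.0.113.10", BEACON_GAPS)
    + make_records(1700000000, "10.0.0.7", "198.51.100.20", BROWSING_GAPS)
)

if __name__ == "__main__":
    for (src, dst), r in score_pairs(SAMPLE_RECORDS):
        print(f"{src} -> {dst}: every {r['median_interval']:.0f}s, "
              f"jitter {r['jitter']:.2f}, score {r['score']}")
```

Two caveats this toy makes obvious. Plenty of legitimate software also runs on a schedule (NTP, OS update checks, chat-client keepalives), so a high periodicity score on its own is not a verdict, which is why the panel pairs it with fingerprints, destination info and threat intel. And real malware often adds deliberate random delay to its check-ins, so a metric that only rewards "on the dot" timing would miss it; that's the reason for a tolerant threshold like `max_jitter` rather than an exact match on 60 seconds.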
5. Confirm or dismiss
At the bottom of the investigation panel you'll see two buttons:
- Confirm malicious: mark this as a real threat. Locks the record and feeds your workspace's history.
- Mark benign: dismiss this one. Beacon remembers the pattern and won't flag the same kind of traffic again in your workspace. See False-positive learning.
That's the whole loop: upload, score, investigate, verdict. Everything else in the docs is either a deeper look at one of those steps or a specialized workflow like exports.
Where to go next
- If your network logs come from a vendor with unusual column names and Beacon asked you to map them: Field mapping.
- To understand how the score is actually built: Behavioral scoring.
- To learn how to read the Investigation panel properly: Investigation panel.
