MasterYoav/IceSniff


IceSniff is an open-source packet analysis project focused on a modern UI, an integrated AI panel, a scriptable CLI, and a shared Rust analysis engine.

The repository currently contains:

  • a Rust CLI in apps/cli
  • a native SwiftUI macOS app in apps/macos
  • a local web app in apps/live

IceSniff is released under the MIT License. See LICENSE.

Installation

CLI one-line installers

  • macOS / Linux: curl -fsSL https://raw.githubusercontent.com/MasterYoav/IceSniff/main/install.sh | sh

    You can also download our native macOS app from Releases.

  • Windows PowerShell: irm https://raw.githubusercontent.com/MasterYoav/IceSniff/main/install.ps1 | iex
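
Piping a remote script straight into a shell runs whatever the main branch serves at that moment. As an added example (not part of the IceSniff repository), the script below fetches the same install.sh to a temporary file and runs it only if its SHA-256 matches a digest you recorded after reviewing the script; the function names and the digest argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the IceSniff repository.
# Same installer as the one-liner, but fetched to disk and hash-checked first.
INSTALL_URL="https://raw.githubusercontent.com/MasterYoav/IceSniff/main/install.sh"

# Print the SHA-256 hex digest of a file with whichever tool the platform ships.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# Return 0 only when the file's digest equals the pinned digest.
verify_pinned() {
    vp_actual=$(sha256_of "$1") || return 2
    # An unreadable file yields an empty digest; never treat that as a match.
    [ -n "$vp_actual" ] || return 2
    if [ "$vp_actual" = "$2" ]; then
        return 0
    fi
    echo "digest mismatch: expected $2, got $vp_actual" >&2
    return 1
}

# Download the installer and refuse to run it unless it matches the pinned digest.
# $1 is the digest you recorded after reading the script (reader-supplied).
fetch_verify_run() {
    fvr_tmp=$(mktemp) || return 2
    if curl -fsSL "$INSTALL_URL" -o "$fvr_tmp" && verify_pinned "$fvr_tmp" "$1"; then
        sh "$fvr_tmp"
        fvr_rc=$?
    else
        fvr_rc=1
    fi
    rm -f "$fvr_tmp"
    return "$fvr_rc"
}

# Usage (placeholder digest, fill in your own):
#   fetch_verify_run "<sha256-you-recorded-after-review>"
```

A mismatch means the script on main has changed since you reviewed it, so re-read it before updating the pinned digest.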

After install:

  • icesniff opens the terminal launcher menu with Live, CLI, and uninstall options
  • icesniff-cli opens the full-screen TUI directly

The installer adds the launchers to the user PATH, so they can be run from a new terminal window without changing directories.

What Works Today

CLI

The CLI can:

  • install through one-line platform installers with icesniff and icesniff-cli launchers
  • open and inspect .pcap and .pcapng captures
  • list packets and inspect packet details
  • calculate capture stats and conversation summaries
  • analyze streams and transactions
  • save filtered captures to a new PCAP file
  • emit text or stable --json output
  • run a full-screen terminal UI with sections, packet list/detail panes, filters, live capture controls, and save/open flows
  • run a launcher menu that can start the TUI, start the local web app, or uninstall the CLI bundle
  • perform live capture through the bundled runtime and platform capture helpers

Current protocol coverage includes:

  • Ethernet, ARP, IPv4, TCP, UDP, ICMP
  • DNS
  • HTTP/1.1
  • TLS handshake metadata and stream/transaction summaries

macOS App

The native macOS app currently supports:

  • opening existing capture files
  • starting and stopping live capture
  • packet, stats, conversations, streams, and transactions views
  • packet detail inspection driven by the shared Rust backend
  • local UI preferences for theme and font
  • optional Google and GitHub sign-in through Supabase
  • a packet-aware AI sidebar with offline mode, API-backed providers, and local Codex / Claude Code routes

Live Web App

The local web app currently supports:

  • a browser-first packet/live-capture shell with a launcher-aligned layout, overlay section rail, and toggleable AI side panel
  • opening local capture files through browser upload into a local temp workspace
  • starting and stopping live capture through the Rust capture helper with an in-app toggle control
  • saving the current capture from the packets view
  • packet, stats, conversations, streams, and transactions views
  • browser-local UI preferences for modern themes, fonts, and type scale
  • a redesigned packets view with custom filter/input controls, interface picker, save toggle, and double-click packet preview
  • analysis driven by the same icesniff-cli + tshark engine used by the macOS app

What Is Not Done Yet

IceSniff is still early-stage software. Important gaps include:

  • no Windows app yet
  • no Linux desktop app yet
  • protocol coverage is still limited compared with mature analyzers
  • live capture depends on external system capture tooling and platform permissions
  • cloud-backed profile sync is disabled in the public macOS build
  • contributor-facing packaging and release workflows are still evolving

AI Security

For the current macOS app:

  • API keys are stored in macOS Keychain, not app preferences
  • saved keys are not shown back in plain text after storage
  • hosted AI requests use an ephemeral networking session with caching disabled
  • Google AI credentials are sent in a request header instead of a URL query string
  • provider and local-runtime failures are sanitized before they appear in the UI

Important limit:

  • if a user chooses a hosted provider and sends a prompt, the selected packet context for that request is sent to that provider

Getting Started

CLI

cd apps/cli
cargo run -p icesniff-cli -- help

Useful commands:

cargo run -p icesniff-cli -- inspect path/to/capture.pcap
cargo run -p icesniff-cli -- list path/to/capture.pcap
cargo run -p icesniff-cli -- stats path/to/capture.pcap
cargo run -p icesniff-cli -- conversations path/to/capture.pcap
cargo run -p icesniff-cli -- streams path/to/capture.pcap
cargo run -p icesniff-cli -- transactions path/to/capture.pcap

macOS App

cd apps/macos
./scripts/sync-bundled-cli.sh
swift run IceSniffMac

Live Web App

cd apps/live
node server.mjs

Then open http://127.0.0.1:4318.

Repository Guide

  • CONTRIBUTING.md for contribution rules and local workflows
  • docs/architecture/overview.md for architecture notes
  • docs/feature-parity-matrix.md for cross-surface tracking
  • docs/cli/install.md for CLI bundle and installer commands
  • docs/repo-map.md for repository structure
  • apps/macos/README.md for macOS-specific setup
  • apps/live/README.md for the local web app

Contributing

If you want to help, areas with clear value right now include:

  • protocol support and parser hardening
  • live capture reliability across platforms
  • filtering and analysis UX
  • tests, fixtures, and regression coverage
  • packaging and release automation
  • future Windows app work
