SUPPORT · KESTREL SIGHT
Kestrel Sight support & FAQ.
Common questions about the paid edition — unlimited packets, raw-data search, analyst bookmarks, and audit logging with SHA-256 evidence hashing. If your answer isn’t here, write me directly — I read every email.
────── GETTING STARTED ──────
00000010 · BASICS
Getting started.
The essentials of opening, analyzing, and moving files.
How do I open a capture file?
Three ways. One — tap Open on the welcome screen and pick from
Files, iCloud Drive, or any file provider. Two — share a PCAP
from Mail, Messages, or any app that accepts Files, and pick Kestrel
from the share sheet. Three — AirDrop a file from your Mac
straight to Kestrel.
What file formats does Kestrel support?
PCAP (libpcap, magic 0xA1B2C3D4, native
and byte-swapped) and PCAPNG (section-header-block format). These
are the outputs of Wireshark, tcpdump, tshark, and every other
standard capture tool.
How large a file can I open?
Two strategies based on size. Under 1 GB loads fully for
complete analysis with automatic TCP stream reassembly. At or
above 1 GB, Kestrel streams from disk — packet headers
are parsed up front and payload is read on demand. TCP reassembly
disables automatically above 1 GB to protect device memory;
packets, flows, hosts, DNS, and timeline remain fully functional.
Can Kestrel capture live traffic on iPhone?
No. iOS does not expose the equivalent of Berkeley Packet Filter to
third-party apps — this is an Apple platform restriction, not
a Kestrel limitation. Kestrel analyzes capture files generated
elsewhere. Live capture on the Mac is what Kestrel Talon is for.
────── ANALYSIS ──────
00000020 · ANALYSIS
Filtering and analysis.
Getting to the packets, streams, and anomalies you care about.
What filter syntax does the search bar accept?
Free text (matches IP, port, protocol, info, flags). CIDR
(192.168.1.0/24). Protocol name (TCP, DNS). Port number
(443 or :8080). Directional IP (src=10.0.0.1, dst=8.8.8.8).
Raw payload search (raw=password). Space-separated terms are
AND-combined.
How does TCP reassembly handle retransmissions?
Segments are ordered by TCP sequence number. Overlapping ranges
caused by retransmissions are deduplicated. Payloads concatenate
into continuous byte streams. HTTP transactions — method lines,
status lines, chunked-transfer encoding — are identified
automatically.
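The ordering and deduplication described above, as an added Python example; it is not Kestrel's code. The function name, the return shape and the sample segments are assumptions made for illustration, and the example also reports retransmissions whose bytes differ from what was already seen.

```python
SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def reassemble(segments, first_seq):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.

    first_seq is the sequence number of the first payload byte (assumed known).
    Returns (stream, duplicate_bytes, conflicts, gaps).
    """
    # Work in offsets relative to first_seq so wraparound sorts correctly.
    rel = [((seq - first_seq) % SEQ_MOD, data) for seq, data in segments if data]
    rel.sort(key=lambda s: s[0])  # stable: capture order kept for equal offsets
    stream = bytearray()
    duplicate_bytes = 0
    conflicts = []  # offsets where a retransmission carried different bytes
    gaps = []       # (offset, length) of ranges never seen in the capture
    for off, data in rel:
        end = len(stream)
        if off > end:
            gaps.append((end, off - end))
            stream.extend(bytes(off - end))  # zero-fill the hole
            end = off
        overlap = min(end - off, len(data))
        if overlap and bytes(stream[off:off + overlap]) != data[:overlap]:
            conflicts.append(off)
        duplicate_bytes += overlap           # already-seen bytes are dropped
        stream.extend(data[overlap:])
    return bytes(stream), duplicate_bytes, conflicts, gaps


# Constructed sample: an HTTP request split across segments, captured out of
# order, with one full retransmission and one partially overlapping segment.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
FIRST_SEQ = 0xFFFFFFF0  # chosen so the stream crosses the 32-bit wrap
SEGMENTS = [
    ((FIRST_SEQ + 20) % SEQ_MOD, REQUEST[20:40]),  # arrives first
    (FIRST_SEQ, REQUEST[0:20]),
    (FIRST_SEQ, REQUEST[0:20]),                    # retransmission
    ((FIRST_SEQ + 30) % SEQ_MOD, REQUEST[30:]),    # overlaps bytes 30-39
]

if __name__ == "__main__":
    stream, dup, conflicts, gaps = reassemble(SEGMENTS, FIRST_SEQ)
    print(stream.decode(), dup, conflicts, gaps)
```

A non-empty conflicts list means two segments claimed the same byte range with different content, which is worth reviewing by hand rather than trusting either copy.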
Will credentials be masked when Pro ships?
The Pro credential scanner (in development) will find exposed
secrets across common protocols. Masking will be the responsible
default — findings will be reported as salted SHA-256
fingerprints so raw credential values never touch disk, and any
preview display in the UI will mask interior characters until
tapped to reveal. Kestrel Sight and Lite do not include a
credential scanner.
What’s the difference between Sight and Lite?
Lite caps display at the first 50,000 packets per file. Sight removes
that cap and adds analyst bookmarks, raw-payload search, enhanced
IPv6 display, and refined PDF reports. Everything else — dashboard,
packets, flows, hosts, DNS, streams, timeline, and audit log
with SHA-256 evidence hashing — is identical. Anomaly detection,
sensitive-data scanning, and file carving are Pro features (in development).
Upgrade to Sight from within the app.
────── PRIVACY ──────
00000030 · PRIVACY
Privacy and data.
What the app touches, what it never does.
Does Kestrel send my data anywhere?
No. Every byte is processed on-device. Kestrel makes no
outbound connections, sends no analytics, and contacts no
external services. Read the
full privacy policy for specifics.
Where are my files stored?
Files you open stay where you opened them — Kestrel reads from
your file providers (Files, iCloud Drive, etc.) without copying.
Session state (filters, marked packets, notes) lives in the app’s
sandboxed container and is removed if you delete the app.
Does Kestrel require an account?
No. No sign-in, no cloud sync, no identity. The in-app upgrade to
Sight goes through the App Store and is tied to your Apple ID,
not to any Tracivex account.
────── TROUBLESHOOTING ──────
00000040 · FIXES
Troubleshooting.
When something isn’t working as expected.
A file won’t open or shows zero packets.
Make sure the file is actually a PCAP or PCAPNG — some apps
export capture metadata in JSON or CSV that shares nothing with
the binary format. Open the file in Wireshark on another machine
to confirm. If it opens there but not in Kestrel, send me the file
details (size, source tool) by email.
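A quick way to check whether a file is a binary capture before opening it, covering the format answer under Getting started and the check described above. This is an added Python example, not Kestrel's code; the result labels and sample headers are assumptions, and the PCAPNG constants are the standard Section Header Block type and byte-order magic.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4            # libpcap magic quoted on this page
PCAPNG_SHB_TYPE = 0x0A0D0D0A       # pcapng Section Header Block type
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D


def classify_capture(head: bytes) -> str:
    """Classify a file from its first 12 bytes (labels are this example's own)."""
    if len(head) < 4:
        return "too-short"
    be = struct.unpack(">I", head[:4])[0]
    le = struct.unpack("<I", head[:4])[0]
    if be == PCAPNG_SHB_TYPE:  # reads the same in either byte order
        if len(head) < 12:
            return "pcapng-truncated"
        # Bytes 4-7 are the block length; bytes 8-11 reveal the byte order.
        if struct.unpack(">I", head[8:12])[0] == PCAPNG_BYTE_ORDER_MAGIC:
            return "pcapng-big-endian"
        if struct.unpack("<I", head[8:12])[0] == PCAPNG_BYTE_ORDER_MAGIC:
            return "pcapng-little-endian"
        return "pcapng-bad-byte-order-magic"
    if be == PCAP_MAGIC:
        return "pcap-big-endian"
    if le == PCAP_MAGIC:
        return "pcap-little-endian"
    if head.lstrip()[:1] in (b"{", b"["):
        return "json-not-a-capture"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text-not-a-capture"
    return "unknown-binary"


def classify_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify_capture(fh.read(12))


# Constructed sample headers, not taken from real captures.
SAMPLES = {
    "le.pcap": struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1),
    "be.pcap": struct.pack(">IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1),
    "le.pcapng": struct.pack("<III", PCAPNG_SHB_TYPE, 28, PCAPNG_BYTE_ORDER_MAGIC),
    "export.json": b'{"packets": []}',
    "export.csv": b"no,time,src,dst\n1,0.0,10.0.0.1,8.8.8.8\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", classify_capture(data[:12]))
```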
The app feels slow on a large capture.
For files over a gigabyte, only headers are parsed up front; payload
is read on demand. TCP reassembly disables automatically above 1 GB.
The filter debounces at 300 ms — give it a moment after
typing. If something is genuinely hung, force-quit and reopen.
Tell me what happened.
My in-app purchase didn’t activate.
Go to Settings · Restore Purchases.
Make sure you’re signed in with the Apple ID that made the
purchase. If it still doesn’t restore, send me your purchase
receipt and I’ll help directly.
How do I report a bug?
Email me with device model, iOS version, app version (Settings ·
About), and what you were doing when the bug happened. A reproduction
case — even “I tapped X then Y and saw Z” —
is worth ten vague descriptions. Please don’t attach
PCAP files without asking first; they often contain sensitive data.
────── STILL STUCK ──────
WRITE
If your question isn’t answered here, email me directly. Bugs, feature requests, licensing, press — one inbox, one human, reply within forty-eight hours.