Getting Started with ZPK Network Security Analyzer

ZPK is a network monitoring tool for Windows that watches your network traffic, flags anything unusual, and gives you a clear report. Everything runs locally — no cloud, no accounts, no data leaves your PC.

Requirements

Windows 10 or Windows 11
Run as Administrator (right-click terminal → "Run as administrator")
That's it. No Python, no installers, no dependencies.

Quick Start

Your download includes everything. Choose whichever option works for you:

Option A: Standalone EXE (recommended)

Fastest way to get started. No Python needed.

Unzip & Run

Extract the zip to a folder (e.g. C:\Tools\zpk\). Open a terminal as Administrator, navigate there, and run zpk.exe.

Windows SmartScreen: The EXE is not code-signed, so Windows may warn you on first run. Click "More info" then "Run anyway." This is normal for unsigned software. Some antivirus products may also flag it — this is a false positive caused by the PyInstaller packager. The full source code is included so you can verify it yourself, or use Option B/C instead.

Option B: Run from source (no EXE needed)

If your antivirus flags the EXE, or you prefer running Python directly:

Install Python 3.11+ from python.org
Open a terminal as Administrator in the src/ folder
Run setup.bat — this creates a virtual environment and installs all dependencies
Run zpk.bat — this launches ZPK

Or manually:

cd src
pip install -r requirements.txt
python -m zpk

Option C: Build your own EXE

If you want a standalone EXE that you built yourself:

Follow Option B to set up the environment
Run build.bat — this creates dist\zpk.exe

The Menu

However you launch ZPK, you get the same interactive menu:

ZPK v0.9.0 — Network Security Analyzer

1 Quick Scan (30s, all traffic, GeoIP)

2 Custom Scan (choose protocol, host, port, duration)

3 Import PCAP (analyze a .pcap/.pcapng file)

4 View Sessions (browse past captures)

5 View Map (open HTML map in browser)

6 Export Session (PDF, JSON, CSV, Markdown, TXT)

7 History (trend analysis across sessions)

8 Setup & Tools (Npcap, GeoIP, interfaces)

9 AI Analyze (local Ollama, no cloud)

c Config (edit settings, alerts, thresholds)

0 Exit

First Run Setup

Before your first scan, you need two things:

Install Npcap (required)

Npcap is the driver that lets ZPK see network traffic. Without it, ZPK cannot capture packets.

Run zpk.exe and choose option 8 (Setup & Tools).
Choose Check/Install Npcap.
Follow the installer prompts. Make sure "WinPcap API-compatible mode" is checked.
Close and reopen your terminal after installation.

Or download Npcap yourself from npcap.com.

Download GeoIP Database (recommended)

The GeoIP database tells ZPK where external IPs are located (country, city, organization). It powers the world map and adds geographic context.

Run zpk.exe and choose option 8 (Setup & Tools).
Choose Update GeoIP & ASN databases.
ZPK downloads two small files automatically.

Optional but recommended. Without GeoIP, scans still work — you just won't see location data.

Running Your First Scan

Choose option 1 (Quick Scan) from the menu.
ZPK captures traffic for 30 seconds.
When done, you see a summary: connections, protocols, top destinations, and any findings.
Results are saved automatically to a timestamped folder.

What does a normal scan look like?

Connections to your router (e.g. 192.168.1.1)
DNS queries to your DNS server
HTTPS connections to websites and cloud services
A few INFO findings (normal observations)
A green "All clear" verdict

Understanding Results

ZPK uses four severity levels:

INFO — Lowest

Normal activity logged for awareness. First connection to a new server, uncommon port, long-lived session. Action: Nothing needed.

WATCH

Unusual but probably fine. Traffic bursts, DNS failures, cleartext data, packet congestion. Action: Glance at it. If you recognize the activity, it's fine.

SUSPICIOUS

Could be a problem. Large outbound transfers, one host contacting many destinations, regular timed connections (beaconing). Action: Investigate. Check the process name and destination.

CRITICAL — Highest

Likely malicious or a serious misconfiguration. SYN floods, port scans across 100+ ports, rogue DHCP servers. Action: Investigate immediately.

The Verdict

Green — "All clear": No issues found.
Cyan — "Minor items": Only INFO/WATCH findings.
Yellow — "SUSPICIOUS ACTIVITY": Warrants a closer look.
Red — "CRITICAL ISSUES": Immediate investigation needed.

Viewing Past Sessions

Every scan is saved automatically. To review:

Choose option 4 (View Sessions) from the menu.
Pick a session from the list.
Choose: Summary, HTML Map, Export, or Delete.

zpk.exe sessions

Exporting Reports

Choose option 6 (Export Session) from the menu.
Pick a session and format:

Format	Best for
PDF	Client deliverables, printing, emailing
Markdown	Readable text with tables
JSON	Programmatic processing, integrations
CSV	Spreadsheets (Excel, Google Sheets)
TXT	Pasting into emails or tickets

HTML Map

Choose option 5 (View Map) from the menu.
Pick a session. An interactive map opens in your browser.

Green dot — Your location
Cyan markers — 1-2 connections
Yellow/orange — 3-9 connections
Red — 10+ connections

Hover over any marker to see city, country, organization, and connection count.

AI Analysis (Optional)

ZPK can use a local AI model to assess your scan and give plain-English results. Everything runs on your machine — no cloud, no API keys.

What you need

Ollama — free tool that runs AI models locally (~200 MB installer)
A GPU with enough VRAM, or system RAM for CPU mode (slower)

Recommended models

Your hardware	Model	Download
GPU 8-12 GB VRAM (RTX 3060/4060/4070)	`qwen3:8b`	~5 GB
GPU 6 GB or less	`qwen3:4b`	~2.5 GB
No GPU, 16 GB+ RAM	`qwen3:4b`	~2.5 GB
No GPU, 8 GB RAM	`gemma3:1b`	~1 GB

Setup

Install Ollama from ollama.com.
Open a terminal and download a model:
```
ollama pull qwen3:8b
```
Done. ZPK connects to Ollama automatically.

Running analysis

Choose option 9 from the menu, or run:

zpk.exe analyze

The AI returns a color-coded assessment: risk level, concerns, normal traffic, actions to take, and a one-line summary.

Alerts Setup (Optional)

Get notified via Slack or email when ZPK finds something suspicious. Alerts fire automatically after each scan.

Config file

Create a config file by running:

zpk.exe config

This creates config.toml at C:\Users\YourName\.zpk\.

Slack alerts

Go to api.slack.com/apps and create a new app.
Enable Incoming Webhooks and add one to your channel.
Copy the webhook URL and add to your config:

[alerts]
slack_webhook = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL-HERE"

Gmail alerts

Enable App Passwords in your Google account (requires 2FA).
Create an app password for "ZPK."
Add to your config:

[alerts]
email_to = "you@gmail.com"
email_from = "you@gmail.com"
smtp_host = "smtp.gmail.com"
smtp_port = 587
smtp_user = "you@gmail.com"
smtp_pass = "your-app-password-here"

Configuration

ZPK works with sensible defaults. To customize:

zpk.exe config          # create default config
zpk.exe config --edit   # open in Notepad

Common customizations

Allowlist trusted hosts:

[allowlist]
hosts = ["192.168.1.1", "192.168.1.254"]
ports = [53, 80, 443, 8080]

Adjust sensitivity:

[thresholds]
dns_failure_count = 10
high_fanout_hosts = 50
large_egress_bytes = 10000000

Set your map location:

[location]
lat = 40.7128
lon = -74.0060
city = "New York"

Command Reference

Run zpk.exe with no arguments for the interactive menu, or use commands directly:

Command	Description
`run`	Capture and analyze network traffic
`live`	Capture with per-packet output
`sessions`	Browse saved sessions
`summary`	Show report from a saved session
`export`	Export to PDF, JSON, CSV, Markdown, TXT
`import`	Analyze a .pcap file
`map`	World map of connections (`--html` for browser)
`analyze`	AI security assessment via Ollama
`history`	Trends across sessions
`diff`	Compare two sessions
`baseline`	Save or compare traffic baseline
`schedule`	Periodic captures via Task Scheduler (`--list` to show active tasks)
`explain`	Show all risk tags
`setup`	Install Npcap
`interfaces`	List network interfaces
`config`	View/edit configuration
`geoip-update`	Download GeoIP databases
`cleanup`	Remove temp files
`uninstall`	Remove Npcap and ZPK data
`geoip-remove`	Remove cached GeoIP/ASN databases
`quickstart`	Interactive guided first-run wizard

Useful examples

The --duration flag accepts human-friendly formats: bare number (seconds), 30s, 10m, 1h.

zpk.exe run --duration 1m --geoip               # 1 minute scan with GeoIP
zpk.exe run --preset suspicious --duration 2m   # Sensitive mode
zpk.exe run --dns-only --duration 60s            # DNS traffic only
zpk.exe run --host 192.168.1.100 --duration 60   # Watch specific host
zpk.exe run --external-only --geoip -d 1m        # External connections only

Troubleshooting

"Npcap not detected"

Install Npcap via menu option 8, or download from npcap.com.
Check "WinPcap API-compatible mode" during install.
Restart your terminal after installation.
Make sure you're running as Administrator.

No packets captured (0 packets)

Run terminal as Administrator.
Close other capture tools (Wireshark) that may lock the interface.
Try: zpk.exe interfaces then zpk.exe run --interface "Ethernet"

GeoIP download fails

DNS-level ad blockers (Pi-hole, AdGuard) may block the download. Temporarily disable and retry.
Scans work fine without GeoIP — you just won't see maps or location data.

SmartScreen blocks zpk.exe

Click "More info" then "Run anyway." This only happens once. The EXE is not code-signed, which triggers the warning. This is normal for independent software.

Antivirus / VirusTotal false positives

Some antivirus products may flag zpk.exe as suspicious. This is a false positive caused by PyInstaller (the tool used to package ZPK into a standalone EXE). PyInstaller's bootloader is shared by many legitimate applications, but some AI-based scanners flag it generically. ZPK is open-source — the complete source code is included in your download so you can verify it yourself.

AI says "Ollama not found"

Install Ollama from ollama.com.
Check the system tray for the Ollama icon.
Restart your terminal after installing.

Firewall or antivirus blocks zpk.exe

Some antivirus programs flag ZPK because it captures network traffic (the same thing Wireshark does). This is a false positive.

Add zpk.exe to your antivirus exclusion list.
In Windows Security: Settings → Virus & threat protection → Exclusions → Add the folder containing zpk.exe.
If Windows Firewall blocks outbound connections for GeoIP downloads or Ollama, add zpk.exe as an allowed app.

Scans look wrong on a VPN

When connected to a VPN, ZPK may show unexpected results:

All traffic goes to one IP — this is your VPN server. All your traffic is tunneled through it, so ZPK only sees the tunnel endpoint. This is normal VPN behavior.
GeoIP shows the wrong country — you're seeing the VPN server's location, not the actual destination.
0 packets captured — ZPK may be listening on the wrong interface. Run zpk.exe interfaces and select your VPN adapter manually: zpk.exe run --interface "YourVPNAdapter"

To see real traffic destinations, disconnect the VPN before scanning, or capture on the VPN adapter specifically.

Too many false positives

Add trusted hosts to your allowlist: zpk.exe config --edit
Use the --preset health flag for balanced thresholds.
Use AI Analysis (option 9) — it separates real threats from noise and explains what's normal.

Common False Positives

On a typical home or office network, ZPK will flag things that look suspicious but are perfectly normal. Here's what to expect:

Gratuitous ARP

Phones, smart TVs, IoT devices, and printers regularly announce themselves on the network with ARP broadcasts. This looks like ARP spoofing to automated rules, but it's standard device behavior. Normal unless you see it from an IP you don't recognize.

DNS Failures

Reverse DNS lookups for local IPs (like 1.0.168.192.in-addr.arpa) often fail because your DNS server doesn't have PTR records for them. This is expected. Investigate only if you see many failures for external domains.

High Fanout (many destinations)

A Windows PC browsing the web normally contacts 30-50+ unique IPs in a few minutes — Google, CDNs, Microsoft, ad networks. This triggers the "high fanout" rule but is normal browsing. Investigate only if the source IP is a server or IoT device that shouldn't be reaching out broadly.

mDNS, LLMNR, SSDP, NetBIOS

Ports 5353, 5355, 1900, and 137 are standard Windows/Apple network discovery protocols. ZPK may flag them as "uncommon ports" but they are present on every home and office network. Normal.

Beacon-like Patterns

Some legitimate apps send regular keep-alive pings — Slack, Teams, VPNs, cloud sync. These can look like command-and-control beaconing. Check the process name — if it's slack.exe, teams.exe, or onedrive.exe, it's fine.

Plaintext HTTP to Google/CDNs

Connectivity checks (like http://connectivitycheck.gstatic.com) intentionally use HTTP to verify internet access. These trigger the "plaintext" rule but are harmless redirects. Normal.

DNS Tunneling Alerts for Telemetry

Long subdomain names from services like Datadog, HubSpot, or analytics platforms have high entropy that looks like DNS tunneling. If your DNS blocker (Pi-hole, AdGuard) is blocking them, you'll see the query but no successful connection. Normal if you recognize the service name.

Tip: When in doubt, run AI Analysis (option 9). It knows these patterns and will tell you what's normal vs. what needs attention.

Importing PCAP Files

ZPK can analyze packet captures from Wireshark, tcpdump, or any tool that exports .pcap or .pcapng files.

Choose option 3 (Import PCAP) from the menu.
Enter the path to your .pcap or .pcapng file.
ZPK runs all 23 detection rules and GeoIP lookups on the imported data.
Results are saved as a new session, just like a live capture.

From the command line:

zpk.exe import "C:\Captures\suspicious_traffic.pcap"
zpk.exe import "C:\Captures\suspicious_traffic.pcap" --geoip

Note: Process correlation is only available for live captures. Imported PCAPs won't show which application made each connection, since that information isn't stored in the capture file.

Scheduled Scans

ZPK can set up recurring captures using Windows Task Scheduler. Scans run in the background and save results automatically.

Setting up a scheduled scan

Open a terminal as Administrator.
Run:

zpk.exe schedule --every 1h --duration 30s --geoip

This creates a Windows Task Scheduler job that runs a 30-second capture every hour with GeoIP enabled.

Common schedules

zpk.exe schedule --every 1h --duration 30s --geoip    # Every hour
zpk.exe schedule --every 6h --duration 1m --geoip     # Every 6 hours
zpk.exe schedule --every 24h --duration 2m --geoip    # Once a day

Managing scheduled scans

zpk.exe schedule --list      # Show active scheduled tasks
zpk.exe schedule --remove    # Remove the scheduled task

Note: Scheduled scans require the terminal to run as Administrator. The Task Scheduler job is created with elevated privileges automatically.

Baselines & Diff

Baselines let you save a snapshot of "normal" traffic, then compare future scans against it to spot changes.

Creating a baseline

Run a scan during normal activity (no downloads, no unusual work).
Save it as your baseline:

zpk.exe baseline --save zpk_session_20260328_140530/session.json

Comparing against a baseline

zpk.exe baseline --compare zpk_session_20260401_090000/session.json

ZPK highlights new hosts, new ports, traffic volume changes, and new findings that weren't in the baseline.

Comparing two sessions directly

zpk.exe diff zpk_session_20260328_140530/session.json zpk_session_20260401_090000/session.json

Shows a side-by-side comparison: new connections, removed connections, changes in traffic volume, and new or resolved findings.

Choosing a Network Interface

Most PCs have multiple network interfaces (Wi-Fi, Ethernet, VPN adapters, loopback). ZPK picks one automatically, but you may need to choose manually.

List your interfaces

zpk.exe interfaces

This shows all available interfaces with their names, IPs, and status.

Pick a specific interface

zpk.exe run --interface "Wi-Fi" --duration 30s
zpk.exe run --interface "Ethernet" --duration 30s

Which interface should I use?

Situation	Interface
Desktop PC with cable	`Ethernet`
Laptop on Wi-Fi	`Wi-Fi`
Connected to VPN	The VPN adapter name (varies by provider)
Want all traffic	Let ZPK auto-detect (default)

Tip: If you get 0 packets, you're probably capturing on the wrong interface. Run zpk.exe interfaces and try each active one.

File Locations & Data Storage

ZPK stores everything locally. No cloud, no accounts. Here's where files go:

What	Location
ZPK executable	Wherever you put it (e.g. `C:\Tools\zpk.exe`)
Capture sessions	Same folder as `zpk.exe`, in timestamped folders (e.g. `zpk_session_20260328_140530/`)
Config file	`C:\Users\YourName\.zpk\config.toml`
GeoIP databases	`C:\Users\YourName\.zpk\`
HTML maps	Inside each session folder
PDF/CSV/JSON exports	Inside each session folder

Changing the output directory

To keep all sessions in one place regardless of where you run ZPK from:

[capture]
output_dir = "C:\\ZPK_Sessions"

Cleaning up

zpk.exe cleanup              # Remove temp files and caches
zpk.exe uninstall            # Remove Npcap and all ZPK data

Updating ZPK

To update ZPK:

Download the new zpk.exe from Lemon Squeezy (check your order email for the download link).
Replace the old zpk.exe with the new one. Overwrite the file.
Done.

Your data is safe. Sessions, config, GeoIP databases, and exports are stored separately and are not affected by replacing the EXE. Nothing is lost when you update.

Filtering & Targeting

ZPK supports built-in flags and raw BPF (Berkeley Packet Filter) expressions for precise traffic targeting.

Protocol filters

zpk.exe run --tcp --duration 60                    # TCP only
zpk.exe run --udp --duration 60                    # UDP only
zpk.exe run --dns-only --duration 60               # DNS traffic (port 53)
zpk.exe run --filter "icmp" --duration 60          # ICMP only
zpk.exe run --filter "arp" --duration 60           # ARP only

Host filters

# All traffic to/from a specific IP
zpk.exe run --host 192.168.1.100 --duration 60

# Bidirectional between two hosts (BPF)
zpk.exe run --filter "host 192.168.1.10 and host 192.168.1.100" --duration 60

# Entire subnet
zpk.exe run --filter "net 192.168.1.0/24" --duration 60

Port filters

zpk.exe run --port 443 --duration 60               # Single port
zpk.exe run --filter "port 80 or port 443" -d 60   # Multiple ports
zpk.exe run --filter "portrange 8000-9000" -d 60    # Port range
zpk.exe run --filter "dst port 22" --duration 60    # Destination port only

Combined filters

# TCP to a specific host on HTTPS
zpk.exe run --filter "dst host 8.8.8.8 and tcp port 443" --duration 60

# Monitor a server for SSH and RDP
zpk.exe run --filter "host 192.168.1.100 and (port 22 or port 3389)" --duration 120

# DNS queries to a specific DNS server
zpk.exe run --filter "host 8.8.8.8 and udp port 53" --duration 60

Common scenarios

Scenario	Command
Monitor all traffic	`zpk.exe run --duration 60 --geoip`
External connections only	`zpk.exe run --external-only --duration 60 --geoip`
Debug DNS issues	`zpk.exe run --dns-only --duration 60`
Monitor a specific server	`zpk.exe run --host 192.168.1.100 --duration 120`
Check for plaintext traffic	`zpk.exe run --filter "port 80 or port 21 or port 23" -d 60`
Sensitive mode	`zpk.exe run --preset suspicious --duration 120 --geoip`
Quick health check	`zpk.exe run --preset health --duration 30`

The --filter flag accepts standard BPF syntax (same as Wireshark/tcpdump capture filters). See the BPF reference for the full syntax.

Presets

Presets are predefined configurations for common scenarios. Use with zpk.exe run --preset <name>.

Preset	Description
`health`	Basic health check — all traffic, balanced thresholds
`dns`	DNS troubleshooting — filters to port 53
`outbound`	Outbound audit — external destinations only
`noisy`	Noisy host detection — find high-volume talkers
`suspicious`	Suspicious traffic watch — lower alert thresholds

Risk Tags

Each finding is tagged with a risk identifier. Use zpk.exe explain to see all tags with full descriptions.

Tag	Description
`uncommon_port`	Traffic on a non-standard or suspicious port
`dns_failure`	High volume of DNS resolution failures (NXDOMAIN)
`high_fanout`	Single host contacting many unique destinations
`beacon_pattern`	Regular-interval outbound connections (C2 pattern)
`plaintext`	Sensitive protocol over unencrypted channel
`large_egress`	Unusually large outbound data transfer
`new_external`	First connection to an external host in this session
`burst`	Sudden spike in packets per second
`long_session`	TCP session held open for an extended duration
`chatty_session`	Session with abnormally high packet count
`connection_reset`	TCP RST indicating refused or dropped connections
`dns_tunnel`	High-entropy DNS queries (possible DNS tunneling)
`arp_gratuitous`	Gratuitous ARP (possible ARP spoofing)
`syn_flood`	TCP SYN storm without handshake completion (DDoS)
`port_scan`	Single source probing 100+ unique ports
`dhcp_rogue`	Multiple DHCP servers on network (rogue server)
`cleartext_creds`	Credentials on cleartext services (FTP/Telnet/POP3)
`handshake_fail`	TCP SYN sent but no SYN-ACK received (host down?)
`lateral_movement`	Internal SMB/RDP/WinRM/SSH between local hosts
`connection_timeout`	Stalled connection with very few packets over time
`packet_loss`	3+ duplicate TCP ACKs (fast retransmit triggered)
`zero_window`	TCP receiver cannot accept data (overloaded)

Full Config Reference

All settings available in config.toml. CLI flags always take highest priority.

Section	Key	Default	Description
`[capture]`	`external_only`	`false`	Only analyze external traffic
`[capture]`	`output_dir`	`"."`	Output directory for exports
`[capture]`	`dns_resolve`	`true`	Reverse-DNS resolution
`[capture]`	`redact_sensitive`	`false`	Redact IPs in terminal output
`[capture]`	`utc_timestamps`	`false`	Use UTC instead of local time
`[thresholds]`	`dns_failure_count`	`10`	DNS failures before flagging
`[thresholds]`	`high_fanout_hosts`	`50`	Unique destinations to flag fanout
`[thresholds]`	`beacon_interval_tolerance`	`0.20`	Beacon interval std dev tolerance
`[thresholds]`	`large_egress_bytes`	`10000000`	Bytes to flag as large egress
`[thresholds]`	`burst_packets_per_sec`	`1000`	Packets/sec to flag as burst
`[thresholds]`	`long_session_seconds`	`3600`	Duration to flag as long-lived
`[thresholds]`	`chatty_session_packets`	`10000`	Packets to flag as chatty
`[allowlist]`	`hosts`	`[]`	IPs/hostnames to never flag
`[allowlist]`	`ports`	`[]`	Ports to never flag
`[allowlist]`	`ignored_cidrs`	`[]`	Extra CIDRs to ignore
`[location]`	`lat`	auto	Home marker latitude
`[location]`	`lon`	auto	Home marker longitude
`[location]`	`city`	auto	Home marker city name

Privacy & Safety

ZPK is designed with privacy as a default:

No payload capture. Only metadata (IPs, ports, sizes, timestamps) is recorded. No passwords, no file data, no message bodies.
No raw packets retained. Raw packet bytes are not stored in memory or on disk by default.
No data leaves your machine. No telemetry, no cloud, no phone-home. Fully offline after initial GeoIP/Ollama downloads.
Allowlists supported. Configure trusted hosts, ports, and CIDRs to exclude from analysis.
Redaction mode. Use --redact to mask IP addresses in terminal output when screen-sharing or recording.

Session Folder Contents

Each capture creates a timestamped folder containing:

File	Contents
`session.json`	Full session data (re-importable)
`report.pdf`	Formatted PDF report for printing or emailing
`connections.csv`	Connections with geo, org, process info
`findings.csv`	Findings with destination geo/org
`dns.csv`	DNS queries with answer geo/org
`findings.json`	Findings only (for SIEM import)
`report.md`	Human-readable Markdown report
`report.txt`	Plain-text report
`capture.pcap`	Truncated packet headers, 96 bytes/pkt (only with `--save-pcap`)

Exit Codes

Useful for scripting and automation:

Code	Meaning
`0`	Clean — no SUSPICIOUS or CRITICAL findings
`1`	SUSPICIOUS findings detected
`2`	CRITICAL findings detected

Example: run ZPK in a script and alert on non-zero exit:

zpk.exe run --duration 30s --geoip
if %ERRORLEVEL% GEQ 1 echo "Issues detected!"

FAQ

Is there a license key or activation?

No. There is no license key, no activation, no online check. Download the EXE, run it, done.

Does ZPK need an internet connection?

No. ZPK runs entirely offline. Internet is only needed for two optional one-time downloads: the GeoIP database and an Ollama AI model. After that, everything works offline.

Does ZPK send any data to the cloud?

No. Nothing leaves your machine. No telemetry, no analytics, no phoning home. All processing is local.

Can I install ZPK on multiple computers?

Yes. There are no activation limits. Copy zpk.exe to as many machines as you need.

Is there customer support?

No. ZPK is sold as-is with no direct support and no refunds. This documentation is your self-service resource. For common issues, see Troubleshooting and Common False Positives.

How do I get updates?

Check your Lemon Squeezy order email for the download link. Download the new zpk.exe and replace the old one. Your sessions and config are not affected. See Updating ZPK.

Is ZPK open source?

ZPK is licensed under GPL-2.0. The complete source code is included in your download.

Can I use ZPK at work / on a corporate network?

You are responsible for getting authorization from your network administrator before capturing traffic on any network you don't own. See the license for the full network monitoring disclaimer.

What's the difference between Quick Scan and Custom Scan?

Quick Scan captures all traffic for 30 seconds with default settings. Custom Scan lets you choose the duration, protocol filter, specific host, port, and interface.

Why does my scan show connections to IPs I don't recognize?

Your PC constantly talks to CDNs, DNS servers, Microsoft telemetry, software update servers, and ad networks in the background. This is normal. Use the GeoIP data and process name to identify what's making each connection. See Common False Positives for typical examples.

Can I use ZPK with Wireshark?

Yes. You can import Wireshark .pcap or .pcapng captures into ZPK for analysis. See Importing PCAP Files. Both tools use Npcap, but don't run them at the same time — they may conflict over the network interface.