Iterative development of protocol parsers
Abstract:
Systems, methods, and related technologies for determining fields of an unknown protocol are described. Network traffic capture is grouped into one or more clusters of packets based on similarity. Each of the one or more clusters is parsed to identify one or more fields of an unknown protocol. The network traffic capture is modified, including annotating the identified one or more fields of the unknown protocol. A protocol parser is generated without user input, including parsing each of the annotated one or more fields of the unknown protocol to generate a description of the unknown protocol comprising identified one or more fields of the unknown protocol and an order of the identified one or more fields of the unknown protocol, and compiling the description into the protocol parser.
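The pipeline in the abstract (cluster, identify fields, ordered description, compiled parser) can be sketched as follows. This is an added example, not code from the patent. The similarity metric, the constant/varying field heuristic, the sample packets and every name in it are assumptions, since the abstract specifies none of them.

```python
from collections import namedtuple

Field = namedtuple("Field", "name offset length kind")  # kind: "const" or "var"

# Constructed sample capture: two made-up message types, interleaved.
SAMPLE_PACKETS = [bytes.fromhex(h) for h in (
    "aa55010100041a2b", "aa5502ff0010", "aa55010200043c4d",
    "aa55010300045e6f", "aa5502ff0020")]

def similarity(a, b):
    """Assumed metric: share of equal bytes; 0 for empty or unequal-length packets."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)

def cluster(packets, threshold=0.5):
    """Greedy grouping: join the first cluster whose first packet is similar enough."""
    clusters = []
    for p in packets:
        for c in clusters:
            if similarity(p, c[0]) >= threshold:
                c.append(p)
                break
        else:
            clusters.append([p])
    return clusters

def describe(group):
    """Ordered field list: maximal runs of offsets that are constant or varying."""
    n = len(group[0])
    kinds = ["const" if len({p[i] for p in group}) == 1 else "var" for i in range(n)]
    fields, start = [], 0
    for i in range(1, n + 1):
        if i == n or kinds[i] != kinds[start]:
            fields.append(Field(f"f{len(fields)}_{kinds[start]}", start, i - start, kinds[start]))
            start = i
    return fields

def compile_parser(fields):
    """Turn a description into a parser that rejects packets of the wrong length."""
    total = sum(f.length for f in fields)
    def parse(packet):
        if len(packet) != total:
            raise ValueError("packet length does not match the description")
        return {f.name: packet[f.offset:f.offset + f.length] for f in fields}
    return parse

def build_parsers(packets):
    """Full pipeline: one (description, parser) pair per cluster."""
    return [(d, compile_parser(d)) for d in map(describe, cluster(packets))]
```

A field that happens not to vary in the capture is reported as constant, so the inferred description is only as good as the traffic sample behind it.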