Application Packet Capture: A better way to PCAP.

What is it?

AppPacCap is a packet capture framework designed to provide granular capture capabilities with a fully extensible front-end. The AppPacCap service provide a RESTful API that allows for control of the packet capture process as well as the visualization of the data. AppPacCap provides a powerful back-end functionality that can be leveraged to create useful and functional front-ends that meet specific needs.

How is it different than Wireshark?

There are a few key differences between AppPacCap and Wireshark. First, Wireshark only provides full system packet capture. There is no easy way to identify and filter the packets based on the application sending them. Microsoft's Network Monitor provides that level of capture but is discontinued while the follow-on replacement, Microsoft's Message Analayzer, has limitations that can lead to incorrect packet association. AppPacCap solves this issue and allows granular targeting of applications down to the thread so you only capture what you want.

The second difference is what can be done with the data after it is captured. All of the tools listed above have some extensibility but nothing to the level that AppPacCap provides. With data captured through those tools, generally a PCAP file is exported and then imported into some other tool to provide enrichment. With AppPacCap, enrichment can occur organically and then displayed in the format you desire thanks to the fully extensible front-end.

Why Use AppPacCap?

There are numerous use cases for AppPacCap. Like other packet capture tools, network debugging and malware analysis can be performed with AppPacCap but now with more precision by targeting the specific processes of interest. Better network forensics can be performed with process information associated with the captures. AppPacCap runs as a service and exposes a RESTful API which means that data can be queried remotely. This allows for every system running AppPacCap to act as a sensor that can report back to a central repository. This reduces the need for a network tap or SPAN port while providing more metadata about the captured data. Data visualization is also easy thanks to built-in enrichment capabilities and the ability to use powerful Javascript libraries for charts and graphs.

Video demo


  • Full packet capture at the system, process or thread level
  • Web server interface with RESTful API
  • Customizable enrichment capabilities
  • Complete front-end control


v1.2020.143.1840 (x64) - 22 May 2020.