AppPacCap
Application Packet Capture: A better way to PCAP.
Data Objects
AppPacCap provides a RESTful API that allows for control of the packet capture process as well as visualization of the captured data. This powerful back-end functionality can be used to create useful and functional front-ends that meet specific needs. Here you can explore the data objects returned by AppPacCap.
RESPONSE Object
All data is returned as a JSON object. Every request is wrapped in a RESPONSE object. RESPONSE is defined below:
ErrorCode (int)
DataType (int)
ReturnValue (string)
The ErrorCode field is used to indicate success or failure. An ErrorCode of zero (0) indicates success, anything greater than zero is an error, and anything less than zero is invalid. Here are some common error code values:
ERROR_SERVE_SUCCESS = 0
ERROR_SERVE_GENERIC_ERROR = 1
ERROR_SERVE_NO_TOKEN = 2
ERROR_SERVE_NO_PAGE = 3
ERROR_SERVE_MALFORMED_REQUEST = 4
ERROR_SERVE_SESSION_TIMEOUT = 5
ERROR_SERVE_INVALID_PERMISSIONS = 8
ERROR_SERVE_INVALID_CREDENTIALS = 9
ERROR_SERVE_INVALID_LICENSE = 12
DataType indicates what the ReturnValue represents. Possible options are:
DATA_TYPE_STRING = 1
DATA_TYPE_INT = 2
DATA_TYPE_JSON = 3
DATA_TYPE_HEX = 4
All objects start with a Version field. This will be updated if the object structure changes. Please ensure you check this field when processing the object.
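The following is an added example of a client-side helper for the RESPONSE envelope described above; it is not part of AppPacCap itself. It refuses negative (invalid) error codes, maps non-zero codes to the names listed above, decodes ReturnValue according to DataType, and checks the Version field of a JSON payload before handing it on. The assumption that a JSON payload is carried as a string inside ReturnValue, and the sample envelopes, are constructed for the example.

```python
import json

# Error codes and DataType values exactly as listed on this page.
ERROR_CODES = {
    0: "ERROR_SERVE_SUCCESS", 1: "ERROR_SERVE_GENERIC_ERROR",
    2: "ERROR_SERVE_NO_TOKEN", 3: "ERROR_SERVE_NO_PAGE",
    4: "ERROR_SERVE_MALFORMED_REQUEST", 5: "ERROR_SERVE_SESSION_TIMEOUT",
    8: "ERROR_SERVE_INVALID_PERMISSIONS", 9: "ERROR_SERVE_INVALID_CREDENTIALS",
    12: "ERROR_SERVE_INVALID_LICENSE",
}
DATA_TYPE_STRING, DATA_TYPE_INT, DATA_TYPE_JSON, DATA_TYPE_HEX = 1, 2, 3, 4


class AppPacCapError(Exception):
    """Raised for any non-zero ErrorCode in the RESPONSE envelope."""
    def __init__(self, code):
        super().__init__(f"{code} ({ERROR_CODES.get(code, 'unknown error code')})")
        self.code = code


def unwrap_response(raw, expected_version=None):
    """Validate a RESPONSE envelope and return its decoded ReturnValue.

    expected_version: when the payload is a JSON object, its Version field
    must equal this value (None skips the check).
    """
    env = json.loads(raw)
    code = int(env["ErrorCode"])
    if code < 0:
        raise ValueError(f"invalid ErrorCode {code}: negative codes are not defined")
    if code != 0:
        raise AppPacCapError(code)
    dtype, value = int(env["DataType"]), env["ReturnValue"]
    if dtype == DATA_TYPE_STRING:
        return value
    if dtype == DATA_TYPE_INT:
        return int(value)
    if dtype == DATA_TYPE_HEX:
        return bytes.fromhex(value)
    if dtype == DATA_TYPE_JSON:
        # Assumption: the JSON payload arrives as a string inside ReturnValue;
        # an already-decoded object is accepted as well.
        obj = json.loads(value) if isinstance(value, str) else value
        if expected_version is not None and obj.get("Version") != expected_version:
            raise ValueError(f"unexpected object Version {obj.get('Version')}")
        return obj
    raise ValueError(f"unknown DataType {dtype}")


# Constructed sample envelopes (not captured from a real server).
SAMPLE_OK = json.dumps({"ErrorCode": 0, "DataType": DATA_TYPE_JSON, "ReturnValue": json.dumps(
    {"Version": 1, "AppPacCap": "x.y", "Licensed": 1, "LicenseType": "trial",
     "MachineName": "LAB-PC01", "OS": "Windows", "MapData": 0, "Threat": 0, "Updated": 1})})
SAMPLE_TIMEOUT = json.dumps({"ErrorCode": 5, "DataType": DATA_TYPE_STRING, "ReturnValue": ""})
SAMPLE_HEX = json.dumps({"ErrorCode": 0, "DataType": DATA_TYPE_HEX, "ReturnValue": "dead"})
```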
APPPACCAP Object
The APPPACCAP object provides information on the current AppPacCap installation. This information can be used to tailor the interface based on the returned values. APPPACCAP is defined below:
Version (int)
AppPacCap (string)
Licensed (int)
LicenseType (string)
MachineName (string)
OS (string)
MapData (int)
Threat (int)
Updated (int)
- Version: Indicates structure version.
- AppPacCap: Provides the current AppPacCap installation version.
- Licensed: Indicates if AppPacCap is licensed. 1 if true, 0 if false.
- LicenseType: A string representation of the current license.
- MachineName: The computer name.
- OS: The OS version.
- MapData: Indicates if GeoLite2 map data is available. 1 if true, 0 if false.
- Threat: Indicates if threat intel URLs have been provided. 1 if true, 0 if false.
- Updated: Indicates if AppPacCap was updated the last time it ran. 1 if true, 0 if false.
ACTION Object
The ACTION object is used to represent user defined actions that can be triggered by certain events. ACTION is defined below:
Version (int)
Id (int)
Name (string)
ActionType (int)
Triggers (listOf int)
ModuleName (string)
Path (string)
ImgSrc (string)
Parameters (string)
Flags (int)
- Version: Indicates structure version.
- Id: Action id value used to reference this action where an id value is required.
- Name: Action name useful for display purposes.
- ActionType: Defines what action should occur.
- Triggers: List of associated trigger ids. Count will be zero if this is a system-wide action.
- ModuleName: Executable file name (without path) if defined by the action.
- Path: Full file path if defined by the action.
- ImgSrc: Relative image source (i.e. /img/icons/...) to the executable icon.
- Parameters: Parameters to be passed if defined by the action.
- Flags: Additional action-specific flags.
CAPTURE Object
The CAPTURE object is used to define active capture sessions. CAPTURE is defined below:
Version (int)
CaptureId (int)
ProcessId (int)
Pid (int)
Tid (int)
Filter (string)
TotalPackets (int)
TotalBytes (int)
DTGStart (int)
DTGEnd (int)
IsSystem (int)
ModuleName (string)
Path (string)
ImgSrc (string)
Notes (string)
- Version: Indicates structure version.
- CaptureId: Capture id value used to reference this capture where an id value is required.
- Pid: System process id that is being captured. If system capture, this will be 4.
- Tid: System thread id that is being captured. If all process threads are being captured, this will be 0.
- Filter: The filter string used to filter captured packets. Blank if none provided.
- TotalPackets: Total number of packets captured.
- TotalBytes: Total bytes of all packets captured.
- DTGStart: Start date in UTC filetime.
- DTGEnd: End date in UTC filetime. If capture is still active, this will be 0.
- IsSystem: 1 if this is a system-wide capture, 0 otherwise.
- ModuleName: Executable file name (without path) of the process being captured. If system capture, this will be 'System.'
- Path: Full file path of the process being captured. If system capture, this will be 'System.'
- ImgSrc: Relative image source (i.e. /img/icons/...) to the process icon.
- Notes: User defined notes about the capture session.
CAPTUREMETA Object
CAPTUREMETA is used to define additional details about the active or closed capture sessions. CAPTUREMETA is defined below:
Version (int)
CaptureId (int)
ProcessId (int)
Pid (int)
Tid (int)
ModuleName (string)
Path (string)
ImgSrc (string)
ParentPid (int)
ParentModuleName (string)
ParentPath (string)
ParentImgSrc (string)
DTGFirst (int)
DTGLast (int)
LastConnectionId (int)
LastIpId (int)
LastPacketId (int)
LastProcessId (int)
TotalPackets (int)
TotalBytes (int)
TotalConnections (int)
- Version: Indicates structure version.
- CaptureId: Capture id value used to reference this capture where an id value is required.
- ProcessId: Process id value used to reference this process where an id value is required.
- Pid: System process id that is being captured. If system capture, this will be 4.
- Tid: System thread id that is being captured. If all threads in a process are being captured, or this is a system capture, this will be 0.
- ModuleName: Executable file name (without path) of the process being captured. If system capture, this will be 'System.'
- Path: Full file path of the process being captured. If system capture, this will be 'System.'
- ImgSrc: Relative image source (i.e. /img/icons/...) to the process icon.
- ParentPid: System process id of the parent process. Only valid if capture was triggered by the parent.
- ParentModuleName: Executable file name (without path) of the parent process. Only valid if capture was triggered by the parent.
- ParentPath: Full file path of the parent process. Only valid if capture was triggered by the parent.
- ParentImgSrc: Relative image source (i.e. /img/icons/...) to the parent process icon. Only valid if capture was triggered by the parent.
- DTGFirst: Date in UTC filetime of the first packet captured.
- DTGLast: Date in UTC filetime of the last packet captured.
- LastConnectionId: ID of the most recent connection. Can be used to query for latest updates.
- LastIpId: ID of the most recent IP. Can be used to query for latest updates.
- LastPacketId: ID of the most recent packet. Can be used to query for latest updates.
- LastProcessId: ID of the most recent process. Can be used to query for latest updates.
- TotalPackets: Total number of packets captured.
- TotalBytes: Total bytes of all packets captured.
- TotalConnections: Total number of connections recorded.
COMMAND Object
The COMMAND object is used to relay status information about pending commands. COMMAND is defined below:
Version (int)
Uid (string)
Command (string)
Status (int)
ErrorCode (int)
Output (string)
DtgAdd (int)
DtgUpdate (int)
- Version: Indicates structure version.
- Uid: Command id string used for reference purposes.
- Command: String based value of the requested command.
- Status: Commands are not executed right away and are queued up. Status indicates where in the process the command is.
- ErrorCode: Provides additional information on success or failure of the command.
- Output: Command specific output data. For example, could be a filename or process output.
- DTGAdd: Date in UTC filetime of when the command was created.
- DTGUpdate: Date in UTC filetime of when the command was last updated.
CONNECTION Object
The CONNECTION object provides details about the process that initiated a network connection. CONNECTION is defined below:
Version (int)
Id (int)
Pid (int)
Tid (int)
DTG (int)
SrcIp (string)
SrcPort (int)
DstIp (string)
DstPort (int)
- Version: Indicates structure version.
- Pid: System process id.
- Tid: System thread id.
- DTG: Date in UTC filetime of when the connection was created.
- SrcIp: The source IP.
- SrcPort: The source port.
- DstIp: The destination IP.
- DstPort: The destination port.
EXPORTFILE Object
The EXPORTFILE object defines exported PCAP file metadata. EXPORTFILE is defined below:
Version (int)
FileName (string)
RelativePath (string)
- Version: Indicates structure version.
- FileName: The full file path where the pcap is located on disk.
- RelativePath: The relative path of the pcap file.
EXTRACTFILE Object
The EXTRACTFILE object defines extracted file metadata on disk. EXTRACTFILE is defined below:
Version (int)
FileId (int)
FileName (string)
RelativePath (string)
FileType (string)
Size (int)
- Version: Indicates structure version.
- FileId: The file id of the file.
- FileName: The full path where the file is located on disk.
- RelativePath: The relative path of the file.
- FileType: The extension of the file without the period (.).
- Size: The size of the file on disk.
EXTRACTSTREAM Object
The EXTRACTSTREAM object defines extracted file stream metadata. EXTRACTSTREAM is defined below:
Version (int)
StreamId (int)
Protocol (int)
FileName (string)
- Version: Indicates structure version.
- StreamId: The stream id of the capture session.
- Protocol: Numerical value of the protocol.
- FileName: The name of the file pulled from the packet.
IP Object
The IP object defines IP metadata. IP is defined below:
Version (int)
Id (int)
Ip (string)
Country (string)
City (string)
HostName (string)
Lat (decimal)
Lng (decimal)
Data (string)
DTG (int)
- Version: Indicates structure version.
- Id: The id of the IP address.
- Ip: The IP address.
- Country: Geolocated country.
- City: Geolocated city.
- HostName: Resolved host name.
- Lat: Geolocated latitude.
- Lng: Geolocated longitude.
- Data: Associated user-defined data.
- DTG: Date in UTC filetime of when the IP was first captured.
NETADAPTER Object
NETADAPTER defines network adapters on the system. NETADAPTER is defined below:
Version (int)
Name (string)
Up (int)
MAC (string)
Ip4 (string)
Ip6 (string)
TapId (int)
- Version: Indicates structure version.
- Name: Name of the network adapter.
- Up: 1 indicates the adapter is connected, 0 otherwise.
- MAC: MAC address of the adapter.
- Ip4: IPv4 address of the adapter.
- Ip6: IPv6 address of the adapter.
- TapId: The adapter id. 0 if not being captured. (Version 2)
PACKET Object
The PACKET object provides both metadata about the packet and the actual raw packet bytes. PACKET is defined below:
Version (int)
ConnectionId (int)
Id (int)
DTG (int)
Size (int)
SrcIp (string)
SrcPort (int)
DstIp (string)
DstPort (int)
L2t (int)
L2l (int)
L3t (int)
L3o (int)
L3l (int)
L4t (int)
L4o (int)
L4l (int)
L5o (int)
L5l (int)
HexBytes (string)
Notes (string)
- Version: Indicates structure version.
- ConnectionId: Connection id this packet is associated with.
- Id: Packet id that can be used to reference this packet.
- DTG: Date in UTC filetime of when the packet was captured.
- Size: The number of bytes of the captured packet.
- SrcIp: The source IP.
- SrcPort: The source port.
- DstIp: The destination IP.
- DstPort: The destination port.
- L2t: Layer 2 header type.
- L2l: Layer 2 header length.
- L3t: Layer 3 header type.
- L3o: Layer 3 header offset.
- L3l: Layer 3 header length.
- L4t: Layer 4 header type.
- L4o: Layer 4 header offset.
- L4l: Layer 4 header length.
- L5o: Layer 5 header offset.
- L5l: Layer 5 header length.
- HexBytes: The captured packet in hex format.
- Notes: User defined notes about the packet.
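An added example, not AppPacCap code, showing how a consumer can use the PACKET offsets and lengths above to slice HexBytes into layers and convert the DTG value (a UTC filetime, i.e. 100 ns ticks since 1601-01-01) to a datetime. The offsets are checked against Size before any slicing so that an inconsistent object is rejected rather than quietly misparsed. The sample frame and its field values are constructed; the layer type codes (L2t, L3t, L4t) are not defined on this page and are left as 0.

```python
from datetime import datetime, timedelta, timezone

# DTG fields are UTC FILETIME values: 100 ns ticks since 1601-01-01 (Windows epoch).
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a UTC FILETIME integer to an aware datetime (sub-microsecond ticks dropped)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def split_packet_layers(pkt):
    """Slice a PACKET object's HexBytes into layers using its offset/length fields.

    The offsets are trusted only after a consistency check against Size, so a
    malformed object raises instead of producing empty or out-of-range slices.
    """
    raw = bytes.fromhex(pkt["HexBytes"])
    if len(raw) != pkt["Size"]:
        raise ValueError(f"Size {pkt['Size']} does not match {len(raw)} decoded bytes")
    # Each layer must start at or after the end of the previous one and end inside the packet.
    spans = [("l2", 0, pkt["L2l"]), ("l3", pkt["L3o"], pkt["L3l"]),
             ("l4", pkt["L4o"], pkt["L4l"]), ("l5", pkt["L5o"], pkt["L5l"])]
    layers, prev_end = {}, 0
    for name, off, length in spans:
        if off < prev_end or length < 0 or off + length > len(raw):
            raise ValueError(f"{name} span {off}+{length} is inconsistent with the packet")
        layers[name] = raw[off:off + length]
        prev_end = off + length
    layers["captured_at"] = filetime_to_datetime(pkt["DTG"])
    return layers


# Constructed sample: Ethernet + IPv4 + TCP + 18-byte payload (checksums left as zero).
_FRAME = (bytes.fromhex("001122334455" "66778899aabb" "0800")                        # Ethernet, 14 bytes
          + bytes.fromhex("4500003a00010000" "40060000" "c0a8010a" "5db8d822")     # IPv4, 20 bytes
          + bytes.fromhex("c3500050" "00000001" "00000000" "5018ffff" "00000000")  # TCP, 20 bytes
          + b"GET / HTTP/1.0\r\n\r\n")                                              # payload, 18 bytes
SAMPLE_PACKET = {
    "Version": 1, "ConnectionId": 7, "Id": 42, "DTG": 133000000000000000,
    "Size": len(_FRAME), "SrcIp": "192.168.1.10", "SrcPort": 50000,
    "DstIp": "93.184.216.34", "DstPort": 80,
    # Type codes are not defined on this page; left as 0 in this constructed sample.
    "L2t": 0, "L2l": 14, "L3t": 0, "L3o": 14, "L3l": 20,
    "L4t": 0, "L4o": 34, "L4l": 20, "L5o": 54, "L5l": 18,
    "HexBytes": _FRAME.hex(), "Notes": "constructed sample",
}
```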
PACKETSTREAM Object
The PACKETSTREAM object is used to return a large number of PACKET and PROCCON objects during a query. PACKETSTREAM is defined below:
Version (int)
CaptureId (int)
LastConnectionId (int)
LastIpId (int)
LastPacketId (int)
LastProcessId (int)
Count (int)
Returned (int)
Total (int)
Packets (listOf PACKET)
ProcessConnections (dictionaryOf (int, PROCCON))
- Version: Indicates structure version.
- CaptureId: Capture id these packets are associated with.
- LastConnectionId: ID of the most recent connection. Can be used to query for latest updates.
- LastIpId: ID of the most recent IP. Can be used to query for latest updates.
- LastPacketId: ID of the most recent packet. Can be used to query for latest updates.
- LastProcessId: ID of the most recent process. Can be used to query for latest updates.
- Count: The number of packets in the list.
- Returned: The number of packets before the first one in the list.
- Total: The total number of captured packets.
- Packets: A list of individual PACKET objects.
- ProcessConnections: A dictionary with a key/value pair of {ConnectionId/PROCCON}.
PROCCONN Object
The PROCCONN object provides details about a specific connection. PROCCONN is defined below:
Version (int)
Pid (int)
Tid (int)
Path (string)
ModuleName (string)
ImgSrc (string)
- Version: Indicates structure version.
- Pid: System process id.
- Tid: System thread id.
- ModuleName: Executable file name (without path) of the process.
- Path: Full file path of the process.
- ImgSrc: Relative image source (i.e. /img/icons/...) to the process icon.
PROCESS Object
The PROCESS object provides details about a running or closed process. PROCESS is defined below:
Version (int)
Id (int)
Pid (int)
Threads (listOf int)
ModuleName (string)
Path (string)
ImgSrc (string)
DTGStart (int)
DTGEnd (int)
Captures (int)
- Version: Indicates structure version.
- Pid: System process id.
- Threads: A list of all process threads that have associated network activity.
- ModuleName: Executable file name (without path) of the process.
- Path: Full file path of the process.
- ImgSrc: Relative image source (i.e. /img/icons/...) to the process icon.
- DTGStart: Date in UTC filetime of when the process was created.
- DTGEnd: Date in UTC filetime of when the process closed. This will be 0 if the process is still running.
- Captures: The number of completed captures associated with this process.
SEARCHMETA Object
The SEARCHMETA object describes a search query and status. SEARCHMETA is defined below:
Version (int)
Id (int)
Query (string)
FoundCount (int)
Status (int)
ErrorCode (int)
- Version: Indicates structure version.
- Id: The search id.
- Query: The submitted query.
- FoundCount: The total items found.
- Status: The status of the search operation.
- ErrorCode: The error code of the search operation.
SEARCHLIST Object
The SEARCHLIST object is returned when a search is performed. SEARCHLIST is defined below:
Version (int)
SearchId (int)
Returned (int)
LastId (int)
Total (int)
Status (int)
Results (dictionaryOf (int, listOf PACKET))
- Version: Indicates structure version.
- SearchId: The search id that can be used to reference this search later.
- Returned: The number of PACKET objects returned.
- LastId: The id of the last item returned.
- Status: The status of the search operation.
- Results: A dictionary keyed by capture id, each value a list of PACKET objects.
SEARCHSYNTAX Object
The SEARCHSYNTAX object is returned when a search filter validation check is performed. SEARCHSYNTAX is defined below:
Version (int)
ErrorCode (int)
Filter (int)
- Version: Indicates structure version.
- ErrorCode: Indicates if the supplied filter is syntactically correct.
- Filter: The processed filter output. Will be blank on error.
STATSCAPTUREQUERY Object
The STATSCAPTUREQUERY object is a lighter version of the CAPTUREMETA object. STATSCAPTUREQUERY provides packet counts for a specific capture session. STATSCAPTUREQUERY is defined below:
Version (int)
TotalPackets (int)
TotalBytes (int)
TotalConnections (int)
TotalProcesses (int)
TotalIps (int)
Ip4 (int)
Ip6 (int)
TCP (int)
UDP (int)
ICMP (int)
- Version: Indicates structure version.
- TotalPackets: Total number of packets captured during a specific capture session.
- TotalBytes: Total number of bytes captured during a specific capture session.
- TotalConnections: Total number of connections recorded during a specific capture session.
- TotalProcesses: Total number of processes captured during the session.
- TotalIps: Total number of unique IPs captured during the session.
- Ip4: Total number of IPv4 packets.
- Ip6: Total number of IPv6 packets.
- TCP: Total number of TCP packets.
- UDP: Total number of UDP packets.
- ICMP: Total number of ICMP packets.
STATSQUERY Object
The STATSQUERY object provides system wide values. STATSQUERY is defined below:
Version (int)
Processes (int)
Captures (int)
LastCaptureId (int)
ActiveVersion (int)
Adapters (int)
TotalPackets (int)
TotalBytes (int)
TotalConnections (int)
- Version: Indicates structure version.
- Processes: Total number of running processes.
- Captures: Total number of active captures.
- LastCaptureId: Last completed capture id.
- ActiveVersion: Value used to indicate when a capture session has changed. Gets incremented on each change.
- Adapters: Total number of network adapters.
- TotalPackets: Total number of packets, captured or not.
- TotalBytes: Total number of bytes, captured or not.
- TotalConnections: Total number of connections identified.
THREAD Object
The THREAD object provides the process thread information. THREAD is defined below:
Version (int)
Id (int)
ProcessId (int)
TotalPackets (int)
TotalBytes (int)
TotalConnections (int)
DTGStart (int)
DTGEnd (int)
- Version: Indicates structure version.
- Id: Id of the trigger object that can be used to reference it.
- ProcessId: Id of the process the thread is associated with.
- TotalPackets: Total number of packets.
- TotalBytes: Total number of bytes.
- TotalConnections: Total number of connections.
- DTGStart: Date in UTC filetime of when the thread started.
- DTGEnd: Date in UTC filetime of when the thread closed. 0 if it is still running.
TRIGGER Object
The TRIGGER object provides the user defined trigger data. TRIGGER is defined below:
Version (int)
Id (int)
Name (string)
TriggerType (int)
Filter (string)
Flags (int)
IsDirectory (int)
ModuleName (string)
Path (string)
ImgSrc (string)
Actions (listOf int)
- Version: Indicates structure version.
- Id: ID of the trigger object that can be used to reference it.
- Name: Trigger name useful for display purposes.
- TriggerType: Type of the trigger.
- Filter: Filter that will be applied for any capture session started by this trigger.
- Flags: Option flags for the trigger event.
- IsDirectory: Set to 1 if the path is a directory.
- ModuleName: Executable file name (without path) of the trigger process.
- Path: Full file path of the trigger process.
- ImgSrc: Relative image source (i.e. /img/icons/...) to the trigger process icon.
- Actions: List of associated action ids.