AppPacCap

Application Packet Capture: A better way to PCAP.

Filter and Search

AppPacCap provides powerful filtering and search over the packets you capture. The query syntax supports boolean logic (&&, ||, !) and full-packet content searching. A filter can be applied when a capture session starts, or when a PCAP export is requested, so that only matching packets are saved. A search can be run at any time and covers all active and completed capture sessions.

The following tokens can be used when building a search or filter query. The search_verify_filter API checks whether a filter string has valid syntax before it is used. Any further filtering can be done through the customizable front-end.

eth
eth.type
eth.addr
eth.src
eth.dst

arp

ip
ip.addr
ip.flags
ip.len
ip.ttl
ip.pro
ip.id
ip.chksum
ip.src
ip.dst

tcp.srcport
tcp.dstport
tcp.ack
tcp.seq
tcp.flags
tcp.chksum

udp.srcport
udp.dstport
udp.len
udp.chksum

icmp
icmp.code
icmp.type
icmp.chksum

There are two ways to perform a full-packet search: by hex values or by characters. To search by hex, prefix each byte value with 0x and separate the values with spaces. Character searches are case insensitive and match both narrow (one byte per character) and wide (two bytes per character) text. Whichever form you use, the search term must be enclosed in double quotes ("). Note that the two examples below are not equivalent: the hex form matches only the exact bytes 0x4d 0x5a ("MZ"), whereas the character form "MZ" also matches "mz" and the wide-character spelling of either.

Search with hex

    ip.addr == 192.168.3.0 && "0x4d 0x5a"


Search with characters

    ip.addr == 192.168.3.0 && "MZ"