Application Packet Capture: A better way to PCAP.
Filter and Search
AppPacCap provides powerful filtering and search capabilities for the packets you capture. The syntax supports boolean logic (&&, ||, !) and can perform full packet searching. Filtering can be applied at the start of a capture session or during a PCAP export request so only matching packets are saved. Searching can be performed at any point and will cause AppPacCap to search through all active and completed capture sessions.
The following are the tokens that can be used when building your search or filter query. The API search_verify_filter can be used to check if a filter string has valid syntax. Any additional filtering can be performed through the customizable front-end.
eth  eth.type  eth.addr  eth.src  eth.dst
arp
ip  ip.addr  ip.flags  ip.len  ip.ttl  ip.pro  ip.id  ip.chksum  ip.src  ip.dst
tcp.srcport  tcp.dstport  tcp.ack  tcp.seq  tcp.flags  tcp.chksum
udp.srcport  udp.dstport  udp.len  udp.chksum
icmp  icmp.code  icmp.type  icmp.chksum
There are two ways to perform a full packet search: by hex values or by characters. To search by hex, each value must start with 0x and be separated by a space. Character searching is case insensitive with narrow and wide character support. Whichever way you search, the search term must be enclosed in quotes, as in the examples below.
Search with hex
ip.addr == 192.168.3.0 && "0x4d 0x5a"
Search with characters
ip.addr == 192.168.3.0 && "MZ"
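
The two search forms described above, modelled as an added Python example; this is not AppPacCap code and does not call its API. It assumes that a hex term matches bytes exactly and that "wide" means UTF-16LE; parse_term, matches and the sample packets are hypothetical names and constructed data.

```python
import re

# One or more space-separated, 0x-prefixed byte values, e.g. 0x4d 0x5a
HEX_TERM = re.compile(r"0x[0-9a-fA-F]{1,2}(?: 0x[0-9a-fA-F]{1,2})*")

def parse_term(quoted):
    """Split a quoted search term into ('hex', bytes) or ('chars', str)."""
    if len(quoted) < 3 or not (quoted[0] == quoted[-1] == '"'):
        raise ValueError("search term must be enclosed in quotes")
    body = quoted[1:-1]
    if HEX_TERM.fullmatch(body):
        return "hex", bytes(int(tok, 16) for tok in body.split(" "))
    return "chars", body

def matches(quoted, packet):
    """Return True if the quoted term occurs anywhere in the packet bytes."""
    kind, value = parse_term(quoted)
    if kind == "hex":
        return value in packet  # assumption: hex terms are byte-exact
    haystack = packet.lower()   # bytes.lower() folds ASCII letters only
    # Try the narrow (UTF-8) and wide (UTF-16LE, assumed) encodings of the term
    return any(value.encode(enc).lower() in haystack
               for enc in ("utf-8", "utf-16-le"))

# Constructed sample packets: an HTTP body starting with a PE header,
# and a payload carrying a wide-character file name.
PE_PACKET = b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00\x03\x00"
WIDE_PACKET = b"\x10\x00" + "Invoice.EXE".encode("utf-16-le")

def demo():
    """Run a few terms against the constructed packets."""
    cases = [('"0x4d 0x5a"', PE_PACKET), ('"mz"', PE_PACKET),
             ('"0x6d 0x7a"', PE_PACKET), ('"invoice.exe"', WIDE_PACKET)]
    return [(term, matches(term, pkt)) for term, pkt in cases]

if __name__ == "__main__":
    for term, hit in demo():
        print(term, "->", hit)
```

Under these assumptions the character form "MZ" also hits "mz" inside any text payload, while the hex form matches only the exact bytes, so the hex form is the tighter query for file signatures.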