Searching Captures

Wouldn’t it be nice if you could search existing packet captures for a protocol?
Well now you can with Search Pcaps. Search over 6000 pcaps to find the right one!

Search Syntax

  • All columns are searchable (including description)
  • Space is AND
  • Double quotes can be used to search for strings with spaces
  • To match only captures that contain a protocol (rather than ones that merely mention it in the description), use brackets like [igmp]


igmp "AirPcap trace": Find all captures that reference the igmp protocol and “AirPcap trace” in the description.
wlan llc [radiotap]: All captures that reference wlan and llc in description or protocols, and contain the radiotap protocol.

Inequality Search Syntax

  • A column in ["size", "length", "packets", "ifaces"]
  • An operator in ["==", "!=", ">=", "<=", ">", "<"]
  • A numeric value. KB/MB/GB are understood when comparing size


size >= 100KB: All captures that are 100KB or larger
length > 60: All captures longer than 60 seconds
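
The search and inequality syntax described above, sketched as an added Python example (not the site's own implementation) that parses a query and filters a small constructed index. Assumptions: matching is case-insensitive substring matching, 1KB is 1024 bytes, and the record fields and the names parse_value, parse_query and search are hypothetical.

```python
import operator
import re
import shlex

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
COLUMNS = ("size", "length", "packets", "ifaces")
UNITS = {"KB": 1024, "MB": 1024**2, "GB": 1024**3}  # assumption: 1KB = 1024 bytes
CAPTURES = [  # constructed sample index: size in bytes, length in seconds
    {"name": "igmp_air.pcap", "description": "AirPcap trace of multicast joins", "size": 204800,
     "length": 75.0, "packets": 900, "ifaces": 1, "protocols": ["radiotap", "wlan", "llc", "igmp"]},
    {"name": "lab2.pcapng", "description": "igmp notes from a wired lab", "size": 51200,
     "length": 12.5, "packets": 140, "ifaces": 2, "protocols": ["eth", "ip", "udp"]},
]

def parse_value(column, text):
    """Convert '100KB' or '60' to a number; unit suffixes are only valid for size."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(KB|MB|GB)?", text, re.IGNORECASE)
    if not m or (m.group(2) and column != "size"):
        raise ValueError(f"bad value for {column}: {text!r}")
    return float(m.group(1)) * UNITS.get((m.group(2) or "").upper(), 1)

def parse_query(query):
    """Split a query into (plain terms, required protocols, numeric filters)."""
    tokens = shlex.split(query)  # keeps double-quoted phrases as one token
    terms, protocols, filters = [], [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in COLUMNS and i + 2 < len(tokens) and tokens[i + 1] in OPS:
            filters.append((tok, OPS[tokens[i + 1]], parse_value(tok, tokens[i + 2])))
            i += 2  # skip the operator and value consumed by this filter
        elif len(tok) > 2 and tok[0] == "[" and tok[-1] == "]":
            protocols.append(tok[1:-1])  # [proto]: must be in the protocol column
        else:
            terms.append(tok)  # plain term: may match any text column
        i += 1
    return terms, protocols, filters

def search(query, captures=CAPTURES):
    """Return names of captures satisfying every part of the query (space is AND)."""
    terms, protocols, filters = parse_query(query)
    hits = []
    for cap in captures:
        protos = [p.lower() for p in cap["protocols"]]
        text = " ".join([cap["name"], cap["description"], *protos]).lower()
        if (all(t in text for t in terms) and all(p in protos for p in protocols)
                and all(op(cap[col], val) for col, op, val in filters)):
            hits.append(cap["name"])
    return hits
```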


Finding Captures

Sometimes it can be beneficial to use someone else’s captures instead of your own. Here are a couple of reasons why this might make sense:

  • You are learning how a protocol works and do not have access to the devices that use it
  • You could capture traffic, but it would be faster to download an existing capture
  • You are writing a protocol dissector and need more test files

Whatever your reason, there are many repositories of public packet captures. The largest list of packet capture collections is hosted by Netresec. Of these, Wireshark’s Sample Captures is the most complete.

