Search allows you to locate packet-captures of interest to you. You can search a hostnames, IP addresses, file hashes, dns queries, emerging threat signatures, or other network-based indicators.
For every packet-capture found, a list of Matched In logs will be included, signifying the specific log(s) where your query was matched. Below is an example of searching "pastebin.com", which appeared in multiple logs for several pcaps.
When you click the search bar, PacketTotal provides popular, pre-built search queries for you. If you are interested in building more complex queries quick searches are a great place to start. Clicking any one of these quick searches populates the search bar with the query. Quick searches are driven by the community, and are updated periodically.
If you have a cool search you wish to share, please let us know via the contact us button.
To help with more advanced searches we built search builder. To toggle the search builder interface, click the double-arrow icon to the left of the search icon, and then click Advanced Search.
Clicking any of the search templates in the left column allows you to search specifically for packet-captures that contain data in that log. After clicking any one of the templates, the specific search terms you can query will be populated in the Search terms section.
Below is an example of some of the search terms appearing when selecting the "Malicious Activity" template.
Equals vs Contains
When using search builder you may notice that asterisks are placed on both sides of the value. Asterisks are used for partial matches. For example, google.com will match both dns.google.com as well as www.google.com/images. Inversely, surrounding your term with quotes will look for an exact term match.
The AND/OR buttons appearing in the top right of search builder allows you to build boolean logic into your query.
- AND means both parts of your search query need to be true for a packet-capture to appear in your search result.
alert_signature:*trojan* AND http_hostname:*evilsite.org*
- In this example, the packet capture would have to contain both an alert signature with the word "trojan" in it, as well as the hostname containing evilsite.org in order for the packet-capture to appear in your search results.
- OR means either part of your search query can be true for a packet-capture to appear in your search result.
alert_signature:*trojan* OR http_hostname:*evilsite.org*
- In this example, either the packet capture would have to contain an alert signature with the word "trojan" in it, or one of the hostnames found in the packet capture would have to contain "evilsite.org" in it, or both, for the packet capture to appear in your search results. At least one needs to be true.
- NOT negates the statement directly following this operator.
Whichever operator is selected in the top right will be automatically placed in between your search terms as you click more than one. You can edit the search bar manually to place ANDs and ORs wherever you please. However, capitalization does matter, and OR is not the same as Or.
Additionally, can also surround your statements with parenthesis to logically separate sections within your query.
(alert_signature:*Windows file download HTTP* OR alert_signature:*Java EXE Download*) AND NOT alert_category:"Potential Corporate Privacy Violation"
Search Builder: Creating a Query
Start by clicking a search template. This allows you to search for packet-captures that specifically contain that category of data, such as "Malicious Activity" or "SMTP". After selecting a search template, the search terms for that template will appear. These terms correlate directly to column headings available within Console view.
Below is an example of using search builder to create a search query. By default, OR is selected in the top right, so each additional search term added to your query will have an "OR" rather than an "AND" between them.
In above example you would have to replace the "..." with literal values before searching.