Search

Search allows you to quickly parse the thousands of packet captures on PacketTotal for particular indicators or patterns. You can search a hostname, IP address, or any other network indicator.

For every packet capture that PacketTotal returns for your search query, PacketTotal will tell you the specific log in which it found your search query in the Matched In column. Below is an example for searching "pastebin.com", which appeared in multiple logs for several pcaps.

Pastebin Search Example

When you click into the search bar, PacketTotal automatically provides popular, pre-made search queries for you. Clicking one of these quick search terms automatically populates the search bar with the query.

Quick Search

Search Builder

To help with advanced searches, PacketTotal created search builder. To reveal search builder, click the double-arrow down icon to the left of the search icon.

Introducing Search Builder

Clicking any of the search templates in the left column allows you to search specifically for packet captures that contain data in that log. After clicking one of the templates, the specific search terms you can query for that log automatically populate in the Search terms column.

Below is an example of some of the search terms appearing when selecting the "Malicious Activity" template.

Search Builder: Malicious Activity Template

A list of all search terms, what they mean, and how to format them can be found here.

AND, OR

The AND/OR buttons appearing in the top right of search builder help tell the story of what you want in your query.

  • AND means both parts of your search query need to be true for a packet capture to appear in your search result.
    • alert_signature:*trojan* AND http_hostname:*evilsite.org*
      • In this example, the packet capture would have to both contain an alert signature with the word "trojan" in it, and one of the hostnames found in the packet capture would have to contain "evilsite.org" for the packet capture to appear in your search results. Both parts have to be true.
  • OR means either part of your search query needs to be true for a packet capture to appear in your search result.
    • alert_signature:*trojan* OR http_hostname:*evilsite.org*
      • In this example, either the packet capture would have to contain an alert signature with the word "trojan" in it, or one of the hostnames found in the packet capture would have to contain "evilsite.org" in it, or both, for the packet capture to appear in your search results. At least one needs to be true.

Whichever button is selected in the top right will be automatically placed in between your search terms as you click more than one. You can edit the search bar manually to place ANDs and ORs wherever you please.
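To make the AND/OR semantics above concrete, here is an added example (not PacketTotal's own code) that evaluates queries in the same field:pattern form against a small, constructed set of per-capture log fields; the left-to-right operator evaluation and the case-insensitive wildcard matching are assumptions, since the page does not document PacketTotal's precedence rules.

```python
import fnmatch
import re

# Constructed sample data (not real PacketTotal results): for each capture, the
# log fields a search term can match, keyed by the field names used in queries.
PCAPS = {
    "pcap-a": {"alert_signature": ["ET TROJAN Win32/Generic CnC Checkin"],
               "http_hostname": ["update.evilsite.org"]},
    "pcap-b": {"alert_signature": ["ET POLICY Pastebin request"],
               "http_hostname": ["pastebin.com"]},
    "pcap-c": {"alert_signature": [],
               "http_hostname": ["cdn.evilsite.org", "example.com"]},
}

TERM_RE = re.compile(r"^(\w+):(\S+)$")  # field:pattern, e.g. http_hostname:*evilsite.org*


def term_matches(term, logs):
    """True if any value of the term's field fits its wildcard pattern (case-insensitive)."""
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"malformed search term: {term!r}")
    field, pattern = m.groups()
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower())
               for v in logs.get(field, []))


def query_matches(query, logs):
    """Evaluate 'term (AND|OR term)*' against one capture's logs.

    Assumption: operators are applied left to right with no precedence between
    AND and OR; the real engine's precedence is not documented on this page.
    """
    tokens = query.split()
    if len(tokens) % 2 == 0:
        raise ValueError("query must have the form: term [AND|OR term]...")
    result = term_matches(tokens[0], logs)
    for op, term in zip(tokens[1::2], tokens[2::2]):
        if op == "AND":
            result = result and term_matches(term, logs)   # both must hold
        elif op == "OR":
            result = result or term_matches(term, logs)    # either may hold
        else:
            raise ValueError(f"unknown operator: {op!r}")
    return result


def search(query, pcaps=PCAPS):
    """Return the ids of captures whose logs satisfy the query, sorted."""
    return sorted(pid for pid, logs in pcaps.items() if query_matches(query, logs))
```

Running the AND and OR forms of the trojan/evilsite.org query from the list above shows the difference: AND returns only the capture with both indicators, OR also returns the capture that has only the hostname.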

Search Builder: Creating a Query

Start by clicking a search template. This allows you to search for packet captures that specifically contain that category of data, such as "Malicious Activity" or "SMTP". After selecting a search template, the search terms for that template appear. These are the specific fields you can search for within the packet captures that already have that kind of log data.

Below is an example of using search builder to create a search query. By default, OR is selected in the top right, so each additional search term you add to your query will have an "OR" rather than an "AND" between them.

Search Builder in Action

Replacing the "..." with our actual values, below is an example of using search builder to create a query for malicious packet captures that have either an alert_signature containing the word "trojan" OR an http_hostname somewhere in the packet capture containing the name evilsite.org.

Search Builder: Specific Query

Search Builder: Terms & Definitions

General

  • Malicious Activity
    • Terms
  • Suspicious Activity
    • Terms
  • Connections
    • Terms
  • Strange Activity
    • Terms

By Application Protocol

  • DHCP
    • Terms
  • DNP3
    • Terms
  • FTP
    • Terms
  • HTTP
    • Terms
  • IRC
    • Terms
  • Modbus
    • Terms
  • RDP
    • Terms
  • MySQL
    • Terms
  • SIP
    • Terms
  • SMTP
    • Terms
  • SNMP
    • Terms
  • SSH
    • Terms
  • Syslog
    • Terms

By Security Protocol

  • Kerberos
    • Terms
  • Radius
    • Terms
  • SSL Certificates
    • Terms
  • PKI (X.509)
    • Terms

By Encapsulated Data

  • Transferred Files
    • Terms
  • Extracted Executable Files
    • Terms
  • Tunnels
    • Terms

Other

  • Dynamic Protocol Detection
    • Terms
  • Modbus Registers
    • Terms
  • Modbus Hosts
    • Terms