The pcap renderer attempts to decode entries as packets and display them in a human-readable text format. It will, for instance, display the various flags and options set at the Ethernet, IP, and TCP layers of a packet. It can also decode 802.11 packets as captured from a wireless interface in monitor mode.
The pcap renderer has a special download option, named simply ‘pcap’, which allows you to save the packets in the current query as a Wireshark-readable packet capture file.
The pcap renderer has no option flags and takes no arguments.
The following query assumes the “packet” tag contains packets captured with the Network Capture ingester. It simply displays the packets as text. This is a way to get a general look at what kind of traffic might exist on your network:
You can also restrict the entries by using search modules as usual:
tag=packet packet tcp.Port==80 | pcap
Having determined that this traffic appears interesting, you can click the Download button and select the ‘pcap’ option to save the matching packets as a pcap file for further inspection with a tool such as Wireshark.