Real investigations rarely start with a tidy PCAP. Often all you have is a firewall log or a hex dump pasted into a ticket. Here's how to turn that text into packet evidence.
Key takeaways
In a textbook, an investigation starts with a well-formed PCAP. In practice, it starts with whatever someone could grab: a FortiGate diagnostic sniffer log, a few lines of hex pasted into a ticket, the output of a command-line capture on a box you can't get a file off. The packet data is in there — it's just wrapped in text a normal analyser won't open.
Throwing that evidence away because it isn't a .pcap is a mistake. Reading it by eye, byte by byte, is a slower mistake. The useful middle path is to normalise the text back into capture data you can investigate properly.
Most text-based packet evidence falls into a few familiar shapes (a firewall's diagnostic sniffer output, a hex dump of frame or payload bytes, the printed rows of a command-line capture), and each one is closer to a real capture than it looks: the frame bytes are all there, only the container is text.
You can decode a header by hand. You shouldn't have to. Once text-based evidence is normalised into a packet model, everything you'd normally do becomes available again: filtering, protocol categorisation, following a stream, spotting the anomaly in context. The evidence stops being a wall of characters and becomes something you can navigate.
It also keeps your investigation consistent. If a finding from a firewall log lands in the same packet log, with the same detail view and the same traceability as a finding from a capture file, your report doesn't have a weak seam where the evidence came from text instead of a PCAP.
Text evidence is often incomplete, and pretending otherwise leads to bad conclusions. A few habits keep you honest: keep the timestamps the text gives you rather than letting the conversion invent new ones, treat a frame whose bytes run out before its headers say they should as truncated rather than as a short packet, and keep the original text alongside the converted capture so every finding traces back to what was actually collected.
Can I investigate a FortiGate sniffer log without the original capture file?
Yes. A FortiGate diagnostic sniffer log is packet data serialised as text, provided it was taken at a verbosity level that prints the frame bytes (3 or 6) rather than only the one-line header summary. Normalising those bytes back into a packet model lets you filter, categorise protocols, and follow streams just like a PCAP, with no original capture file required.
What does converting a hex dump into capture data give me?
A hex dump is raw frame or payload bytes. Converting those bytes into capture data reconstructs the packet model, so instead of decoding headers by eye you get the normal investigation workflow: packet log, detail view, and stream reconstruction.
Is text-based evidence reliable enough to build a finding on?
It can be, if you respect its limits. Preserve timestamps, watch for truncated frames, and always keep the original text so findings trace back to the source. Treated carefully, a firewall log or hex dump is legitimate evidence; treated carelessly, it's a source of confident mistakes.
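The normalisation described above (text rows back into a packet model, then the usual filtering) and the habits in the last answer (keep the timestamps, notice truncated frames) can be shown in one small script. This is an added example, not code from the article or from any vendor's converter. It reads text shaped like FortiGate `diagnose sniffer packet` verbosity-3 output; because the hex rows are offset-prefixed 16-byte rows, the same parser also accepts tcpdump `-x` style rows. It rebuilds each frame, decodes just enough Ethernet/IPv4/TCP/UDP to filter on, flags frames whose dumped bytes fall short of the IP total length, carries the text timestamps through, and writes a classic libpcap file. The sample log is constructed (placeholder IP checksums, made-up addresses); the `Frame`/`Packet` names, the `select` helper and the `evidence.pcap` output path are this example's own choices.

```python
import re
import struct
from dataclasses import dataclass
from itertools import takewhile

# Constructed sample shaped like FortiGate `diagnose sniffer packet ... 3` output: a header
# per frame (relative seconds, interface, direction, summary), then 16-byte hex rows with an
# ASCII column. Not real traffic; IP checksums are zero placeholders.
SAMPLE_LOG = """\
interfaces=[port1]
2.518352 port1 in 10.0.0.1.12345 -> 10.0.0.2.80: syn 1
0x0000\t 0000 0000 0001 0000 0000 0002 0800 4500\t..............E.
0x0010\t 0028 0001 0000 4006 0000 0a00 0001 0a00\t.(....@.........
0x0020\t 0002 3039 0050 0000 0001 0000 0000 5002\t..09.P........P.
0x0030\t 2000 0000 0000\t ......
2.519001 port1 out 10.0.0.2.54321 -> 10.0.0.53.53: udp 32
0x0000\t 0000 0000 0002 0000 0000 0001 0800 4500\t..............E.
0x0010\t 003c 0002 0000 4011 0000 0a00 0002 0a00\t.<....@.........
0x0020\t 0035 d431 0035 0028\t.5.1.5.(
"""

HEADER_ROW = re.compile(r"^(\d+(?:\.\d+)?)\s+(\S+)\s+(in|out)\s+(.*)$")
HEX_ROW = re.compile(r"^\s*0x([0-9a-fA-F]+):?\s+(.*)$")  # tcpdump -x rows ("0x0000:  ...") match too
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}")

@dataclass
class Frame:
    ts: float = 0.0
    iface: str = ""
    direction: str = ""
    summary: str = ""
    data: bytes = b""

@dataclass
class Packet:
    frame: Frame
    src: str = ""
    dst: str = ""
    proto: int = 0
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    wire_len: int = 0        # length the IPv4 header says the frame had on the wire
    truncated: bool = False  # fewer bytes were dumped than wire_len

def parse_text_capture(text):
    # A row at offset 0 starts a frame and takes the latest header line; other rows must continue it.
    frames, header, cur = [], None, None
    for line in text.splitlines():
        if m := HEADER_ROW.match(line):
            header = Frame(float(m[1]), m[2], m[3], m[4])
            continue
        if not (m := HEX_ROW.match(line)):
            continue
        offset = int(m[1], 16)
        toks = takewhile(HEX_TOKEN.fullmatch, m[2].split("\t")[0].split())  # drop the ASCII column
        row = bytes.fromhex("".join(toks))[:16]      # a dump row never carries more than 16 bytes
        if offset == 0:
            cur, header = header or Frame(), None    # a bare hex dump gets ts 0.0 and no interface
            frames.append(cur)
        if cur is None or offset != len(cur.data):
            raise ValueError(f"row at offset {offset:#06x} does not continue a frame")
        cur.data += row
    return frames

def decode_ipv4(frame):
    # Minimal decode: enough to filter on, and to compare what IP promised with what was dumped.
    d = frame.data
    pkt = Packet(frame=frame, wire_len=len(d))
    if len(d) < 34 or d[12:14] != b"\x08\x00" or d[14] >> 4 != 4:
        return pkt                                   # not IPv4, or too short to tell
    ihl, pkt.proto = (d[14] & 0x0F) * 4, d[23]
    pkt.src, pkt.dst = (".".join(map(str, d[i:i + 4])) for i in (26, 30))
    pkt.wire_len = 14 + struct.unpack("!H", d[16:18])[0]
    pkt.truncated = len(d) < pkt.wire_len            # the dump stopped before the packet did
    l4 = d[14 + ihl:]
    if pkt.proto in (6, 17) and len(l4) >= 4:
        pkt.sport, pkt.dport = struct.unpack("!HH", l4[:4])
    if pkt.proto == 6 and len(l4) >= 14:
        pkt.tcp_flags = l4[13]
    return pkt

def to_pcap(packets):
    # Classic libpcap, LINKTYPE_ETHERNET; orig_len carries the on-wire length so truncation stays visible.
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for p in packets:
        sec, data = int(p.frame.ts), p.frame.data
        usec = int(round((p.frame.ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), max(p.wire_len, len(data))) + data
    return bytes(out)

def select(packets, proto=None, port=None):
    return [p for p in packets if (proto is None or p.proto == proto)
            and (port is None or port in (p.sport, p.dport))]

if __name__ == "__main__":
    pkts = [decode_ipv4(f) for f in parse_text_capture(SAMPLE_LOG)]
    print(*(f"{p.frame.ts:.6f} {p.src}:{p.sport} -> {p.dst}:{p.dport} proto={p.proto} truncated={p.truncated}" for p in pkts), sep="\n")
    open("evidence.pcap", "wb").write(to_pcap(pkts))
```

Run as a script it prints one line per frame and writes evidence.pcap. The second frame comes out as truncated because its IP header promises 60 bytes while only 26 follow the Ethernet header in the dump; the pcap record keeps the captured length and the on-wire length separately, so an analyser opening the file will show that shortfall too instead of presenting a short packet as a complete one. The timestamps are the ones in the text, and the source text should be kept next to the file so each packet in the capture can be pointed back at the rows it came from.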