The parameter we want to control is the specification of the optional packet-length parameter. It's OK if analysts accept the default (e.g. they do not specify the packet-length parameter), but we want to control who can execute the capture command with a packet-length different from the default (actually it would be OK if they specified a smaller packet-length that the default 68 bytes, but I'll be happy if we can control the use of the packet-length parameter at all).
So, capture Test1 access-list acl-test interface inside would be an example of a command we would want to permit, but capture Test1 access-list acl-test interface inside packet-length 256 we would want to control. I don't know if packet-length can be abbreviated, or if it could be specified in other positions since it is optional, but assume you will test for those things as well.
Can we control the priviledge access for Cisco 5500 ASA in CiscoSecure 3.3?