Use this resource to request a packet capture (PCAP) recorded during analysis of a particular sample. Use either the MD5 or SHA-256 hash of the sample file as a search query. You can optionally specify the platform of the desired PCAP to indicate which PCAP should be returned. PCAPs are available 90 days from the date of analysis for samples that have a malware WildFire verdict.
Specify a valid dynamic analysis platform to avoid errors. If no platform is specified, the API tries to retrieve a PCAP from a session that yielded a verdict of Malware. If no PCAP is found, the API responds with a 404 error. To determine whether a PCAP is available for a particular sample, first Get a WildFire Analysis Report (WildFire API): look for a <platform> value that supports PCAPs (one of the platform numbers listed under Request Parameters), then confirm that the report for that platform carries a verdict of Malware: <malware>yes</malware>. Note that static analyzers do not execute the sample, so the sandbox (dynamic) platforms are the ones that record network traffic.
Resource
/get/pcap/
Request Parameters
Use the following form parameters when requesting a PCAP:
Parameter: apikey (Required)
  Description: API key
  Example: apikey=b0e0e395614d46170ee7498452967c71

Parameter: hash (Required)
  Description: MD5 or SHA-256 hash value of the sample
  Example: hash=afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc

Parameter: platform (Optional)
  Description: Target analysis environment. You cannot specify a platform on a WF-500 appliance. Use one of the following numbers, which represent different environments.
  WildFire Private and Global Cloud:
    1: Windows XP, Adobe Reader 9.3.3, Office 2003
    2: Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
    3: Windows XP, Adobe Reader 11, Flash 11, Office 2010
    4: Windows 7 32-bit, Adobe Reader 11, Flash 11, Office 2010
    5: Windows 7 64-bit, Adobe Reader 11, Flash 11, Office 2010
    100: PDF Static Analyzer
    101: DOC/CDF Static Analyzer
    102: Java/Jar Static Analyzer
    103: Office 2007 Open XML Static Analyzer
    104: Adobe Flash Static Analyzer
    204: PE Static Analyzer
  WildFire Global Cloud only:
    6: Windows XP, Internet Explorer 8, Flash 11
    20: Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
    21: Windows 7, Flash 11, Office 2010
    50: Mac OSX Mountain Lion
    60: Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
    61: Windows 7 64-bit, Adobe Reader 11, Flash 11, Office 2010
    66: Windows 10 64-bit, Adobe Reader 22, Flash 11, Office 2010
    105: RTF Static Analyzer
    110: Mac OSX Static Analyzer
    200: APK Static Analyzer
    201: Android 2.3, API 10, avd2.3.1
    202: Android 4.1, API 16, avd4.1.1 X86
    203: Android 4.1, API 16, avd4.1.1 ARM
    205: Phishing Static Analyzer
    206: Android 4.3, API 18, avd4.3 ARM
    300: Windows XP, Internet Explorer 8, Flash 13.0.0.281, Flash 16.0.0.305, Elink Analyzer
    301: Windows 7, Internet Explorer 9, Flash 13.0.0.281, Flash 17.0.0.169, Elink Analyzer
    302: Windows 7, Internet Explorer 10, Flash 16.0.0.305, Flash 17.0.0.169, Elink Analyzer
    303: Windows 7, Internet Explorer 11, Flash 16.0.0.305, Flash 17.0.0.169, Elink Analyzer
    400: Linux (ELF files)
    800: Archives (RAR and 7-Zip files)
  Example: platform=2
  Platforms 60 and 61 are identically configured to platforms 2 and 5, respectively; they analyze samples using the enhanced custom hypervisor found only in the Global Cloud.
Example Request
Get a PCAP
Make a POST request to the /get/pcap resource and include the API key, the MD5 or SHA-256 hash value of the sample, and optionally the platform. The -F options send the parameters as multipart/form-data. Include the -JO option so that cURL saves the file under the name the server supplies in its Content-Disposition header, similar to the following command:
curl -JO -F 'apikey=b0e0e395615d46120ee7498452967c72' -F 'hash=04f4f1c83f1e69b1f055202964536f13' -F 'platform=2' 'https://wildfire.paloaltonetworks.com/publicapi/get/pcap'
The response saves the packet capture using the hash.platform.pcap filename convention, for example (with the SHA-256 from the parameter table and platform 2):
afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc.2.pcap
Because -J writes whatever filename the server sends, run the command in a dedicated download directory rather than in a directory holding files you care about, and treat the retrieved PCAP as hostile data: it contains the traffic a malware sample generated and should only be opened in tooling you would use for any untrusted capture.
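The two steps described on this page (check the analysis report for a platform with a Malware verdict, then POST the hash and platform to /get/pcap/ and save the file) as one added Python example. This is not Palo Alto Networks' code: the report XML below is constructed for the example and its layout (a <report> element per platform carrying <platform> and <malware>) is an assumption, the set of static analyzers skipped when choosing a platform is taken from the parameter table but the decision to skip them is an assumption, and the request is built with the standard library so nothing here needs a network connection except get_pcap() itself.

```python
"""Added example, not Palo Alto Networks' code: choose a PCAP platform from a
WildFire report, then fetch the PCAP with a multipart POST to /get/pcap."""
import re
import uuid
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

WILDFIRE_BASE = "https://wildfire.paloaltonetworks.com/publicapi"  # Global Cloud URL from the page

# Assumption: static analyzers (from the parameter table) never execute the
# sample, so they are skipped when picking a platform to request a PCAP for.
STATIC_ANALYZERS = {100, 101, 102, 103, 104, 105, 110, 200, 204, 205}

# Constructed sample report (layout assumed): platform 2 found malware,
# platform 5 did not, platform 101 is a static analyzer that also said yes.
SAMPLE_REPORT = """<wildfire>
  <file_info><sha256>afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc</sha256>
    <malware>yes</malware></file_info>
  <task_info>
    <report><version>2.0</version><platform>2</platform><malware>yes</malware></report>
    <report><version>2.0</version><platform>5</platform><malware>no</malware></report>
    <report><version>2.0</version><platform>101</platform><malware>yes</malware></report>
  </task_info>
</wildfire>"""


def pcap_candidates(report_xml):
    """Platforms whose session yielded a Malware verdict, static analyzers excluded."""
    found = set()
    for rep in ET.fromstring(report_xml).iter("report"):
        plat = rep.findtext("platform")
        verdict = (rep.findtext("malware") or "").strip().lower()
        if plat is None or verdict != "yes":
            continue
        plat = int(plat.strip())
        if plat not in STATIC_ANALYZERS:
            found.add(plat)
    return sorted(found)


def encode_multipart(fields):
    """Encode form fields as multipart/form-data, the same shape curl -F sends."""
    boundary = "----wildfire-" + uuid.uuid4().hex
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in fields.items()]
    parts.append(f"--{boundary}--\r\n")
    return f"multipart/form-data; boundary={boundary}", "".join(parts).encode()


def pcap_filename(sample_hash, platform):
    """The hash.platform.pcap convention documented on the page."""
    return f"{sample_hash}.{platform}.pcap"


def filename_from_disposition(header, fallback):
    """Honour Content-Disposition like curl -J, but accept only a plain basename
    so a malformed or hostile header cannot steer the write outside the cwd."""
    if header:
        m = re.search(r'filename="?([^";]+)"?', header)
        if m:
            name = m.group(1).strip()
            if name and "/" not in name and "\\" not in name and name not in (".", ".."):
                return name
    return fallback


def get_pcap(apikey, sample_hash, platform=None, base=WILDFIRE_BASE, timeout=60):
    """POST to /get/pcap; returns (filename, bytes), or None on the 404 the page
    documents for 'no PCAP available'. Other HTTP errors are raised."""
    fields = {"apikey": apikey, "hash": sample_hash}
    if platform is not None:
        fields["platform"] = str(platform)
    ctype, body = encode_multipart(fields)
    req = urllib.request.Request(f"{base}/get/pcap", data=body, method="POST",
                                 headers={"Content-Type": ctype})
    fallback = pcap_filename(sample_hash, platform) if platform is not None else f"{sample_hash}.pcap"
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            name = filename_from_disposition(resp.headers.get("Content-Disposition"), fallback)
            return name, resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None  # no PCAP for this hash/platform (or older than 90 days)
        raise


if __name__ == "__main__":
    # Offline part of the workflow: platform 2 is the only usable candidate.
    print(pcap_candidates(SAMPLE_REPORT))  # [2]
    # Online part (needs a real API key): uncomment to download.
    # result = get_pcap("YOUR_API_KEY", "afe6b95a...63acc", platform=2)
    # if result: open(result[0], "wb").write(result[1])
```

The Content-Disposition check matters because the download is written under a server-chosen name; restricting it to a basename keeps a surprising header from turning a PCAP fetch into a write elsewhere on disk, which is the same reason the cURL example should be run from a scratch directory.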