Get a Packet Capture (WildFire API)

Use this resource to request a packet capture (PCAP) recorded during analysis of a particular sample. Use either the MD5 or SHA-256 hash of the sample file as a search query. You can optionally specify the platform of the desired PCAP to indicate which PCAP should be returned. PCAPs are available 90 days from the date of analysis for samples that have a malware WildFire verdict.
Specify a valid dynamic analysis platform to avoid potential errors. If no platform is specified, the API tries to retrieve a PCAP from a session that yielded a verdict of Malware. If no PCAP is found, the API responds with a 404 error. To determine whether a PCAP is available for a particular sample, retrieve the report with Get a WildFire Analysis Report (WildFire API) and check whether it contains a <platform> field for an environment that supports PCAPs (see the Request Parameters section), then check whether the sample has a verdict of Malware: <malware>yes</malware>.

Resource

/get/pcap/

Request Parameters

Use the following form parameters when requesting a packet capture:

Parameter: apikey
Description: (Required) API key
Example:
apikey=b0e0e395614d46170ee7498452967c71

Parameter: hash
Description: (Required) MD5 or SHA-256 hash value of the sample
Example:
hash=afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc

Parameter: platform
Description: (Optional) Target analysis environment. You cannot specify a platform on a WildFire appliance. Use one of the following numbers, which represent different environments:
WildFire Private and Global Cloud
  • 1: Windows XP, Adobe Reader 9.3.3, Office 2003
  • 2: Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
  • 3: Windows XP, Adobe Reader 11, Flash 11, Office 2010
  • 4: Windows 7 32-bit, Adobe Reader 11, Flash 11, Office 2010
  • 5: Windows 7 64-bit, Adobe Reader 11, Flash 11, Office 2010
  • 100: PDF Static Analyzer
  • 101: DOC/CDF Static Analyzer
  • 102: Java/Jar Static Analyzer
  • 103: Office 2007 Open XML Static Analyzer
  • 104: Adobe Flash Static Analyzer
  • 204: PE Static Analyzer
WildFire Global Cloud only
  • 6: Windows XP, Internet Explorer 8, Flash 11
  • 20: Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
  • 21: Windows 7, Flash 11, Office 2010
  • 50: Mac OSX Mountain Lion
  • 60: Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
  • 61: Windows 7 64-bit, Adobe Reader 11, Flash 11, Office 2010
  • 66: Windows 10 64-bit, Adobe Reader 11, Flash 22, Office 2010
  • 105: RTF Static Analyzer
  • 110: Mac OSX Static Analyzer
  • 200: APK Static Analyzer
  • 201: Android 2.3, API 10, avd2.3.1
  • 202: Android 4.1, API 16, avd4.1.1 X86
  • 203: Android 4.1, API 16, avd4.1.1 ARM
  • 205: Phishing Static Analyzer
  • 206: Android 4.3, API 18, avd4.3 ARM
  • 300: Windows XP, Internet Explorer 8, Flash 13.0.0.281, Flash 16.0.0.305, Elink Analyzer
  • 301: Windows 7, Internet Explorer 9, Flash 13.0.0.281, Flash 17.0.0.169, Elink Analyzer
  • 302: Windows 7, Internet Explorer 10, Flash 16.0.0.305, Flash 17.0.0.169, Elink Analyzer
  • 303: Windows 7, Internet Explorer 11, Flash 16.0.0.305, Flash 17.0.0.169, Elink Analyzer
  • 400: Linux (ELF Files)
  • 800: Archives (RAR and 7-Zip files)
Platforms 60 and 61 are identically configured to platforms 2 and 5, respectively. These platforms analyze samples using the enhanced custom hypervisor found only in the Global Cloud.
Example:
platform=2

Example Request

Make a POST request to the /get/pcap resource and include the API key, the MD5 or SHA-256 hash value of the sample, and optionally the platform. Include the -JO option to save the file under the Content-Disposition filename provided by the server, similar to the following cURL command:
curl -JO -F 'apikey=b0e0e395615d46120ee7498452967c72' -F 'hash=04f4f1c83f1e69b1f055202964536f13' -F 'platform=2' 'https://wildfire.paloaltonetworks.com/publicapi/get/pcap'
With -JO, curl saves the packet capture under the filename supplied by the server, which follows the hash.platform.pcap convention:
afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc.2.pcap
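The request described in the Request Parameters and Example Request sections above, as an added Python client that is not Palo Alto Networks' own code: it validates the hash and platform id locally before sending, builds the same multipart form that curl -F sends, treats a 404 as "no PCAP available", and accepts the server's Content-Disposition filename only when it matches the documented hash.platform.pcap convention (curl -JO writes whatever name the server returns). The filename regex and the fallback name are assumptions of this example.

```python
# Added example, not Palo Alto's own client: fetch a WildFire PCAP by sample hash.
import re, urllib.error, urllib.request, uuid

WILDFIRE_URL = "https://wildfire.paloaltonetworks.com/publicapi/get/pcap"
# Platform ids listed on this page (60/61 are the custom-hypervisor twins of 2/5).
PLATFORMS = {1, 2, 3, 4, 5, 6, 20, 21, 50, 60, 61, 66, 100, 101, 102, 103, 104, 105,
             110, 200, 201, 202, 203, 204, 205, 206, 300, 301, 302, 303, 400, 800}
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$")

def build_form(apikey, sample_hash, platform=None):
    """Validate inputs locally so a typo fails here, not as an ambiguous server 404."""
    sample_hash = sample_hash.strip().lower()
    if not _HASH_RE.match(sample_hash):
        raise ValueError("hash must be a 32-char MD5 or 64-char SHA-256 hex digest")
    fields = {"apikey": apikey, "hash": sample_hash}
    if platform is not None:
        if platform not in PLATFORMS:
            raise ValueError(f"unknown platform id {platform}")
        fields["platform"] = str(platform)
    return fields

def encode_multipart(fields):
    """Encode the fields as multipart/form-data, the same framing curl -F sends."""
    boundary = uuid.uuid4().hex
    body = b""
    for name, value in fields.items():
        body += (f"--{boundary}\r\nContent-Disposition: form-data; "
                 f'name="{name}"\r\n\r\n{value}\r\n').encode()
    body += f"--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body

def output_filename(content_disposition, sample_hash, platform):
    """Accept the server's Content-Disposition name only if it matches the documented
    <hash>.<platform>.pcap convention (assumed regex); otherwise build a safe name."""
    m = re.search(r'filename="?([0-9a-f]{32,64}\.\d+\.pcap)"?', content_disposition or "")
    return m.group(1) if m else f"{sample_hash}.{platform or 'any'}.pcap"

def get_pcap(apikey, sample_hash, platform=None, url=WILDFIRE_URL):
    """Return (filename, pcap_bytes), or None when the API answers 404 (no PCAP)."""
    fields = build_form(apikey, sample_hash, platform)
    ctype, body = encode_multipart(fields)
    req = urllib.request.Request(url, data=body, headers={"Content-Type": ctype})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            name = output_filename(resp.headers.get("Content-Disposition"), fields["hash"], platform)
            return name, resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
```

Call get_pcap(apikey, hash, platform) with your own key; only the network call requires access to the WildFire cloud, the validation and filename logic run offline.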
