Get a Packet Capture (WildFire API)
Use this resource to request a packet capture (PCAP) recorded during analysis of a particular sample. Use either the MD5 or SHA-256 hash of the sample file as a search query. You can optionally specify the platform of the desired PCAP to indicate which PCAP should be returned. PCAPs are available 90 days from the date of analysis for samples that have a malware WildFire verdict.
Specify a valid dynamic analysis platform to avoid potential errors. If no platform is specified, the API tries to retrieve a PCAP from a session that yielded a verdict of Malware. If no PCAP is found, the API responds with a 404 error. To determine whether a PCAP is available for a particular sample, Get a WildFire Analysis Report (WildFire API) and check whether the report contains a <platform> field that supports PCAPs, as shown in the Request Parameters section, then check whether the sample has a verdict of Malware.
Use the following form parameters when requesting a packet capture for a sample:
apikey (Required) API key
hash (Required) MD5 or SHA-256 hash value of the sample
platform (Optional) Target analysis environment. You cannot specify a platform on a WildFire appliance.
Use one of the following numbers, which represent different environments:
WildFire Private and Global Cloud
61 are identically configured to platforms 5, respectively. These platforms analyze samples using the enhanced custom hypervisor found only in the Global Cloud.
WildFire Global Cloud
Make a POST request to the /get/pcap resource and include the API key, the MD5 or SHA-256 hash value of the sample, and optionally the platform. Include the -JO option to use the Content-Disposition filename as provided by the server, similar to the following cURL command:
curl -JO -F 'apikey=<API KEY>' -F 'hash=04f4f1c83f1e69b1f055202964536f13' -F 'platform=2' 'https://wildfire.paloaltonetworks.com/publicapi/get/pcap'
The response saves the packet capture file using the
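As an added example that is not Palo Alto Networks' code: a small Python client that performs the same POST as the cURL command above, rejects malformed hashes before sending anything, turns the 404 case into a specific error, and saves the file under the server's Content-Disposition filename reduced to a bare base name so a hostile header cannot write outside the output directory. The function names, the hash regex and the responses constructed in the comments are assumptions of this example, not part of the API documentation.

```python
import os
import re
import urllib.error
import urllib.request
from email.message import Message  # stdlib header parser, reused for Content-Disposition

WILDFIRE_URL = "https://wildfire.paloaltonetworks.com/publicapi/get/pcap"  # from the page
HEX_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{64})$")  # MD5 or SHA-256 (assumption)

class PcapNotFound(LookupError):
    """HTTP 404: no PCAP for that hash/platform (kept 90 days, malware verdicts only)."""
def build_pcap_form(api_key, file_hash, platform=None):
    """Form fields for /get/pcap; rejects anything that is not an MD5/SHA-256 hex digest."""
    if not HEX_HASH.match(file_hash):
        raise ValueError("hash must be a 32-hex MD5 or 64-hex SHA-256 digest")
    form = {"apikey": api_key, "hash": file_hash.lower()}
    if platform is not None:  # leave out on a WildFire appliance, which has no platform choice
        form["platform"] = str(platform)
    return form
def encode_multipart(form, boundary="wildfire-pcap-form"):
    """Minimal multipart/form-data body, equivalent to curl's -F fields."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in form.items()]
    return ("".join(parts) + f"--{boundary}--\r\n").encode(), f"multipart/form-data; boundary={boundary}"
def filename_from_disposition(header, fallback):
    """Server filename (what curl -J uses), cut to a base name so it cannot escape out_dir."""
    msg = Message()
    msg["Content-Disposition"] = header or ""
    name = os.path.basename((msg.get_filename() or "").replace("\\", "/"))
    return name if name and name not in (".", "..") else fallback
def save_pcap(status, headers, body, out_dir, fallback_name):
    """Turn the HTTP outcome into a saved file or a specific error."""
    if status == 404:
        raise PcapNotFound("no PCAP for this sample/platform; check the report's <platform> fields")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    path = os.path.join(out_dir, filename_from_disposition(headers.get("Content-Disposition"), fallback_name))
    with open(path, "wb") as fh:
        fh.write(body)
    return path
def fetch_pcap(api_key, file_hash, out_dir=".", platform=None, url=WILDFIRE_URL):
    """POST the form and save the PCAP (the only step that needs network access)."""
    body, ctype = encode_multipart(build_pcap_form(api_key, file_hash, platform))
    req = urllib.request.Request(url, data=body, headers={"Content-Type": ctype}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return save_pcap(resp.status, resp.headers, resp.read(), out_dir, f"{file_hash}.pcap")
    except urllib.error.HTTPError as err:  # 404 and other non-2xx statuses arrive here
        return save_pcap(err.code, err.headers, b"", out_dir, f"{file_hash}.pcap")
```

Calling fetch_pcap("<API KEY>", "04f4f1c83f1e69b1f055202964536f13", platform=2) reproduces the cURL request above; the other functions can be exercised offline with a constructed status, header dict and body.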