1. Home
    2. WildFire
    3. WildFire API Reference
    4. Get WildFire Information through the WildFire API
    5. Get a Packet Capture (WildFire API)

    Get a Packet Capture (WildFire API)

    Use this resource to request a packet capture (PCAP) recorded during analysis of a particular sample. Use either the MD5 or SHA-256 hash of the sample file as a search query. You can optionally specify the platform of the desired PCAP to indicate which PCAP should be returned. PCAPs are available 90 days from the date of analysis for samples that have a malware WildFire verdict.
    Specify a valid dynamic analysis platform to avoid potential errors. If no platform is specified, the API tries to retrieve a PCAP from a session that yielded a verdict of Malware. If no PCAP is found, the API responds with a 404 error. To determine if a PCAP is available for a particular sample, Get a WildFire Analysis Report (WildFire API) and check to see if there is a
    <platform>
     field that supports PCAPs as shown in Request Parameters section, then check to see if the sample has a verdict of Malware:
    <malware>yes</malware>
    .

    Resource

    /get/pcap/

    Request Parameters

    Use the following form parameters when requesting a sample:
    Parameters
    Description
    Example
     
    apikey
    (
    Required
    ) API key
    Example:
    apikey=<API KEY>
    hash
    (
    Required
    ) MD5 or SHA-256 hash value of the sample
    Example:
    hash=afe6b95ad95bc689c356f34ec8d
	9094c495e4af57c932ac413b65ef132063acc
    platform
    Target analysis environment (You cannot specify a platform on a WildFire appliance).
    Use one of the following numbers, which represent different environments:
    WildFire Private and Global Cloud
    • 1
      : Windows XP, Adobe Reader 9.3.3, Office 2003
    • 2
      : Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
    • 3
      : Windows XP, Adobe Reader 11, Flash 11, Office 2010
    • 4
      : Windows 7 32-bit, Adobe Reader 11, Flash 11, Office 2010
    • 5
      : Windows 7 64-bit, Adobe Reader 11, Flash 11, Office 2010
    • 100
      : PDF Static Analyzer
    • 101
      : DOC/CDF Static Analyzer
    • 102
      : Java/Jar Static Analyzer
    • 103
      : Office 2007 Open XML Static Analyzer
    • 104
      : Adobe Flash Static Analyzer
    • 204
      : PE Static Analyzer
    • 800
      : Archives (RAR and 7-Zip files)
    Example:
    platform=2
    Platforms
    60
     and
    61
     are identically configured to platforms
    2
     and
    5
    , respectively. These platforms analyze samples using the enhanced custom hypervisor found only in the Global Cloud.
    WildFire Global Cloud
    only
    • 6
      : Windows XP, Internet Explorer 8, Flash 11
    • 20
      : Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
    • 21
      : Windows 7, Flash 11, Office 2010
    • 50
      : Mac OSX Mountain Lion
    • 60
      : Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
    • 61
      : Windows 7 64-bit, Adobe Reader 11, Flash 11, Office 2010
    • 66
      : Windows 10 64-bit, Adobe Reader 11, Flash 22, Office 2010
    • 105
      : RTF Static Analyzer
    • 110
      : Max OSX Static Analyzer
    • 200
      : APK Static Analyzer
    • 201:
       Android 2.3, API 10, avd2.3.1
    • 202:
       Android 4.1, API 16, avd4.1.1 X86
    • 203:
       Android 4.1, API 16, avd4.1.1 ARM
    • 205
      : Phishing Static Analyzer
    • 206
      : Android 4.3, API 18, avd4.3 ARM
    • 207:
       Script Static Analyzer
    • 300
      : Windows XP, Internet Explorer 8, Flash 13.0.0.281, Flash 16.0.0.305, Elink Analyzer
    • 301
      : Windows 7, Internet Explorer 9, Flash 13.0.0.281, Flash 17.0.0.169, Elink Analyzer
    • 302
      : Windows 7, Internet Explorer 10, Flash 16.0.0.305, Flash 17.0.0.169, Elink Analyzer
    • 303
      : Windows 7, Internet Explorer 11, Flash 16.0.0.305, Flash 17.0.0.169, Elink Analyzer
    • 400
      : Linux (ELF Files)
    • 403:
       Linux Script Dynamic Analyzer
    • 404:
       Linux Script Static Analyzer
    • 501
      : BareMetal Windows 7 x64, Adobe Reader 11, Flash 11, Office 2010

    Example Request

    Make a POST request to the
    /get/pcap
     resource and include the API key, the MD5 or SHA-256 hash value of the sample, and optionally the platform. Include the
    -JO
     option to use ---the Content-Disposition filename as provided by the server, similar to the following cURL command:
    curl -JO
-F 'apikey=<API KEY>' -F 'hash=04f4f1c83f1e69b1f055202964536f13'
-F 'platform=2' 'https://wildfire.paloaltonetworks.com/publicapi/get/pcap'
    The response saves the packet capture file using the
    hash.platform.pcap
     filename convention:
    afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc.2.pcap

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2020 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo