Get a Packet Capture (WildFire API)
Use this resource to request a packet capture (PCAP)
recorded during analysis of a particular sample. Use either the
MD5 or SHA-256 hash of the sample file as a search query. You can optionally
specify the platform of the desired PCAP to indicate which PCAP
should be returned. PCAPs are available 90 days from the date of
analysis for samples that have a malware WildFire verdict.
- Specify a valid dynamic analysis platform to avoid potential errors. If no platform is specified, the API tries to retrieve a PCAP from a session that yielded a verdict of Malware. If no PCAP is found, the API responds with a 404 error. To determine whether a PCAP is available for a particular sample, use Get a WildFire Analysis Report (WildFire API) and check that the report contains a <platform> field for a platform that supports PCAPs (see the Request Parameters section), then check that the sample has a verdict of Malware: <malware>yes</malware>.
- Packet captures are available only for file samples; a request for a PCAP of a URL sample returns a 404 error.
Resource
/get/pcap/
Request Parameters
Use the following form parameters when requesting a PCAP:
Parameter | Description | Example
---|---|---
apikey | (Required) API key. | apikey=<API KEY>
hash | (Required) MD5 or SHA-256 hash value of the sample. | hash=04f4f1c83f1e69b1f055202964536f13
platform | Target analysis environment. Use one of the numbers that represent the different environments; the platform list is grouped into platforms available on both the WildFire Private and Global Cloud and platforms available on the WildFire Global Cloud only. Platforms 60 and 61 are identically configured to platforms 2 and 5, respectively, and analyze samples using the enhanced custom hypervisor found only in the Global Cloud. You cannot specify a platform on a WildFire appliance. | platform=2
Example Request
Make a POST request to the /get/pcap resource and include the API key, the MD5 or SHA-256 hash value of the sample, and optionally the platform. Include the -JO option so that cURL saves the file under the Content-Disposition filename provided by the server, similar to the following cURL command:

curl -JO -F 'apikey=<API KEY>' -F 'hash=04f4f1c83f1e69b1f055202964536f13' -F 'platform=2' 'https://wildfire.paloaltonetworks.com/publicapi/get/pcap'

The response saves the packet capture file using the hash.platform.pcap filename convention, for example:

afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc.2.pcap

In this example the request used the MD5 hash and the returned file is named with the sample's SHA-256 hash. Because -J writes whatever filename the server sends, check that the saved name matches the hash.platform.pcap pattern before you process the file.
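The same request without cURL, as an added example that is not part of the WildFire documentation or Palo Alto Networks' own tooling: a small Python client that validates the hash before sending (a URL or a malformed hash is rejected locally instead of producing a 404), posts the three form fields as multipart/form-data the way curl -F does, maps a 404 to a PcapNotFound error with the hint from the note above, checks that the body really starts with a pcap or pcapng magic, and only accepts the server's Content-Disposition filename if it follows the hash.platform.pcap convention. The public cloud URL and the form field names come from the cURL command on this page; the exact Content-Disposition header format (attachment; filename="...") and the fake_transport stand-in server, which answers 200 only for the page's example SHA-256 on platform 2 and 404 otherwise, are assumptions constructed for the offline demo.

```python
"""Fetch a WildFire PCAP by sample hash (added example, not Palo Alto Networks code)."""
import re
import uuid
import urllib.error
import urllib.request
from email.message import Message

WILDFIRE_PCAP_URL = "https://wildfire.paloaltonetworks.com/publicapi/get/pcap"  # from the page

HEX_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{64})$")            # MD5 or SHA-256
PCAP_FILENAME_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})\.\d+\.pcap$")   # hash.platform.pcap
PCAP_MAGICS = (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",   # libpcap, either byte order
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d",   # libpcap nanosecond variant
               b"\x0a\x0d\x0d\x0a")                        # pcapng section header


class PcapNotFound(Exception):
    """HTTP 404 from /get/pcap: no PCAP for this hash (and platform, if one was given)."""


def build_form(apikey, sample_hash, platform=None):
    """Validate inputs and return the form fields the resource expects (apikey, hash, platform)."""
    if not HEX_HASH_RE.match(sample_hash):
        raise ValueError("hash must be a 32-hex MD5 or 64-hex SHA-256 (URLs have no PCAP)")
    fields = {"apikey": apikey, "hash": sample_hash.lower()}
    if platform is not None:
        if not str(platform).isdigit():
            raise ValueError("platform must be a numeric WildFire platform id")
        fields["platform"] = str(platform)
    return fields


def encode_multipart(fields):
    """Encode fields as multipart/form-data, as curl -F does. Returns (body, content_type)."""
    boundary = uuid.uuid4().hex
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
             for name, value in fields.items()]
    body = "".join(parts) + f"--{boundary}--\r\n"
    return body.encode(), f"multipart/form-data; boundary={boundary}"


def filename_from_response(headers, sample_hash, platform):
    """Use the server's Content-Disposition filename only if it matches hash.platform.pcap;
    otherwise build our own. A server-supplied name is never written to disk unchecked."""
    cd = next((v for k, v in headers.items() if k.lower() == "content-disposition"), "")
    msg = Message()
    msg["Content-Disposition"] = cd
    name = msg.get_filename()          # parses the filename= parameter, handling quoting
    if name and PCAP_FILENAME_RE.match(name):
        return name
    return f"{sample_hash.lower()}.{platform if platform is not None else 'any'}.pcap"


def urllib_transport(url, body, content_type):
    """Real HTTP transport: POST the body and return (status, headers, bytes), even on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers={"Content-Type": content_type})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def fetch_pcap(apikey, sample_hash, platform=None, transport=urllib_transport, url=WILDFIRE_PCAP_URL):
    """POST to /get/pcap and return (filename, pcap_bytes). Raises PcapNotFound on 404."""
    body, ctype = encode_multipart(build_form(apikey, sample_hash, platform))
    status, headers, data = transport(url, body, ctype)
    if status == 404:
        raise PcapNotFound(f"no PCAP for {sample_hash} on platform {platform}: check the analysis "
                           "report for a PCAP-capable <platform> and a verdict of <malware>yes</malware>")
    if status != 200:
        raise RuntimeError(f"WildFire returned HTTP {status}: {data[:200]!r}")
    if not data.startswith(PCAP_MAGICS):
        raise RuntimeError("response body is not a pcap/pcapng file")
    return filename_from_response(headers, sample_hash, platform), data


# Constructed offline stand-in for the WildFire server (assumption, demo only).
DEMO_SHA256 = "afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc"  # hash from the page
DEMO_PCAP = b"\xd4\xc3\xb2\xa1" + b"\x02\x00\x04\x00" + b"\x00" * 16           # libpcap header only


def fake_transport(url, body, content_type):
    """Answer 200 with a PCAP for the demo hash on platform 2, 404 for everything else."""
    text = body.decode()
    if f'name="hash"\r\n\r\n{DEMO_SHA256}\r\n' in text and 'name="platform"\r\n\r\n2\r\n' in text:
        return 200, {"Content-Disposition": f'attachment; filename="{DEMO_SHA256}.2.pcap"'}, DEMO_PCAP
    return 404, {}, b"Not Found"


if __name__ == "__main__":
    name, pcap = fetch_pcap("<API KEY>", DEMO_SHA256, 2, transport=fake_transport)
    print(f"saved name {name}, {len(pcap)} bytes")
    try:
        fetch_pcap("<API KEY>", DEMO_SHA256, 5, transport=fake_transport)
    except PcapNotFound as err:
        print("platform 5:", err)
```

Replace fake_transport with the default urllib_transport (and a real API key) to query the Global Cloud; the validation, 404 handling and filename check are the same on either path.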