Get a Packet Capture (WildFire API)

Use this resource to request a packet capture (PCAP) recorded during analysis of a particular sample. Use either the MD5 or SHA-256 hash of the sample file as a search query. You can optionally specify the platform of the desired PCAP to indicate which PCAP should be returned. PCAPs are available 90 days from the date of analysis for samples that have a malware WildFire verdict.
  • Specify a valid dynamic analysis platform to avoid potential errors. If no platform is specified, the API tries to retrieve a PCAP from a session that yielded a verdict of malware. If no PCAP is found, the API responds with a 404 error. To determine whether a PCAP is available for a particular sample, use Get a WildFire Analysis Report (WildFire API) and check that the report contains a <platform> field for a platform that supports PCAPs (see the Request Parameters section), and that the sample has a verdict of malware: <malware>yes</malware>.
  • Packet captures are only available for file samples; attempting to retrieve a PCAP for a URL sample results in a 404 error response.

Resource

/get/pcap/

Request Parameters

Use the following form parameters when requesting a packet capture:

apikey
  Description: (Required) API key
  Example: apikey=<API KEY>

agent
  Description: (Required for Prisma Access and Prisma Cloud Compute-based WildFire public API keys) Designates the API key type. Options include:
    • pcc—for use with Prisma Cloud Compute-based WildFire public API keys
    • prismaaccessapi—for use with Prisma Access-based WildFire public API keys
  Example: agent=pcc

hash
  Description: (Required) MD5 or SHA-256 hash value of the sample
  Example: hash=afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc

platform
  Description: Target analysis environment (you cannot specify a platform on a WildFire appliance). Use one of the following numbers, which represent different environments:
  WildFire Private and Global Cloud
    • 1: Windows XP, Adobe Reader 9.3.3, Office 2003 (only available in the WildFire private cloud)
    • 2: Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007 (only available in the WildFire private cloud)
    • 3: Windows XP, Adobe Reader 11, Flash 11, Office 2010 (only available in the WildFire private cloud)
    • 4: Windows 7 32-bit, Adobe Reader 11, Flash 11, Office 2010
    • 5: Windows 7 64-bit, Adobe Reader 11, Flash 11, Office 2010
    • 100: PDF Static Analyzer
    • 101: DOC/CDF Static Analyzer
    • 102: Java/Jar Static Analyzer
    • 103: Office 2007 Open XML Static Analyzer
    • 104: Adobe Flash Static Analyzer
    • 204: PE Static Analyzer
    • 800: Archives (RAR and 7-Zip files)
  WildFire Global Cloud only
    • 21: Windows 7, Flash 11, Office 2010
    • 50: Mac OSX Mountain Lion
    • 61: Windows 7 64-bit, Adobe Reader 11, Flash 11, Office 2010
    • 66: Windows 10 64-bit, Adobe Reader 11, Flash 22, Office 2010
    • 105: RTF Static Analyzer
    • 110: Mac OSX Static Analyzer
    • 200: APK Static Analyzer
    • 201: Android 2.3, API 10, avd2.3.1
    • 202: Android 4.1, API 16, avd4.1.1 X86
    • 203: Android 4.1, API 16, avd4.1.1 ARM
    • 205: Phishing Static Analyzer
    • 206: Android 4.3, API 18, avd4.3 ARM
    • 207: Script Static Analyzer
    • 301: Windows 7, Internet Explorer 9, Flash 13.0.0.281, Flash 17.0.0.169, Elink Analyzer
    • 302: Windows 7, Internet Explorer 10, Flash 16.0.0.305, Flash 17.0.0.169, Elink Analyzer
    • 303: Windows 7, Internet Explorer 11, Flash 16.0.0.305, Flash 17.0.0.169, Elink Analyzer
    • 400: Linux (ELF Files)
    • 403: Linux Script Dynamic Analyzer
    • 404: Linux Script Static Analyzer
    • 501: BareMetal Windows 7 x64, Adobe Reader 11, Flash 11, Office 2010
  While platform 5 is identically configured to platform 61, the latter analyzes samples using an enhanced custom hypervisor found only in the WildFire Global Cloud.
  Example: platform=2

Example Request

Make a POST request to the /get/pcap resource and include the API key, the MD5 or SHA-256 hash value of the sample, and optionally the platform. Include the -JO option so that cURL saves the file under the Content-Disposition filename provided by the server, similar to the following cURL command:
curl -JO -F 'apikey=<API KEY>' -F 'hash=04f4f1c83f1e69b1f055202964536f13' -F 'platform=2' 'https://wildfire.paloaltonetworks.com/publicapi/get/pcap'
The response saves the packet capture file using the hash.platform.pcap filename convention:
afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc.2.pcap
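The request above, written as a small stdlib-only Python client, as an added example that is not Palo Alto Networks' own code. It validates the hash form (MD5 or SHA-256) and the platform ID against the table on this page, encodes the fields as multipart/form-data the way `curl -F` does, maps the documented 404 to a clear error, mirrors `curl -J` by preferring the server's Content-Disposition filename (with directory components stripped) and otherwise falling back to the hash.platform.pcap convention, and checks the libpcap/pcapng magic before trusting the body. The `transport` parameter, the `KNOWN_PLATFORMS` set, the `demo_offline` function and the tiny constructed PCAP header it uses are assumptions made for this example so it can be exercised offline; the WildFire URL and the hash in the demo come from the page.

```python
"""Fetch a WildFire PCAP via /get/pcap/ (added example; not Palo Alto Networks' client code)."""
import os
import re
import uuid
import urllib.error
import urllib.request

WILDFIRE_URL = "https://wildfire.paloaltonetworks.com/publicapi/get/pcap"

# Platform IDs from the Request Parameters table on this page (assumption: used only
# to reject typos early; the page does not say which of them actually produce PCAPs).
KNOWN_PLATFORMS = {1, 2, 3, 4, 5, 21, 50, 61, 66, 100, 101, 102, 103, 104, 105, 110,
                   200, 201, 202, 203, 204, 205, 206, 207, 301, 302, 303, 400, 403, 404,
                   501, 800}

# libpcap magic (both byte orders, micro- and nanosecond) plus the pcapng block type.
PCAP_MAGICS = (b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1", b"\x0a\x0d\x0d\x0a")

_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$")


def validate_hash(h):
    """Accept only a 32-hex MD5 or 64-hex SHA-256 digest; return it lowercased."""
    h = h.strip().lower()
    if not _HASH_RE.match(h):
        raise ValueError("hash must be an MD5 (32 hex) or SHA-256 (64 hex) digest")
    return h


def build_multipart(fields):
    """Encode form fields as multipart/form-data like `curl -F`. Returns (body, content_type)."""
    boundary = uuid.uuid4().hex
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'.encode()
             for n, v in fields.items()]
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def pcap_filename(content_disposition, hash_value, platform):
    """Mirror `curl -J`: use the server's filename, stripped of any path, else hash.platform.pcap."""
    name = None
    if content_disposition:
        m = re.search(r'filename="?([^";]+)"?', content_disposition)
        if m:
            name = os.path.basename(m.group(1).strip())   # never write outside the CWD
    if not name or name in (".", ".."):
        # Fallback follows the page's convention; hash.pcap when the server chose the platform (assumption)
        name = f"{hash_value}.{platform}.pcap" if platform is not None else f"{hash_value}.pcap"
    return name


def looks_like_pcap(data):
    """Cheap sanity check before handing the file to a dissector."""
    return data[:4] in PCAP_MAGICS


def _urllib_transport(req):
    """Default transport: returns (status, headers, body) and never raises on HTTP errors."""
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read()


def get_pcap(apikey, hash_value, platform=None, agent=None, transport=None):
    """POST to /get/pcap/ and return (filename, pcap_bytes). `transport` is injectable for tests."""
    hash_value = validate_hash(hash_value)
    fields = {"apikey": apikey, "hash": hash_value}
    if platform is not None:
        if int(platform) not in KNOWN_PLATFORMS:
            raise ValueError(f"unknown platform id {platform}")
        fields["platform"] = str(platform)
    if agent:                      # pcc / prismaaccessapi for those key types
        fields["agent"] = agent
    body, ctype = build_multipart(fields)
    req = urllib.request.Request(WILDFIRE_URL, data=body, method="POST",
                                 headers={"Content-Type": ctype})
    status, headers, data = (transport or _urllib_transport)(req)
    if status == 404:
        # Documented cases: URL sample, non-malware verdict, >90 days old, or wrong platform
        raise LookupError("no PCAP available for this sample/platform (HTTP 404)")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    if not looks_like_pcap(data):
        raise ValueError("response body is not a libpcap/pcapng file")
    cd = next((v for k, v in headers.items() if k.lower() == "content-disposition"), None)
    return pcap_filename(cd, hash_value, platform), data


def demo_offline():
    """Run the flow against a constructed transport (no network); returns the chosen filename."""
    fake_header = b"\xd4\xc3\xb2\xa1" + b"\x00" * 20          # constructed little-endian libpcap header
    fake = lambda req: (200, {"Content-Disposition": 'attachment; filename="../x.2.pcap"'}, fake_header)
    name, _ = get_pcap("<API KEY>", "04f4f1c83f1e69b1f055202964536f13", platform=2, transport=fake)
    return name


if __name__ == "__main__":
    key = os.environ.get("WILDFIRE_API_KEY")
    if key:
        name, data = get_pcap(key, os.environ["SAMPLE_HASH"], os.environ.get("PLATFORM"))
        with open(name, "wb") as f:
            f.write(data)
        print("saved", name, len(data), "bytes")
    else:
        print("offline demo filename:", demo_offline())
```

The Content-Disposition sanitisation and the magic-number check are the two steps worth keeping even if you otherwise use plain `curl -JO`: the first stops a filename header from steering the write to another directory, and the second catches an HTML error page saved under a `.pcap` name. The returned capture was recorded while malware ran, so open it in an up-to-date dissector rather than an ad hoc parser.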