
PCAP Analysis


Don't miss out on critical forensic data! This Content Pack automates PCAP file analysis such as parsing, searching, extracting indicators, and more.

A common use case in incident response and forensics is analyzing network traffic and protocols by using network packet capture files as part of an investigation. PCAP files provide all the critical traffic data such as IP addresses in use, protocols, as well as the actual payload of the traffic itself.
The PCAP Analysis pack includes the PCAP Miner V2 script, as well as playbooks that automate the process of searching for and summarizing data within PCAP files, extracting indicators, decrypting traffic, and more. Cortex XSOAR can leverage the power of Wireshark to parse, search, and extract data from PCAP files.
With this content pack, you can significantly reduce the time and effort by automating the process of analyzing PCAP files and not miss out on critical data that can be extracted from them.
The PCAP Analysis playbook is meant to demonstrate the full range of PCAP analysis capabilities; however, the most common use case is to run each of the sub-playbooks separately. Review each playbook README for configuration details.

What does this pack do?

The script and playbooks included in this pack help you automate repetitive tasks associated with PCAP files:

  • Search PCAP files for common objects such as IP addresses, ports, protocols, or custom search filters just like in Wireshark.
  • Search for specific regex patterns within the payload.
  • Parse and extract protocol-specific data for several common protocols such as DNS, HTTP, and many more.
  • Display summarized search results.
  • Decrypt various encrypted traffic such as SSL and WPA (as long as decryption keys are provided).
  • Extract indicators such as IP addresses, URLs, domains, and files from the payload and perform enrichment on those indicators.
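To make the capabilities in the list above concrete, here is an added example of a small PCAP miner written for this page; it is not the pack's PCAP Miner V2 script and uses only the Python standard library. It parses a classic pcap file, lists the hosts and conversations, pulls query names out of DNS and the request line and Host header out of HTTP, and runs a caller-supplied regex over every payload, which is the same class of summary the playbooks produce. The two-frame capture at the bottom is constructed in memory (the addresses, names and MACs are invented) so the example runs offline; only Ethernet/IPv4 with UDP and TCP is decoded, which is an assumption that keeps the parser short.

```python
import re
import struct
from dataclasses import dataclass
from typing import Iterator, Optional

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, ethertype
IPV4 = struct.Struct("!BBHHHBBH4s4s")   # fixed part of the IPv4 header
UDP = struct.Struct("!HHHH")
TCP = struct.Struct("!HHIIBBHHH")


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes, ts: float) -> Optional[Packet]:
    """Decode Ethernet/IPv4/{UDP,TCP}; other ethertypes are skipped (assumption)."""
    if len(frame) < ETH.size + IPV4.size:
        return None
    _, _, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return None
    vihl, _, total_len, _, _, _, proto, _, src, dst = IPV4.unpack_from(frame, ETH.size)
    ihl = (vihl & 0x0F) * 4                 # header length in bytes, options included
    l4 = frame[ETH.size + ihl:ETH.size + total_len]
    if proto == 17 and len(l4) >= UDP.size:
        sport, dport, _, _ = UDP.unpack_from(l4, 0)
        return Packet(ts, ip_str(src), ip_str(dst), "udp", sport, dport, l4[UDP.size:])
    if proto == 6 and len(l4) >= TCP.size:
        sport, dport, _, _, doff, *_ = TCP.unpack_from(l4, 0)
        return Packet(ts, ip_str(src), ip_str(dst), "tcp", sport, dport, l4[(doff >> 4) * 4:])
    return Packet(ts, ip_str(src), ip_str(dst), f"ip-proto-{proto}", None, None, l4)


def parse_pcap(data: bytes) -> Iterator[Packet]:
    """Walk the record list of a classic pcap; both byte orders are accepted."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    ghdr, rec = struct.Struct(endian + "IHHiIII"), struct.Struct(endian + "IIII")
    if ghdr.unpack_from(data, 0)[6] != 1:   # link type 1 = Ethernet
        raise ValueError("only Ethernet captures are handled here")
    off = ghdr.size
    while off + rec.size <= len(data):
        ts_sec, ts_usec, incl_len, _ = rec.unpack_from(data, off)
        off += rec.size
        pkt = parse_frame(data[off:off + incl_len], ts_sec + ts_usec / 1e6)
        off += incl_len
        if pkt:
            yield pkt


def dns_query_names(payload: bytes) -> list:
    """Return the QNAMEs from the question section of a DNS message."""
    names = []
    if len(payload) < 12:
        return names
    qdcount = struct.unpack_from("!H", payload, 4)[0]
    off = 12
    for _ in range(qdcount):
        labels = []
        while off < len(payload):
            n, off = payload[off], off + 1
            if n == 0:
                break
            if n & 0xC0:                    # compression pointer: not expected in a question
                return names
            labels.append(payload[off:off + n].decode("ascii", "replace"))
            off += n
        names.append(".".join(labels))
        off += 4                            # skip QTYPE and QCLASS
    return names


def summarize(data: bytes, payload_regex: Optional[bytes] = None) -> dict:
    """Hosts, conversations, DNS names, HTTP request lines, Host-header domains and regex hits."""
    pkts = list(parse_pcap(data))
    report = {
        "packets": len(pkts),
        "ips": sorted({p.src for p in pkts} | {p.dst for p in pkts}),
        "conversations": sorted({(p.src, p.sport, p.dst, p.dport, p.proto) for p in pkts}),
        "dns_queries": [], "http_requests": [], "regex_hits": [], "domains": set(),
    }
    for i, p in enumerate(pkts):
        if p.proto == "udp" and 53 in (p.sport, p.dport):
            names = dns_query_names(p.payload)
            report["dns_queries"] += names
            report["domains"].update(names)
        if p.proto == "tcp" and p.payload[:4] in (b"GET ", b"POST", b"HEAD"):
            report["http_requests"].append(p.payload.split(b"\r\n", 1)[0].decode("ascii", "replace"))
            m = re.search(rb"(?im)^Host:\s*([^\r\n]+)", p.payload)
            if m:
                report["domains"].add(m.group(1).decode("ascii", "replace"))
        if payload_regex:
            report["regex_hits"] += [(i, m.group(0).decode("latin-1"))
                                     for m in re.finditer(payload_regex, p.payload)]
    report["domains"] = sorted(report["domains"])
    return report


# Constructed two-frame capture (invented addresses): a DNS query followed by an HTTP GET.
def _frame(proto: int, src: bytes, dst: bytes, l4: bytes) -> bytes:
    ip = IPV4.pack(0x45, 0, IPV4.size + len(l4), 1, 0, 64, proto, 0, src, dst)
    return ETH.pack(b"\x02" * 6, b"\x02" * 6, 0x0800) + ip + l4

_DNS = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
_HTTP = b"GET /update.bin HTTP/1.1\r\nHost: example.com\r\nUser-Agent: constructed\r\n\r\n"
_FRAMES = [
    _frame(17, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 53]), UDP.pack(53000, 53, UDP.size + len(_DNS), 0) + _DNS),
    _frame(6, bytes([10, 0, 0, 5]), bytes([198, 51, 100, 10]), TCP.pack(40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + _HTTP),
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f for i, f in enumerate(_FRAMES))

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_PCAP, payload_regex=rb"\.bin\b"))
```

Running the file prints the report for the constructed capture; pointing `summarize()` at the bytes of a real Ethernet pcap works the same way. The parser deliberately stops at the first compression pointer in a DNS question and ignores non-IPv4 frames, so on production captures it under-reports rather than mis-attributes; a real investigation would lean on the pack's Wireshark-backed filters for full protocol coverage.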

We encourage you to learn more about the PCAP Analysis playbook.

Demo Video

PCAP Analysis in Cortex XSOAR

Pack Contributors:

  • Masahiko Inoue

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.


PUBLISHER

PLATFORMS

Cortex XSOAR, Cortex XSIAM

INFO

Certification: Read more
Supported By: Cortex
Created: June 29, 2020
Last Release: June 26, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.