PCAP Analysis | Marketplace

Details
Content
Dependencies
Version History

Don't miss out on critical forensic data! This Content Pack automates PCAP file analysis such as parsing, searching, extracting indicators, and more.

A common use case in incident response and forensics is analyzing network traffic and protocols by using network packet capture files as part of an investigation. PCAP files provide all the critical traffic data such as IP addresses in use, protocols, as well as the actual payload of the traffic itself.
The PCAP Analysis pack includes the PCAP Miner V2 script, as well as playbooks that automate the process of searching for and summarizing data within PCAP files, extracting indicators, decrypting traffic, and more. Cortex XSOAR can leverage the power of Wireshark to parse, search, and extract data from PCAP files.
With this content pack, you can significantly reduce the time and effort by automating the process of analyzing PCAP files and not miss out on critical data that can be extracted from them.
The PCAP Analysis playbook is meant to demonstrate the full range of PCAP analysis capabilities, however, the most common use case is to use each of the sub-playbooks separately. Review each playbook README for configuration details.

What does this pack do?

The script and playbooks included in this pack help you automate repetitive tasks associated with PCAP files:

Search PCAP files for common objects such as IP addresses, ports, protocols, or custom search filters just like in Wireshark.
Search for specific regex patterns with the payload.
Parse and extract protocol-specific data for several common protocols such as DNS, HTTP, and many more.
Display summarized search results.
Decrypt various encrypted traffic such as SSL and WPA (as long as decryption keys are provided).
Extract indicators such as IP addresses, URLs, domains, and files from the payload and perform enrichment on those indicators.

We encourage you to learn more about the PCAP Analysis playbook

Demo Video

Pack Contributors:

Masahiko Inoue

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

A common use case in incident response and forensics is analyzing network traffic and protocols by using network packet capture files as part of an investigation. PCAP files provide all the critical traffic data such as IP addresses in use, protocols, as well as the actual payload of the traffic itself.
The PCAP Analysis pack includes the PCAP Miner V2 script, as well as playbooks that automate the process of searching for and summarizing data within PCAP files, extracting indicators, decrypting traffic, and more. Cortex XSIAM can leverage the power of Wireshark to parse, search, and extract data from PCAP files.
With this content pack, you can significantly reduce the time and effort by automating the process of analyzing PCAP files and not miss out on critical data that can be extracted from them.
The PCAP Analysis playbook is meant to demonstrate the full range of PCAP analysis capabilities, however, the most common use case is to use each of the sub-playbooks separately. Review each playbook README for configuration details.

What does this pack do?

The script and playbooks included in this pack help you automate repetitive tasks associated with PCAP files:

Search PCAP files for common objects such as IP addresses, ports, protocols, or custom search filters just like in Wireshark.
Search for specific regex patterns with the payload.
Parse and extract protocol-specific data for several common protocols such as DNS, HTTP, and many more.
Display summarized search results.
Decrypt various encrypted traffic such as SSL and WPA (as long as decryption keys are provided).
Extract indicators such as IP addresses, URLs, domains, and files from the payload and perform enrichment on those indicators.

We encourage you to learn more about the PCAP Analysis playbook

Demo Video

Pack Contributors:

Masahiko Inoue

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Automations

Name	Description
PcapFileExtractStreams	Extract payloads of each stream from a pcap file.
PcapFileExtractor	This automation extracts all possible files from a PCAP file.
PcapExtractStreams	Extract payloads of each stream from a pcap. The payloads will be retrieved with an array of dictionaries of these keys: protocol client_ip client_port server_ip server_port stream_size stream_text stream_base64 outgoing_size outgoing_text outgoing_base64 incoming_size incoming_text incoming_base64.
PcapMinerV2	PcapMIner V2 allows to parse PCAP files by displaying the all of the relevant data within including ip addresses, ports, flows, specific protocol breakdown, searching by regex, decrypting encrypted traffic and more. This automation takes about a minute to process 20,000 packets (which is approximately 10MB). If you want to mine large files you can either: a) Use the `pcap_filter` parameter to filter your PCAP file and thus make is smaller. b) Copy the automation and change the `default timeout` parameter to match your needs.
PcapConvert	Convert packet data to the standard pcap. Currently it only supports CDL(NGFW) pcap from which to convert.

Incident Fields

Name	Description
PCAP End Time
PCAP Number Of Streams
PCAP File Name
PCAP Number Of Packets
PCAP file
PCAP Flows
PCAP File Size
PCAP Encryption key
PCAP Start Time

Incident Types

Name	Description
PCAP Analysis

Layouts

Name	Description
PCAP Analysis

Playbooks

Name	Description
PCAP Search	This playbook is used to parse and search within PCAP files. Supported file types are pcap, cap, pcapng. The playbook can handle one PCAP file per incident. The user inputs which objects the playbook should search for in the PCAP. The values to search are IP addresses, CIDR ranges, and TCP or UDP ports or protocols. In the event that more than one input type was specified, specify in the QueryOperator input (such as IP addresses and TCP ports) if the PCAP filter query will use an AND or an OR operator between the inputs. Another option is to use advanced filters just like in Wireshark to use refined filters or for objects not specified in other inputs. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and adding an RSA certificate to decrypt SSL traffic. To display the results within the relevant incident fields, the playbook needs to run in a PCAP Analysis incident type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.
PCAP Parsing And Indicator Enrichment	This playbook is used to parse and extract indicators within PCAP files and perform enrichment on the detected indicators. Supported file types are pcap, cap, pcapng. The playbook can handle one PCAP file per incident. The user inputs which indicator types are to be enriched including, email, URLs, IP addresses. The user can specify in the inputs which indicators are internal or that will be treated as internal (not enriched). The user can also specify a specific regex pattern to search for. Another option is to specify the protocol types to be printed to context for data extraction. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and add an RSA certificate to decrypt SSL traffic. To display the results within the relevant incident fields, the playbook needs to run in a PCAP Analysis incident type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.
PCAP File Carving	This playbook is used to carve (extract) files from within PCAP files and perform enrichment and detonation of the extracted files. Supported PCAP file types are pcap, cap, pcapng. The playbook can handle one PCAP file per incident. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and adding an RSA certificate to decrypt SSL traffic. Additional options enable you to filter the files to extract according to the file extension or the actual file type (MIME), and limit the amount of files to extract. Another feature enables you to specify a filter to create a new smaller PCAP file. To display the results within the relevant incident fields, the playbook needs to run in a PCAP Analysis incident type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.
PCAP Analysis	This playbook leverages all of the PCAP miner and PCAP file extractor sub playbook capabilities, including: * Search for specific values in a PCAP file * Parse and enrich detected indicators such as IP addresses, URLs, email addresses and domains found by the search . * Carve (extract) files found in the http, smb and other protocols and perform enrichment and detonation.

Automations

Name	Description
PcapMinerV2	PcapMIner V2 allows to parse PCAP files by displaying the all of the relevant data within including ip addresses, ports, flows, specific protocol breakdown, searching by regex, decrypting encrypted traffic and more. This automation takes about a minute to process 20,000 packets (which is approximately 10MB). If you want to mine large files you can either: a) Use the `pcap_filter` parameter to filter your PCAP file and thus make is smaller. b) Copy the automation and change the `default timeout` parameter to match your needs.
PcapFileExtractStreams	Extract payloads of each stream from a pcap file.
PcapExtractStreams	Extract payloads of each stream from a pcap. The payloads will be retrieved with an array of dictionaries of these keys: protocol client_ip client_port server_ip server_port stream_size stream_text stream_base64 outgoing_size outgoing_text outgoing_base64 incoming_size incoming_text incoming_base64.
PcapConvert	Convert packet data to the standard pcap. Currently it only supports CDL(NGFW) pcap from which to convert.
PcapFileExtractor	This automation extracts all possible files from a PCAP file.

Incident Fields

Name	Description
PCAP Start Time
PCAP Flows
PCAP Encryption key
PCAP file
PCAP File Size
PCAP Number Of Streams
PCAP End Time
PCAP Number Of Packets

Incident Types

Name	Description
PCAP Analysis

Playbooks

Name	Description
PCAP Parsing And Indicator Enrichment	This playbook is used to parse and extract indicators within PCAP files and perform enrichment on the detected indicators. Supported file types are pcap, cap, pcapng. The playbook can handle one PCAP file per alert. The user inputs which indicator types are to be enriched including, email, URLs, IP addresses. The user can specify in the inputs which indicators are internal or that will be treated as internal (not enriched). The user can also specify a specific regex pattern to search for. Another option is to specify the protocol types to be printed to context for data extraction. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and add an RSA certificate to decrypt SSL traffic. To display the results within the relevant alert fields, the playbook needs to run in a PCAP Analysis alert type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.
PCAP Analysis	This playbook leverages all of the PCAP miner and PCAP file extractor sub playbook capabilities, including: * Search for specific values in a PCAP file * Parse and enrich detected indicators such as IP addresses, URLs, email addresses and domains found by the search . * Carve (extract) files found in the http, smb and other protocols and perform enrichment and detonation.
PCAP File Carving	This playbook is used to carve (extract) files from within PCAP files and perform enrichment and detonation of the extracted files. Supported PCAP file types are pcap, cap, pcapng. The playbook can handle one PCAP file per alert. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and adding an RSA certificate to decrypt SSL traffic. Additional options enable you to filter the files to extract according to the file extension or the actual file type (MIME), and limit the amount of files to extract. Another feature enables you to specify a filter to create a new smaller PCAP file. To display the results within the relevant alert fields, the playbook needs to run in a PCAP Analysis alert type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.
PCAP Search	This playbook is used to parse and search within PCAP files. Supported file types are pcap, cap, pcapng. The playbook can handle one PCAP file per alert. The user inputs which objects the playbook should search for in the PCAP. The values to search are IP addresses, CIDR ranges, and TCP or UDP ports or protocols. In the event that more than one input type was specified, specify in the QueryOperator input (such as IP addresses and TCP ports) if the PCAP filter query will use an AND or an OR operator between the inputs. Another option is to use advanced filters just like in Wireshark to use refined filters or for objects not specified in other inputs. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and adding an RSA certificate to decrypt SSL traffic. To display the results within the relevant alert fields, the playbook needs to run in a PCAP Analysis alert type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR

Optional Content Packs (40)

Pack Name	Pack By
APIVoid	By: Cortex XSOAR
AbuseIPDB	By: Cortex XSOAR
AlienVault OTX	By: Cortex XSOAR
Anomali ThreatStream	By: Cortex XSOAR
AutoFocus by Palo Alto Networks	By: Cortex XSOAR
Awake Security	By: Cortex XSOAR
CrowdStrike Falcon Intel	By: Cortex XSOAR
EclecticIQ Platform	By: EclecticIQ
Flashpoint	By: Flashpoint
Chronicle	By: Chronicle
Google Safe Browsing	By: Cortex XSOAR
HelloWorld	By: Cortex XSOAR
Ipstack	By: Cortex XSOAR
IsItPhishing	By: Cortex XSOAR
MISP	By: Cortex XSOAR
Maltiverse	By: Cortex XSOAR
MaxMind GeoIP2	By: Cortex XSOAR
OpenPhish	By: Cortex XSOAR
PassiveTotal	By: RiskIQ
PhishTank	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Pipl	By: Cortex XSOAR
PolySwarm	By: PolySwarm
Pwned	By: Cortex XSOAR
ServiceNow	By: Cortex XSOAR
Shodan	By: Cortex XSOAR
SlashNext Phishing Incident Response - Annual Subscription (Direct Subscription)	By: SlashNext
ThreatConnect	By: Cortex XSOAR
ThreatExchange	By: Cortex XSOAR
ThreatMiner	By: Cortex XSOAR
ThreatQ	By: Cortex XSOAR
TruSTAR (Deprecated)	By: TruSTAR
URLhaus	By: Cortex XSOAR
URLScan.io	By: urlscan GmbH
VirusTotal	By: VirusTotal
IBM X-Force Exchange	By: Cortex XSOAR
Zscaler Internet Access	By: Cortex XSOAR
Analyst1	By: Analyst1
Ipinfo	By: Cortex XSOAR
FireEye iSIGHT	By: Cortex XSOAR

All level dependencies (7)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Base	By: Cortex XSOAR

2.4.10 - 1647729 (November 14, 2024)

Scripts

PcapConvert

Updated the Docker image to: demisto/pcap-miner:1.0.0.115465.

PcapFileExtractStreams

Updated the Docker image to: demisto/pcap-miner:1.0.0.115465.

PcapExtractStreams

Updated the Docker image to: demisto/pcap-miner:1.0.0.115465.

PcapMinerV2

Updated the Docker image to: demisto/pcap-miner:1.0.0.115465.

Related pull requests:
- 37191
- 37183

Download

2.4.9 - 1125139 (June 26, 2024)

Scripts

PcapExtractStreams

Updated the Docker image to: demisto/pcap-miner:1.0.0.96695.

Related pull requests:
- 34968
- 34716
- 34718
- 34717
- 34719
- 34715

Download

2.4.8 - 916317 (March 26, 2024)

Scripts

PcapFileExtractor

Updated the Docker image to: demisto/pcap-miner:1.0.0.90440.

PcapMinerV2

Updated the Docker image to: demisto/pcap-miner:1.0.0.90440.

Related pull requests:
- 33514
- 33458
- 33455
- 33501
- 33509
- 33490
- 33477
- 33461
- 33365
- 33315
- 33454

Download

2.4.7 - R828628 (February 14, 2024)

Scripts

PcapConvert

Updated the Docker image to: demisto/pcap-miner:1.0.0.80182.

Related pull requests:
- 30894

Download

2.4.6 - 6647170 (October 19, 2023)

Scripts

PcapFileExtractStreams

Added an entry_id parameter to the output.
Updated the Docker image to: demisto/pcap-miner:1.0.0.78355.

Related pull requests:
- 30306
- 30289

Download

2.4.5 - R5692327 (July 5, 2023)

Layouts

PCAP Analysis
This item is no longer supported in XSIAM.

Related pull requests:
- 24222

Download

2.4.4 - R3921089 (October 26, 2022)

Scripts

PcapExtractStreams
Fixed an issue where it doesn't return any errors when failed to parse a pcap.
Updated the Docker image to: demisto/pcap-miner:1.0.0.32154.
PcapConvert
Fixed an issue where it doesn't return any errors when failed to parse a pcap.
Updated the Docker image to: demisto/pcap-miner:1.0.0.32154.

Related pull requests:
- 20027
- 19947

Download

2.4.3 - 3200623 (July 4, 2022)

Scripts

New: PcapConvert

You can now convert packet data to the standard pcap. Currently, it only supports CDL(NGFW) pcap from which to convert. (Available from Cortex XSOAR 6.2.0).

New: PcapFileExtractStreams

You can now extract payloads of each stream from a pcap file. (Available from Cortex XSOAR 6.2.0).

New: PcapExtractStreams

You can now extract payloads of each stream from a pcap. (Available from Cortex XSOAR 6.2.0).

Related pull requests:
- 19150

Download

2.4.2 - R2943817 (May 18, 2022)

Scripts

PcapFileExtractor

Fixed lint issues.

Download

2.4.1 - 2387690 (February 9, 2022)

Incident Fields

PCAP File Name

Download

2.4.0 - R2146019 (December 21, 2021)

Layouts

PCAP Analysis Incident

Added a new section to show the carved extracted files.

Playbooks

PCAP File Carving

Check whether to perform auto enrichment to carved files using the playbook input.
Extended playbook file outputs.

Download

2.3.8 - 276977 (February 10, 2021)

Playbooks

PCAP Parsing And Indicator Enrichment

Fixed input for email enrichment task.

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	June 29, 2020
Last Release	November 14, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.