Introducing the PacketTotal Search API


PacketTotal is an excellent tool for understanding the ever-changing techniques of malicious adversaries and how they communicate.

Our new Search API provides a powerful interface that goes well beyond the search functionality granted by the public web interface.


Search by Indicators

Find packet captures containing any domain name, IP address, malware strain, protocol used (SSH, SMTP, etc.), and more.


{
   "result_count": 113,
   "results": [
      {
         "id": "4f2e492cbd2e...",
         "found_in": [
            "signature_alerts",
            "dns",
            "ftp"
         ],
         "match_score": 990.1
      },
      {
         "id": "cf3a2864569...",
         "found_in": [
            "signature_alerts",
            "intel"
         ],
         "match_score": 315.2
      },
      {
         "id": "g3112ga4119...",
         "found_in": [
            "dns",
            "ftp",
            "files",
            "modbus"
         ],
         "match_score": 221.5
      },
      ...
   ]
}

Understand the Results in Context

Retrieve analysis of any pcap on PacketTotal, including malicious signatures, top-talkers, and connection stats.


{
 "analysis_summary": {
  "top_talkers": {
   "source_ips": {
    "10.0.2.15": "100.0%"
   },
   "destination_ips": {
    "195.133.146.232": "50.0%",
    "104.25.219.21": "50.0%"
   }
  },
  "connection_statistics": {
   "services": {
    "dns": "90.9%",
    "ssl": "9.1%"
   },
   "transport_protocols": {
    "tcp": "66.6%",
    "udp": "33.3%"
   }
  },
  "file_statistics": {
   "mime_types": {
    "text/json": "100.0%"
   }
  },
  "signatures": [
   "ET TROJAN Malicious SSL certificate detected (Dridex CnC)"
  ],
  "malicious_traffic": true
 }
}
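As an added example (not PacketTotal's own client code), the following parses the two response shapes shown above: it ranks search hits by match_score, optionally requiring a match in specific log sources, and flattens an analysis_summary into the fields an analyst checks first. The endpoint and authentication are not shown on this page, so the responses are embedded inline as constructed samples with illustrative ids.

```python
import json

# Constructed sample responses mirroring the shapes shown on this page
# (ids, IPs and percentages are illustrative, not real PacketTotal data).
SEARCH_RESPONSE = json.loads("""{
 "result_count": 3,
 "results": [
  {"id": "4f2e492cbd2e", "found_in": ["signature_alerts", "dns", "ftp"], "match_score": 990.1},
  {"id": "cf3a2864569", "found_in": ["signature_alerts", "intel"], "match_score": 315.2},
  {"id": "g3112ga4119", "found_in": ["dns", "ftp", "files", "modbus"], "match_score": 221.5}
 ]}""")

ANALYSIS_RESPONSE = json.loads("""{
 "analysis_summary": {
  "top_talkers": {"source_ips": {"10.0.2.15": "100.0%"},
                  "destination_ips": {"195.133.146.232": "50.0%", "104.25.219.21": "50.0%"}},
  "connection_statistics": {"services": {"dns": "90.9%", "ssl": "9.1%"},
                            "transport_protocols": {"tcp": "66.6%", "udp": "33.3%"}},
  "file_statistics": {"mime_types": {"text/json": "100.0%"}},
  "signatures": ["ET TROJAN Malicious SSL certificate detected (Dridex CnC)"],
  "malicious_traffic": true
 }}""")


def rank_hits(search_response, min_score=0.0, require=()):
    """Return (id, match_score) pairs sorted best-first, keeping only captures
    that scored at least min_score and matched in every log source in `require`."""
    wanted = set(require)
    hits = [(r["id"], r["match_score"]) for r in search_response["results"]
            if r["match_score"] >= min_score and wanted <= set(r["found_in"])]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def pct(value):
    """The API reports shares as percentage strings: '90.9%' -> 90.9."""
    return float(value.rstrip("%"))


def triage(analysis_response):
    """Flatten an analysis_summary into a small triage record."""
    s = analysis_response["analysis_summary"]
    dests = s["top_talkers"]["destination_ips"]
    services = s["connection_statistics"]["services"]
    return {
        "malicious": s["malicious_traffic"],
        "signatures": list(s["signatures"]),
        "top_destination": max(dests, key=lambda ip: pct(dests[ip])),
        "dominant_service": max(services, key=lambda svc: pct(services[svc])),
    }
```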

Download the Full Analysis

Download the packet capture, and any analysis files, including transferred files, signatures fired, logs generated, and external references.


├── a9b2b0b918asbeb708211248.pcap
├── artifacts
│   ├── HTTP
│   │   ├── Fltln4Pb20OxKj.exe
│   │   ├── FfYlbKjQolMXxl.htm
│   │   ├── FfYlbKjQolMXxl.htm
│   │   ├── FfYlbKjQoaMaxt.png
│   │   ├── FNtta1aaag1xKj.gif
│   │   ├── FNt9n4Pb20OxKj.exe
│   │   ├── FRZbQJ27l9yyZk.unk
│   │   ├── Ff69ya3WAI7blk.unk
│   │   └── Fi48k8mIyEUdSb.bat
│   └── SSL
│       ├── F02LWntDLnH25b.unk
│       ├── FwQ4ydN0IIFvka.unk
│       ├── FQa4ydN0IIFvka.unk
│       ├── FwQ5ydN0IIFvka.unk
│       ├── FxFFmvRbGAX1C8.unk
│       ├── FxAFmvRbGAX1C8.unk
│       ├── FxAf0vRbGAX1C8.unk
│       └── FzmSHNYfKVQ0Xg.unk
├── conn.csv
├── dhcp.csv
├── dns.csv
├── files.csv
├── http.csv
├── pe.csv
├── signature_alerts.csv
├── intel.csv
├── community_tags.csv
├── ssl.csv
├── weird.csv
└── x509.csv

In addition to these features, the API provides:


  • Similar Packet Captures: Quickly identify any pcaps with similar behavior or contents. Discover relationships between captures and easily identify common malicious techniques.

  • Background Search Jobs: For complex search queries, you may opt to run them as a background job. These searches take longer to run, but often return much more comprehensive results.


Read the Docs