Introducing the PacketTotal API


PacketTotal is an excellent tool for understanding the ever-changing techniques of malicious adversaries and how they communicate within our networks.

Our new API provides the ability to analyze, search, and download malicious network traffic.





Analyze Packet Captures

Programmatically upload and analyze .pcap/.pcapng files. View the results on PacketTotal.com, or explore them through the API.
*6MB Upload Max


{
  "id": "10fc81d13d6914b599f4299ab1dc51f4",
  "queue": "https://packettotal.com/app/queue?id=10fc81d13d6914b599f4299ab1dc51f4"
}
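Before spending an upload on a file, it is worth checking locally that it really is a pcap or pcapng and that it fits under the 6MB cap, and then validating the id/queue reply before polling it. The following is an added example, not code from PacketTotal or its SDK: it does the magic-number checks (libpcap and pcapng Section Header Block) and size check offline, and parses a reply shaped like the one above. The byte value of "6MB" (6 * 1024 * 1024), the 32-hex-character id format, and the sample headers are assumptions made for the example; no endpoint is called.

```python
"""Pre-flight checks for a capture before submitting it, plus parsing of the submit reply."""
import json
import re
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import urlparse

# The page states a 6MB upload maximum; reading that as 6 * 1024 * 1024 bytes is an assumption.
MAX_UPLOAD_BYTES = 6 * 1024 * 1024

# libpcap global-header magic numbers: both byte orders, microsecond and nanosecond timestamps.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",  # microsecond timestamps
    b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1",  # nanosecond timestamps
}
# pcapng: Section Header Block type, 4-byte block length, then byte-order magic 0x1A2B3C4D.
PCAPNG_BLOCK_TYPE = b"\x0a\x0d\x0d\x0a"
PCAPNG_BYTE_ORDER_MAGICS = {b"\x1a\x2b\x3c\x4d", b"\x4d\x3c\x2b\x1a"}


def detect_capture_format(header: bytes) -> Optional[str]:
    """Return 'pcap', 'pcapng', or None from the leading bytes of a file."""
    if len(header) >= 4 and header[:4] in PCAP_MAGICS:
        return "pcap"
    if (len(header) >= 12 and header[:4] == PCAPNG_BLOCK_TYPE
            and header[8:12] in PCAPNG_BYTE_ORDER_MAGICS):
        return "pcapng"
    return None


def check_upload_candidate(data: bytes, filename: str) -> Tuple[bool, str]:
    """Accept only .pcap/.pcapng names whose content carries a real capture magic and fits the cap."""
    if not filename.lower().endswith((".pcap", ".pcapng")):
        return False, f"{filename}: extension must be .pcap or .pcapng"
    fmt = detect_capture_format(data[:12])
    if fmt is None:
        return False, f"{filename}: not a pcap/pcapng file (bad magic)"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, f"{filename}: {len(data)} bytes exceeds the {MAX_UPLOAD_BYTES}-byte limit"
    return True, f"{filename}: {fmt}, {len(data)} bytes"


def check_upload_file(path: str) -> Tuple[bool, str]:
    """Same check, reading the capture from disk."""
    p = Path(path)
    return check_upload_candidate(p.read_bytes(), p.name)


def parse_submit_response(body: str) -> dict:
    """Validate an {"id", "queue"} reply: 32 hex characters and an https queue URL carrying that id.
    The id format is assumed from the sample reply, not documented on the page."""
    reply = json.loads(body)
    pcap_id = reply.get("id", "")
    queue = reply.get("queue", "")
    if not re.fullmatch(r"[0-9a-f]{32}", pcap_id):
        raise ValueError(f"unexpected id format: {pcap_id!r}")
    parsed = urlparse(queue)
    if parsed.scheme != "https" or f"id={pcap_id}" not in parsed.query:
        raise ValueError(f"queue URL does not reference id {pcap_id}: {queue!r}")
    return {"id": pcap_id, "queue": queue}


# Constructed sample inputs (not real captures): a minimal little-endian pcap global header
# and a pcapng Section Header Block prefix, plus the reply shown on the page.
SAMPLE_PCAP_HEADER = b"\xd4\xc3\xb2\xa1" + b"\x02\x00\x04\x00" + b"\x00" * 16
SAMPLE_PCAPNG_HEADER = b"\x0a\x0d\x0d\x0a" + b"\x1c\x00\x00\x00" + b"\x4d\x3c\x2b\x1a" + b"\x00" * 16
SAMPLE_RESPONSE = ('{"id": "10fc81d13d6914b599f4299ab1dc51f4", '
                   '"queue": "https://packettotal.com/app/queue?id=10fc81d13d6914b599f4299ab1dc51f4"}')

if __name__ == "__main__":
    print(check_upload_candidate(SAMPLE_PCAP_HEADER, "sample.pcap"))
    print(check_upload_candidate(SAMPLE_PCAPNG_HEADER, "sample.pcapng"))
    print(check_upload_candidate(b"MZ" + b"\x00" * 10, "notes.pcap"))
    print(parse_submit_response(SAMPLE_RESPONSE))
```

The magic check matters more than the extension: a renamed file wastes an upload and, at the 6MB limit, a large capture should be trimmed (for example with editcap or a BPF filter on a fresh capture) rather than rejected by the server.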

Search by Indicators

Find packet captures containing any domain name, IP address, malware strain, protocol used (SSH, SMTP, etc.), and more.


{
   "result_count": 113,
   "results": [
      {
         "id": "4f2e492cbd2e...",
         "found_in": [
            "signature_alerts",
            "dns",
            "ftp"
         ],
         "match_score": 990.1
      },
      {
         "id": "cf3a2864569...",
         "found_in": [
            "signature_alerts",
            "intel"
         ],
         "match_score": 315.2
      },
      {
         "id": "g3112ga4119...",
         "found_in": [
            "dns",
            "ftp",
            "files",
            "modbus"
         ],
         "match_score": 221.5
      },
     ...
  ]
}

Understand the Results in Context

Retrieve analysis of any pcap on PacketTotal, including malicious signatures, top-talkers, and connection stats.


{
  "analysis_summary": {
    "top_talkers": {
      "source_ips": {
        "10.0.2.15": "100.0%"
      },
      "destination_ips": {
        "195.133.146.232": "50.0%",
        "104.25.219.21": "50.0%"
      }
    },
    "connection_statistics": {
      "services": {
        "dns": "90.9%",
        "ssl": "9.1%"
      },
      "transport_protocols": {
        "tcp": "66.6%",
        "udp": "33.3%"
      }
    },
    "file_statistics": {
      "mime_types": {
        "text/json": "100.0%"
      }
    },
    "signatures": [
      "ET TROJAN Malicious SSL certificate detected (Dridex CnC)"
    ],
    "malicious_traffic": true
  }
}
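A search returns many hits, and the analysis summary reports shares as percentage strings, so a small amount of client-side triage helps before opening captures one by one. The following is an added example, not code from PacketTotal or its SDK: it ranks search hits so that captures matched in signature_alerts or intel come before plain protocol matches (that weighting is this example's choice, not something the API does), and reduces a summary like the one above to the facts an analyst pivots on. The sample responses are copied from this page; the truncated ids are kept as shown.

```python
"""Client-side triage of the search and analysis-summary responses."""
import json
from typing import List

# Sources that indicate a detection rather than a protocol or indicator hit.
# The source names come from the page's "found_in" values; treating these two as
# higher-signal is this example's policy, not the API's.
DETECTION_SOURCES = {"signature_alerts", "intel"}


def rank_search_results(response: dict) -> List[dict]:
    """Detection-backed hits first, then by match_score descending."""
    def key(hit: dict):
        backed = bool(DETECTION_SOURCES.intersection(hit.get("found_in", [])))
        return (backed, float(hit.get("match_score", 0.0)))
    return sorted(response.get("results", []), key=key, reverse=True)


def hits_found_in(response: dict, source: str) -> List[str]:
    """Ids of hits that matched in a particular source, e.g. 'modbus'."""
    return [h["id"] for h in response.get("results", []) if source in h.get("found_in", [])]


def pct(value: str) -> float:
    """'90.9%' -> 90.9; the summary reports shares as percentage strings."""
    return float(value.strip().rstrip("%"))


def summarize_analysis(report: dict, talker_threshold: float = 25.0) -> dict:
    """Reduce an analysis_summary to a verdict, the fired signatures, and the heavy destinations.
    talker_threshold is a percentage share chosen for this example."""
    summary = report["analysis_summary"]
    dests = summary.get("top_talkers", {}).get("destination_ips", {})
    services = summary.get("connection_statistics", {}).get("services", {})
    mime_types = summary.get("file_statistics", {}).get("mime_types", {})
    return {
        "malicious": bool(summary.get("malicious_traffic", False)),
        "signatures": list(summary.get("signatures", [])),
        "heavy_destinations": sorted(ip for ip, share in dests.items() if pct(share) >= talker_threshold),
        "dominant_service": max(services, key=lambda s: pct(services[s])) if services else None,
        "mime_types": sorted(mime_types),
    }


# Sample responses copied from the page (the third id is shown truncated there as well).
SAMPLE_SEARCH = json.loads("""{
  "result_count": 113,
  "results": [
    {"id": "4f2e492cbd2e...", "found_in": ["signature_alerts", "dns", "ftp"], "match_score": 990.1},
    {"id": "cf3a2864569...", "found_in": ["signature_alerts", "intel"], "match_score": 315.2},
    {"id": "g3112ga4119...", "found_in": ["dns", "ftp", "files", "modbus"], "match_score": 221.5}
  ]
}""")

SAMPLE_ANALYSIS = json.loads("""{
  "analysis_summary": {
    "top_talkers": {
      "source_ips": {"10.0.2.15": "100.0%"},
      "destination_ips": {"195.133.146.232": "50.0%", "104.25.219.21": "50.0%"}
    },
    "connection_statistics": {
      "services": {"dns": "90.9%", "ssl": "9.1%"},
      "transport_protocols": {"tcp": "66.6%", "udp": "33.3%"}
    },
    "file_statistics": {"mime_types": {"text/json": "100.0%"}},
    "signatures": ["ET TROJAN Malicious SSL certificate detected (Dridex CnC)"],
    "malicious_traffic": true
  }
}""")

if __name__ == "__main__":
    for hit in rank_search_results(SAMPLE_SEARCH):
        print(hit["id"], hit["match_score"], hit["found_in"])
    print(summarize_analysis(SAMPLE_ANALYSIS))
```

Note that result_count (113 here) is larger than the number of hits in the body, so a client that wants every match must page through or use a background search job rather than assume the first response is complete.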

Download the Full Analysis

Download the packet capture, and any analysis files, including transferred files, signatures fired, logs generated, and external references.


├── a9b2b0b918asbeb708211248.pcap
├── artifacts
│   ├── HTTP
│   │   ├── Fltln4Pb20OxKj.exe
│   │   ├── FfYlbKjQolMXxl.htm
│   │   ├── FfYlbKjQolMXxl.htm
│   │   ├── FfYlbKjQoaMaxt.png
│   │   ├── FNtta1aaag1xKj.gif
│   │   ├── FNt9n4Pb20OxKj.exe
│   │   ├── FRZbQJ27l9yyZk.unk
│   │   ├── Ff69ya3WAI7blk.unk
│   │   └── Fi48k8mIyEUdSb.bat
│   └── SSL
│       ├── F02LWntDLnH25b.unk
│       ├── FwQ4ydN0IIFvka.unk
│       ├── FQa4ydN0IIFvka.unk
│       ├── FwQ5ydN0IIFvka.unk
│       ├── FxFFmvRbGAX1C8.unk
│       ├── FxAFmvRbGAX1C8.unk
│       ├── FxAf0vRbGAX1C8.unk
│       └── FzmSHNYfKVQ0Xg.unk
├── conn.csv
├── dhcp.csv
├── dns.csv
├── files.csv
├── http.csv
├── pe.csv
├── signature_alerts.csv
├── intel.csv
├── community_tags.csv
├── ssl.csv
├── weird.csv
└── x509.csv
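The bundle lays extracted files out by protocol under artifacts/, and many of them arrive with a .unk extension, so the first thing to do with a download is inventory and hash the artifacts by content rather than by name. The following is an added example, not code from PacketTotal or its SDK: it walks a bundle (or an in-memory map of the same layout), sniffs each artifact's type from its leading bytes, computes SHA-256 for pivoting to other sources, and flags files whose extension disagrees with their content. The file contents below are constructed; only the paths follow the listing above, and the one mismatched png entry is hypothetical.

```python
"""Inventory and hash the extracted artifacts in a downloaded analysis bundle."""
import hashlib
from pathlib import Path
from typing import Dict, List

# Content sniffing by leading bytes; the extension is only a hint in these bundles.
MAGICS = [
    (b"MZ", "pe"),
    (b"\x7fELF", "elf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
]
# What a given extension claims to be, for the mismatch check.
EXPECTED_TYPE = {"exe": "pe", "dll": "pe", "png": "png", "gif": "gif", "pdf": "pdf", "zip": "zip"}


def sniff(data: bytes) -> str:
    """Label the content by its leading bytes, or 'unknown'."""
    for magic, label in MAGICS:
        if data.startswith(magic):
            return label
    return "unknown"


def inventory_artifacts(files: Dict[str, bytes]) -> List[dict]:
    """files maps a bundle-relative POSIX path (e.g. 'artifacts/HTTP/x.exe') to its bytes.
    Only files under artifacts/<PROTOCOL>/ are inventoried; the pcap and csv logs are skipped."""
    rows = []
    for rel, data in sorted(files.items()):
        parts = rel.split("/")
        if len(parts) < 3 or parts[0] != "artifacts":
            continue
        ext = parts[-1].rsplit(".", 1)[-1].lower() if "." in parts[-1] else ""
        kind = sniff(data)
        rows.append({
            "path": rel,
            "protocol": parts[1],
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "type": kind,
            "ext_mismatch": ext in EXPECTED_TYPE and EXPECTED_TYPE[ext] != kind,
        })
    return rows


def executables(rows: List[dict]) -> List[dict]:
    """Artifacts that are native executables by content, whatever their name."""
    return [r for r in rows if r["type"] in ("pe", "elf")]


def inventory_bundle(bundle_dir: str) -> List[dict]:
    """Read a bundle directory from disk and inventory its artifacts."""
    root = Path(bundle_dir)
    files = {p.relative_to(root).as_posix(): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    return inventory_artifacts(files)


# Constructed bundle contents: paths follow the listing on the page, bytes are made up.
SAMPLE_BUNDLE = {
    "a9b2b0b918asbeb708211248.pcap": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20,
    "artifacts/HTTP/Fltln4Pb20OxKj.exe": b"MZ" + b"\x00" * 62,
    "artifacts/HTTP/FfYlbKjQoaMaxt.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "artifacts/HTTP/FRZbQJ27l9yyZk.unk": b"\x7fELF" + b"\x00" * 12,
    "artifacts/SSL/F02LWntDLnH25b.unk": b"\x16\x03\x01\x00\x2a",
    "artifacts/HTTP/hypothetical.png": b"MZ" + b"\x00" * 30,  # hypothetical: PE bytes under a .png name
    "conn.csv": b"ts,uid,id.orig_h\n",
    "signature_alerts.csv": b"ts,signature\n",
}

if __name__ == "__main__":
    for row in inventory_artifacts(SAMPLE_BUNDLE):
        print(row["protocol"], row["path"], row["type"], row["sha256"][:16], "MISMATCH" if row["ext_mismatch"] else "")
```

The hashes are what you feed to other sources (a sandbox, a reputation service, the rest of your own telemetry); the mismatch flag catches the common case of a payload served under a benign-looking name, and the .unk files that sniff as PE or ELF deserve the same attention as the .exe entries.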



In addition to these features, the API provides:


  • Similar Packet Captures: Quickly identify any pcaps with similar behavior or contents. Discover relationships between captures and easily identify common malicious techniques.

  • Background Search Jobs: For complex search queries, you may opt to run them as a background job. These searches take longer to run, but often return much more comprehensive results.


Read the Docs  Download the SDK