swagger: '2.0'
version: '2019-05-01T03:45:07Z'
title: The PacketTotal API
description: |
### Analyze, search, correlate, and download PCAP files, based on their behaviors and contents.
- name: analyze
description: |
#### Upload and analyze PCAPs.
- name: search
description: |
#### Run quick searches or create a longer running deep search task, and retrieve the results later.
- name: pcaps
description: |
#### Retrieve information or analysis about a specific capture. Download the PCAP file, its corresponding analysis, signatures, and intelligence, as well as any files carved during processing.
- name: usage
description: |
#### Get information about your subscription, and details around your current usage.
host: "api.packettotal.com"
basePath: "/v1"
schemes:
- "https"
paths:
/analyze/base64:
post:
description: |
### Submit pcap/pcapng files for analysis on PacketTotal.com; accepts a base64-encoded pcap/pcapng file.
#### The API currently restricts uploads to *6MB*. For larger PCAPs use the website, which still analyzes PCAPs up to 50MB.
```
curl -X POST -H "x-api-key: <my-api-key>" -H "Content-Type: application/json" https://api.packettotal.com/v1/analyze/base64 -d '{"pcap_base64": "YmFzZTY0IHZlcnNpb24gb2YgeW91ciBwY2FwIG9yIHBjYXBuZyBmaWxl...", "pcap_name": "my-public-pcap.pcap"}'
```
### If the packet capture has not been analyzed before, results contain the id of the pcap and a link to the site queue.
```
{"id": "f45ce26678146c59cb056acaddbad111", "queue": "https://packettotal.com/app/queue?id=f45ce26678146c59cb056acaddbad111"}
```
tags: ['analyze']
consumes:
- "application/json"
produces:
- "application/json"
parameters:
- in: "body"
name: "PCAPAnalyzeRequestBody"
required: true
schema:
$ref: "#/definitions/PCAPAnalyzeRequestBody"
responses:
202:
description: "202 response"
schema:
$ref: "#/definitions/PCAPAnalyzeResult"
500:
description: "500 response"
401:
description: "401 response"
schema:
$ref: "#/definitions/Error"
303:
description: "303 response"
schema:
$ref: "#/definitions/PCAPInfoResult"
security:
- api_key: []
x-amazon-apigateway-integration:
uri: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:107152071835:function:psa_public_pcap_submission/invocations"
responses:
default:
statusCode: "200"
passthroughBehavior: "when_no_match"
httpMethod: "POST"
contentHandling: "CONVERT_TO_TEXT"
type: "aws_proxy"
/pcaps:
get:
description: |
### Get high-level information about a random PCAP file.
```
curl -X GET -H "x-api-key: <my-api-key>" https://api.packettotal.com/v1/pcaps
```
### Randomly selected PCAPs come from a set of pre-selected, interesting PCAP files. This output format is equivalent to the `GET` `/pcaps/<pcap_id>` endpoint.
```
{
"pcap_metadata": {
"md5": "6790f3c5efb47ed94226294500320568",
"name": "wannacry_2ng.pcap",
"byte_size": null,
"logs": [
"conn",
"x509",
"dns",
"ssl",
"weird",
"files",
"notice",
"signature_alerts",
"intel"
],
"analyzed_date": "2018-11-06 06:23:22",
"download_link": "/pcaps/6790f3c5efb47ed94226294500320568/download",
"analysis_link": "/pcaps/6790f3c5efb47ed94226294500320568/analysis",
"similar_pcaps_link": "/pcaps/6790f3c5efb47ed94226294500320568/similar",
"pcap_glyph_link": "https://s3.amazonaws.com/packettotalpub/files/6790f3c5efb47ed94226294500320568/pcap-mosaic.png",
"packettotal_link": "https://packettotal.com/app/analysis?id=6790f3c5efb47ed94226294500320568",
"message": "This PCAP was selected randomly, since no id was specified."
}
}
```
tags:
- pcaps
produces:
- "application/json"
responses:
200:
description: "200 response"
schema:
$ref: "#/definitions/PCAPInfoResult"
500:
description: "500 response"
schema:
$ref: "#/definitions/Error"
401:
description: "Subscription expired, please renew your subscription."
schema:
$ref: "#/definitions/Error"
429:
description: "API subscription limit reached."
schema:
$ref: "#/definitions/Error"
security:
- api_key: []
x-amazon-apigateway-integration:
uri: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:107152071835:function:psa_pcap_info_get/invocations"
responses:
default:
statusCode: "200"
passthroughBehavior: "when_no_match"
httpMethod: "POST"
contentHandling: "CONVERT_TO_TEXT"
type: "aws_proxy"
/pcaps/{pcap_id}:
get:
description: |
### Get high-level information about a specific PCAP file.
```
curl -X GET -H "x-api-key: <my-api-key>" https://api.packettotal.com/v1/pcaps/d210f4dbea97949f694e849507951881
```
### Results will contain high-level information, such as what logs were extracted, the date it was analyzed, and additional references.
```
{
"pcap_metadata": {
"md5": "d210f4dbea97949f694e849507951881",
"name": "20180815Emotetinfectipca.pcap",
"byte_size": 1583713,
"logs": [
"conn",
"x509",
"dns",
"ssl",
"files",
"notice",
"http",
"pe",
"signature_alerts",
"intel"
],
"analyzed_date": "2019-01-01 06:40:18",
"download_link": "/pcaps/d210f4dbea97949f694e849507951881/download",
"analysis_link": "/pcaps/d210f4dbea97949f694e849507951881/analysis",
"similar_pcaps_link": "/pcaps/d210f4dbea97949f694e849507951881/similar",
"pcap_glyph_link": "https://s3.amazonaws.com/packettotalpub/files/d210f4dbea97949f694e849507951881/pcap-mosaic.png",
"packettotal_link": "https://packettotal.com/app/analysis?id=d210f4dbea97949f694e849507951881"
}
}
```
tags: ["pcaps"]
produces:
- "application/json"
parameters:
- name: "pcap_id"
in: "path"
description: "An md5 hash corresponding to the PCAP file submission on PacketTotal.com.\
\ This hash can be derived by hashing the PCAP file in question."
required: true
type: "string"
responses:
200:
description: "High-level PCAP Overview"
schema:
$ref: "#/definitions/PCAPInfoResult"
headers:
Access-Control-Allow-Origin:
type: "string"
500:
description: "General Server Error"
schema:
$ref: "#/definitions/Error"
401:
description: "Subscription expired, please renew your subscription."
schema:
$ref: "#/definitions/Error"
404:
description: "PCAP not found."
schema:
$ref: "#/definitions/Error"
429:
description: "API subscription limit reached."
schema:
$ref: "#/definitions/Error"
security:
- api_key: []
x-amazon-apigateway-integration:
uri: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:107152071835:function:psa_pcap_info_get/invocations"
responses:
default:
statusCode: "200"
responseParameters:
method.response.header.Access-Control-Allow-Origin: "'*'"
passthroughBehavior: "when_no_match"
httpMethod: "POST"
contentHandling: "CONVERT_TO_TEXT"
type: "aws_proxy"
/pcaps/{pcap_id}/analysis:
get:
description: |
### Get a detailed report of PCAP traffic, carved files, signatures, and top-talkers.
```
curl -X GET -H "x-api-key: <my-api-key>" https://api.packettotal.com/v1/pcaps/d210f4dbea97949f694e849507951881/analysis
```
### Analysis results contain high-level protocol statistics, signatures, and intelligence that PacketTotal discovered during analysis and enrichment.
```
{
"analysis_summary": {
"top_talkers": {
"source_ips": {
"10.8.15.103": "100.0%"
},
"destination_ips": {
"130.0.236.141": "48.3%",
"203.94.66.109": "20.7%",
"10.8.15.1": "17.2%",
"195.162.24.96": "3.4%",
"201.148.107.187": "3.4%",
"93.88.93.99": "3.4%",
"216.58.216.196": "3.4%"
}
},
"connection_statistics": {
"services": {
"dns": "17.2%",
"http": "10.3%",
"null": "20.7%",
"ssl": "51.7%"
},
"transport_protocols": {
"udp": "17.2%",
"tcp": "82.8%"
},
"average_sent_packets": 24.724137931034484,
"average_received_packets": 34.827586206896555,
"average_sent_bytes": 1727.0,
"average_received_bytes": 50945.96551724138,
"first_connection_time": "2018-08-15 22:49:34.964999",
"last_connection_time": "2018-08-15 23:04:32.418999",
"total_duration_seconds": 897
},
"dns_statistics": {
"queries": {
"akademia.gnatyshyn.pl": "20.0%",
"soportek.cl": "20.0%",
"theeunload.website": "20.0%",
"www.google.com": "20.0%",
"mykeeptake.xyz": "20.0%"
},
"record_types": {
"A": "100.0%"
}
},
"file_statistics": {
"mime_types": {
"application/pkix-cert": "66.7%",
"null": "16.7%",
"text/html": "8.3%",
"application/msword": "4.2%",
"application/x-dosexec": "4.2%"
},
"sources": {
"SSL": "66.7%",
"HTTP": "33.3%"
},
"executables": {
"operating_systems": {
"Windows 2000": "100.0%"
},
"compile_cpu_architectures": {
"I386": "100.0%"
},
"assembly_sections": {
".text,.text,.idata,.rsrc,.reloc": "100.0%"
}
}
},
"signatures": [
"ET POLICY Office Document Download Containing AutoOpen Macro",
"ET POLICY PE EXE or DLL Windows file download HTTP",
"SURICATA TLS invalid record version",
"SURICATA TLS invalid record/traffic"
],
"external_references": [
{
"ioc": "195.162.24.96",
"ref_link": "https://www.malware-traffic-analysis.net/2018/08/16/index2.html"
},
{
"ioc": "130.0.236.141",
"ref_link": "http://malware-traffic-analysis.net/2018/08/16/index2.html"
},
{
"ioc": "195.162.24.96",
"ref_link": "http://malware-traffic-analysis.net/2018/08/16/index2.html"
},
{
"ioc": "201.148.107.187",
"ref_link": "http://malware-traffic-analysis.net/2018/08/16/index2.html"
},
{
"ioc": "130.0.236.141",
"ref_link": "http://malware-traffic-analysis.net/2018/08/16/index2.html"
},
{
"ioc": "soportek.cl",
"ref_link": "http://malware-traffic-analysis.net/2018/08/16/index2.html"
},
{
"ioc": "akademia.gnatyshyn.pl",
"ref_link": "http://malware-traffic-analysis.net/2018/08/16/index2.html"
}
],
"malicious_traffic": false,
"accuracy": "perfect",
"http_statistics": {
"user_agents": {
"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko": "25.0%",
"null": "25.0%",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2;": "50.0%"
},
"methods": {
"GET": "100.0%"
},
"status_codes": {
"301": "25.0%",
"200": "75.0%"
}
}
}
}
```
tags:
- pcaps
produces:
- "application/json"
parameters:
- name: "pcap_id"
in: "path"
description: "An md5 hash corresponding to the PCAP file submission on PacketTotal.com.\
\ This hash can be derived by hashing the PCAP file in question."
required: true
type: "string"
- name: "accuracy"
in: "query"
description: "The scope of the initial query. Lower accuracies rely on partial\
\ sample sets to generate statistics. Valid accuracies are low, medium, or\
\ high. Defaults to low."
required: false
type: "string"
responses:
200:
description: "Analysis summary of PCAP file"
schema:
$ref: "#/definitions/PCAPAnalysisSummaryResult"
headers:
Access-Control-Allow-Origin:
type: "string"
500:
description: "General Server Error"
schema:
$ref: "#/definitions/Error"
401:
description: "Subscription expired, please renew your subscription."
schema:
$ref: "#/definitions/Error"
404:
description: "PCAP not found."
schema:
$ref: "#/definitions/Error"
429:
description: "API subscription limit reached."
schema:
$ref: "#/definitions/Error"
security:
- api_key: []
x-amazon-apigateway-integration:
uri: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:107152071835:function:psa_analysis_info_comprehensive_summary_get/invocations"
responses:
default:
statusCode: "200"
responseParameters:
method.response.header.Access-Control-Allow-Origin: "'*'"
passthroughBehavior: "when_no_match"
httpMethod: "POST"
contentHandling: "CONVERT_TO_TEXT"
type: "aws_proxy"
/pcaps/{pcap_id}/download:
get:
description: |
### Download a PCAP analysis archive. The result is a zip archive containing the PCAP itself, CSVs representing various analysis results, and all carved files.
```
wget --header "x-api-key: <my-api-key>" "https://api.packettotal.com/v1/pcaps/536cf06ca83704844d789f56caf22ee6/download" -O "analysis-package-536cf06ca83704844d789f56caf22ee6.zip"
```
### An example archive, once unzipped, may have the following file structure.
```
536cf06ca83704844d789f56caf22ee6.pcap
artifacts
F1mhaU3LVb8I2iujv1.exe
F1yn3M3oLw0i0Vf5S.gif
F3xHPl1vQI1KNgkRFi.unknown
F5M45KC1WjrJiv9uf.htm
F6QL4B47pi9G4cYfn2.png
F7RGjM30ZTIm11ejkh.unknown
F90Oou4VnK1MqMVtuj.bat
F9Zawz4L1zIvo0hfB3.jpe
FD7PMn44UaHslZYO1l.jpe
FDokeT1yjoM4LI7Yoc.pdf
FFtbjHNPtHUmS87P1.pdf
FGiuPD3UjpTcBKigjc.unknown
FGmApk257odESSVXTh.gif
FHnWE13JWxsYH1M2Hi.jpe
FHzKNk3aY5Yg8Ti8N.gif
FI9pQju4FWpzHAEne.unknown
FIR4z744kRsIKWgyDh.png
FJ486E1mmlEj2b2V51.htm
FJ7G602zaLw3XjbDH8.png
FJJcDF4emi56yq3LMj.unknown
FJl6Gc1hE0JvLXvQF7.unknown
FJxIAS1DrQLI9vyUhg.gif
FKis7TKLYQdYSs8Xh.gif
FL285H1ZQf3p4lhI13.png
FxQCiZ1W3UPl4omGHa.png
FyOAXa1hyGuikr5DM9.bat
FzbweP2hOuYvxwkAck.gif
conn.csv
dns.csv
files.csv
http.csv
notice.csv
output
pe.csv
ssh.csv
weird.csv
```
### Depending on whether the PCAP + analysis package has already been generated, you may not immediately receive a file; instead you receive an `HTTP 202` (a new package build has just been created) or `200` (the package is still being built).
```
{
"id": "536cf06ca83704844d789f56caf22ee6",
"message": "PCAP analysis package generating."
}
```
### When the download is ready, it will return a `302`, redirecting the client to a signed-S3 link.
tags:
- pcaps
produces:
- "application/json"
- "application/zip"
parameters:
- name: "pcap_id"
in: "path"
description: "An md5 hash corresponding to the PCAP file submission on PacketTotal.com.\
\ This hash can be derived by hashing the PCAP file in question."
required: true
type: "string"
responses:
200:
description: "Download request is currently processing."
schema:
$ref: "#/definitions/PCAPDownloadWaitRequest"
headers:
Access-Control-Allow-Origin:
type: "string"
301:
description: "Redirect to PCAP analysis package download location."
schema:
$ref: "#/definitions/Empty"
202:
description: "A new download request has been created."
schema:
$ref: "#/definitions/PCAPDownloadCreateRequest"
500:
description: "General Server Error"
schema:
$ref: "#/definitions/Error"
401:
description: "Subscription expired, please renew your subscription."
schema:
$ref: "#/definitions/Error"
404:
description: "PCAP not found."
schema:
$ref: "#/definitions/Error"
429:
description: "API subscription limit reached."
schema:
$ref: "#/definitions/Error"
security:
- api_key: []
x-amazon-apigateway-integration:
uri: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:107152071835:function:psa_pcap_analysis_download_get/invocations"
responses:
default:
statusCode: "200"
responseParameters:
method.response.header.Access-Control-Allow-Origin: "'*'"
passthroughBehavior: "when_no_match"
httpMethod: "POST"
contentHandling: "CONVERT_TO_TEXT"
type: "aws_proxy"
/pcaps/{pcap_id}/similar:
get:
description: |
### Get a similarity graph relative to the current PCAP file.
```
curl -X GET -H "x-api-key: <my-api-key>" "https://api.packettotal.com/v1/pcaps/536cf06ca83704844d789f56caf22ee6/similar?pretty&intensity=minimal&weighted_mode=behavior"
```
### Results contain PCAPs that exhibit similar behaviors or contain similar content. Results are organized with the most similar PCAPs on top, and the terms that were found shared within both.
```
{
"similar": {
"result_count": 153,
"results": [
{
"id": "e342810c3e498da4584b5d4b9df4fab7",
"match_score": 140,
"common_terms": 24,
"matches": [
[
{
"type": "connection.ip",
"values": [
"195.70.35.150"
]
},
{
"type": "connection.ip",
"values": [
"130.117.72.81"
]
},
{
"type": "connection.ip",
"values": [
"209.85.135.104"
]
},
{
"type": "connection.ip",
"values": [
"212.72.49.150"
]
}
],
[
{
"type": "dns.host",
"values": [
"104.1.168.192.in-addr.arpa"
]
},
{
"type": "dns.host",
"values": [
"121.4.168.192.in-addr.arpa"
]
},
{
"type": "dns.host",
"values": [
"www.sedo.com"
]
},
{
"type": "dns.host",
"values": [
"security.yahoo.com"
]
},
{
"type": "dns.host",
"values": [
"w.sharethis.com"
]
},
{
"type": "dns.host",
"values": [
"us.i1.yimg.com"
]
},
{
"type": "dns.host",
"values": [
"yf6.yahoo.com"
]
},
{
"type": "dns.host",
"values": [
"yf4.yahoo.com"
]
},
{
"type": "dns.host",
"values": [
"yf5.yahoo.com"
]
},
{
"type": "dns.host",
"values": [
"n7g.akamai.net"
]
}
],
[
{
"type": "file.hash",
"values": [
"427bf5d67456e2e3b96e07a7be8ce6308bd6ade3"
]
},
{
"type": "file.hash",
"values": [
"7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb"
]
},
{
"type": "file.hash",
"values": [
"d0b6634f1e899f7afecb0aef809b92b6d97e5d16"
]
},
{
"type": "file.hash",
"values": [
"e06e1f6d77adf87bd09315571b211f3dac5d13dd"
]
},
{
"type": "file.hash",
"values": [
"b26ce849351e349c0da2ab78856ed3485dd785e7"
]
},
{
"type": "file.hash",
"values": [
"6435444bfecd9979e2fa91c95aa0578144179b9c"
]
},
{
"type": "file.hash",
"values": [
"6dec8244b1e1eed2a616cf9b18acab9c5e75c37f"
]
},
{
"type": "file.hash",
"values": [
"c51ecfc332b1194366b9e0d3d691029c3d7aacac"
]
},
{
"type": "file.hash",
"values": [
"6411cb1bf34a44a1ef3c8013a684772ab051029b"
]
},
{
"type": "file.hash",
"values": [
"f496e56173b7db0fad58579ddb73cdcc6e1ff9da"
]
}
]
]
},
...over 1000 more...
]
},
"intensity": "minimal",
"prioritize_uncommon_fields": false,
"weighting_mode": "behavior"
}
```
tags:
- pcaps
produces:
- "application/json"
parameters:
- name: "pcap_id"
in: "path"
description: "An md5 hash corresponding to the PCAP file submission on PacketTotal.com.\
\ This hash can be derived by hashing the PCAP file in question."
required: true
type: "string"
- name: "weighting_mode"
in: "query"
description: |
Weight search results by their similarity either to the behaviors exhibited by, or to the contents contained within, the current PCAP file.
##### Valid Values:
- ##### behavior `[default]`
- ##### content
required: false
type: "string"
- name: "intensity"
in: "query"
description: |
The scope of the search; this roughly translates to the maximum number of aggregations to exhaust.
##### Valid Values:
- ##### minimal `[default]`
- ##### low
- ##### medium
- ##### high
###### * Using a high intensity may result in occasional timeouts.
required: false
type: "string"
- name: "prioritize_uncommon_fields"
in: "query"
description: "By default, the most common values are used to seed the initial\
\ similarity search. Enabling this parameter seeds the initial search with\
\ the least common values instead."
required: false
type: "string"
- name: "pretty"
in: "query"
description: "Format the resulting JSON."
required: false
type: "string"
responses:
200:
description: "Similar PCAPs and match information"
schema:
$ref: "#/definitions/PCAPSimilarSearchResults"
headers:
Access-Control-Allow-Origin:
type: "string"
500:
description: "General Server Error"
schema:
$ref: "#/definitions/Error"
401:
description: "Subscription expired, please renew your subscription."
schema:
$ref: "#/definitions/Error"
404:
description: "PCAP not found."
schema:
$ref: "#/definitions/Error"
429:
description: "API subscription limit reached."
schema:
$ref: "#/definitions/Error"
security:
- api_key: []
x-amazon-apigateway-integration:
uri: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:107152071835:function:psa_analysis_similar_get/invocations"
responses:
default:
statusCode: "200"
responseParameters:
method.response.header.Access-Control-Allow-Origin: "'*'"
passthroughBehavior: "when_no_match"
httpMethod: "POST"
contentHandling: "CONVERT_TO_TEXT"
type: "aws_proxy"
/search:
get:
description: |
### Search with a term or with a valid Lucene query.
```
curl -X GET -H "x-api-key: <my-api-key>" "https://api.packettotal.com/v1/search?query=evil.com&pretty"
```
### And get a list of matches.
```
{
"result_count": 5,
"results": [
{
"id": "b2a094b1882f52ab8befd3d8ad9d7f9a",
"found_in": [
"ssl",
"x509",
"notice"
],
"match_score": 49.893993
},
{
"id": "0826bfbd4a68519945b9af594a5a87d7",
"found_in": [
"http",
"dns"
],
"match_score": 49.418064
},
{
"id": "385b9a5b3da0d56260f2be329e110795",
"found_in": [
"x509",
"ssl",
"notice"
],
"match_score": 44.704461
},
{
"id": "8e13e95bc12ad8415c4d8e8d313affac",
"found_in": [
"http",
"dns"
],
"match_score": 32.184632
},
{
"id": "5d710cf7fffa56ab9d2fee6e2a500933",
"found_in": [
"http",
"dns"
],
"match_score": 31.916094
}
]
```
tags:
- search
produces:
- "application/json"
parameters:
- name: "query"
in: "query"
description: "A search term, such as an IP address or file hash."
required: true
type: "string"
- name: "pretty"
in: "query"
description: "Format the resulting JSON."
required: false
type: "string"
responses:
200:
description: "Results of a search"
schema:
$ref: "#/definitions/PCAPSearchResults"
headers:
Access-Control-Allow-Origin:
type: "string"
500:
description: "General Server Error"
schema:
$ref: "#/definitions/Error"
401:
description: "Subscription expired, please renew your subscription."
schema:
$ref: "#/definitions/Error"
429:
description: "API subscription limit reached."
schema:
$ref: "#/definitions/Error"
security:
- api_key: []
x-amazon-apigateway-integration:
uri: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:107152071835:function:psa_simple_search_get/invocations"
responses:
default:
statusCode: "200"
responseParameters:
method.response.header.Access-Control-Allow-Origin: "'*'"
passthroughBehavior: "when_no_match"
httpMethod: "POST"
contentHandling: "CONVERT_TO_TEXT"
type: "aws_proxy"
/search/deep:
post:
description: |
### Create a new deep search task. Search for a term or with a Lucene query.
```
curl -X POST -H "x-api-key: <my-api-key>" -H "Content-Type: application/json" https://api.packettotal.com/v1/search/deep -d '{"query": "evil.com"}'
```
### The task is created, and its matches are typically available within `5 minutes` of search creation time via `GET /search/deep/results/{search_id}`, in the following form.
```
{
"results": [
{
"id": "a3628739c7959029c81ee74008dabcc7",
"found_in": [
"intel",
"signature_alerts"
],
"match_score": 5478.033031799922
},
{
"id": "63e2d63a40f1a225fa2d4d71b01a109f",
"found_in": [
"community_tags",
"signature_alerts"
],
"match_score": 3445.932026999953
},
{
"id": "f12872c2f512f273e30b99a3ff73b82f",
"found_in": [
"intel",
"signature_alerts"
],
"match_score": 2444.7712419999957
}
]
}
```
tags:
- search
consumes:
- "application/json"
produces:
- "application/json"
parameters:
- in: "body"
name: "DeepSearchCreateRequestBody"
required: true
schema:
$ref: "#/definitions/DeepSearchCreateRequestBody"
responses:
200:
description: "200 response"
schema:
$ref: "#/definitions/DeepSearchCreateRequest"
headers:
Access-Control-Allow-Origin:
type: "string"
400:
description: "Invalid query - malformed JSON or missing 'query' in body."
schema:
$ref: "#/definitions/Error"
202:
description: "202 response"
schema:
$ref: "#/definitions/DeepSearchCreateRequest"
500:
description: "500 response"
schema:
$ref: "#/definitions/Error"
401:
description: "Subscription expired, please renew your subscription."
schema:
$ref: "#/definitions/Error"
429:
description: "API subscription limit reached."
schema:
$ref: "#/definitions/Error"
security:
- api_key: []
x-amazon-apigateway-integration:
uri: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:107152071835:function:psa_deep_search_create_post/invocations"
responses:
default:
statusCode: "200"
responseParameters:
method.response.header.Access-Control-Allow-Origin: "'*'"
passthroughBehavior: "when_no_match"
httpMethod: "POST"
contentHandling: "CONVERT_TO_TEXT"
type: "aws_proxy"
/search/deep/results/{search_id}:
get:
description: |
### Get the results from a deep search task.
```
curl -X GET -H "x-api-key: <my-api-key>" https://api.packettotal.com/v1/search/deep/results/6d42bc2875101cd3c48a5db1abe406ac?pretty
```
### And get a list of matches. Typically results are available within `5 minutes` of search creation time.
```
{
"results": [
{
"id": "a3628739c7959029c81ee74008dabcc7",
"found_in": [
"intel",
"signature_alerts"
],
"match_score": 5478.033031799922
},
{
"id": "63e2d63a40f1a225fa2d4d71b01a109f",
"found_in": [
"community_tags",
"signature_alerts"
],
"match_score": 3445.932026999953
},
{
"id": "f12872c2f512f273e30b99a3ff73b82f",
"found_in": [
"intel",
"signature_alerts"
],
"match_score": 2444.7712419999957
}
]
}
```
tags:
- search
produces:
- "application/json"
parameters:
- name: "search_id"
in: "path"
description: "An id corresponding to the search you previously created. This\
\ id is returned when calling POST /search/deep."
required: true
type: "string"
- name: "pretty"
in: "query"
description: "Format the resulting JSON."
required: false
type: "string"
responses:
200:
description: "Results of a deep search task."
schema:
$ref: "#/definitions/PCAPSearchResults"
headers:
Access-Control-Allow-Origin:
type: "string"
500:
description: "General Server Error"
schema:
$ref: "#/definitions/Error"
401:
description: "Subscription expired, please renew your subscription."
404:
description: "No results found for search_id."
429:
description: "API subscription limit reached."
security:
- api_key: []
x-amazon-apigateway-integration:
uri: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:107152071835:function:psa_deep_search_retrieve_get/invocations"
responses:
default:
statusCode: "200"
responseParameters:
method.response.header.Access-Control-Allow-Origin: "'*'"
passthroughBehavior: "when_no_match"
httpMethod: "POST"
contentHandling: "CONVERT_TO_TEXT"
type: "aws_proxy"
/usage:
get:
description: |
### Retrieve usage and subscription plan information.
```
curl -X GET -H "x-api-key: <my-api-key>" https://api.packettotal.com/v1/usage
```
### Output can be used to programmatically determine how many requests you have remaining.
```
{
"user": "<my-api-id>",
"create_date": "2019-02-18 20:03:30.039993",
"subscription_end": "2019-03-20 20:03:30.039993",
"subscription_renew_count": 0,
"usage_plan": "data-scientist",
"limits": {
"reset_period_hours": 730,
"simple_search_request_limit": 50000,
"deep_search_request_limit": 2000,
"pcap_analysis_analysis_summary_limit": 2000,
"pcap_analysis_similar_limit": 2000,
"pcap_analysis_download_request_limit": 5000
},
"stats": {
"request_window": {
"start": "2019-01-20 19:18:33.876792",
"end": "2019-02-20 05:18:33.876792",
"description": "Requested operations are based off of the number of requests made between 2019-01-20 19:18:33.876792 and now."
},
"deep_search_create_request": {
"used": 50,
"remaining": 1950
},
"simple_search_request": {
"used": 13,
"remaining": 49987
},
"pcap_analysis_download_request": {
"used": 987,
"remaining": 5000
},
"pcap_analysis_summary_request": {
"used": 1,
"remaining": 2000
},
"pcap_analysis_similar_request": {
"used": 2,
"remaining": 500
}
}
}
```
tags:
- usage
produces:
- "application/json"
responses:
200:
description: "200 response"
schema:
$ref: "#/definitions/UsageResult"
headers:
Access-Control-Allow-Origin:
type: "string"
500:
description: "General Server Error"
schema:
$ref: "#/definitions/Error"
security:
- api_key: []
x-amazon-apigateway-integration:
uri: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:107152071835:function:psa_usage_stats_get/invocations"
responses:
default:
statusCode: "200"
responseParameters:
method.response.header.Access-Control-Allow-Origin: "'*'"
passthroughBehavior: "when_no_match"
httpMethod: "POST"
contentHandling: "CONVERT_TO_TEXT"
type: "aws_proxy"
securityDefinitions:
api_key:
type: "apiKey"
name: "x-api-key"
in: "header"
definitions:
DeepSearchCreateRequest:
type: "object"
properties:
search_id:
type: "string"
message:
type: "string"
results_uri:
type: "string"
title: "DeepSearchCreateRequest"
description: "A simple message indicating that the search task was created successfully,\
\ and will be available shortly at the /results endpoint."
UsageResult:
type: "object"
properties:
user:
type: "string"
create_date:
type: "string"
subscription_end:
type: "string"
usage_plan:
type: "string"
subscription_renew_count:
type: "number"
limits:
type: "object"
properties:
reset_period_hours:
type: "string"
simple_search_request_limit:
type: "string"
deep_search_request_limit:
type: "string"
pcap_analysis_download_request_limit:
type: "number"
pcap_analysis_analysis_summary_limit:
type: "string"
pcap_analysis_similar_limit:
type: "string"
stats:
type: "object"
properties:
request_window:
type: "object"
properties:
start:
type: "string"
end:
type: "string"
description:
type: "string"
deep_search_create_request:
type: "object"
properties:
used:
type: "number"
remaining:
type: "number"
simple_search_request:
type: "object"
properties:
used:
type: "number"
remaining:
type: "number"
pcap_analysis_download_request:
type: "object"
properties:
used:
type: "number"
remaining:
type: "number"
pcap_analysis_summary_request:
type: "object"
properties:
used:
type: "number"
remaining:
type: "number"
pcap_analysis_similar_request:
type: "object"
properties:
used:
type: "number"
remaining:
type: "number"
title: "UsageResult"
description: "Information about your usage plan and subscription."
PCAPSearchResults:
type: "object"
properties:
result_count:
type: "number"
results:
type: "array"
items:
type: "object"
properties:
id:
type: "string"
result_count:
type: "number"
found_in:
type: "array"
items:
type: "string"
title: "PCAPSearchResults"
description: "The results from either a search or deep search. Output is a list\
\ of PCAPs matching the query."
Error:
type: "object"
properties:
message:
type: "string"
title: "Error"
description: "An Error State"
PCAPSimilarSearchResults:
type: "object"
properties:
similar:
type: "object"
properties:
result_count:
type: "integer"
results:
type: "array"
items:
type: "object"
properties:
id:
type: "string"
match_score:
type: "integer"
common_terms:
type: "integer"
matches:
type: "array"
items:
type: "object"
properties:
type:
type: "string"
values:
type: "array"
items:
type: "string"
title: "PCAPSimilarSearchResults"
description: "A list of PCAP files sharing attributes similar to the current one."
PCAPInfoResult:
type: "object"
properties:
pcap_metadata:
type: "object"
properties:
md5:
type: "string"
name:
type: "string"
analyzed_date:
type: "string"
byte_size:
type: "number"
logs:
type: "array"
items:
type: "string"
analysis_link:
type: "string"
similar_pcaps_link:
type: "string"
pcap_glyph_link:
type: "string"
packettotal_link:
type: "string"
title: "PCAPInfoResult"
description: "A high-level overview of the contents of a PCAP file."
DeepSearchCreateRequestBody:
type: "object"
properties:
query:
type: "string"
title: "DeepSearchCreateRequestBody"
Empty:
type: "object"
title: "Empty"
description: "Null Response/Redirect"
PCAPDownloadWaitRequest:
type: "object"
properties:
id:
type: "string"
message:
type: "string"
title: "PCAPDownloadWaitRequest"
description: "Generated while a PCAP file is being processed for download."
PCAPAnalyzeResult:
type: "object"
properties:
id:
type: "string"
queue:
type: "string"
title: "PCAPAnalyzeResult"
PCAPAnalyzeRequestBody:
type: "object"
properties:
pcap_base64:
type: "string"
pcap_name:
type: "string"
sources:
type: "array"
items:
type: "string"
title: "PCAPAnalyzeRequestBody"
PCAPAnalysisSummaryResult:
type: "object"
properties:
analysis_summary:
type: "object"
properties:
accuracy:
type: "string"
connection_statistics:
type: "object"
properties:
services:
type: "object"
properties: {}
transport_protocols:
type: "object"
properties: {}
average_sent_packets:
type: "number"
average_received_packets:
type: "number"
average_sent_bytes:
type: "number"
average_received_bytes:
type: "number"
first_connection_time:
type: "string"
last_connection_time:
type: "string"
total_duration_seconds:
type: "integer"
dns_statistics:
type: "object"
properties:
queries:
type: "object"
properties: {}
record_types:
type: "object"
properties: {}
external_references:
type: "array"
items:
type: "string"
file_statistics:
type: "object"
properties:
mime_types:
type: "object"
properties: {}
sources:
type: "object"
properties: {}
http_statistics:
type: "object"
properties:
user_agents:
type: "object"
properties: {}
methods:
type: "object"
properties: {}
status_codes:
type: "object"
properties: {}
malicious_traffic:
type: "boolean"
signatures:
type: "array"
items:
type: "string"
top_talkers:
type: "object"
properties:
source_ips:
type: "object"
properties: {}
destination_ips:
type: "object"
properties: {}
title: "PCAPAnalysisSummaryResult"
description: "An in-depth summary of the contents of a PCAP file."
PCAPDownloadCreateRequest:
type: "object"
properties:
id:
type: "string"
message:
type: "string"
title: "PCAPDownloadCreateRequest"
description: "Generated when the PCAP file requested has not finished processing."
x-amazon-apigateway-documentation:
version: "1.1.2.1"
createdDate: "2019-02-20T03:47:53Z"
documentationParts:
- location:
type: "API"
properties:
description: "Search and download PCAPs, artifacts, and analysis from PacketTotal.com"
- location:
type: "METHOD"
path: "/pcaps/{pcap_id}/analysis"
method: "GET"
properties:
description: "Get a detailed report of PCAP traffic, carved files, signatures,\
\ and top-talkers."
- location:
type: "METHOD"
path: "/pcaps/{pcap_id}/download"
method: "GET"
properties:
description: "Download a PCAP analysis archive. The result is a zip archive\
\ containing the PCAP itself, CSVs representing various analysis results,\
\ and all carved files."
- location:
type: "METHOD"
path: "/pcaps/{pcap_id}/similar"
method: "GET"
properties:
description: "Get a similarity graph relative to the current PCAP file."
- location:
type: "METHOD"
path: "/pcaps/{pcap_id}"
method: "GET"
properties:
description: "Get high-level information about a specific PCAP file."
- location:
type: "METHOD"
path: "/pcaps"
method: "GET"
properties:
description: "Get high-level information about a random PCAP file."
- location:
type: "METHOD"
path: "/search/deep/results/{search_id}"
method: "GET"
properties:
description: "Get the results from a deep search task."
- location:
type: "METHOD"
path: "/search/deep"
method: "POST"
properties:
description: "Create a new deep search task. Search for a term or with a Lucene\
\ query."
- location:
type: "METHOD"
path: "/search"
method: "GET"
properties:
description: "Search for a term or with a valid Lucene query."
- location:
type: "METHOD"
path: "/usage"
method: "GET"
properties:
description: "Retrieve usage and subscription plan information."
- location:
type: "MODEL"
name: "DeepSearchCreateRequest"
properties:
description: "A simple message indicating that the search task was created successfully,\
\ and will be available shortly at the /results endpoint."
- location:
type: "MODEL"
name: "Empty"
properties:
description: "Null Response/Redirect"
- location:
type: "MODEL"
name: "Error"
properties:
description: "An Error State"
- location:
type: "MODEL"
name: "PCAPAnalysisSummaryResult"
properties:
description: "An in depth summary of the contents of a PCAP file."
- location:
type: "MODEL"
name: "PCAPDownloadCreateRequest"
properties:
description: "Generated when the PCAP file requested has not finished processing."
- location:
type: "MODEL"
name: "PCAPDownloadRequestCreate"
properties:
description: "A simple message indicating that the download request has been sent to the backend for processing, and the PCAP will be available shortly."
- location:
type: "MODEL"
name: "PCAPDownloadRequestWait"
properties:
description: "A simple message indicating that the download request has already been sent to the backend and is still processing."
- location:
type: "MODEL"
name: "PCAPDownloadWaitRequest"
properties:
description: "Generated while a PCAP file is being processed for download."
- location:
type: "MODEL"
name: "PCAPInfoResult"
properties:
description: "A high-level overview of the contents of a PCAP file."
- location:
type: "MODEL"
name: "PCAPSearchResults"
properties:
description: "The results from either a search or deep search. Output is a list\
\ of PCAPs matching the query."
- location:
type: "MODEL"
name: "PCAPSimilarSearchResults"
properties:
description: "A list of PCAP files sharing similar attributes with the current PCAP file."
- location:
type: "MODEL"
name: "UsageResult"
properties:
description: "Information about your usage plan and subscription."
- location:
type: "PATH_PARAMETER"
path: "/pcaps/{pcap_id}"
method: "GET"
name: "pcap_id"
properties:
description: "The MD5 hash of the PCAP file as submitted to PacketTotal.com. This hash can be derived by hashing the PCAP file in question."
- location:
type: "PATH_PARAMETER"
path: "/search/deep/results/{search_id}"
method: "GET"
name: "search_id"
properties:
description: "An id corresponding to the search you previously created. This\
\ id is returned when calling POST /search/deep."
- location:
type: "QUERY_PARAMETER"
path: "/pcaps/{pcap_id}/analysis"
method: "GET"
name: "accuracy"
properties:
description: "The scope of the initial query. Lower accuracies rely on partial sample sets to generate statistics. Valid accuracies are low, medium, or high. Defaults to low."
- location:
type: "QUERY_PARAMETER"
path: "/pcaps/{pcap_id}/similar"
method: "GET"
name: "intensity"
properties:
description: "The scope of the search: the maximum number of results each sub_search (also referred to as a search group) is allowed to return. Valid intensities are minimal, low, medium, or high. Defaults to minimal."
- location:
type: "QUERY_PARAMETER"
path: "/pcaps/{pcap_id}/similar"
method: "GET"
name: "pretty"
properties:
description: "Format the resulting JSON."
- location:
type: "QUERY_PARAMETER"
path: "/search"
method: "GET"
name: "pretty"
properties:
description: "Format the resulting JSON."
- location:
type: "QUERY_PARAMETER"
path: "/pcaps/{pcap_id}/similar"
method: "GET"
name: "prioritize_uncommon_fields"
properties:
description: "By default, the most common values are used to seed the initial similarity search. Enabling this parameter seeds the initial search with the least common values instead."
- location:
type: "QUERY_PARAMETER"
path: "/pcaps/{pcap_id}"
method: "GET"
name: "query"
properties:
description: "A search term, such as an IP address or file hash."
- location:
type: "QUERY_PARAMETER"
path: "/search"
method: "GET"
name: "query"
properties:
description: "A search term, such as an IP address or file hash."
- location:
type: "QUERY_PARAMETER"
path: "/pcaps/{pcap_id}/similar"
method: "GET"
name: "weighting_mode"
properties:
description: "Weight search results by their similarity either to the behaviors exhibited by, or to the contents contained within, the current PCAP file. Supported weighting modes are content and behavior. Defaults to behavior."
- location:
type: "RESOURCE"
properties:
description: "Search, correlate, and download PCAP files, based on their behaviors\
\ and contents."
- location:
type: "RESOURCE"
path: "/pcaps/analysis/{pcap_id}"
properties:
description: "Given a search query, returns a list of matching PCAP files."
- location:
type: "RESOURCE"
path: "/pcaps/{pcap_id}/analysis"
properties:
description: "From here, get a more detailed report of the type of traffic contained\
\ within the PCAP file."
- location:
type: "RESOURCE"
path: "/pcaps/{pcap_id}/download"
properties:
description: "From here, download a PCAP file, artifacts, and analysis."
- location:
type: "RESOURCE"
path: "/pcaps/{pcap_id}/similar"
properties:
description: "From here, find similar PCAP files based on the current PCAP file's contents or behavior."
- location:
type: "RESOURCE"
path: "/pcaps/{pcap_id}"
properties:
description: "From here, perform various operations against a given PCAP file."
- location:
type: "RESOURCE"
path: "/pcaps"
properties:
description: "From here, lookup and download PCAP files."
- location:
type: "RESOURCE"
path: "/search/deep/results/{search_id}"
properties:
description: "From here, get results from a specific deep search task."
- location:
type: "RESOURCE"
path: "/search/deep/results"
properties:
description: "From here, get the results of deep search tasks."
- location:
type: "RESOURCE"
path: "/search/deep"
properties:
description: "From here, create long running deep searches, ideal for complex,\
\ or broad queries."
- location:
type: "RESOURCE"
path: "/search"
properties:
description: "From here, run various types of searches against PacketTotal.com."
- location:
type: "RESOURCE"
path: "/usage"
properties:
description: "From here, get information about your usage and subscription plan."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}/analysis"
method: "GET"
statusCode: "200"
properties:
description: "Analysis summary of PCAP file"
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}/analysis"
method: "GET"
statusCode: "401"
properties:
description: "Subscription expired, please renew your subscription."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}/analysis"
method: "GET"
statusCode: "429"
properties:
description: "API subscription limit reached."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}/download"
method: "GET"
statusCode: "200"
properties:
description: "Download request is currently processing."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}/download"
method: "GET"
statusCode: "202"
properties:
description: "A new download request has been created."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}/download"
method: "GET"
statusCode: "301"
properties:
description: "Redirect to PCAP analysis package download location."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}/download"
method: "GET"
statusCode: "401"
properties:
description: "Subscription expired, please renew your subscription."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}/download"
method: "GET"
statusCode: "404"
properties:
description: "PCAP not found."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}/download"
method: "GET"
statusCode: "429"
properties:
description: "API subscription limit reached."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}/download"
method: "GET"
statusCode: "500"
properties:
description: "General Server Error"
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}/similar"
method: "GET"
statusCode: "200"
properties:
description: "Similar PCAPs and match information"
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}/similar"
method: "GET"
statusCode: "401"
properties:
description: "Subscription expired, please renew your subscription."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}/similar"
method: "GET"
statusCode: "429"
properties:
description: "API subscription limit reached."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}"
method: "GET"
statusCode: "200"
properties:
description: "High-level PCAP overview"
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}"
method: "GET"
statusCode: "401"
properties:
description: "Subscription expired, please renew your subscription."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}"
method: "GET"
statusCode: "404"
properties:
description: "PCAP not found."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}"
method: "GET"
statusCode: "429"
properties:
description: "API subscription limit reached."
- location:
type: "RESPONSE"
path: "/pcaps/{pcap_id}"
method: "GET"
statusCode: "500"
properties:
description: "General Server Error"
- location:
type: "RESPONSE"
path: "/pcaps"
method: "GET"
statusCode: "401"
properties:
description: "Subscription expired, please renew your subscription."
- location:
type: "RESPONSE"
path: "/pcaps"
method: "GET"
statusCode: "429"
properties:
description: "API subscription limit reached."
- location:
type: "RESPONSE"
path: "/search/deep/results/{search_id}"
method: "GET"
statusCode: "200"
properties:
description: "Results of a deep search task."
- location:
type: "RESPONSE"
path: "/search/deep/results/{search_id}"
method: "GET"
statusCode: "404"
properties:
description: "No results found for search_id."
- location:
type: "RESPONSE"
path: "/search/deep"
method: "POST"
statusCode: "400"
properties:
description: "Invalid query - malformed JSON or missing 'query' in body."
- location:
type: "RESPONSE"
path: "/search/deep"
method: "POST"
statusCode: "401"
properties:
description: "Subscription expired, please renew your subscription."
- location:
type: "RESPONSE"
path: "/search/deep"
method: "POST"
statusCode: "429"
properties:
description: "API subscription limit reached."
- location:
type: "RESPONSE"
path: "/search"
method: "GET"
statusCode: "200"
properties:
description: "Results of a search"
- location:
type: "RESPONSE"
path: "/search"
method: "GET"
statusCode: "401"
properties:
description: "Subscription expired, please renew your subscription."
- location:
type: "RESPONSE"
path: "/search"
method: "GET"
statusCode: "429"
properties:
description: "API subscription limit reached."
- location:
type: "RESPONSE"
path: "/search"
method: "GET"
statusCode: "500"
properties:
description: "General Server Error"
- location:
type: "RESPONSE"
path: "/usage"
method: "GET"
statusCode: "500"
properties:
description: "General Server Error"
x-amazon-apigateway-gateway-responses:
DEFAULT_4XX:
responseParameters:
gatewayresponse.header.Access-Control-Allow-Methods: "'GET,OPTIONS'"
gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
gatewayresponse.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"