PCAP File Carving

This playbook is used to carve (extract) files from within PCAP files and perform enrichment and detonation of the extracted files. Supported PCAP file types are pcap, cap, and pcapng. The playbook can handle one PCAP file per incident. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and to add an RSA key for decrypting SSL traffic. Additional options enable you to filter the files to extract according to file extension or actual file type (MIME), and to limit the number of files to extract. Another option lets you specify a capture filter to create a new, smaller PCAP file before extraction. To display the results within the relevant incident fields, the playbook needs to run in a PCAP Analysis incident type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.


Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Detonate File - Generic

Integrations#

This playbook does not use any integrations.

Scripts#

  • Set
  • PcapMinerV2
  • PcapFileExtractor

Commands#

  • file

Playbook Inputs#

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| RsaDecryptKeyEntryID | This input specifies the file entry ID for the RSA decrypt key if the user provided the key in the incident. | File.EntryID | Optional |
| PcapFileEntryID | This input specifies the file entry ID for the PCAP file if the user provided the file in the incident. One PCAP file can run per incident. | File.EntryID | Optional |
| WpaPassword | This input provides a WPA (Wi-Fi Protected Access) password to decrypt encrypted 802.11 Wi-Fi traffic. | | Optional |
| PcapFilter | This input specifies a search filter to apply to the PCAP file. Filters can restrict the search to a specific IP, protocol, or other criteria. The syntax is the same as in Wireshark, documented at https://www.wireshark.org/docs/man-pages/wireshark-filter.html. For this playbook, using a PCAP filter generates a new, smaller PCAP file based on the provided filter, thus reducing the extraction of non-relevant files. | | |
| ExtractedFilesLimit | This input limits the number of files to be extracted from the PCAP file. Default value is 5. | 5 | Optional |
| FileExtensionFilter | This input selects which file extensions to include or exclude from the PCAP file. Extensions must be comma separated, for example, png,gif,exe. This setting cannot be used with the FileTypeFilter. | | |
| FileTypeFilter | This input selects which file types (MIME types) to include or exclude from the PCAP file. MIME types must be comma separated, for example, image/jpeg,application/x-javascript. This setting cannot be used with the FileExtensionFilter. | | |
| FilterType | This input is combined with the FileExtensionFilter input or the FileTypeFilter input. It specifies whether the type/extension list is inclusive or exclusive. Can be "inclusive" or "exclusive". Default is "inclusive". | inclusive | |
| AutoDetonateFiles | This input specifies whether to detonate files extracted from the PCAP. The default value is True; any other value is treated as false. | True | Optional |
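The inputs FileExtensionFilter, FileTypeFilter, FilterType and ExtractedFilesLimit interact: one of the two filter lists is matched against each carved file, FilterType decides whether a match means keep or drop, and the limit is applied to whatever survives. The following added example (written for this page, not code from the PcapFileExtractor script or the playbook) implements those semantics over a constructed list of carved files so the combinations can be checked before running them against real captures. The `CarvedFile` record, the sample file list and the function name `select_files` are assumptions of the example; the rule that the two filter lists cannot be combined comes from the input table above.

```python
"""Added example: apply the playbook's file-filter inputs to carved files.

This is illustrative code, not the PcapFileExtractor script. The CarvedFile
record and the sample list below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class CarvedFile:
    name: str   # file name as carved from the capture (assumed field)
    mime: str   # MIME type detected from content, e.g. "image/png" (assumed)
    size: int   # size in bytes (assumed)


# Constructed sample: what one carving pass over a small capture might yield.
SAMPLE_FILES: List[CarvedFile] = [
    CarvedFile("logo.png", "image/png", 2048),
    CarvedFile("index.html", "text/html", 512),
    CarvedFile("setup.exe", "application/x-msdownload", 65536),
    CarvedFile("track.gif", "image/gif", 128),
    CarvedFile("app.js", "application/x-javascript", 4096),
    CarvedFile("report.pdf", "application/pdf", 8192),
    CarvedFile("banner.png", "image/png", 1024),
]


def _split_list(value: Optional[str]) -> List[str]:
    """Parse a comma-separated input such as "png,gif,exe" into a lower-cased list."""
    if not value:
        return []
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def _extension(name: str) -> str:
    """Return the lower-cased extension of a file name, or "" if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def select_files(files: List[CarvedFile],
                 extension_filter: Optional[str] = None,
                 type_filter: Optional[str] = None,
                 filter_type: str = "inclusive",
                 limit: int = 5) -> List[CarvedFile]:
    """Return the carved files the filter inputs would keep, in carving order.

    Mirrors the input table: FileExtensionFilter and FileTypeFilter are mutually
    exclusive, FilterType is "inclusive" or "exclusive" (default inclusive), and
    ExtractedFilesLimit (default 5) caps the result after filtering.
    """
    if extension_filter and type_filter:
        raise ValueError("FileExtensionFilter and FileTypeFilter cannot be used together")
    if filter_type not in ("inclusive", "exclusive"):
        raise ValueError("FilterType must be 'inclusive' or 'exclusive'")
    if limit < 0:
        raise ValueError("ExtractedFilesLimit must not be negative")

    extensions = set(_split_list(extension_filter))
    mime_types = set(_split_list(type_filter))

    if extensions:
        matches: Callable[[CarvedFile], bool] = lambda f: _extension(f.name) in extensions
    elif mime_types:
        matches = lambda f: f.mime.lower() in mime_types
    else:
        # No filter list given: FilterType has nothing to act on, keep everything.
        return files[:limit]

    if filter_type == "inclusive":
        keep = matches
    else:
        keep = lambda f: not matches(f)

    return [f for f in files if keep(f)][:limit]


if __name__ == "__main__":
    # Exclude images, keep at most 5 of the rest.
    for f in select_files(SAMPLE_FILES, extension_filter="png,gif", filter_type="exclusive"):
        print(f"{f.name:12} {f.mime:28} {f.size} bytes")
```

Note that the limit is applied after filtering, so an exclusive filter on a chatty image-heavy capture still leaves room for the executables and scripts an analyst is usually after; with no filter at all the first five carved files are taken regardless of type, which is why the default run can miss interesting files that appear late in the capture.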

Playbook Outputs#

| Path | Description | Type |
| --- | --- | --- |
| DBotScore | The DBotScore object. | string |
| File | The file object. | string |
| File.Malicious | The File malicious description. | string |

Playbook Image#

PCAP File Carving