PCAP File Carving

This playbook carves (extracts) files from a PCAP file and enriches and detonates the extracted files. Supported capture formats are pcap, cap and pcapng. The playbook handles one PCAP file per incident. Additional inputs let the user supply a WPA password for decrypting 802.11 (wireless) traffic and an RSA private key for decrypting SSL/TLS traffic; note that a server's private key only recovers sessions that used RSA key exchange, and sessions negotiated with ephemeral (EC)DHE key exchange cannot be decrypted this way. Further options filter the files to extract by file extension or by actual file type (MIME type) and limit the number of files extracted. A PCAP filter can also be specified to produce a new, smaller PCAP file. To display the results in the relevant incident fields, the playbook must run in a PCAP Analysis incident type. For PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Detonate File - Generic

Integrations

This playbook does not use any integrations.

Scripts

  • Set
  • PcapFileExtractor
  • PcapMinerV2

Commands

  • file

Playbook Inputs


Each input is listed with its description, default value and whether it is required.

  • RsaDecryptKeyEntryID
    Description: The file entry ID of the RSA private key, if the user attached one to the incident. Used to decrypt SSL/TLS traffic.
    Default value: File.EntryID
    Required: Optional
  • PcapFileEntryID
    Description: The file entry ID of the PCAP file, if the user attached one to the incident. Only one PCAP file can be processed per incident.
    Default value: File.EntryID
    Required: Optional
  • WpaPassword
    Description: A WPA (Wi-Fi Protected Access) password used to decrypt encrypted 802.11 Wi-Fi traffic.
    Default value: (none)
    Required: Optional
  • PcapFilter
    Description: A filter applied to the PCAP file, for example to restrict it to a specific IP address or protocol. The syntax is Wireshark display-filter syntax (not BPF capture-filter syntax), documented at https://www.wireshark.org/docs/man-pages/wireshark-filter.html. When a filter is provided, the playbook generates a new, smaller PCAP file containing only the matching packets, which reduces the extraction of irrelevant files.
    Default value: (none)
    Required: Optional
  • ExtractedFilesLimit
    Description: Limits the number of files extracted from the PCAP file.
    Default value: 5
    Required: Optional
  • FileExtensionFilter
    Description: Selects which file extensions to include in or exclude from extraction. Extensions must be comma separated, for example: png,gif,exe. This input cannot be used together with FileTypeFilter.
    Default value: (none)
    Required: Optional
  • FileTypeFilter
    Description: Selects which file types (MIME types) to include in or exclude from extraction. MIME types must be comma separated, for example: image/jpeg,application/x-javascript. This input cannot be used together with FileExtensionFilter.
    Default value: (none)
    Required: Optional
  • FilterType
    Description: Combined with FileExtensionFilter or FileTypeFilter; specifies whether the extension/type list is inclusive (only listed items are extracted) or exclusive (listed items are skipped). Accepted values are "inclusive" and "exclusive".
    Default value: inclusive
    Required: Optional
  • AutoDetonateFiles
    Description: Whether to detonate the files extracted from the PCAP. The default is True; any other value is treated as false.
    Default value: True
    Required: Optional
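The following is an added example, not code from the playbook or from the PcapFileExtractor and PcapMinerV2 scripts. It shows the pre-flight checks a practitioner would want before handing a file to this playbook: identifying the capture format from its magic bytes (the pcap byte-order and nanosecond variants, and pcapng), flagging files above the 30 MB threshold mentioned above, and applying the FileExtensionFilter / FileTypeFilter / FilterType / ExtractedFilesLimit semantics described in the inputs table to a list of carved files. All function names, the sample headers and the carved-file list are this example's own constructions.

```python
"""Pre-flight checks for PCAP File Carving inputs (added example, not playbook code)."""
import struct
from typing import Dict, List, Optional

# Classic pcap global header starts with one of four magic values.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
}
# pcapng begins with a Section Header Block: block type 0x0A0D0D0A (a palindrome,
# so identical in either byte order), a 4-byte block length, then the byte-order magic.
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"
PCAPNG_BYTE_ORDER = {b"\x1a\x2b\x3c\x4d": "big-endian", b"\x4d\x3c\x2b\x1a": "little-endian"}
SIZE_LIMIT_BYTES = 30 * 1024 * 1024  # above this the README points at PcapMinerV2


def capture_format(data: bytes) -> Optional[str]:
    """Name the capture format from the leading bytes, or None if not pcap/pcapng."""
    if len(data) >= 4 and data[:4] in PCAP_MAGICS:
        return PCAP_MAGICS[data[:4]]
    if len(data) >= 12 and data[:4] == PCAPNG_SHB_TYPE:
        order = PCAPNG_BYTE_ORDER.get(data[8:12])
        if order:
            return "pcapng (" + order + ")"
    return None


def exceeds_size_limit(size_bytes: int) -> bool:
    """True when the capture is larger than the 30 MB threshold."""
    return size_bytes > SIZE_LIMIT_BYTES


def parse_list(value: str) -> List[str]:
    """Split a comma-separated input ("png, GIF ,exe") into lower-cased, non-empty items."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def auto_detonate(value: str) -> bool:
    """README: default True, anything else is false. Case-folding is this example's choice."""
    return str(value).strip().lower() == "true"


def select_files(files: List[Dict[str, str]], extension_filter: str = "",
                 type_filter: str = "", filter_type: str = "inclusive",
                 limit: int = 5) -> List[Dict[str, str]]:
    """Apply the filter inputs to carved files (dicts with 'name' and 'mime' keys)."""
    if extension_filter and type_filter:
        raise ValueError("FileExtensionFilter and FileTypeFilter cannot be used together")
    mode = filter_type.strip().lower()
    if mode not in ("inclusive", "exclusive"):
        raise ValueError("FilterType must be 'inclusive' or 'exclusive'")
    wanted = parse_list(extension_filter or type_filter)
    selected = []
    for f in files:
        if not wanted:
            keep = True  # no filter given: every carved file is a candidate
        else:
            if extension_filter:
                name = f["name"]
                key = name.rsplit(".", 1)[1].lower() if "." in name else ""
            else:
                key = f["mime"].lower()
            matched = key in wanted
            keep = matched if mode == "inclusive" else not matched
        if keep:
            selected.append(f)
    return selected[:limit]  # ExtractedFilesLimit: default 5


# Constructed sample inputs (not real captures): a classic pcap global header and a
# pcapng Section Header Block with no options, both little-endian, plus a fake file list.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
CARVED = [
    {"name": "logo.png", "mime": "image/png"},
    {"name": "update.exe", "mime": "application/x-dosexec"},
    {"name": "loader.js", "mime": "application/x-javascript"},
    {"name": "README", "mime": "text/plain"},
    {"name": "photo.JPG", "mime": "image/jpeg"},
    {"name": "banner.gif", "mime": "image/gif"},
]

if __name__ == "__main__":
    for label, blob in (("pcap", SAMPLE_PCAP), ("pcapng", SAMPLE_PCAPNG), ("exe", b"MZ\x90\x00")):
        print(label, "->", capture_format(blob))
    print("inclusive:", [f["name"] for f in select_files(CARVED, extension_filter="png,gif,exe")])
    print("exclusive:", [f["name"] for f in
                         select_files(CARVED, extension_filter="png,gif,exe", filter_type="exclusive")])
```

The format check is worth running before the playbook starts: a renamed file that is not actually a capture fails only after the extraction scripts have been invoked, whereas the magic bytes settle it immediately. The selection function makes the two documented constraints explicit: the extension and MIME filters are mutually exclusive, and the limit is applied after filtering, so a restrictive filter never wastes the five default slots on irrelevant files.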

Playbook Outputs


Each output is listed with its context path, description and type.

  • DBotScore
    Description: The DBotScore object.
    Type: string
  • File
    Description: The File object.
    Type: string
  • File.Malicious
    Description: The File malicious description.
    Type: string

Playbook Image


[Image: PCAP File Carving playbook diagram]