Skip to main content


This Script is part of the PCAP Analysis Pack.#

PcapMIner V2 allows to parse PCAP files by displaying the all of the relevant data within including ip addresses, ports, flows, specific protocol breakdown, searching by regex, decrypting encrypted traffic and more. This automation takes about a minute to process 20,000 packets (which is approximately 10MB). If you want to mine large files you can either: a) Use the pcap_filter parameter to filter your PCAP file and thus make is smaller. b) Copy the automation and change the default timeout parameter to match your needs.

Script Data#

Script Typepython3
Tagspcap, mine, file, Utility
Cortex XSOAR Version5.0.0


Argument NameDescription
entry_idThe entry_id of the PCAP file to mine.
protocol_outputA comma-separated list of protocols to output as context. If empty, will not output any protocols to context.
extract_stringsWhether to extract IP, URL, and Email from PCAP file. Can be "True" or "False".
pcap_filterFilter to apply on PCAP. Wireshark syntax as can be found here:
custom_regexYour own regular expression to extract from the PCAP.
filtered_file_nameThe name of the PCAP file to save to the War Room after applying the `pcap_filter` (i.e. `filtered_file.pcap`).
rsa_decrypt_key_entry_idThe entry ID for the RSA decryption key.
convs_to_displayNumber of conversations to display. The default is 15.
wpa_passwordThe WPA password. By providing the password you will be able to decrypt encrypted traffic data.
extract_ipsOutput to context the source and destination IPs in the PCAP file. Can be "True" or "False". The default is "False".


PCAPResults.BytesThe number of bytes transmitted in the PCAP file.Number
PCAPResults.PacketsThe number of packets transmitted in the PCAP file.Number
PCAPResults.EntryIDThe entryID of the PCAP file.String
PCAPResults.StreamCountThe number of streams in the PCAP file.String
PCAPResults.StartTimeThe date and time of the first packet in the PCAP file.Date
PCAPResults.EndTimeThe date and time of the last packet in the PCAP file.String
PCAPResults.UniqueSourceIPThe number of unique IPs from which packets were transmitted.Number
PCAPResults.UniqueDestIPThe number of unique IPs from to packets were transmitted.Number
PCAPResultsFlow.BytesThe number of bytes transmitted in the flow.String
PCAPResultsFlow.DestIPThe destination IP of the flow.String
PCAPResultsFlow.SourceIPThe source IP of the flow.String
PCAPResultsFlow.TransportThe transport protocol of the flow.String
PCAPResultsFlow.SourcePortThe source port of the flow.String
PCAPResultsFlow.DestPortThe destination port of the flow.String
PCAPResultsFlow.DurationThe duration of the flow (in seconds).String
PCAPResultsFlow.EndTimeThe date/time the flow ended.Date
PCAPResultsFlow.StartTimeThe date/time the flow started.Date
PCAPResults.URLThe URLs extracted from the file.String
PCAPResults.IPThe IPs extracted from the file.String
PCAPResults.EmailThe emails extracted from the file.String
PCAPResults.RegexThe regular expressions specified in `extract_regex` extracted from the file.String
PCAPResultsHTTP.ResponseStatusCodeThe response code.String
PCAPResultsHTTP.RequestVersionThe request version.String
PCAPResultsHTTP.RequestCacheControlThe cache control of the request.String
PCAPResultsHTTP.ResponseDateThe date/time of the response.Date
PCAPResultsHTTP.RequestMethodThe request method.String
PCAPResultsHTTP.RequestSourceIPThe source IP of the request.String
PCAPResultsHTTP.ResponseContentTypeThe response content type.String
PCAPResultsHTTP.RequestAgentThe request agent.String
PCAPResultsHTTP.RequestHostThe request host.String
PCAPResultsHTTP.ResponseVersionThe response version.String
PCAPResultsHTTP.IDThe ID of the HTTP interaction.String
PCAPResultsHTTP.EntryIDThe PCAP entry ID.String
PCAPResultsHTTP.RequestURIThe request URI.String
PCAPResultsHTTP.ResponseContentLengthThe length of the response content.String
PCAPResultsHTTP.ResponseCodeDescThe code description of the response.String
PCAPResultsDNS.IDThe ID of the DNS request.String
PCAPResultsDNS.RequestThe DNS request.String
PCAPResultsDNS.ResponseThe DNS response.String
PCAPResultsDNS.TypeThe type of the DNS request.String
PCAPResultsDNS.IDThe DNS packet ID.String
PCAPResultsDNS.EntryIDThe PCAP entry ID.String
PCAPResults.ProtocolsList of protocols found in the PCAP.String
PCAPResultsSMTP.FromThe mail sender.String
PCAPResultsSMTP.ToThe mail recipients.String
PCAPResultsSMTP.SubjectThe mail subject.String
PCAPResultsSMTP.MimeVersionThe mime version.String
PCAPResultsSMTP.IDThe SMTP packet's ID.String
PCAPResultsSMTP.EntryIDThe PCAP entry ID.String
PCAPResultsKERBEROS.EntryIDThe PCAP entry ID.String
PCAPResultsKERBEROS.RealmThe KERBEROS realm.String
PCAPResultsTelnet.DataThe telnet data.String
PCAPResultsTelnet.CommandsThe telnet commands.String
PCAPResultsTelnet.EntryIDThe PCAP entry ID.String
PCAPResultsLLMNR.EntryIDThe PCAP entry ID.String
PCAPResultsLLMNR.QueryClassThe LLMNR query class.String
PCAPResultsLLMNR.QueryNameThe LLMNR query name.String
PCAPResultsLLMNR.QuestionsThe LLMNR questions.String
PCAPResultsLLMNR.IDThe LLMNR packet ID.String
PCAPResultsLLMNR.QueryTypeThe LLMNR query type.String
PCAPResultsSYSLOG.EntryIDThe PCAP entry ID.String
PCAPResultsSYSLOG.IDThe SYSLOGS packet ID.String
PCAPResultsSYSLOG.MessageThe SYSLOGS message.String
PCAPResultsSYSLOG.HostnameThe SYSLOGS host name.String
PCAPResultsSYSLOG.TimestampThe SYSLOGS time stamp.String
PCAPResultsSMB2.EntryIDThe PCAP entry ID.String
PCAPResultsSMB2.IDThe SMB2 packet ID.String
PCAPResultsSMB2.UserNameThe SMB2 user name.String
PCAPResultsSMB2.DomainThe SMB2 domain.String
PCAPResultsSMB2.HostNameThe SMB2 host name.String
PCAPResultsSMB2.CommandThe SMB2 command.String
PCAPResultsSMB2.FileNameThe SMB2 file name.String
PCAPResultsSMB2.TreeThe SMB2 tree.String
PCAPResultsNETBIOS.EntryIDThe PCAP entry ID.String
PCAPResultsNETBIOS.IDThe NETIOS packet ID.String
PCAPResultsNETBIOS.NameThe NETIOS name.String
PCAPResultsNETBIOS.TypeThe NETIOS type.String
PCAPResultsNETBIOS.ClassThe NETIOS class.String
PCAPResultsIRC.EntryIDThe PCAP entry ID.String
PCAPResultsIRC.IDThe IRC packet ID.String
PCAPResultsIRC.RequestCommandThe IRC request command.String
PCAPResultsIRC.RequestTrailerThe IRC request trailer.String
PCAPResultsIRC.RequestPrefixThe IRC request prefix.String
PCAPResultsIRC.RequestParametersThe IRC request parameters.String
PCAPResultsIRC.ResponseCommandThe IRC response command.String
PCAPResultsIRC.ResponseTrailerThe IRC response trailers.String
PCAPResultsIRC.ResponsePrefixThe IRC response prefix.String
PCAPResultsIRC.ResponseParametersThe IRC response parameters.String
PCAPResultsFTP.EntryIDThe PCAP entry ID.String
PCAPResultsFTP.IDThe FTP packet ID.String
PCAPResultsFTP.RequestCommandThe FTP request command.String
PCAPResultsFTP.ResponseArgsThe FTP response arguments.String
PCAPResultsFTP.ResponseCodeThe FTP response code.String
PCAPResultsICMPICMP data.String
PCAPResultsSSH.EntryIDThe PCAP's entry ID.String
PCAPResultsSSH.ClientProtocolsThe SSH client protocols in the PCAP.String
PCAPResultsSSH.ServerProtocolsThe SSH server protocols in the PCAP.String
PCAPResultsSSH.KeyExchangeMessageCodeThe SSH key exchange message codes.String