PCAP files contain network packet data recorded during a live network capture and are commonly used for packet sniffing and for analyzing the characteristics of a data network. In the malware research field, PCAPs are often used to:
- Record malware network communication when executed in sandboxed environments.
- Record honeyclient browser exploitation traces.
- Log network activity seen by network appliances and IDS.
We have seen that many users send their PCAPs to VirusTotal. These PCAPs often contain HTTP flows in which a trojan is downloaded, recordings of worm scanning sweeps, logs of exploits being delivered to a honeymonkey, etc. We want to help the users submitting PCAPs to VirusTotal and improve their research, which is why we have introduced PCAP analysis. Its features are:
- Processes the files with popular intrusion detection systems (Snort and Suricata for the moment) and logs the rules that they trigger.
- Extracts file metadata with Wireshark.
- Lists DNS resolutions performed.
- Lists HTTP communication.
- Extracts files seen in the different network flows and links to the pertinent VirusTotal reports if the given file is of an interesting file type (portable executables, PDFs, flash, compressed bundles, etc.). If you are registered in VirusTotal Community and have signed in, these interesting files extracted from the network flow will be available for you to download as long as you are the first submitter of the PCAP (which when dealing with this type of files is the most common situation).
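The DNS and HTTP listing described above, as an added illustration that is not VirusTotal's own code: a minimal stdlib-only parser that walks a classic-format pcap (Ethernet/IPv4 only, no pcapng, no Snort/Suricata or Wireshark involved) and reports the DNS query names and HTTP request lines it finds. The sample capture is constructed in memory, with a hypothetical `update.example.invalid` host, so the example runs offline.

```python
import struct

# Helpers that build a constructed (not captured) pcap in memory so the
# example runs offline. Only Ethernet II / IPv4 framing, no checksums.
def _ipv4(proto, payload, src=b"\x0a\x00\x00\x02", dst=b"\x0a\x00\x00\x01"):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + payload          # dummy MACs + EtherType IPv4

def _dns_query(name):                                         # UDP/53, standard A query
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"
    return _ipv4(17, struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns)

def _http_get(host, path):                                    # TCP/80, PSH+ACK, 20-byte header
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    return _ipv4(6, struct.pack("!HHIIBBHHH", 40001, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + req)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([_dns_query("update.example.invalid"),          # constructed host name
                          _http_get("update.example.invalid", "/payload.exe")])

def summarize_pcap(data):
    """Return the DNS query names and HTTP request lines seen in a pcap byte string."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    dns, http, off = [], [], 24                               # 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00":                      # skip non-IPv4 frames
            continue
        ip = frame[14:]
        ihl, proto, total = (ip[0] & 0x0F) * 4, ip[9], struct.unpack("!H", ip[2:4])[0]
        l4 = ip[ihl:total]
        if proto == 17 and struct.unpack("!H", l4[2:4])[0] == 53:
            pos, labels = 8 + 12, []                          # skip UDP header + DNS header
            while l4[pos]:                                    # read length-prefixed labels
                labels.append(l4[pos + 1:pos + 1 + l4[pos]].decode())
                pos += 1 + l4[pos]
            dns.append(".".join(labels))
        elif proto == 6:
            payload = l4[(l4[12] >> 4) * 4:]                  # honour the TCP data offset
            if payload[:4] in (b"GET ", b"POST"):
                http.append(payload.split(b"\r\n")[0].decode())
    return {"dns": dns, "http": http}
```

A real capture would additionally need TCP stream reassembly before request lines can be trusted, which is one reason the service leans on Wireshark and the IDS engines rather than per-packet inspection.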
Without further ado, let us paste a couple of examples of this new functionality (refer to the File details tab in order to see all of the aforementioned information):