Example: pcap

Inputs

  • examples/inputs/pcap-samples/README.md
  • examples/inputs/pcap-samples/sample_network.pcap

Profile

```toml
# PCAP Network Capture Analysis Example
# This profile scans network packet capture (PCAP) files with byte, string and regex
# patterns; it does not decode packets, so every match is a raw offset into the file
# The sample_network.pcap file contains a minimal valid PCAP structure with one packet

decode = []

tag = "pcap"

# PCAP file header pattern (magic bytes)
[[patterns]]
  name = "PCAP Magic (LE)"
  pattern = "D4:C3:B2:A1"
  type = "bytes"

[[patterns]]
  name = "PCAP Magic (BE)"
  pattern = "A1:B2:C3:D4"
  type = "bytes"

[[patterns]]
  name = "PCAP-NG Magic"
  pattern = "0A:0D:0D:0A"
  type = "bytes"

# Network protocol patterns
# 08:00 is the EtherType for IPv4 at the end of the 14-byte Ethernet header
[[patterns]]
  name = "Ethernet Frame"
  pattern = "08:00"
  type = "bytes"

# 45:00 is IPv4 version 4 with a 20-byte header, followed by a zero DSCP/ECN byte
[[patterns]]
  name = "IPv4 Packet"
  pattern = "45:00"
  type = "bytes"

# DNS traffic patterns
# 00:35 is port 53 as a big-endian 16-bit value; it is matched anywhere in the file,
# so it also fires on unrelated two-byte sequences. Both entries below use the same bytes.
[[patterns]]
  name = "DNS Query Port"
  pattern = "00:35"
  type = "bytes"

[[patterns]]
  name = "DNS Response Port"
  pattern = "00:35"
  type = "bytes"

# Common suspicious patterns in network traffic
# These regexes only match dotted-decimal text inside payloads; IP headers store
# addresses as binary, so they never fire on the headers themselves
[[patterns]]
  name = "Private IP Range 192.168"
  pattern = "192\\.168\\."
  type = "regex"

[[patterns]]
  name = "Private IP Range 10."
  pattern = "10\\."
  type = "regex"

# HTTP patterns
[[patterns]]
  name = "HTTP GET"
  pattern = "GET "
  type = "string"

[[patterns]]
  name = "HTTP POST"
  pattern = "POST "
  type = "string"

[[patterns]]
  name = "HTTP User-Agent"
  pattern = "User-Agent:"
  type = "string"
  case-insensitive = true

# Potential malicious patterns
[[patterns]]
  name = "Suspicious User-Agent"
  pattern = "curl|wget|python|powershell"
  type = "regex"
  case-insensitive = true

# TCP flags are bits in the TCP header, not text, so this only catches the flag names
# spelled out in ASCII (e.g. captured log text); an alternation needs type "regex",
# as a "string" pattern would only match the literal text SYN|RST|FIN
[[patterns]]
  name = "Port Scan Pattern"
  pattern = "SYN|RST|FIN"
  type = "regex"
```
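As an added illustration (not the project's own code), the Python below builds a constructed 90-byte PCAP with the same layout as the sample (24-byte global header, 16-byte record header, one Ethernet/IPv4/UDP frame to port 53), re-implements the profile's three pattern types, and reproduces the four offsets that pattern_matches.csv reports; the structural parser alongside shows why the text-form private-IP regexes never fire on binary headers. The MAC addresses, IP addresses, ports and payload bytes are assumptions chosen for the example.

```python
import re
import struct

# Constructed classic PCAP (LE magic) holding one Ethernet/IPv4/UDP frame to port 53.
# Sizes mirror the sample: 24-byte global header + 16-byte record header + 50-byte frame = 90.
def build_sample_pcap() -> bytes:
    payload = b"\x12\x34\x01\x00\x00\x01\x00\x00"              # constructed 8-byte DNS-like header
    udp = struct.pack(">HHHH", 40000, 53, 8 + len(payload), 0)  # src port, dst port 53, length, cksum
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1]))  # assumed addresses
    eth = bytes(12) + b"\x08\x00"                               # zero MACs, EtherType IPv4
    frame = eth + ip + udp + payload
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, LINKTYPE_ETHERNET
    rhdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))         # ts_sec, ts_usec, incl, orig
    return ghdr + rhdr + frame

# A subset of the profile, with the three pattern types re-implemented here (not the tool's engine).
PROFILE = [
    ("PCAP Magic (LE)", "bytes", "D4:C3:B2:A1"),
    ("Ethernet Frame", "bytes", "08:00"),
    ("IPv4 Packet", "bytes", "45:00"),
    ("DNS Query Port", "bytes", "00:35"),
    ("Private IP Range 192.168", "regex", r"192\.168\."),
    ("HTTP GET", "string", "GET "),
]

def compile_pattern(ptype: str, pattern: str) -> re.Pattern:
    if ptype == "bytes":
        return re.compile(re.escape(bytes.fromhex(pattern.replace(":", ""))))
    if ptype == "string":
        return re.compile(re.escape(pattern.encode()))
    return re.compile(pattern.encode())  # regex, applied to the raw file bytes

def scan(data: bytes, profile=PROFILE) -> list:
    """Return (pattern_name, location, length) per hit, like the pattern_matches.csv columns."""
    return [(name, m.start(), m.end() - m.start())
            for name, ptype, pat in profile
            for m in compile_pattern(ptype, pat).finditer(data)]

def first_udp_flow(pcap: bytes):
    """Structural parse of the first record: (src_ip, dst_ip, dst_port), or None if not IPv4/UDP."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        return None                                   # only little-endian classic pcap handled
    incl_len = struct.unpack_from("<I", pcap, 32)[0]  # incl_len field of the first record header
    frame = pcap[40:40 + incl_len]
    if frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4 or frame[23] != 17:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = frame[26:30], frame[30:34]
    dst_port = struct.unpack_from(">H", frame, 14 + ihl + 2)[0]
    return (".".join(map(str, src)), ".".join(map(str, dst)), dst_port)
```

Running scan() over the constructed file yields hits at offsets 0, 52, 54 and 76 and nothing for the private-IP regex, while first_udp_flow() recovers 192.168.1.10 as the source address, which is why a detection that cares about addresses or ports needs the structural decode rather than the byte patterns.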

Report outputs

Triage report (converted from triage_report.json)

| field | value |
|---|---|
| total_files | 2 |
| critical_count | 0 |
| high_count | 0 |
| medium_count | 0 |
| low_count | 0 |
| minimal_count | 2 |
| must_investigate_count | 0 |
| all_scores | None |
| generated_at | 2026-02-01T11:39:25.366428348+00:00 |

top_scores

| characteristics_score | file_type | file_type_score | must_investigate | path | pattern_count_score | pattern_matches | pattern_severity_score | reasons | risk_level | score | sha256 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | Other | 0 | False | /sample_network.pcap | 5 | 4 | 6 | ["4 suspicious patterns detected"] | Minimal | 11 | 572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90 |
| 0 | Other | 0 | False | /README.md | 0 | 0 | 0 | [] | Minimal | 0 | a3e97de119a856c104957ef70de33278488b86d5c682f8d35dbb0f47c053f485 |

CSV outputs

errors.csv

Empty CSV

files.csv

| path | file_name | sha256 | file_created | file_modified | file_accessed | mime_types_from_file_extension | is_symbolic_link | is_extracted_file | is_decoded_file | is_deobfuscated_file | tag |
|---|---|---|---|---|---|---|---|---|---|---|---|
| /sample_network.pcap | sample_network.pcap | 572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90 | 2026-02-01T11:24:46.719969497Z | 2026-02-01T11:24:46.719969497Z | 2026-02-01T11:25:18.689983469Z | ["application/vnd.tcpdump.pcap"] | 0 | 0 | 0 | 0 | |
| /README.md | README.md | a3e97de119a856c104957ef70de33278488b86d5c682f8d35dbb0f47c053f485 | 2026-02-01T11:24:46.719969497Z | 2026-02-01T11:24:46.719969497Z | 2026-02-01T11:25:18.689983469Z | ["application/x-genesis-rom"] | 0 | 0 | 0 | 0 | |

pattern_matches.csv

The match column holds the raw matched bytes, which are not printable; they are shown here as the hex the pattern matched.

| id | sha256 | pattern_name | match_type | match | location | length |
|---|---|---|---|---|---|---|
| 1 | 572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90 | PCAP Magic (LE) | bytes | D4 C3 B2 A1 (raw bytes) | 0 | 4 |
| 2 | 572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90 | Ethernet Frame | bytes | 08 00 (raw bytes) | 52 | 2 |
| 3 | 572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90 | IPv4 Packet | bytes | 45 00 (raw bytes) | 54 | 2 |
| 4 | 572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90 | DNS Query Port | bytes | 00 35 (raw bytes) | 76 | 2 |

signature_matches.csv

Empty CSV

unique_files.csv

| sha256 | sha1 | md5 | file_size | mime_type_for_content | shannon_entropy |
|---|---|---|---|---|---|
| 572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90 | f4cce328565be999ba6285127fb5cab6b105e87e | 0142c4bceadf5a8e3a21bac956842443 | 90 | application/vnd.tcpdump.pcap | 3.07257160262939 |
| a3e97de119a856c104957ef70de33278488b86d5c682f8d35dbb0f47c053f485 | 7003b899cedb7e97ecdb284e8d450cd9fb5af151 | eb8b335532bc6cc6615224654cdd5682 | 1053 | text/plain | 4.73902362133387 |