Skip to main content

Python library extracting potential IOCs from a pcap file

Project description


Python tool to extract potential IOCs from a pcap file using pyshark

List of IOCs extracted :

  • IP addresses from IP packets
  • Domains and IP addresses from DNS requests
  • Domains, url and user-agents from HTTP requests
  • Domains from HTTPs X509 certificates

To install it, you can just do pip install pcap_ioc or install it from this repository with pip install ..


As a library

from pcap_ioc import Pcap

p = Pcap('FILE.pcap')
for i in p.indicators:

CLI tool

$ pcap_ioc
usage: pcap_ioc [-h] {ioc,misp,shell} ...

Process some pcaps.

positional arguments:
  {ioc,misp,shell}  Subcommand
    ioc             Extract IOCs
    misp            Extract IOCs and search in MISP
    shell           Open a shell with pyshark

optional arguments:
  -h, --help        show this help message and exit

To query MISP servers, you need to create a file ~/.misp with one entry for every MISP server for instance :

default: true


Then you can query one of these server with pcap_ioc misp -s misp2 file.pcap


This software is released under the MIT license.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for pcap-ioc, version 0.1.2
Filename, size File type Python version Upload date Hashes
Filename, size pcap_ioc-0.1.2-py3-none-any.whl (5.3 kB) File type Wheel Python version py3 Upload date Hashes View
Filename, size pcap_ioc-0.1.2.tar.gz (3.7 kB) File type Source Python version None Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring DigiCert DigiCert EV certificate Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page