Skip to main content

Python library extracting potential IOCs from a pcap file

Project description


Python tool to extract potential IOCs from a pcap file using pyshark

List of IOCs extracted :

  • IP addresses from IP packets
  • Domains and IP addresses from DNS requests
  • Domains, url and user-agents from HTTP requests
  • Domains from HTTPs X509 certificates

To install it, you can just do pip install pcap_ioc or install it from this repository with pip install ..


As a library

from pcap_ioc import Pcap

p = Pcap('FILE.pcap')
for i in p.indicators:

CLI tool

$ pcap_ioc
usage: pcap_ioc [-h] {ioc,misp,shell} ...

Process some pcaps.

positional arguments:
  {ioc,misp,shell}  Subcommand
    ioc             Extract IOCs
    misp            Extract IOCs and search in MISP
    shell           Open a shell with pyshark

optional arguments:
  -h, --help        show this help message and exit

To query MISP servers, you need to create a file ~/.misp with one entry for every MISP server for instance :

default: true


Then you can query one of these server with pcap_ioc misp -s misp2 file.pcap


This software is released under the MIT license.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pcap_ioc-0.1.2.tar.gz (3.7 kB view hashes)

Uploaded Source

Built Distribution

pcap_ioc-0.1.2-py3-none-any.whl (5.3 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page