PCAPs endpoint

A GET request to /api/open/pcaps allows you to get the list of all traces available on the machine.

This endpoint lets you to interact with packet capture (pcap)s that have been uploaded to Guardian from the Upload traces page of the System section.

Figure 1. Upload traces page

Upload traces page

A GET request to /api/open/pcaps/:id allows you to retrieve a given trace.

Requirements and Restrictions

  1. The authenticated user must be in a group having admin role or with Upload traces section enabled.
  2. In case the request body does not adhere to the format described above, the call returns a 422 error.
  3. If you specify an identifier (ID) of a trace that does not exist, the call returns a 404 error.
  4. If the request is accepted, the result will contain information on the retrieved trace.
Figure 2. Example of traces get all list request

Example of traces get all list request

Figure 3. Example of traces get by ID request

Example of traces get by Identifier request

A DELETE request to /api/open/pcaps/:id allows you to delete a given trace.

Requirements and Restrictions

  1. The authenticated user must be in a group having admin role or with Upload traces section enabled.
  2. In case the request body does not adhere to the format described above, the call returns a 422 error.
  3. If you specify an ID of a trace that does not exist, the call returns a 404 error.
  4. If the request is accepted, the trace will be deleted.
Figure 4. Example of trace delete request

Example of trace delete request

A POST request to /api/open/pcaps/upload allows you to upload a trace passed as a file in the body of the request.

Requirements and Restrictions

  1. The authenticated user must be in a group having admin role or with Upload traces section enabled.
  2. The trace should be passed in the form-data section of the request body.
  3. In case the request body does not adhere to the format described above, the call returns a 422 error.
  4. If the file sent in the request is not a valid trace, the call returns a 422 error along with an error reason describing the cause of the validation failure.
  5. If the request is accepted, the trace will be uploaded.
Figure 5. Example of trace upload request

Example of trace upload request

A POST request to /api/open/pcaps/import allows you to import a trace file that is already present in the machine.

Requirements and Restrictions

  1. The authenticated user must be in a group having admin role or with Upload traces section enabled.
  2. The trace file should be present in the /data/tmp directory of the machine.
  3. The filename parameter of the request should contain the name of the trace file.
  4. In case the request body does not adhere to the format described above, the call returns a 422 error.
  5. If the trace file is not a valid trace, the call returns a 422 error along with an error reason describing the cause of the validation failure.
  6. If the request is accepted, the trace will be uploaded.
Figure 6. Example of trace import request

Example of trace import request

A PATCH request to /api/open/pcaps allows you to replay a trace that has been previously uploaded or imported.

Requirements and Restrictions

  1. The authenticated user must be in a group having admin role or with Upload traces section enabled.
  2. The trace should be present in the list of the available traces returned by the GET request to /api/open/pcaps.
  3. The id parameter of the request should contain the ID of the trace.
  4. The use_packet_time boolean parameter should be set to true if you want to use the time of the packets; false otherwise.
  5. The data_to_reset_before_play parameter should be set to {} if you do not want to reset data before playing the trace. Otherwise, you need to specify a JavaScript Object Notation (JSON) dictionary with the sections you want to reset, for example {"alerts": true, "vi": true}. The list of all available sections is the following:
    • alerts_data
    • assertions
    • learning
    • network_data
    • process_data
    • queries
    • smart_polling_data
    • timemachine_data
    • traces_data
    • vi_data
    • vulnerability_data
    The list above reflects the options available for Data reset in the user interface (UI).
  6. In case the request body does not adhere to the format described above, the call returns a 422 error.
  7. If you specify an ID of a trace that does not exist, the call returns a 404 error.
  8. If the request is accepted, the trace will be replayed.
Figure 7. Example of trace replay request

Example of trace replay request

A PATCH request to /api/open/pcaps/note allows you to change the note field of a trace.

Requirements and Restrictions

  1. The authenticated user must be in a group having admin role or with Upload traces section enabled.
  2. The trace should be present in the list of the available traces returned by the GET request to /api/open/pcaps.
  3. The id parameter of the request should contain the ID of the trace.
  4. The note parameter of the request should contain the text you want to change.
  5. In case the request body does not adhere to the format described above, the call returns a 422 error.
  6. If the request is accepted, the note will be changed.
Figure 8. Example of trace note request

Example of trace note request