Export PCAP for Multiple Sessions

get

https://api.greynoise.io/v3/sessions/export

Returns a PCAP file containing packets from sessions matching the query criteria. The response is a binary PCAP file suitable for analysis with tools like Wireshark.

Not available when scope=demo (returns 403).

Query Params

scope

string

enum

Defaults to workspace

Controls the data scope for the query.

workspace: Query data from the current workspace (default). Requires the Sensors entitlement.
demo: Query demo/sample data. Requires the Swarm entitlement. Not available on export endpoints.

Allowed:

start_time

date-time

required

Start time for the query range (ISO 8601 format).

end_time

date-time

required

End time for the query range (ISO 8601 format).

query

string

Lucene query string to filter sessions.

size

integer

Defaults to 100

Maximum number of sessions to include in the export.

sort_by

string

Defaults to lastPacket

Field to sort results by.

sort_desc

string

enum

Defaults to true

Whether to sort in descending order.

Allowed:

Headers

string

enum

Defaults to application/json

Generated from available response content types

Allowed:

Responses

Language

Credentials

Header

URL

Response

Click Try It! to start a request and see the response here! Or choose an example:

application/vnd.tcpdump.pcap

application/json

200PCAP file containing matching session packets.

400Bad request - request syntax is invalid for the specified endpoint. Verify request syntax and try again.

401Unauthorized. Please check your API key.

403Forbidden - request is not authorized due to an invalid API key or plan limitations. If due to plan limitations, contact [email protected] to upgrade your plan and unlock full results.

404Resource not found.

429Too many requests. You've hit the rate-limit.

500Unexpected error