GreyNoise
API Reference

Export PCAP for Multiple Sessions

get
https://api.greynoise.io/v3/sessions/export

Returns a PCAP file containing packets from sessions matching the query criteria.
The response is a binary PCAP file suitable for analysis with tools like Wireshark.

Not available when scope=demo (returns 403).

Query Params
string
enum
Defaults to workspace

Controls the data scope for the query.

  • workspace: Query data from the current workspace (default). Requires the Sensors entitlement.
  • demo: Query demo/sample data. Requires the Swarm entitlement. Not available on export endpoints.
Allowed:
date-time
required

Start time for the query range (ISO 8601 format).

date-time
required

End time for the query range (ISO 8601 format).

string

Lucene query string to filter sessions.

string
enum
Defaults to page

Export selection mode.

  • page: Export a single page of results (use with page and page_size). This is the default.
  • all: Export all sessions matching the query, up to page_size results.
Allowed:
integer
≥ 1
Defaults to 1

Page number to export when mode=page.

integer
1 to 1000
Defaults to 100

Number of sessions per page when mode=page, or the maximum number of
sessions to export when mode=all. The legacy size parameter is
accepted as an alias.

string
Defaults to lastPacket

Field to sort results by.

string
enum
Defaults to true

Whether to sort in descending order.

Allowed:
Headers
string
enum
Defaults to application/json

Generated from available response content types

Allowed:
Responses

Updated 2 months ago

Language
Credentials
Header
URL
LoadingLoading…
Response
Click Try It! to start a request and see the response here! Or choose an example:
application/vnd.tcpdump.pcap
application/json

Updated 2 months ago