MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.

PCAP Collection

Collect full network traffic for future research and analysis.

PCAP Collection allows a defenders to use the data to examine an adversary’s network traffic more closely, including studying if it is encoded and/or encrypted. PCAP can be run through tools to replay the traffic to get a real-time view of what happened over the wire. These tools can also parse the traffic and send results to a SIEM for monitoring and alerting.

ID: DTE0028
Tactics:  Collect Detect


DOS0116 There is an opportunity to detect adversary activity that uses obfuscated communication.
DOS0170 There is an opportunity to collect network data and analyze the adversary activity it contains.

Use Cases

DUC0116 A defender can capture network traffic for a compromised system and look for abnormal network traffic that may signal data obfuscation.
DUC0170 Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity.


DPR0049 Collect PCAP on a decoy network to improve visibility into an adversary's network activity.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1001 Data Obfuscation Command and Control
T1020 Automated Exfiltration Exfiltration
T1030 Data Transfer Size Limits Exfiltration
T1105 Ingress Tool Transfer Command and Control