This is a list of public packet capture repositories, which are freely available on the Internet.
Most of the sites listed below share Full Packet Capture (FPC) files, but a few unfortunately only provide truncated frames (captured with a small snaplen, so most of the application-layer payload is missing).
Cyber Defence Exercises (CDX)
This category includes network traffic from exercises and competitions, such as Cyber Defense Exercises (CDX) and red-team/blue-team competitions.
MACCDC – Pcaps from National CyberWatch Mid-Atlantic Collegiate Cyber Defense Competition
ISTS – Pcaps from The Information Security Talent Search
Captures from the “2009 Inter-Service Academy Cyber Defense Competition” served by Information Technology Operations Center (ITOC), United States Military Academy
Captured malware traffic from honeypots, sandboxes or real world intrusions.
Contagio Malware Dump: Collection of PCAP files categorized as APT, Crime or Metasploit
http://www.mediafire.com/?a49l965nlayad (see blog post)
WARNING: The password protected zip files contain real malware
Also see Contagio’s PCAP files per case:
- Trojan.Tbot http://contagiodump.blogspot.com/2012/12/dec-2012-skynet-tor-botnet-trojantbot.html
- ZeroAccess Trojan http://contagiodump.blogspot.com/2012/10/blackhole-2-exploit-kit-files-partial.html
- CVE-2012-4681 http://contagiodump.blogspot.com/2012/09/cve-2012-4681-samples-original-apt-and.html
- Trojan Taidoor http://contagiodump.blogspot.com/2011/11/nov-3-cve-2011-0611-1104statmentpdf.html
- Poison Ivy CnC http://contagiodump.blogspot.com/2011/07/message-targeting-experts-on-japan.html
Malware analysis blog that shares malware as well as PCAP files
Stratosphere IPS – PCAP and Argus datasets with malware traffic, created by Sebastian Garcia (@eldracote) at the ATG group of the Czech Technical University
Ponmocup malware/trojan (a.k.a. Milicenso) PCAP by Tom Ueltschi a.k.a. @c_APT_ure
Also see original source (password protected zip) and analysis writeup (text)
Free malware analysis sandbox. Malware samples can be uploaded or searched, and PCAP files from sandbox execution can be downloaded.
Online client honeypot for sharing, browsing and analyzing web-based malware. PCAP download available for analyzed sites.
Shadowbrokers PCAPs by Eric Conrad, including ETERNALBLUE and ETERNALROMANCE.
Network forensics training, challenges and contests.
Hands-on Network Forensics – Training PCAP dataset from FIRST 2015
https://www.first.org/_assets/conf2015/networkforensics_virtualbox.zip (VirtualBox VM)
- 4.4 GB PCAP with malware, client- and server-side attacks as well as “normal” internet traffic
- VM login credentials are: user/password
- PCAP files are in /nsm/sensor_data/securityonion_eth1/dailylogs/ as specified in the training documentation
Forensic Challenge 14 – “Weird Python” (The Honeynet Project)
Network Forensics Puzzle Contest (by Lake Missoula Group, LLC)
DFRWS 2008 Challenge
DFRWS 2009 Challenge
DFIR MONTEREY 2015 Network Forensics Challenge (by Phil Hagen of SANS)
SCADA/ICS Network Captures
DigitalBond S4x15 ICS Village CTF PCAPs
Compilation of ICS PCAP files indexed by protocol (by Jason Smith)
DEF CON 23 ICS Village
https://media.defcon.org/DEF CON 23/DEF CON 23 villages/DEF CON 23 ics village/DEF CON 23 ICS Village packet captures.rar (requires RAR v5)
Capture the Flag Competitions (CTF)
PCAP files from capture-the-flag (CTF) competitions and challenges.
Note: Sniffing CTFs is known as “capture-the-capture-the-flag” or CCTF.
DEFCON Capture the Flag Contest traces (from DEF CON 8, 10 and 11)
DEFCON 17 Capture the Flag Contest traces
DEFCON CTF PCAPs from DEF CON 17 to 24 (look for the big RAR files inside the ctf directories)
CSAW CTF 2011 pcap files
No cON Name 2014 CTF Finals, “Vodka” challenge
https://github.com/MarioVilas/write-ups/raw/master/ncn-ctf-2014/Vodka/vodka (bzip2 compressed PCAP-NG file)
PhreakNIC CTF from 2016 (by _NSAKEY). Contains traffic to/from the target, the NetKoTH scoring server and the IRC server.
Packet Injection Attacks / Man-on-the-Side Attacks
PCAP files from research by Gabi Nakibly et al. in Website-Targeted False Content Injection by Network Operators
Packet injection against id1.cn, released by Fox-IT at BroCon 2015
Packet injection against http://www.02995.com, doing a redirect to http://www.hao123.com (read more)
Packet injection against id1.cn, doing a redirect to batit.aliyun.com (read more)
Pcap files for testing Honeybadger TCP injection attack detection
Uncategorized PCAP Repositories
SharkFest’15 Packet Challenge
https://sharkfest.wireshark.org/assets/presentations15/packetchallenge.zip (via SharkFest)
Packet analysis challenge by Johannes Weber
Additional PCAP files from Johannes can be found here: https://blog.webernetz.net/tag/pcap/
TcpReplay Sample Captures
Applied Communication Sciences’ MILCOM 2016 datasets
DARPA Intrusion Detection Data Sets from 1998 and 1999
OpenPacket.org Capture Repository (created by Richard Bejtlich, maintained by JJ Cummings)
Tim’s packet Zoo
Over 4 GB of network forensic training data from DEEP (Digital Evaluation and Exploitation, Department of Computer Science, Naval Postgraduate School). Case details can be found at Jesse Kornblum’s blog.
Mixed PCAP file repo with a great deal of BACnet traffic (by Steve Karg)
Laura’s Lab Kit v.9 ISO image (old)
Sample capture files from: “Practical Packet Analysis – Using Wireshark to Solve Real-World Network Problems” by Chris Sanders
Megalodon Challenge by Jasper Bongertz – “a real world network analysis problem, with all its confusion, drawbacks and uncertainties” (3.8 GB sanitized PCAP-NG files)
Blog post: https://blog.packet-foo.com/2015/07/the-megalodon-challenge/
Direct link: http://www.packet-foo.com/megalodon2015/MegalodonChallenge.7z
Anonymous FTP connections to public FTP servers at the Lawrence Berkeley National Laboratory
Pcapr (Mu Dynamics) – A capture repository with pcap files of various traffic types
Understand project Downloads – Lots of different capture file formats (pcap, pcapng/ntar, pcangpklg and more…)
ISCX 2012 Dataset. Over 80 GB of pcap data available for researchers (created by Ali Shiravi, Hadi Shiravi, and Mahbod Tavallaee from University of New Brunswick)
Research PCAP datasets from FOI’s Information Warfare Lab (FOI is The Swedish Defence Research Agency)
ftp://download.iwlab.foi.se/dataset/smia2011/Network_traffic/ (SMIA 2011, FTP server)
https://download.netresec.com/pcap/smia-2011/ (SMIA 2011, web mirror)
ftp://download.iwlab.foi.se/dataset/smia2012/network_traffic/pcap/ (SMIA 2012, FTP server)
https://download.netresec.com/pcap/smia-2012/ (SMIA 2012, web mirror)
Internet Traffic Archive (Berkeley Lab) – mostly tcpdump ASCII output
WITS: Waikato Internet Traffic Storage (traces in ERF format with headers plus 4 bytes of application data)
The FTP site uses rate limiting for IPv4 connections, but no ratelimit for IPv6 connections.
Bro IDS trace files (no application layer data)
SimpleWeb captures (mainly packet headers)
Wireless LAN Traces from ACM SIGCOMM’01 (no application layer data)
Wireshark Fuzzed Protocol Captures (only fuzzed packets)
Single PCAP files
Honeynet.org’s Scan of the Month PCAPs
CrypMic ransomware infection (read the blog post)
MDSec, Packets from a GSM 2.5G environment showing uplink/downlink, two MS devices, SIM APDU information.
SDN OpenFlow pcap-ng file by SDN/IPv6 expert Jeff Carrell.
Demo of JexBoss (Jboss EXploitation Tool) “JBoss exploits – View from a Victim” by Andre M. DiMino
Raul Siles, “Pcap files containing a roaming VoIP session”
Russ McRee, W32/Sdbot infected machine
Joke Snelders, WiFi traffic encrypted with WPA pre-shared key (passphrase “subnet16121930”, SSID “dd-wrt2”).
Read Joke’s “Wireshark and TShark: Decrypt Sample Capture File” blog post for decryption instructions.
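What Wireshark and TShark do with a passphrase and SSID is derive the WPA pairwise master key (PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 256 bits) and then, from the 4-way handshake in the capture, the pairwise transient key that actually decrypts the data frames. The block below is an added example (not code from this page or from Joke Snelders’ post) that performs both derivations; the MAC addresses and nonces in it are constructed placeholders, since the real ones have to be read from the EAPOL frames of the capture.

```python
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (a.k.a. PSK) for WPA/WPA2-Personal: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, nbits: int = 384) -> bytes:
    """PTK from the 4-way handshake: PRF over the sorted MAC pair and the sorted nonce pair.
    384 bits (KCK | KEK | TK, 16 bytes each) for CCMP; 512 bits for TKIP (adds two 8-byte MIC keys)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def split_ptk(ptk: bytes) -> dict:
    """KCK authenticates the EAPOL MICs, KEK wraps the GTK, TK is the per-session data key."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed placeholders (NOT taken from the capture): AP address, station address and the two nonces.
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def demo() -> dict:
    """Derive the keys for the capture's passphrase/SSID with the placeholder handshake values."""
    pmk = wpa_pmk("subnet16121930", "dd-wrt2")
    ptk = wpa_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    return {"pmk": pmk.hex(), **{k: v.hex() for k, v in split_ptk(ptk).items()}}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical consequences follow from the derivation: the PMK is tied to the SSID, so the same passphrase on a different network name gives a different key, and without the 4-way handshake frames in the trace no tool can compute the PTK, which is why a capture must include the association if it is to be decrypted after the fact. In TShark the passphrase is supplied as the wpa-pwd key type of the 802.11 decryption key table, entered as passphrase:SSID.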
hack.lu 2009 Information Security Visualization Contest (honeypot traffic, mostly SSH and HTTP)
Barracuda Labs on the PHP.net Compromise [blog post]
Online PCAP Services
Convert PcapNG files to PCAP format
CloudShark – Wireshark-like analysis in your browser
NetworkTotal – Runs uploaded PCAP through Suricata IDS
PacketTotal – Runs uploaded PCAP through Bro and Suricata IDS and makes it publicly available
Pcap2Bubbles – online graphical visualisation of flows
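Several of the newer datasets on this page (the No cON Name “Vodka” file, the Megalodon Challenge, Jeff Carrell’s OpenFlow trace) are PCAP-NG, which older tools and the classic libpcap readers will not open; an online converter is listed above. The block below is an added example (not code from this page or from that service) that does the conversion offline: it walks the pcapng blocks, takes byte order from the Section Header Block, honours the per-interface if_tsresol option, and writes a classic microsecond pcap. The sample pcapng it converts is constructed inline; a file with several interfaces of different link types is rejected, because classic pcap cannot represent that.

```python
import struct

# pcapng block types
SHB, IDB, SPB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000003, 0x00000006
PCAP_MAGIC_USEC = 0xA1B2C3D4


def _blocks(data):
    """Yield (type, body, endian) for every pcapng block; byte order comes from the SHB."""
    endian, off = "<", 0
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":           # SHB: read its byte-order magic
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack(endian + "II", data[off:off + 8])
        if blen < 12 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        yield btype, data[off + 8:off + blen - 4], endian       # strip block header and trailer
        off += blen


def _tsresol(options, endian):
    """Scan IDB options for if_tsresol (code 9); the default is microseconds (10^-6)."""
    off = 0
    while off + 4 <= len(options):
        code, length = struct.unpack(endian + "HH", options[off:off + 4])
        if code == 0:                                           # opt_endofopt
            break
        if code == 9 and length == 1:
            v = options[off + 4]
            return 2 ** (v & 0x7F) if v & 0x80 else 10 ** v   # ticks per second
        off += 4 + (length + 3) // 4 * 4                        # option values are padded to 32 bits
    return 10 ** 6


def pcapng_to_pcap(data: bytes) -> bytes:
    """Convert a pcapng file (SHB/IDB/EPB/SPB) to a classic microsecond pcap with one link type."""
    ifaces, records, linktype, snaplen = [], [], None, 0
    for btype, body, endian in _blocks(data):
        if btype == IDB:
            lt, _, sl = struct.unpack(endian + "HHI", body[:8])
            ifaces.append((lt, sl, _tsresol(body[8:], endian)))
            if linktype is None:
                linktype, snaplen = lt, sl
            elif lt != linktype:
                raise ValueError("classic pcap cannot hold mixed link types")
        elif btype == EPB:
            ifid, hi, lo, caplen, origlen = struct.unpack(endian + "IIIII", body[:20])
            _, _, tps = ifaces[ifid]
            sec, frac = divmod((hi << 32) | lo, tps)
            records.append((sec, frac * 10 ** 6 // tps, caplen, origlen, body[20:20 + caplen]))
        elif btype == SPB:                                      # Simple Packet Block: no timestamp
            origlen = struct.unpack(endian + "I", body[:4])[0]
            caplen = min(origlen, ifaces[0][1] or origlen)
            records.append((0, 0, caplen, origlen, body[4:4 + caplen]))
    if linktype is None:
        raise ValueError("no Interface Description Block found")
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen or 262144, linktype)]
    for sec, usec, caplen, origlen, pkt in records:
        out.append(struct.pack("<IIII", sec, usec, caplen, origlen) + pkt)
    return b"".join(out)


def _block(btype, body):
    """Frame a body as a pcapng block (little-endian, padded to 32 bits, trailing length)."""
    body += b"\x00" * (-len(body) % 4)
    blen = len(body) + 12
    return struct.pack("<II", btype, blen) + body + struct.pack("<I", blen)


def build_sample_pcapng() -> bytes:
    """Constructed pcapng: one Ethernet interface with nanosecond timestamps and one ARP frame."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535)          # linktype 1, snaplen 65535
                 + struct.pack("<HHB3x", 9, 1, 9)               # if_tsresol = 9 (10^-9 s)
                 + struct.pack("<HH", 0, 0))                    # opt_endofopt
    frame = bytes.fromhex("ffffffffffff0011223344550806")      # 14-byte Ethernet header, EtherType ARP
    ts = 1_500_000_000 * 10 ** 9 + 250_000_000                   # 1500000000.25 s, in nanoseconds
    epb = _block(EPB, struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), 60) + frame)
    return shb + idb + epb


def parse_pcap_records(pcap: bytes):
    """Read a classic little-endian pcap back as (sec, usec, caplen, origlen) tuples."""
    recs, off = [], 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, origlen = struct.unpack("<IIII", pcap[off:off + 16])
        recs.append((sec, usec, caplen, origlen))
        off += 16 + caplen
    return recs


if __name__ == "__main__":
    print(parse_pcap_records(pcapng_to_pcap(build_sample_pcapng())))
```

Note what the conversion throws away: per-packet comments, name resolution blocks, interface statistics and any sub-microsecond timestamp precision. Keep the original PCAP-NG alongside the converted file if those matter for the analysis.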
Have We Missed Some PCAP Hive?
Please send an e-mail to < info [at] netresec.com > or tweet to @netresec if you know some additional PCAP resource available on the Internet.
Do you need help with web hosting of your PCAP files?
Feel free to e-mail < info [at] netresec.com > or tweet to @netresec if you have PCAP files that you would like to share with the rest of the world, but need help with web hosting. We can provide a home online for your datasets, no matter how large they are.
Why do we like PCAP files so much?
Because: PCAP or it didn’t happen!