Publicly available PCAP files

This is a list of public packet capture repositories, which are freely available on the Internet.
Most of the sites listed below share their PCAP files as full content, but some do unfortunately only have truncated frames.

Computer Defence Exercises (CDX)

This category includes network traffic from exercises and competitions, such as Cyber Defense Exercises (CDX) and red-team/blue-team competitions.

MACCDC - Pcaps from National CyberWatch Mid-Atlantic Collegiate Cyber Defense Competition
http://www.netresec.com/?page=MACCDC

Captures from the "2009 Inter-Service Academy Cyber Defense Competition" served by Information Technology Operations Center (ITOC), United States Military Academy
https://www.itoc.usma.edu/research/dataset/

Capture the Flag Competitions (CTF)

PCAP files from capture-the-flag (CTF) competitions and challenges.

DEFCON Capture the Flag Contest traces (from DEF CON 8, 10 and 11)
http://cctf.shmoo.com/

DEFCON 17 Capture the Flag Contest traces
http://ddtek.biz/dc17.html
https://media.defcon.org/torrent/DEF CON 17 CTF.torrent (torrent)
https://media.defcon.org/dc-17/DEFCON 17 Hacking Conference - Capture the Flag complete packet capture.rar (direct download)

DEFCON Capture the Flag pcaps (see collections of files related to the Capture the Flag contest from DEF CON 17 to 22)
https://www.defcon.org/html/links/dc-torrent.html
https://www.defcon.org/html/torrent/DEF%20CON%2018%20CTF.torrent (DEF CON 18 torrent)
https://www.defcon.org/html/torrent/DEF%20CON%2019%20CTF.torrent (DEF CON 19 torrent)
https://www.defcon.org/html/torrent/DEF%20CON%2020%20ctf.torrent (DEF CON 20 torrent)
https://www.defcon.org/html/torrent/DEF%20CON%2021%20ctf%20friday.torrent (DEF CON 21 torrent, Friday) http://www.defcon.org/html/torrent/DEF%20CON%2021%20ctf%20saturday.torrent (DEF CON 21 torrent, Saturday) http://www.defcon.org/html/torrent/DEF%20CON%2021%20ctf%20sunday.torrent (DEF CON 21 torrent, Sunday) http://www.defcon.org/html/torrent/DEF%20CON%2022%20ctf%20teams.torrent (DEF CON 22 torrent)

CSAW CTF 2011 pcap files
http://captf.com/2011/CSAW-quals/networking/
http://repo.shell-storm.org/CTF/CSAW-2011/Networking/

Pcap files from UCSB International Capture The Flag, also known as the iCTF (by Giovanni Vigna)
https://ictf.cs.ucsb.edu/data.php

HackEire CTF Challenge pcaps from IRISSCON (by HackEire)
https://github.com/markofu/hackeire/

Malware Traffic

Captured malware traffic from honeypots, sandboxes or real world intrusions

Capture the hacker 2013 competition (by Dr. David Day of Sheffield Hallam University)
http://www.snaketrap.co.uk/ contains honeypot PCAP files from three different setups:

Contagio Malware Dump: Collection of PCAP files categorized as APT, Crime or Metasplot
http://www.mediafire.com/?a49l965nlayad (see blog post)
WARNING: The password protected zip files contain real malware
Also see Contagio's PCAP files per case:

Malware analysis blog that shares malware as well as PCAP files
http://malware-traffic-analysis.net/

Ponmocup malware/trojan (a.k.a. Milicenso) PCAP by Tom Ueltschi a.k.a. @c_APT_ure
http://download.netresec.com/pcap/ponmocup/vm-2.pcap
Also see original source (password protected zip) and analysis writeup (text)

Online client honeypot for sharing, browsing and analyzing web-based malware. PCAP download available for analyzed sites.
http://threatglass.com/

Forensic Challenges

Network forensics challenges and contests

Network Foreniscs Puzzle Contest (by Lake Missoula Group, LLC)
http://forensicscontest.com/puzzles

DFRWS 2008 Challenge
http://www.dfrws.org/2008/challenge/submission.shtml

DFRWS 2009 Challenge
http://www.dfrws.org/2009/challenge/submission.shtml

SCADA/ICS Network Captures

PCAP files from the DEF CON 22 Industrial Control System Village
http://media.defcon.org/DEF CON 22/DEF CON 22 ics village/ (requires RAR v5)

Note from Netresec:
Although the DEFCON 22 ICS Village PCAP is recorded in an ICS setup we've noticed that the 90MB capture file does not contain any SCADA/ICS traffic. The PCAP file only contains broadcast packets, which is why we suspect that they forgot to configure a monitor (SPAN) port on the switch.

Pcap files with attacks against Industrial Control Systems (created by US Cyber Challenge) - See Cyber Quest February 2012
http://uscc.cyberquests.org/

Uncategorized PCAP Repositories

Wireshark Sample Capures
http://wiki.wireshark.org/SampleCaptures
http://wiki.wireshark.org/Development/PcapNg#Example_pcapng_Capture_File

DARPA Intrusion Detection Data Sets from 1998 and 1999
http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/data/

OpenPacket.org Capture Repository (maintained by JJ Cummings created by Richard Bejtlich)
https://www.openpacket.org/capture/list

Over 4 GB of network forensic training data from DEEP (Digital Evaluation and Exploitation Department of Computer Science, Naval Postgraduate School). Case details can be found at Jesse Kornblum's blog.
http://digitalcorpora.org/corpora/network-packet-dumps (HTTP)
http://terasaur.org/item/downloads/computer-forensics-2009-m57-scenario/187 (Torrent)

PacketLife.net Packet Captures (Jeremy Stretch)
http://packetlife.net/captures/
http://packetlife.net/captures/leech/

MOME database
http://www.ist-mome.org/database/MeasurementData/?cmd=databrowse

EvilFingers PCAPs
https://www.evilfingers.com/repository/pcaps.php

Wireshark Network Analysis Study Guide (Laura Chappell)
http://wiresharkbook.com/studyguide.html (see "Book Supplements" or use this direct link to the 1.5 TB pcap file set)

Wireshark 101 Essential Skills for Network Analysis (Laura Chappell)
http://wiresharkbook.com/wireshark101.html (see "Book Supplements" or use this direct linkt to the 330 MB zip file)

Laura's Lab Kit v.9 ISO image (old)
http://cdn.novell.com/cached/video/bs_08/LLK9.iso

Sample capture files from: "Practical Packet Analysis - Using Wireshark to Solve Real-World Network Problems" by Chris Sanders
http://www.nostarch.com/download/ppa-capture-files.zip

Anonymous FTP connections to public FTP servers at the Lawrence Berkeley National Laboratory
http://www-nrg.ee.lbl.gov/anonymized-traces.html

Pcapr (Mu Dynamics) - A capture repository with pcap files of various traffic types
http://www.pcapr.net/

Understand project Downloads - Lots of different capture file formats (pcap, pcapng/ntar, pcangpklg and more...)
http://code.google.com/p/understand/downloads/list

I Smell Packets (website)
https://docs.google.com/leaf?id=0Bw6BFSu9NExVMjBjZDRkMTgtMmMyZi00M2ZlLWI2NzgtODM5NTZkM2U4OWQ1

ISCX 2012 Dataset. Over 80 GB of pcap data available for researchers (created by Ali Shiravi, Hadi Shiravi, and Mahbod Tavallaee from University of New Brunswick)
http://iscx.ca/dataset-request-form

Research PCAP datasets from FOI's Information Warfare Lab (FOI is The Swedish Defence Research Agency)
ftp://download.iwlab.foi.se/dataset/smia2011/Network_traffic/ (SMIA 2011)
ftp://download.iwlab.foi.se/dataset/smia2012/network_traffic/pcap/ (SMIA 2012)

Packet collections in PCAP-NG format by Teguh P. Alko
http://stuff.rop.io/packets/

Internet Traffic Archive (Berkeley Lab) - mostly tcpdump ASCII output
http://ita.ee.lbl.gov/html/traces.html

WITS: Waikato Internet Traffic Storage (traces in ERF format with headers plus 4 bytes of application data)
http://wand.net.nz/wits/
The FTP site uses rate limiting for IPv4 connections, but no ratelimit for IPv6 connections.

Bro IDS trace files (no application layer data)
ftp://ftp.bro-ids.org/enterprise-traces/hdr-traces05/

SimpleWeb captures (mainly packet headers)
http://www.simpleweb.org/wiki/Traces

Wireless LAN Traces from ACM SIGCOMM'01 (no application layer data)
http://sysnet.ucsd.edu/pawn/sigcomm-trace/

Wireshark Fuzzed Protocol Capures (only fuzzed packets)
ftp://wireshark.org/automated/captures/

Single PCAP files

Honeynet.org's Scan of the Month PCAPs
http://www.honeynet.org/scans/scan27/
http://www.honeynet.org/scans/scan28/

MDSec, Packets from a GSM 2.5G environment showing uplink/downlink, two MS devices, SIM APDU information.
https://github.com/HackerFantastic/Public/blob/master/misc/44CON-gsm-uplink-downlink-sim-example.pcap?raw=true

Raul Siles, “Pcap files containing a roaming VoIP session”
http://www.raulsiles.com/downloads/VoIP_roaming_session.zip

Russ McRee, W32/Sdbot infected machine
http://holisticinfosec.org/toolsmith/files/nov2k6/toolsmith.pcap

hack.lu 2009 Information Security Visualization Contest (honeypot traffic, mostly SSH and HTTP)
http://2009.hack.lu/index.php/InfoVisContest

Barracuda Labs on the PHP.net Compromise [blog post]
PCAP: http://barracudalabs.com/downloads/5f810408ddbbd6d349b4be4766f41a37.pcap

Barracuda Labs on the Cracked.com Malware [blog post]
PCAP: https://copy.com/UoJTysFFh6ef

Online PCAP Services

Convert PcapNG files to PCAP format
http://pcapng.com/

CloudShark - Wireshark-like analysis in your browser
http://www.cloudshark.org/

NetworkTotal - Runs uploaded PCAP through Suricata IDS
https://www.networktotal.com/

Pcap2Bubbles - online graphical vizualisation of flows
http://demo.pcap2bubbles.com/malcom/sniffer/

 

Have We Missed Some PCAP Hive?

Please send an e-mail to < info [at] netresec.com > or tweet to @netresec if you know some additional PCAP resource available on the Internet.

Do you need help with web hosting of your PCAP files?

Feel free to e-mail < info [at] netresec.com > or tweet to @netresec if you have PCAP files that you would like to share with the rest of the world, but need help with web hosting. We can provide a home online for your datasets, no matter how large they are.