Publicly available PCAP files

This is a list of public packet capture (PCAP) repositories, which are freely available on the Internet.

Network Forensics

Network forensics training, challenges and contests.

Hands-on Network Forensics - Training PCAP dataset from FIRST 2015
https://www.first.org/conference/2015/program#phands-on-network-forensics
Files mirrored by Netresec:

Digital corpora for use in computer forensics education research from DEEP (Digital Evaluation and Exploitation Department of Computer Science, Naval Postgraduate School).
https://digitalcorpora.org/corpora/network-packet-dumps

PCAP files and logs covered in Nipun Jaswal's book Hands-On Network Forensics
https://github.com/nipunjaswal/networkforensics

Packet capture analysis labs "Packet Sleuth" by Ming Chow of Tufts University
https://github.com/tuftsdev/DefenseAgainstTheDarkArts/blob/gh-pages/labs/lab02-pcaps.md

DFIR Madness, Case 001 PCAP Analysis
https://dfirmadness.com/case-001-pcap-analysis/

DFIR MONTEREY 2015 Network Forensics Challenge (by Phil Hagen of SANS)
https://for572.com/2014-11nfchallengeevidence (answers)

SCADA/ICS Network Captures

4SICS ICS Lab PCAP files - 360 MB of PCAP files from the ICS village at 4SICS
https://www.netresec.com/?page=PCAP4SICS

Repo with ICS PCAP files developed as a community asset by Tim Yardley, Anton Shipulin and many more.
https://github.com/ITI/ICS-Security-Tools/tree/master/pcaps

DigitalBond S4x15 ICS Village CTF PCAPs
https://www.netresec.com/?page=DigitalBond_S4

Compilation of ICS PCAP files indexed by protocol (by Jason Smith)
https://github.com/automayt/ICS-pcap

PCAP files with OT and IT protocols used in Industrial Control Systems (by ICS Defense / ICS Savunma).
https://github.com/EmreEkin/ICS-Pcaps/

TRITON execution of the TriStation protocol by Nozomi Networks
https://github.com/NozomiNetworks/tricotools/blob/master/malware_exec.pcap

TriStation traffic
https://packettotal.com/app/analysis?id=0e55d9467f138d148c9635617bc8fd83

Chinese ICS CTF with Modbus/TCP and Siemens S7comm traffic (CTF WP – 工控业务流量分析)
https://github.com/NewBee119/ctf_ics_traffic

ICS Cybersecurity PCAP repository by Univ. of Coimbra CyberSec team
https://github.com/tjcruz-dei/ICS_PCAPS

Protocol Reference Captures

"The Ultimate PCAP" by Johannes Weber (contains 80+ different protocols)
https://weberblog.net/the-ultimate-pcap/

Wireshark Sample Captures
https://wiki.wireshark.org/SampleCaptures
https://wiki.wireshark.org/Development/PcapNg#Example_pcapng_Capture_File

Chappell University Trace Files
https://www.chappell-university.com/traces

Wireshark Network Analysis Study Guide (Laura Chappell)
https://www.chappell-university.com/studyguide (see "Book Supplements" or use this direct link to the 1.5 GB pcap file set)

Wireshark 101 Essential Skills for Network Analysis (Laura Chappell)
https://www.chappell-university.com/wireshark101-2ndedition (see "Book Supplements" or use this direct link to the 400 MB zip file)

Laura's Lab Kit v.9 ISO image (old)
http://cdn.novell.com/cached/video/bs_08/LLK9.iso

Freely available packet captures collected by Chris Sanders
https://github.com/chrissanders/packets

Sample capture files from: "Practical Packet Analysis - Using Wireshark to Solve Real-World Network Problems" by Chris Sanders
https://nostarch.com/download/ppa-capture-files.zip

PacketLife.net Packet Captures (Jeremy Stretch)
https://web.archive.org (archived site)

Nicholas Russo's "Job Aid" packet capture list
https://web.archive.org (archived site)

Cyber Defence Exercises (CDX)

This category includes network traffic from exercises and competitions, such as Cyber Defense Exercises (CDX) and red-team/blue-team competitions.

MACCDC - Pcaps from National CyberWatch Mid-Atlantic Collegiate Cyber Defense Competition
https://www.netresec.com/?page=MACCDC

ISTS - Pcaps from the Information Security Talent Search
https://www.netresec.com/?page=ISTS

WRCCDC - Pcaps from the Western Regional Collegiate Cyber Defense Competition (over 1TB of PCAPs)
https://archive.wrccdc.org/pcaps/

Malware Traffic

Captured malware traffic from honeypots, sandboxes or real world intrusions.

Contagio Malware Dump: Collection of PCAP files categorized as APT, Crime or Metasploit (archived web page). The PCAP files are hosted on DropBox and MediaFire.

WARNING: The password protected zip files contain real malware. The password is infected666 followed by the last character before the zip extension, for example "infected666p" for *.pcap.zip files.

Also see Contagio's PCAP files per case:

Malware analysis blog that shares malware as well as PCAP files
https://www.malware-traffic-analysis.net/

Attacks against high-interaction honeypots running on Docker and Kubernetes. Created by Noah Spahn, Nils Hanke, Thorsten Holz, Christopher Kruegel and Giovanni Vigna from University of California, Ruhr-Universität Bochum and CISPA Helmholtz Center for Information Security.
https://share.netresec.com/s/S5ZG2cDKB9AbqwS

GTISC PANDA Malrec - PCAP files from malware samples run in PANDA, created by @moyix and GTISC
https://giantpanda.gtisc.gatech.edu/malrec/dataset/

Stratosphere IPS - PCAP and Argus datasets with malware traffic, created by Sebastian Garcia (@eldraco@infosec.exchange) at the ATG group of the Czech Technical University
https://www.stratosphereips.org/datasets-overview/

VM execution of info-stealer malware. Created by the Services, Cybersecurity and Safety research group at University of Twente.
https://www.utwente.nl/en/eemcs/scs/output/downloads/20171127_DEM/

DGA-based Malware Communications from DoH Traffic by R. Mitsuhashi et al., Hokkaido University.
https://eprints.lib.hokudai.ac.jp/dspace/handle/2115/86574

Shadowbrokers PCAPs by Eric Conrad, including ETERNALBLUE and ETERNALROMANCE.
https://www.dropbox.com/sh/kk24ewnqi9qjdvt/AACj7AHJrDHQeyJTuo1oBqeQa

Capture the Flag Competitions (CTF)

PCAP files from capture-the-flag (CTF) competitions and challenges.

Note: Sniffing CTFs is known as "capture-the-capture-the-flag" or CCTF.

DEFCON CTF PCAPs from DEF CON 17 to 24 (look for the big RAR files inside the ctf directories)
https://media.defcon.org/

DEFCON CTF 2018 PCAP files
https://www.oooverflow.io/dc-ctf-2018-finals/

CSAW CTF 2011 pcap files
https://shell-storm.org/repo/CTF/CSAW-2011/Networking/

HackEire CTF Challenge pcaps from IRISSCON
https://github.com/markofu/hackeire/

https://github.com/MarioVilas/write-ups/raw/master/ncn-ctf-2014/Vodka/vodka (bzip2 compressed PCAP-NG file)

Packet Injection Attacks / Man-on-the-Side Attacks

PCAP files from research by Gabi Nakibly et al. in Website-Targeted False Content Injection by Network Operators
https://www.cs.technion.ac.il/~gnakibly/TCPInjections/samples.zip

Packet injection against id1.cn, released by Fox-IT at BroCon 2015
https://github.com/fox-it/quantuminsert/blob/master/presentations/brocon2015/pcaps/id1.cn-inject.pcap

Packet injection against www.02995.com, doing a redirect to www.hao123.com (read more)
https://media.netresec.com/pcap/hao123-com_packet-injection.pcap

Packet injection against id1.cn, doing a redirect to batit.aliyun.com (read more)
https://media.netresec.com/pcap/id1-cn_packet-injection.pcap

Pcap files for testing Honeybadger TCP injection attack detection
https://github.com/david415/honeybadger-pcap-files

Man-in-the-Middle (MitM) attacks (a.k.a. "in-path attacks") in Turkey and Egypt discovered by Bill Marczak (read more).
https://github.com/citizenlab/badtraffic/tree/master/pcaps

Uncategorized PCAP Repositories

TcpReplay Sample Captures
https://tcpreplay.appneta.com/wiki/captures.html

Applied Communication Sciences' MILCOM 2016 datasets
https://www.netresec.com/?page=ACS_MILCOM_2016

Australian Defence Force Academy (ADFA) UNSW-NB15 data set (100 GB)
https://cloudstor.aarnet.edu.au/plus/index.php/s/2DhnLGDdEECo4ys?path=%2FUNSW-NB15%20-%20pcap%20files

DARPA Intrusion Detection Data Sets from 1998 and 1999
https://archive.ll.mit.edu/ideval/data/

Mixed PCAP file repo with a great deal of BACnet traffic (by Steve Karg)
https://kargs.net/captures/

Megalodon Challenge by Jasper Bongertz - "a real world network analysis problem, with all its confusion, drawbacks and uncertainties" (3.8 GB sanitized PCAP-NG files)
Blog post: https://blog.packet-foo.com/2015/07/the-megalodon-challenge/
Direct link: http://www.packet-foo.com/megalodon2015/MegalodonChallenge.7z

Pcaps and logs generated in @elcabezzonn's lab environment. Spans from malware, to normal traffic, to pentester tools
https://github.com/elcabezzonn/Pcaps

Anonymous FTP connections to public FTP servers at the Lawrence Berkeley National Laboratory from 2003
https://ee.lbl.gov/anonymized-traces.html

Understand project Downloads - Lots of different capture file formats (pcap, pcapng/ntar, pcangpklg and more...)
https://code.google.com/archive/p/understand/downloads

I Smell Packets (website)
https://docs.google.com/leaf?id=0Bw6BFSu9NExVMjBjZDRkMTgtMmMyZi00M2ZlLWI2NzgtODM5NTZkM2U4OWQ1

Canadian Institute for Cybersecurity (CIC) datasets
https://www.unb.ca/cic/datasets/index.html

Technical challenges used by Sweden's National Defence Radio Establishment (FRA) for recruitment. Includes several PCAP challenges.
https://challenge.fra.se/

WITS: Waikato Internet Traffic Storage (traces in ERF format with headers plus 4 bytes of application data)
https://wand.net.nz/wits/
The FTP site uses rate limiting for IPv4 connections, but no rate limiting for IPv6 connections.

SimpleWeb captures (mainly packet headers)
https://www.simpleweb.org/wiki/index.php/Traces

Wireless LAN Traces from ACM SIGCOMM'01 (no application layer data)
https://www.sysnet.ucsd.edu/pawn/sigcomm-trace/

Single PCAP files

500 MB capture file from an F5 BIG-IP device vulnerable to CVE-2020-5902 (by the NCC Group)
https://github.com/nccgroup/Cyber-Defence/blob/master/Intelligence/Honeypot-Data/2020-F5-and-Citrix/f5-honeypot-release.tar.gz

MDSec, Packets from a GSM 2.5G environment showing uplink/downlink, two MS devices, SIM APDU information.
https://github.com/HackerFantastic/Public/blob/master/misc/44CON-gsm-uplink-downlink-sim-example.pcap?raw=true

SDN OpenFlow pcap-ng file by SDN/IPv6 expert Jeff Carrell.
(download temporarily unavailable)

Demo of JexBoss (Jboss EXploitation Tool) "JBoss exploits - View from a Victim" by Andre M. DiMino
http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html

Raul Siles, “Pcap files containing a roaming VoIP session”
http://www.raulsiles.com/old/downloads/VoIP_roaming_session.zip

Russ McRee, W32/Sdbot infected machine
https://holisticinfosec.io/toolsmith/files/nov2k6/toolsmith.pcap

Sandboxes that Generate PCAP Files

Triage Sandbox
https://tria.ge/

Hybrid Analysis Sandbox
https://www.hybrid-analysis.com/

ANY.RUN Interactive Sandbox
https://any.run/

Joe Sandbox Cloud
https://www.joesandbox.com/

Cuckoo Sandbox
https://cuckoo.cert.ee/

CAPE Sandbox
https://capesandbox.com/

 

Have We Missed Some PCAP Hive?

Please send an e-mail to info@netresec.com or tweet to @netresec if you know some additional PCAP resource available on the Internet.

Do you need help with web hosting of your PCAP files?

Feel free to e-mail info@netresec.com or tweet to @netresec if you have PCAP files that you would like to share with the rest of the world, but need help with web hosting. We can provide a home online for your datasets, no matter how large they are.

Why do we like PCAP files so much?

Because: PCAP or it didn't happen!
