We at Netresec maintain a list showing where pcap files can be found on the Internet. Some pcap repositories in this list, like Pcapr and OpenPacket.org have quite extensive lists of pcap files with indexed meta data about what protocols each pcap file contains.
However, sometimes I find my self in need of traffic from some particular application or protocol, which I'm not able to generate myself. These are situations when I turn to Google for answers. In the spirit of “Google hacking” you can use keywords like “filetype:pcap” or “ext:pcap” to find pcap files. You can also add the letter í (notice the acute accent) to the search query in order to remove some non-pcap files from the search results. The reason why this works is because Google interpret a part of the PCAP file header fields as the letter í. It is also usually a good idea to further limit your search by adding some data specific for the traffic you're looking for into the search query.
You can, for example, use this query to find SMTP traffic (VXNlcm5hbWU6 is 'Username:' Base64 encoded):
You can find Gmail traffic with (notice the use of the gmailchat cookie):
SMB / CIFS traffic can be found with:
I think you get the hang of this now...
Posted by Erik Hjelmvik on Sunday, 17 July 2011 09:31:00 (UTC/GMT)