This is a list of public packet capture (PCAP) repositories, which are freely available on the Internet.
This category includes network traffic from exercises and competitions, such as Cyber Defense Exercises (CDX) and red-team/blue-team competitions.
MACCDC - Pcaps from National CyberWatch Mid-Atlantic Collegiate Cyber Defense Competition
https://www.netresec.com/?page=MACCDC
ISTS - Pcaps from the Information Security Talent Search
https://www.netresec.com/?page=ISTS
WRCCDC - Pcaps from the Western Regional Collegiate Cyber Defense Competition (over 1TB of PCAPs)
https://archive.wrccdc.org/pcaps/
Captures from the "2009 Inter-Service Academy Cyber Defense Competition" served by Information Technology Operations Center (ITOC), United States Military Academy
https://www.westpoint.edu/centers-and-research/cyber-research-center/data-sets
Captured malware traffic from honeypots, sandboxes or real world intrusions.
Contagio Malware Dump: Collection of PCAP files categorized as APT, Crime or Metasplot (archived web page). The PCAP files are hosted on DropBox and MediaFire
WARNING: The password protected zip files contain real malware. The password is infected666 followed by the last character before the zip extension, for example "infected666p" for *.pcap.zip files.
Also see Contagio's PCAP files per case:
Malware analysis blog that shares malware as well as PCAP files
https://www.malware-traffic-analysis.net/
Attacks against high-interaction honeypots running on Docker and Kubernetes. Created by Noah Spahn, Nils Hanke, Thorsten Holz, Christopher Kruegel and Giovanni Vigna from University of California, Ruhr-Universität Bochum and CISPA Helmholtz Center for Information Security.
https://share.netresec.com/s/S5ZG2cDKB9AbqwS
GTISK PANDA Malrec - PCAP files from malware samples run in PANDA, created by @moyix and GTISK
https://giantpanda.gtisc.gatech.edu/malrec/dataset/
Stratosphere IPS - PCAP and Argus datasets with malware traffic, created by Sebastian Garcia (@eldraco@infosec.exchange) at the ATG group of the Czech Technical University
https://www.stratosphereips.org/datasets-overview/
VM execution of info-stealer malware. Created by the Services, Cybersecurity and Safety research group at University of Twente.
https://www.utwente.nl/en/eemcs/scs/output/downloads/20171127_DEM/
Ponmocup malware/trojan (a.k.a. Milicenso) PCAP by Tom Ueltschi a.k.a. @c_APT_ure
(download temporarily unavailable)
Also see original source (password protected zip) and analysis writeup (text)
DGA-based Malware Communications from DoH Traffic by R. Mitsuhashi et al., Hokkaido University.
https://eprints.lib.hokudai.ac.jp/dspace/handle/2115/86574
PCAP file with PowerShell Empire (TCP 8081) and SSL wrapped C2 (TCP 445) traffic from CERT.SE's technical writeup of the major fraud and hacking criminal case "B 8322-16".
https://drive.google.com/open?id=0B7pTM0QU5apSdnF0Znp1Tko0ams
Shadowbrokers PCAPs by Eric Conrad, including ETERNALBLUE and ETERNALROMANCE.
https://www.dropbox.com/sh/kk24ewnqi9qjdvt/AACj7AHJrDHQeyJTuo1oBqeQa
Network forensics training, challenges and contests.
Hands-on Network Forensics - Training PCAP dataset from FIRST 2015
https://www.first.org/conference/2015/program#phands-on-network-forensics
Files mirrored by Netresec:
ENISA's Network Forensics training
https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/technical-operational#network_forensics
Digital corpora for use in computer forensics education research from DEEP (Digital Evaluation and Exploitation Department of Computer Science, Naval Postgraduate School).
https://digitalcorpora.org/corpora/network-packet-dumps
PCAP files and logs covered in Nipun Jaswal's book Hands-On Network Forensics
https://github.com/nipunjaswal/networkforensics
Forensic Challenge 14 – "Weird Python" (The Honeynet ProjectThe Honeynet Project)
https://www.honeynet.org/challenges/forensics-challenge-14-weird-python/
Packet capture analysis labs "Packet Sleuth" by Ming Chow of Tufts University
https://github.com/tuftsdev/DefenseAgainstTheDarkArts/blob/gh-pages/labs/lab02-pcaps.md
DFRWS 2008 Challenge
https://old.dfrws.org/2008/challenge/submission.shtml
DFRWS 2009 Challenge
https://old.dfrws.org/2009/challenge/submission.shtml
DFIR Madness, Case 001 PCAP Analysis
https://dfirmadness.com/case-001-pcap-analysis/
DFIR MONTEREY 2015 Network Forensics Challenge (by Phil Hagen of SANS)
https://for572.com/2014-11nfchallengeevidence
(answers)
4SICS ICS Lab PCAP files - 360 MB of PCAP files from the ICS village at 4SICS
https://www.netresec.com/?page=PCAP4SICS
Repo with ICS PCAP files developed as a community asset by Tim Yardley, Anton Shipulin and many more.
https://github.com/ITI/ICS-Security-Tools/tree/master/pcaps
DigitalBond S4x15 ICS Village CTF PCAPs
https://www.netresec.com/?page=DigitalBond_S4
Compilation of ICS PCAP files indexed by protocol (by Jason Smith)
https://github.com/automayt/ICS-pcap
PCAP files with OT and IT protocols used in Industrial Control Systems (by ICS Defense / ICS Savunma).
https://github.com/EmreEkin/ICS-Pcaps/
DEF CON 23 ICS Village
https://media.defcon.org/DEF CON 23/DEF CON 23 villages/DEF CON 23 ics village/DEF CON 23 ICS Village packet captures.rar (requires RAR v5)
TRITON execition of the TriStation protocol by Nozomi Networks
https://github.com/NozomiNetworks/tricotools/blob/master/malware_exec.pcap
TriStation traffic
https://packettotal.com/app/analysis?id=0e55d9467f138d148c9635617bc8fd83
Chinese ICS CTF with Modbus/TCP and Siemens S7comm traffic (CTF WP – 工控业务流量分析)
https://github.com/NewBee119/ctf_ics_traffic
ICS Cybersecurity PCAP repository by Univ. of Coimbra CyberSec team
https://github.com/tjcruz-dei/ICS_PCAPS
PCAP files from capture-the-flag (CTF) competitions and challenges.
Note: Sniffing CTF's is known as "capture-the-capture-the-flag" or CCTF.
DEFCON CTF PCAPs from DEF CON 17 to 24 (look for the big RAR files inside the ctf directories)
https://media.defcon.org/
DEFCON CTF 2018 PCAP files
https://www.oooverflow.io/dc-ctf-2018-finals/
CSAW CTF 2011 pcap files
https://shell-storm.org/repo/CTF/CSAW-2011/Networking/
Pcap files from UCSB International Capture The Flag, also known as the iCTF
(by Giovanni Vigna)
https://ictf.cs.ucsb.edu/pages/archive.html
HackEire CTF Challenge pcaps from IRISSCON
https://github.com/markofu/hackeire/
https://github.com/MarioVilas/write-ups/raw/master/ncn-ctf-2014/Vodka/vodka (bzip2 compressed PCAP-NG file)
PhreakNIC CTF from 2016 (by _NSAKEY). Contains traffic to/from the target, the NetKoTH scoring server and the IRC server.
https://drive.google.com/drive/folders/0B9TXiR9NkjmpOHNMRTl6VVA2RnM
PCAP files from research by Gabi Nakibly et al. in Website-Targeted False Content Injection by Network Operators
https://www.cs.technion.ac.il/~gnakibly/TCPInjections/samples.zip
Packet injection against id1.cn, released by Fox-IT at BroCon 2015
https://github.com/fox-it/quantuminsert/blob/master/presentations/brocon2015/pcaps/id1.cn-inject.pcap
Packet injection against www.02995.com, doing a redirect to www.hao123.com (read more)
https://media.netresec.com/pcap/hao123-com_packet-injection.pcap
Packet injection against id1.cn, doing a redirect to batit.aliyun.com (read more)
https://media.netresec.com/pcap/id1-cn_packet-injection.pcap
Pcap files for testing Honeybadger TCP injection attack detection
https://github.com/david415/honeybadger-pcap-files
Man-in-the-Middle (MitM) attacks (a.k.a. "in-path attacks") in Turkey and Egypt discovered by Bill Marczak (read more).
https://github.com/citizenlab/badtraffic/tree/master/pcaps
"The Ultimate PCAP" by Johannes Weber (contains 80+ different protocols)
https://weberblog.net/the-ultimate-pcap/
Wireshark Sample Capures
https://wiki.wireshark.org/SampleCaptures
https://wiki.wireshark.org/Development/PcapNg#Example_pcapng_Capture_File
Chappell University Trace Files
https://www.chappell-university.com/traces
Nicholas Russo's "Job Aid" packet capture list
http://njrusmc.net/jobaid/jobaid.html
TcpReplay Sample Captures
https://tcpreplay.appneta.com/wiki/captures.html
Applied Communication Sciences' MILCOM 2016 datasets
https://www.netresec.com/?page=ACS_MILCOM_2016
Australian Defence Force Academy (ADFA) UNSW-NB15 data set (100 GB)
https://cloudstor.aarnet.edu.au/plus/index.php/s/2DhnLGDdEECo4ys?path=%2FUNSW-NB15%20-%20pcap%20files
DARPA Intrusion Detection Data Sets from 1998 and 1999
https://archive.ll.mit.edu/ideval/data/
PacketLife.net Packet Captures (Jeremy Stretch)
https://packetlife.net/captures/
Mixed PCAP file repo with a great deal of BACnet traffic (by Steve Karg)
https://kargs.net/captures/
Wireshark Network Analysis Study Guide (Laura Chappell)
https://www.chappell-university.com/studyguide (see "Book Supplements" or use this
direct link to the 1.5 GB pcap file set)
Wireshark 101 Essential Skills for Network Analysis (Laura Chappell)
https://www.chappell-university.com/wireshark101-2ndedition (see "Book Supplements" or use this
direct linkt to the 400 MB zip file)
Laura's Lab Kit v.9 ISO image (old)
http://cdn.novell.com/cached/video/bs_08/LLK9.iso
Freely available packet captures collected by Chris Sanders
https://github.com/chrissanders/packets
Sample capture files from: "Practical Packet Analysis - Using Wireshark to Solve Real-World Network Problems" by Chris Sanders
https://nostarch.com/download/ppa-capture-files.zip
Megalodon Challenge by Jasper Bongertz - "a real world network analysis problem, with all its confusion, drawbacks and uncertainties" (3.8 GB sanitized PCAP-NG files)
Blog post: https://blog.packet-foo.com/2015/07/the-megalodon-challenge/
Direct link: http://www.packet-foo.com/megalodon2015/MegalodonChallenge.7z
Pcaps and logs generated in @elcabezzonn's lab environment. Spans from malware, to normal traffic, to pentester tools
https://github.com/elcabezzonn/Pcaps
Anonymous FTP connections to public FTP servers at the Lawrence Berkeley National Laboratory from 2003
https://ee.lbl.gov/anonymized-traces.html
Understand project Downloads - Lots of different capture file formats (pcap, pcapng/ntar, pcangpklg and more...)
https://code.google.com/archive/p/understand/downloads
I Smell Packets (website)
https://docs.google.com/leaf?id=0Bw6BFSu9NExVMjBjZDRkMTgtMmMyZi00M2ZlLWI2NzgtODM5NTZkM2U4OWQ1
Canadian Institute for Cybersecurity (CIC) datasets
https://www.unb.ca/cic/datasets/index.html
Research PCAP datasets from FOI's Information Warfare Lab (FOI is The Swedish Defence Research Agency)
(download temporarily unavailable)
Technical challenges used by Sweden's National Defence Radio Establishment (FRA) for recruitment. Includes several PCAP challenges.
https://challenge.fra.se/
WITS: Waikato Internet Traffic Storage (traces in ERF format with headers plus 4 bytes of application data)
https://wand.net.nz/wits/
The FTP site uses rate limiting for IPv4 connections, but no ratelimit for IPv6 connections.
SimpleWeb captures (mainly packet headers)
https://www.simpleweb.org/wiki/index.php/Traces
Wireless LAN Traces from ACM SIGCOMM'01 (no application layer data)
https://www.sysnet.ucsd.edu/pawn/sigcomm-trace/
500 MB capture file from an F5 BIG-IP device vilnerable to CVE-2020–5902 (by the NCC Group)
https://github.com/nccgroup/Cyber-Defence/blob/master/Intelligence/Honeypot-Data/2020-F5-and-Citrix/f5-honeypot-release.tar.gz
MDSec, Packets from a GSM 2.5G environment showing uplink/downlink, two MS devices, SIM APDU information.
https://github.com/HackerFantastic/Public/blob/master/misc/44CON-gsm-uplink-downlink-sim-example.pcap?raw=true
SDN OpenFlow pcap-ng file by SDN/IPv6 expert Jeff Carrell.
(download temporarily unavailable)
Demo of JexBoss (Jboss EXploitation Tool) "JBoss exploits - View from a Victim" by Andre M. DiMino
http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html
Raul Siles, “Pcap files containing a roaming VoIP session”
http://www.raulsiles.com/old/downloads/VoIP_roaming_session.zip
Russ McRee, W32/Sdbot infected machine
https://holisticinfosec.io/toolsmith/files/nov2k6/toolsmith.pcap
Triage Sandbox
https://tria.ge/
Hybrid Analysis Sandbox
https://www.hybrid-analysis.com/
ANY.RUN Interactive Sandbox
https://any.run/
Joe Sandbox Cloud
https://www.joesandbox.com/
Cuckoo Sandbox
https://cuckoo.cert.ee/
CAPE Sandbox
https://capesandbox.com/
Have We Missed Some PCAP Hive?
Please send an e-mail to info@netresec.com or tweet to @netresec if you know some additional PCAP resource available on the Internet.
Do you need help with web hosting of your PCAP files?
Feel free to e-mail info@netresec.com or tweet to @netresec if you have PCAP files that you would like to share with the rest of the world, but need help with web hosting. We can provide a home online for your datasets, no matter how large they are.
Why do we like PCAP files so much?
Because: PCAP or it didn't happen!