An alchemists view from the bar

Network Security Alchemy – PCAP files


I am in the process of uploading a load of pcap files to from my “” collection. Because openpacket doesn’t provide an interface to include supporting data, below is a network map that should help anyone who needs to use these pcaps. They were sniffed from a test network I built and should contain a good mix of systems and protocols.

Expect to see:

  • http
  • https
  • pop3
  • smtp
  • bittorrent
  • ldap
  • irc
  • msn
  • smb
  • dcerpc
  • ssh
Network Map -


While I fight with Openpcap’s upload limits, a complete archive of can be found here.



Written by leonward

April 10, 2009 at 12:50 pm


8 Responses


  1. is a brilliant idea!


    April 21, 2009 at 7:52 pm

    • Yes it is, and to keep it going make sure you contribute! More pcaps are always required.



      April 22, 2009 at 6:06 pm

  2. Hi
    I need traces for DNS ENUM over IP , over GTP and different field scenario………plz help


    May 20, 2009 at 9:37 pm

    • It’s probably best to ask at rather than here.


      May 27, 2009 at 1:45 pm

  3. The examples.pcap [1-7] is said to be “normal”.
    By this do you mean to say that there is no “malicious” or “attack” traffic?

    Is this a lab generated traffic completely isolated from the internet?


    September 13, 2009 at 3:53 am

    • Kind of, there isn’t any intentional nastiness in 1-8, but there is in later pcaps in the series. The network was isolated from the Internet by a couple of firewalls preventing no ingress connections.
      The later files with malicious traffic in were larger than Openpacket’s max upload size, I think JJ may have increased it so I’ll try to upload the others again.

      Meanwhile, I have added a download link to the complete archive in the post above that contains both “clean” and “dirty” data.



      September 14, 2009 at 8:24 am

  4. Hi,
    I have a question regarding usage of this pcap file.
    I am working on a virtual network. Do I need to create the same topology to be able to use this pcap sample?
    What are the preliminary steps for using this sample as the normal traffic in my network?

    Many thanks.



    November 1, 2012 at 8:00 am

    • Hi,

      Things should be the same in the virtual world, just make sure your NIC is in promisc and can see the same traffic your sensor can view.


      August 15, 2014 at 9:17 am
