This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 1 and 471 (spanning 470 versions)
Revision 1 as of 2004-09-27 03:12:27
Size: 471
Editor: GeraldCombs
Comment: Add the SampleCaptures page
Revision 471 as of 2009-09-13 19:21:23
Size: 29121
Editor: 125
Comment:
== Sample Captures ==
#acl AdministratorGroup:read,write,delete,revert Known:read,write,revert All:read,write
<<TableOfContents>>

== Sample Capture ==
So you're at home tonight, having just installed Wireshark. You want to take the program for a test drive, but your home LAN doesn't have any interesting or exotic packets on it? Here are some goodies to try. Please note that if for some reason your version of Wireshark doesn't have zlib support, you'll have to gunzip any file with a '''.gz''' extension.

== How to add a new Capture File ==
If you want to include a new example capture file, you should attach it to this page (click 'attachments' in header above). In the corresponding text, you might explain what this file is doing and what protocols, mechanisms or events it explains. Links from here to the related protocol pages are also welcome.

Please don't just attach your capture file to the page without putting an attachment link in the page, in the format {{{attachment:}}}''attachment''{{{.}}}''ext''; if you don't put an attachment link in the page, it's not obvious that the capture file is available.

It's also a very good idea to put links at the related protocol pages pointing to your file. Referring to an attachment on this page from another Wiki page requires a link on that other Wiki page in the format {{{attachment:SampleCaptures/}}}''attachment''{{{.}}}''ext''. For an example of this, see the NetworkTimeProtocol page.

== Other Sources of Capture Files ==
If you don't find what you're looking for, you may also try:

 * http://www.packet-level.com/traces/index.htm
 * http://www.icir.org/enterprise-tracing/download.html (unsorted capture of enterprise traffic - use the .anon files)
 * http://www.techtraces.com/sample_captures (sorted VoIP traces)
 * https://www.openpacket.org/capture/list (open repository of traces particularly related to digital security)
 * http://www.packetlife.net/captures/ (organized and moderated; many captures include a topology drawing for reference)
 * http://www.pcapr.net/ (web 2.0 for pcaps with editing, DoS, etc; powered by wireshark)
 * http://mail.im.tku.edu.tw/~miller.lai/pcap/pcapList.php (pcap samples of different applications)

== General / Unsorted ==
[[attachment:Obsolete_Packets.cap]] (libpcap) Contains various obscure/no longer in common use protocols, including Banyan VINES, AppleTalk and DECnet.

[[attachment:Apple_IP-over-IEEE_1394_Packet.pcap]] (libpcap) An ICMP packet encapsulated in Apple's IP-over-1394 (ap1394) protocol

[[attachment:SkypeIRC.cap]] (libpcap) Some Skype, IRC and DNS traffic.

[[attachment:ipp.pcap]] (libpcap) CUPS printing via IPP (test page)

[[attachment:IrDA_Traffic.ntar]] (pcap-ng) Various IrDA packets, use Wireshark 1.3.0 (SVN revision 28866 or higher) to view

[[attachment:9p.cap]] (libpcap) Plan 9 9P protocol, various message types.

[[attachment:EmergeSync.cap]] (libpcap) rsync packets, containing the result of an "emerge sync" operation on a Gentoo system

[[attachment:afs.cap.gz]] (libpcap) Andrew File System, based on RX protocol. Various operations.

[[attachment:ascend.trace.gz]] (Ascend WAN router) Shows how Wireshark parses special Ascend data

[[attachment:atm_capture1.cap]] (libpcap) A trace of ATM Classical IP packets.

[[attachment:bacnet-arcnet.cap]] (libpcap) Some BACnet packets encapsulated in ARCnet framing

[[attachment:bfd-raw-auth-simple.pcap]] (libpcap) BFD packets using simple password authentication.

[[attachment:bfd-raw-auth-md5.pcap]] (libpcap) BFD packets using md5 authentication.

[[attachment:bfd-raw-auth-sha1.pcap]] (libpcap) BFD packets using SHA1 authentication.

[[attachment:BT_USB_LinCooked_Eth_80211_RT.ntar.gz]] (pcap-ng) A selection of Bluetooth, Linux mmapped USB, Linux Cooked, Ethernet, IEEE 802.11, and IEEE 802.11 RadioTap packets in a pcap-ng file, to showcase the power of the file format, and Wireshark's support for it. SVN revision 28436 of Wireshark 1.1.4 or later is required to fully utilise the content in this file.

[[attachment:bootparams.cap.gz]] (libpcap) A couple of rpc.bootparamsd 'getfile' and 'whoami' requests.

[[attachment:cmp-trace.pcap.gz]] (libpcap) Certificate Management Protocol (CMP) certificate requests.

[[attachment:cmp-in-http-with-errors-in-cmp-protocol.pcap.gz]] (libpcap) Certificate Management Protocol (CMP) version 2 encapsulated in HTTP. Full "Initialization Request" and rejected "Key Update Request". There are some errors in the CMP packages.

[[attachment:cmp_in_http_with_pkixcmp-poll_content_type.pcap.gz]] (libpcap) Certificate Management Protocol (CMP) version 2 encapsulated in HTTP. The CMP messages are of the deprecated but used content-type "pkixcmp-poll", so they are using the TCP transport style. In two of the four CMP messages, the content type is not explicitly set, thus they cannot be dissected correctly.

[[attachment:cigi2.pcap.gz]] (libpcap) Common Image Generator Interface (CIGI) version 2 packets.

[[attachment:cigi3.pcap.gz]] (libpcap) Common Image Generator Interface (CIGI) version 3 packets.

[[attachment:ciscowl.pcap.gz]] (libpcap) Cisco Wireless LAN Context Control Protocol ([[WLCCP]]) version 0x0

[[attachment:ciscowl_version_0xc1.pcap.gz]] (libpcap) Cisco Wireless LAN Context Control Protocol ([[WLCCP]]) version 0xc1. Includes the following base message types: SCM Advertisements, EAP Auth., Path Init, Registration

[[attachment:configuration_test_protocol_aka_loop.pcap]] (libpcap) Example of an Ethernet loopback with a 'third party assist'

[[attachment:cops-pr.cap.gz]] (libpcap) A sample of COPS traffic.

[[attachment:dct2000_test.out]] (dct2000) A sample [[DCT2000]] file with examples of most supported link types

[[attachment:dhcp.pcap]] (libpcap) A sample of DHCP traffic.

[[attachment:dhcp-and-dyndns.pcap.gz]] (libpcap) A sample session of a host doing dhcp first and then dyndns.

[[attachment:dhcp-auth.pcap.gz]] (libpcap) A sample packet with dhcp authentication information.

[[attachment:dccp_trace.pcap.gz]] (libpcap) A trace of [[DCCP]] packet types.

[[attachment:dns.cap]] (libpcap) Various DNS lookups.

[[attachment:dualhome.iptrace]] (AIX iptrace) Shows Ethernet and Token Ring packets captured in the same file.

[[attachment:dvmrp-conv.cap]] Shows Distance Vector Multicast Routing Protocol packets.

[[attachment:epmd.pcap]] Two Erlang Port Mapper Daemon ([[EPMD]]) messages.

[[attachment:Ethernet_Pause_Frame.cap]] Ethernet Pause Frame packets.

[[attachment:exec-sample.pcap]] The [[Exec|exec]] (rexec) protocol

[[attachment:genbroad.snoop]] (Solaris snoop) Netware, Appletalk, and other broadcasts on an ethernet network.

[[attachment:Mixed1.cap]] (MS NetMon) Various mixed packets.

[[attachment:gryphon.cap]] (libpcap) A trace of Gryphon packets. This is useful for testing the Gryphon plug-in.

[[attachment:hsrp.pcap]] (libpcap) Some Cisco HSRP packets, including some with Opcode 3 (Advertise)

[[attachment:hsrp-and-ospf-in-LAN]] (libpcap) HSRP state changes and OSPF LSAs sent during link up/down/up

[[attachment:ipv4_cipso_option.pcap]] (libpcap) A few IP packets with CIPSO option.

[[attachment:imap.cap.gz]] (libpcap) A short IMAP session using Mutt against an MSX server.

[[attachment:RawPacketIPv6Tunnel-UK6x.cap]] (libpcap) Some IPv6 packets captured from the 'sit1' interface on Linux. The IPv6 packets are carried over the UK's UK6x network; what makes this capture special is that its link-layer type is "Raw packet data", which is something you don't see every day.

[[attachment:iseries.cap]] (IBM iSeries communications trace) FTP and Telnet traffic between two AS/400 LPARS.

[[attachment:FTPv6-1.cap]] (Microsoft Network Monitor) FTP packets (IPv6)

[[attachment:FTPv6-2.cap]] (Microsoft Network Monitor) Some more FTP packets (IPv6)

[[attachment:isl-2-dot1q.cap]] (libpcap) A trace including both ISL and 802.1q-tagged Ethernet frames. Frames 1 through 381 represent traffic encapsulated using Cisco's ISL, frames 382-745 show traffic sent by the same switch after it had been reconfigured to support 802.1Q trunking.

[[attachment:lacp1.pcap.gz]] (libpcap) Link Aggregation Control Protocol (LACP, IEEE 802.3ad) traffic.

[[attachment:linx-setup-pingpong-shutdown.pcap]] (libpcap) Successive setup of LINX on two hosts, exchange of packets and shutdown.

[[attachment:lldp.minimal.pcap]] (libpcap) Simple LLDP packets.

[[attachment:lldp.detailed.pcap]] (libpcap) LLDP packets with more details.

[[attachment:lldpmed_civicloc.pcap]] (libpcap) LLDP-MED packet with TLV entries, including civic address location ID, network policy and extended power-via-MDI.

[[attachment:llrp.cap]] EPCglobal [[LLRP|Low-Level Reader Protocol (LLRP)]]

[[attachment:llt-sample.pcap]] Veritas [[LLT|Low Latency Transport (LLT)]] frames

[[attachment:mapi.cap.gz]] (libpcap) MAPI session with Outlook and an MSX server, not currently decoded by Wireshark.

[[attachment:messenger.pcap]] (libpcap) a few messenger example packets.

[[attachment:mms.pcap.gz]] (libpcap) Manufacturing Message Specification traffic.

[[attachment:SITA-Protocols.cap]] (libpcap) Some SITA WAN (Societe Internationale de Telecommunications Aeronautiques) sample packets (contains X.25, International Passenger Airline Reservation System, Unisys Transmittal System and Frame Relay packets)

[[attachment:msnms.pcap]] (libpcap) MSN Messenger packets.

[[attachment:MSN_CAP.xlsx]] (xlsx) MSN Messenger packets in xlsx format.

[[attachment:monotone-netsync.cap.gz]] (libpcap) Some fragments (the full trace is > 100MB gzipped) of a checkout of the monotone sources.

[[attachment:mpeg2_mp2t_with_cc_drop01.pcap]] (libpcap) MPEG2 (RFC 2250) Transport Stream example with a dropped CC packet (anonymized with tcpurify).

[[attachment:mpls-basic.cap]] (libpcap) A basic sniff of MPLS-encapsulated IP packets over Ethernet.

[[attachment:mpls-exp.cap]] (libpcap) IP packets with EXP bits set.

[[attachment:mpls-te.cap]] (libpcap) MPLS Traffic Engineering sniffs. Includes RSVP messages with MPLS/TE extensions and OSPF link updates with MPLS LSAs.

[[attachment:mpls-twolevel.cap]] (libpcap) An IP packet with two-level tagging.

[[attachment:netbench_1.cap]] (libpcap) A capture of a reasonable amount of !NetBench traffic. It is useful to see some of the traffic a !NetBench run generates.

[[attachment:omron-test.pcap]] (libpcap) SCADA - OMRON-FINS protocol traffic

[[attachment:pana.cap]] (libpcap) PANA authentication session (pre-draft-15a so Wireshark 0.99.5 or before is required to view it correctly).

[[attachment:pana-draft18.cap]] (libpcap) PANA authentication session (draft-18 so Wireshark 0.99.7 or later is required to view it correctly).

[[attachment:pim-reg.cap]] (libpcap) Protocol Independent Multicast, with IPv6 tunnelled within IPv6

[[attachment:ptpv2.pcap]] (libpcap) various Precision Time Protocol (IEEE 1588) version 2 packets.

[[attachment:Public_nic]] (libpcap) A bunch of SSDP (Universal Plug and Play protocol) announcements.

[[attachment:rpl_sample.cap.gz]] (libpcap) A RIPL sample capture.

[[attachment:rtp_example.raw.gz]] (libpcap) A VoIP sample capture of a [[H323]] call (including [[H225]], [[H245]], [[RTP]] and [[RTCP]]).

[[attachment:sbus.pcap]] (libpcap) An EtherSBus (sbus) sample capture showing some traffic between the programming tool (PG5) and a PCD (Process Control Device, a PLC; Programmable Logic Controller).

[[attachment:SIMULCRYPT.pcap|simulcrypt.pcap]] (libpcap) A SIMULCRYPT sample capture ([[SIMULCRYPT]] over [[TCP]]) on ports 8600, 8601, and 8602.

[[attachment:TeamSpeak2.pcap]] (libpcap) A TeamSpeak2 capture

[[attachment:tipc-publication-payload-withdrawal.pcap]] (libpcap) TIPC port name publication, payload messages and port name withdrawal.

[[attachment:tipc-bundler-messages.pcap]] (libpcap) TIPCv2 Bundler Messages

[[attachment:tipc_v2_fragmenter_messages.pcap.gz]] (libpcap) TIPCv2 Fragmenter Messages

[[attachment:TIPC-over-TCP_disc-publ-inventory_sim-withd.pcap.gz]] (libpcap) TIPCv2 over TCP (port 666) traffic generated by the inventory simulation of the TIPC demo package.

[[attachment:TIPC-over-TCP_MTU-discovery.pcap.gz]] (libpcap) TIPCv2 over TCP (port 666) - Link State messages with filler bytes for MTU discovery.

[[attachment:toshiba.general.gz]] (Toshiba) Just some general usage of a Toshiba ISDN router. There are three link types in this trace: PPP, Ethernet, and LAPD.

[[attachment:uma_ho_req_bug.cap]] (libpcap) A "UMA URR HANDOVER REQUIRED" packet.

[[attachment:unistim_phone_startup.pcap]] (libpcap) Shows a phone booting up, requesting an IP address and establishing a connection with the cs2k server.

[[attachment:unistim-call.pcap]] (libpcap) Shows one phone calling another via cs2k server over unistim

[[attachment:v6.pcap]] (libpcap) Shows IPv6 (6-Bone) and ICMPv6 packets.

[[attachment:v6-http.cap]] (libpcap) Shows IPv6 (SixXS) HTTP.

[[attachment:vlan.cap.gz]] (libpcap) Lots of different protocols, all running over 802.1Q virtual lans.

[[attachment:vms_tcptrace.txt]] (VMS TCPtrace) Sample output from VMS TCPtrace. Mostly NFS packets.

[[attachment:vms_tcptrace-full.txt]] (VMS TCPtrace) Sample output from VMS TCPtrace/full. Mostly NFS packets.

[[attachment:vnc-sample.pcap]] Virtual Network Computing (VNC) session trace

[[attachment:WINS-Replication-01.cap.gz]] (libpcap) WINS replication trace.

[[attachment:WINS-Replication-02.cap.gz]] (libpcap) WINS replication trace.

[[attachment:WINS-Replication-03.cap.gz]] (libpcap) WINS replication trace.

[[attachment:wpsdata.cap]] (libpcap) WPS expanded EAP trace.

[[attachment:drda_db2_sample.tgz]] (libpcap) DRDA trace from DB2.

[[attachment:starteam_sample.tgz]] (libpcap) StarTeam trace.

[[attachment:rtmp_sample.tgz]] (libpcap) RTMP (Real Time Messaging Protocol) trace.

[[attachment:sample-imf.pcap.gz]] (libpcap) [[SMTP]] and [[IMF]] capture. Also shows some [[MIME_multipart]].

[[attachment:sample-TNEF.pcap.gz]] (libpcap) [[TNEF]] trace containing two attachments as well as message properties. Also shows some [[SMTP]], [[IMF]] and [[MIME_multipart]] trace.

[[attachment:wol.pcap]] (libpcap) [[WakeOnLAN]] sample packets generated from both ether-wake and a Windows-based utility.

[[attachment:zigbee-join-authenticate.pcap.gz]] (libpcap) Two devices join a ZigBee network and authenticate with the trust center. Network is encrypted using network keys and trust center link keys.

[[attachment:IGMP dataset.pcap]] (igmp) igmp version 2 dataset

== Viruses and worms ==
[[attachment:slammer.pcap]] Slammer worm sending a DCE RPC packet. bnb

[[attachment:dns-remoteshell.pcap]] Watch frame 22: Ethereal detecting a DNS anomaly caused by a remote shell riding on the DNS port. DNS anomaly detection made easy by Ethereal. -- Anith Anand

== Crack Traces ==
[[attachment:teardrop.cap]] Packets 8 and 9 show the overlapping IP fragments in a Teardrop attack.

[[attachment:zlip-1.pcap]] DNS exploit, endless, pointing to itself message decompression flaw.

[[attachment:zlip-2.pcap]] DNS exploit, endless cross referencing at message decompression.

[[attachment:zlip-3.pcap]] DNS exploit, creating a very long domain through multiple decompression of the same hostname, again and again.

[[attachment:can-2003-0003.pcap]] Attack for [[http://www.cert.org/advisories/CA-2003-03.html|CERT advisory CA-2003-03]]

== PROTOS Test Suite Traffic ==
The files below are captures of traffic generated by the [[http://www.ee.oulu.fi/research/ouspg/protos/|PROTOS]] test suite developed at the University of Oulu. They contain malformed traffic used to test the robustness of protocol implementations; they also test the robustness of protocol analyzers such as Wireshark.

[[attachment:c04-wap-r1.pcap.gz]] Output from c04-wap-r1.jar

[[attachment:c05-http-reply-r1.pcap.gz]] Output from c05-http-reply-r1.jar

[[attachment:c06-ldapv3-app-r1.pcap.gz]] Output from c06-ldapv3-app-r1.jar

[[attachment:c06-ldapv3-enc-r1.pcap.gz]] Output from c06-ldapv3-enc-r1.jar

[[attachment:c06-snmpv1-req-app-r1.pcap.gz]] Output from c06-snmpv1-req-app-r1.jar

[[attachment:c06-snmpv1-req-enc-r1.pcap.gz]] Output from c06-snmpv1-req-enc-r1.jar

[[attachment:c06-snmpv1-trap-app-r1.pcap.gz]] Output from c06-snmpv1-trap-app-r1.jar

[[attachment:c06-snmpv1-trap-enc-r1.pcap.gz]] Output from c06-snmpv1-trap-enc-r1.jar

[[attachment:c07-sip-r2.cap]] Output from c07-sip-r2.jar

== Specific Protocols and Protocol Families ==
'''3GPP''' [[attachment:3gpp_mc.cap]] (libpcap) 3GPP CN Mc interface capture file, including MEGACO and RANAP packets

=== ARP/RARP ===
[[attachment:arp-storm.pcap]] (libpcap) More than 20 ARP requests per second, observed on a cable modem connection.

[[attachment:rarp_request.cap]] (libpcap) A reverse ARP request.

=== Spanning Tree Protocol ===
[[attachment:stp.pcap]] (libpcap)

=== Bluetooth ===
[[attachment:l2ping.cap]] (Linux BlueZ hcidump) Contains some [[Bluetooth]] packets captured using hcidump; the packets were from the l2ping command that's included with the Linux BlueZ stack.

[[attachment:Bluetooth1.cap]] (Linux BlueZ hcidump) Contains some [[Bluetooth]] packets captured using hcidump.

=== UDP-Lite ===
Several [[UDP-Lite]] packets, some correct, some wrong.

[[attachment:udp_lite_full_coverage_0.pcap]] If coverage=0, the full packet is checksummed over.

[[attachment:udp_lite_illegal_1-7.pcap]] Coverage values between 1..7 (illegal).

[[attachment:udp_lite_normal_coverage_8-20.pcap]] Normal ones with correct checksums (legal).

[[attachment:udp_lite_illegal_large-coverage.pcap]] Three traces with coverage lengths greater than the packet length.

[[attachment:udp_lite_checksum_0.pcap]] checksum 0 is illegal.

=== NFS Protocol Family ===
[[attachment:nfs_bad_stalls.cap]] (libpcap) An NFS capture containing long stalls (about 38ms) in the middle of the responses to many read requests. This is useful for seeing the staircase effect in TCP Time Sequence Analysis.

[[attachment:nfsv2.pcap.gz]] (libpcap) Fairly complete trace of all [[NFS]] v2 packet types.

[[attachment:nfsv3.pcap.gz]] (libpcap) Fairly complete trace of all [[NFS]] v3 packet types.

[[attachment:mount-de.pcap.gz]] (libpcap) [[MOUNT]] protocol: DUMP and EXPORT calls.

[[attachment:klm.pcap.gz]] (libpcap) A "fake" trace containing all [[KLM]] functions.

[[attachment:rquota.pcap.gz]] (libpcap) A "fake" trace containing all [[RQUOTA]] functions.

[[attachment:nsm.pcap.gz]] (libpcap) A "fake" trace containing all [[NSM]] functions.

=== Server Message Block (SMB)/Common Internet File System (CIFS) ===
[[attachment:smbtorture.cap.gz]] (libpcap) Capture showing a wide range of SMB features. The capture was made using the Samba4 smbtorture suite, against a Windows Vista beta2 server.

=== Parallel Virtual File System (PVFS) ===
[[attachment:pvfs2-sample.pcap]] (libpcap) PVFS2 copy operation (local file to PVFS2 file system)

=== HyperText Transfer Protocol (HTTP) ===
[[attachment:http.cap]] A simple HTTP request and response.

[[attachment:http_gzip.cap]] A simple HTTP request with a one packet gzip Content-Encoded response.

[[attachment:http_with_jpegs.cap.gz]] A simple capture containing a few JPEG pictures one can reassemble and save to a file.

[[attachment:wireshark.org.pcap.gz]] Fetching the Wireshark home page.

[[attachment:tcp-wireshark-file1.trace]] (libpcap) A large POST request, taking many TCP segments.

=== Telnet ===
[[attachment:telnet-cooked.pcap]] (libpcap) A telnet session in "cooked" (per-line) mode.

[[attachment:telnet-raw.pcap]] (libpcap) A telnet session in "raw" (per-character) mode.

=== Routing Protocols ===
[[attachment:bgp.pcap.gz]] (libpcap) BGP packets, including AS path attributes.

[[attachment:EIGRP_Neighbors.cap]] Two Cisco EIGRP peers forming an adjacency.

[[attachment:eigrp-for-ipv6-auth.pcap]] Cisco EIGRP packets, including Authentication TLVs

[[attachment:eigrp-for-ipv6-stub.pcap]] Cisco EIGRP packets, including Stub routing TLVs

[[attachment:eigrp-for-ipv6-updates.pcap]] Cisco EIGRP packets, including IPv6 internal and external route updates

[[attachment:ipv6-ripng.gz]] (libpcap) RIPng packets (IPv6)

[[attachment:ospf.cap]] (libpcap) Simple OSPF initialization.

[[attachment:ospf-md5.cap]] (libpcap) Simple OSPF-MD5 Authentication.

[[attachment:RIP_v1]] A basic route exchange between two RIP v1 routers.

=== SNMP ===
[[attachment:b6300a.cap]] A collection of SNMP GETs and RESPONSEs

[[attachment:snmp_usm.pcap]] A series of authenticated and some encrypted SNMPv3 PDUS

 * the authPassword for all users is pippoxxx and the privPassword is PIPPOxxx.
 * pippo uses MD5 and DES
 * pippo2 uses SHA1 and DES
 * pippo3 uses SHA1 and AES
 * pippo4 uses MD5 and AES

'''File:''' [[attachment:NTP_sync.pcap]] (4KB, showing the NetworkTimeProtocol) <<BR>> '''Contributor:''' Gerald Combs<<BR>> '''Description:''' After reading about the round robin [[DNS]] records set up by the folks at [[http://www.pool.ntp.org|pool.ntp.org]], I decided to use their service to sync my laptop's clock. The attached file contains the result of running

{{{
net time /setsntp:us.pool.ntp.org
net stop w32time
net start w32time
}}}

at the command prompt. Something to note is that each pool.ntp.org DNS record contains multiple addresses. The Windows time client appears to query all of them.

[[attachment:MicrosoftNTP.cap]] (Microsoft Network Monitor) 2 Packets containing a synchronisation to the Microsoft NTP server.

=== PostgreSQL v3 Frontend/Backend Protocol ===
'''File:''' [[attachment:pgsql.cap.gz]] (2KB, showing a brief PostgresProtocol session) <<BR>> '''Contributor:''' Abhijit Menon-Sen<<BR>>

'''File:''' [[attachment:pgsql-jdbc.pcap.gz]] (584KB, showing a PostgreSQL JDBC test session) <<BR>> '''Contributors:''' Kris Jurka and Abhijit Menon-Sen<<BR>>

=== MySQL protocol ===
'''File:''' [[attachment:mysql_complete.pcap]] (6 KB, from bug 2691)

=== VendorLanProtocolFamily ===
Extreme Networks

[[attachment:edp.trace.gz]] General EDP traffic

[[attachment:edp1.trace.gz]]

[[attachment:edp.esrp.gz]] EDP/ESRP traffic

[[attachment:edp.eaps.mirror1.trace.gz]]

[[attachment:edp.eaps.mirror2.trace.gz]]

Cisco

[[attachment:cdp-BCM1100.cap]]

=== DECT ===
[[attachment:dump_2009-02-02_23_17_18_RFPI_00_4e_b4_bd_50.pcap.gz]] A trace of an unencrypted DECT phonecall with the original Ethernet pseudoheader (see README.DECT). Called number 0800-1507090 (DTMF only?)

=== Sigtran Protocol Family ===
Captures of protocols belonging to the [[SIGTRAN]] family.

[[attachment:isup.cap]] A single call's signalling sequence using ISUP/MTP3/M3UA/SCTP/IP. NOTE: The M3UA version preference must be set to "Draft 6" to successfully view this file (Edit->Preferences->Protocols->M3UA->M3UA Version->Internet Draft version 6).

[[attachment:bicc.pcap]] Sample [[BICC]] PDUs.

[[attachment:camel.pcap]] A single call using CAMEL/TCAP/SCCP/MTP3/M2UA/SCTP/IP. This "capture" has been generated using [[http://www.wireshark.org/docs/man-pages/text2pcap.1.html|text2pcap]] tool, from MTP3 raw data trace. The capture contains the following Camel operations: InitialDP, RequestReportBCSMEvent, !ApplyCharging, Continue, EventReportBCSM, !ApplyChargingReport, !ReleaseCall.

[[attachment:camel2.pcap]] Same as the camel.pcap capture, except that it is using another Camel phase. The other difference is that the call is rejected. The capture contains the following Camel operations: InitialDP, RequestReportBCSMEvent, Connect, ReleaseCall.

[[attachment:gsm_map_with_ussd_string.pcap]] This "capture" has been generated using [[http://www.wireshark.org/docs/man-pages/text2pcap.1.html|text2pcap]] tool, from MTP3 raw data trace. It contains a GSM MAP processUnstructuredSS-Request MAP operation with a USSD String (GSM 7 bit encoded).

[[attachment:ansi_map_ota.pcap]] ANSI MAP OTA trace.

[[attachment:ansi_map_win.pcap]] ANSI MAP over ANSI MTP3 with WIN messages.

[[attachment:packlog-example.cap]] Example capture of Cisco ITP's Packet Logging Facility packets (SS7 MSU encapsulated in syslog messages). It contains a few random MSUs: MTP3MG, TCAP and GSM_MAP. There aren't any complete dialogs in the capture.

[[attachment:japan_tcap_over_m2pa.pcap]] Example of TCAP over Japan SCCP/MTP over M2PA (RFC version).

[[attachment:ansi_tcap_over_itu_sccp_over_mtp3_over_mtp2.pcap]] Example of ANSI TCAP carried over ITU SCCP/MTP3/MTP2. Really this should be in an "SS7" section of the SampleCaptures page.

=== Stream Control Transmission Protocol (SCTP) ===
[[attachment:sctp.cap]] Sample [[SCTP]] PDUs.

[[attachment:sctp-test.cap]] Sample [[SCTP]] handshaking and DATA/SACK chunks.

[[attachment:sctp-addip.cap]] Sample [[SCTP]] ASCONF/ASCONF-ACK Chunks that perform Vertical Handover.

[[attachment:sctp-www.cap]] Sample [[SCTP]] DATA Chunks that carry HTTP messages between Apache2 HTTP Server and Mozilla.

=== IPMI ===
[[attachment:ipmi.SDR.FRU.SEL.pcap]] Opens and closes a session and retrieves the SDR, SEL and FRU. This "capture" has been generated using [[http://www.wireshark.org/docs/man-pages/text2pcap.1.html|text2pcap]] tool, from RMCP raw data trace.

[[attachment:ipmi.sensor.event.RR.pcap]] Opens and closes a session and does different Sensor/Event requests and responses. This "capture" has been generated using [[http://www.wireshark.org/docs/man-pages/text2pcap.1.html|text2pcap]] tool, from RMCP raw data trace.

=== IPMB ===
[[attachment:ipmb.multi.packets.pcap]] (libpcap) IPMB interface capture file, including multiple request and response packets. (An IPMB plugin is coming soon; it is not available in Wireshark 0.99.6.)

=== SIP and RTP ===
[[attachment:aaa.pcap]] Sample SIP and RTP traffic.

[[attachment:SIP_CALL_RTP_G711]] Sample SIP call with RTP in G711.

[[attachment:SIP_DTMF2.cap]] Sample SIP call with RFC 2833 DTMF

[[attachment:h223-over-rtp.pcap.gz]] (libpcap) A sample of H.223 running over RTP, following negotiation over SIP.

[[attachment:h263-over-rtp.pcap]] (libpcap) A sample of RFC 2190 H.263 over RTP, following negotiation over SIP.

[[attachment:metasploit-sip-invite-spoof.pcap]] Metasploit 3.0 SIP Invite spoof capture.

=== RTSP Protocol ===
Here are a few RTSP packets in Microsoft Network Monitor format: [[attachment:RTSPPACKETS1.cap]]

[[attachment:rtsp_with_data_over_tcp.cap]] (libpcap) An RTSP reply packet.

=== H.223 ===
[[attachment:h223-over-iax.pcap.gz]] (libpcap) A sample of H.223 running over IAX, including H.263 and AMR payloads.

[[attachment:h223-over-tcp.pcap.gz]] (libpcap) A sample of H.223 running over TCP. You'll need to select 'Decode as... H.223'.

[[attachment:h223-over-rtp.pcap.gz]] (libpcap) A sample of H.223 running over RTP, following negotiation over SIP.

=== USB Raw (dlt 186) ===
[[attachment:VariousUSBDevices.pcap]] (libpcap) Various USB devices on a number of busses

USB packets exchanged while unplugging and replugging a mouse: [[attachment:mouse_replug2.pcap]]

[[attachment:usbstick3.pcap.gz]] (libpcap) Plug in a USB 2.0 stick, mount it, list the contents.

[[attachment:usbhub.pcap.gz]] (libpcap) Plug in a USB 2.0 4-port hub without an external power supply, plug a Logitech presenter into one of the ports, press a button, unplug the presenter, unplug the hub. Repeat with an externally powered hub.

=== USB with Linux encapsulation (dlt 189) ===
[[attachment:usb_memory_stick.pcap]] Plug in a USB stick and mount it

[[attachment:usb_memory_stick_create_file.pcap]] Create a new file on a previously mounted memory stick and write some text into it

[[attachment:usb_memory_stick_delete_file.pcap]] Delete the previously created file from the memory stick.

[[attachment:Bluetooth_HCI_and_OBEX_Transaction_over_USB.ntar.gz]] contains a Bluetooth session over USB (including connecting the USB adaptor used, pairing with a mobile phone, receiving a file over RFCOMM/L2CAP/OBEX, and finally removing the USB Bluetooth adaptor)

=== WAP Protocol Family ===
[[attachment:WAP_WBXML_Provisioning_Push.pcap]] contains a [[WSP]] Push PDU with a Client Provisioning document encoded in [[WBXML]]. This example comes from the WAP Provisioning specifications.

[[attachment:wap_google.pcap]] contains two [[WSP]] request-response dialogs.

=== X.509 Digital Certificates ===
[[attachment:x509-with-logo.cap]] contains (packet 18) an X.509 digital certificate containing RFC3709 Logotype{{{}}}Certificate{{{}}}Extensions.

=== Lightweight Directory Access Protocol (LDAP) ===
[[attachment:ldap-controls-dirsync-01.cap]] Sample [[LDAP]] PDU with DIRSYNC CONTROLS

[[attachment:ldap-krb5-sign-seal-01.cap]] Sample [[GSSAPI]]-[[KRB5]] signed and sealed [[LDAP]] PDU

[[attachment:ldap-and-search.pcap]] Sample search filter with AND filter, filter

[[attachment:lda

Sample Capture

So you're at home tonight, having just installed Wireshark. You want to take the program for a test drive. But your home LAN doesn't have any interesting or exotic packets on it? Here's some goodies to try. Please note that if for some reason your version of Wireshark doesn't have zlib support, you'll have to gunzip any file with a .gz extension.

How to add a new Capture File

If you want to include a new example capture file, you should attach it to this page (click 'attachments' in header above). In the corresponding text, you might explain what this file is doing and what protocols, mechanisms or events it explains. Links from here to the related protocol pages are also welcome.

Please don't just attach your capture file to the page without putting an attachment link in the page, in the format attachment:attachment.ext; if you don't put an attachment link in the page, it's not obvious that the capture file is available.

It's also a very good idea to put links at the related protocol pages pointing to your file. Referring to an attachment on this page from another Wiki page requires a link on that other Wiki page in the format attachment:SampleCaptures/attachment.ext. For an example of this, see the NetworkTimeProtocol page.

Other Sources of Capture Files

If you don't find what you're looking for, you may also try:

General / Unsorted

Obsolete_Packets.cap (libpcap) Contains various obscure/no longer in common use protocols, including Banyan VINES, AppleTalk and DECnet.

Apple_IP-over-IEEE_1394_Packet.pcap (libpcap) An ICMP packet encapsulated in Apple's IP-over-1394 (ap1394) protocol

SkypeIRC.cap (libpcap) Some Skype, IRC and DNS traffic.

ipp.pcap (libpcap) CUPS printing via IPP (test page)

IrDA_Traffic.ntar (pcap-ng) Various IrDA packets, use Wireshark 1.3.0 (SVN revision 28866 or higher) to view

9p.cap (libpcap) Plan 9 9P protocol, various message types.

EmergeSync.cap (libpcap) rsync packets, containing the result of an "emerge sync" operation on a Gentoo system

afs.cap.gz (libpcap) Andrew File System, based on RX protocol. Various operations.

ascend.trace.gz (Ascend WAN router) Shows how Wireshark parses special Ascend data

atm_capture1.cap (libpcap) A trace of ATM Classical IP packets.

bacnet-arcnet.cap (libpcap) Some BACnet packets encapsulated in ARCnet framing

bfd-raw-auth-simple.pcap (libpcap) BFD packets using simple password authentication.

bfd-raw-auth-md5.pcap (libpcap) BFD packets using md5 authentication.

bfd-raw-auth-sha1.pcap (libpcap) BFD packets using SHA1 authentication.

BT_USB_LinCooked_Eth_80211_RT.ntar.gz (pcap-ng) A selection of Bluetooth, Linux mmapped USB, Linux Cooked, Ethernet, IEEE 802.11, and IEEE 802.11 RadioTap packets in a pcap-ng file, to showcase the power of the file format, and Wireshark's support for it. SVN revision 28436 of Wireshark 1.1.4 or later is required to fully utilise the content in this file.

bootparams.cap.gz (libpcap) A couple of rpc.bootparamsd 'getfile' and 'whoami' requests.

cmp-trace.pcap.gz (libpcap) Certificate Management Protocol (CMP) certificate requests.

cmp-in-http-with-errors-in-cmp-protocol.pcap.gz (libpcap) Certificate Management Protocol (CMP) version 2 encapsulated in HTTP. Full "Initialization Request" and rejected "Key Update Request". There are some errors in the CMP packages.

cmp_in_http_with_pkixcmp-poll_content_type.pcap.gz (libpcap) Certificate Management Protocol (CMP) version 2 encapsulated in HTTP. The CMP messages use the deprecated but still used content type "pkixcmp-poll", so they follow the TCP transport style. In two of the four CMP messages the content type is not explicitly set, so they cannot be dissected correctly.

cigi2.pcap.gz (libpcap) Common Image Generator Interface (CIGI) version 2 packets.

cigi3.pcap.gz (libpcap) Common Image Generator Interface (CIGI) version 3 packets.

ciscowl.pcap.gz (libpcap) Cisco Wireless LAN Context Control Protocol (WLCCP) version 0x0

ciscowl_version_0xc1.pcap.gz (libpcap) Cisco Wireless LAN Context Control Protocol (WLCCP) version 0xc1. Includes the following base message types: SCM Advertisements, EAP Auth., Path Init, Registration.

configuration_test_protocol_aka_loop.pcap (libpcap) Example of an Ethernet loopback with a 'third party assist'

cops-pr.cap.gz (libpcap) A sample of COPS traffic.

dct2000_test.out (dct2000) A sample DCT2000 file with examples of most supported link types

dhcp.pcap (libpcap) A sample of DHCP traffic.

dhcp-and-dyndns.pcap.gz (libpcap) A sample session of a host doing DHCP first and then DynDNS.

dhcp-auth.pcap.gz (libpcap) A sample packet with DHCP authentication information.

dccp_trace.pcap.gz (libpcap) A trace of DCCP packet types.

dns.cap (libpcap) Various DNS lookups.

dualhome.iptrace (AIX iptrace) Shows Ethernet and Token Ring packets captured in the same file.

dvmrp-conv.cap Shows Distance Vector Multicast Routing Protocol packets.

epmd.pcap Two Erlang Port Mapper Daemon (EPMD) messages.

Ethernet_Pause_Frame.cap Ethernet Pause Frame packets.

exec-sample.pcap The exec (rexec) protocol

genbroad.snoop (Solaris snoop) Netware, AppleTalk, and other broadcasts on an Ethernet network.

Mixed1.cap (MS NetMon) Various mixed packets.

gryphon.cap (libpcap) A trace of Gryphon packets. This is useful for testing the Gryphon plug-in.

hsrp.pcap (libpcap) Some Cisco HSRP packets, including some with Opcode 3 (Advertise)

hsrp-and-ospf-in-LAN (libpcap) HSRP state changes and OSPF LSAs sent during link up/down/up

ipv4_cipso_option.pcap (libpcap) A few IP packets with CIPSO option.

imap.cap.gz (libpcap) A short IMAP session using Mutt against an MSX server.

RawPacketIPv6Tunnel-UK6x.cap (libpcap) Some IPv6 packets captured from the 'sit1' interface on Linux. The IPv6 packets are carried over the UK's UK6x network, but what makes this capture special is that it has a link-layer type of "Raw packet data", which is something you don't see every day.

iseries.cap (IBM iSeries communications trace) FTP and Telnet traffic between two AS/400 LPARS.

FTPv6-1.cap (Microsoft Network Monitor) FTP packets (IPv6)

FTPv6-2.cap (Microsoft Network Monitor) Some more FTP packets (IPv6)

isl-2-dot1q.cap (libpcap) A trace including both ISL and 802.1q-tagged Ethernet frames. Frames 1 through 381 represent traffic encapsulated using Cisco's ISL, frames 382-745 show traffic sent by the same switch after it had been reconfigured to support 802.1Q trunking.

lacp1.pcap.gz (libpcap) Link Aggregation Control Protocol (LACP, IEEE 802.3ad) traffic.

linx-setup-pingpong-shutdown.pcap (libpcap) Successive setup of LINX on two hosts, exchange of packets and shutdown.

lldp.minimal.pcap (libpcap) Simple LLDP packets.

lldp.detailed.pcap (libpcap) LLDP packets with more details.

lldpmed_civicloc.pcap (libpcap) LLDP-MED packet with TLV entries, including civic address location ID, network policy and extended power-via-MDI.

llrp.cap EPCglobal Low-Level Reader Protocol (LLRP)

llt-sample.pcap Veritas Low Latency Transport (LLT) frames

mapi.cap.gz (libpcap) MAPI session w/ Outlook and MSX server, not currently decoded by Wireshark.

messenger.pcap (libpcap) a few messenger example packets.

mms.pcap.gz (libpcap) Manufacturing Message Specification traffic.

SITA-Protocols.cap (libpcap) Some SITA WAN (Societe Internationale de Telecommunications Aeronautiques) sample packets (contains X.25, International Passenger Airline Reservation System, Unisys Transmittal System and Frame Relay packets).

msnms.pcap (libpcap) MSN Messenger packets.

MSN_CAP.xlsx (xlsx) MSN Messenger packets in xlsx format.

monotone-netsync.cap.gz (libpcap) Some fragments (the full trace is > 100MB gzipped) of a checkout of the monotone sources.

mpeg2_mp2t_with_cc_drop01.pcap (libpcap) MPEG2 (RFC 2250) Transport Stream example with a dropped CC packet (anonymized with tcpurify).

mpls-basic.cap (libpcap) A basic sniff of MPLS-encapsulated IP packets over Ethernet.

mpls-exp.cap (libpcap) IP packets with EXP bits set.

mpls-te.cap (libpcap) MPLS Traffic Engineering sniffs. Includes RSVP messages with MPLS/TE extensions and OSPF link updates with MPLS LSAs.

mpls-twolevel.cap (libpcap) An IP packet with two-level tagging.

netbench_1.cap (libpcap) A capture of a reasonable amount of NetBench traffic. It is useful to see some of the traffic a NetBench run generates.

omron-test.pcap (libpcap) SCADA - OMRON-FINS protocol traffic

pana.cap (libpcap) PANA authentication session (pre-draft-15a so Wireshark 0.99.5 or before is required to view it correctly).

pana-draft18.cap (libpcap) PANA authentication session (draft-18 so Wireshark 0.99.7 or later is required to view it correctly).

pim-reg.cap (libpcap) Protocol Independent Multicast, with IPv6 tunnelled within IPv6

ptpv2.pcap (libpcap) Various Precision Time Protocol (IEEE 1588) version 2 packets.

Public_nic (libpcap) A bunch of SSDP (Universal Plug and Play protocol) announcements.

rpl_sample.cap.gz (libpcap) A RIPL sample capture.

rtp_example.raw.gz (libpcap) A VoIP sample capture of a H323 call (including H225, H245, RTP and RTCP).

sbus.pcap (libpcap) An EtherSBus (sbus) sample capture showing some traffic between the programming tool (PG5) and a PCD (Process Control Device, a PLC; Programmable Logic Controller).

simulcrypt.pcap (libpcap) A SIMULCRYPT sample capture (SIMULCRYPT over TCP) on ports 8600, 8601, and 8602.

TeamSpeak2.pcap (libpcap) A TeamSpeak2 capture

tipc-publication-payload-withdrawal.pcap (libpcap) TIPC port name publication, payload messages and port name withdrawal.

tipc-bundler-messages.pcap (libpcap) TIPCv2 Bundler Messages

tipc_v2_fragmenter_messages.pcap.gz (libpcap) TIPCv2 Fragmenter Messages

TIPC-over-TCP_disc-publ-inventory_sim-withd.pcap.gz (libpcap) TIPCv2 over TCP (port 666) traffic generated by the inventory simulation of the TIPC demo package.

TIPC-over-TCP_MTU-discovery.pcap.gz (libpcap) TIPCv2 over TCP (port 666) - Link State messages with filler bytes for MTU discovery.

toshiba.general.gz (Toshiba) Just some general usage of a Toshiba ISDN router. There are three link types in this trace: PPP, Ethernet, and LAPD.

uma_ho_req_bug.cap (libpcap) A "UMA URR HANDOVER REQUIRED" packet.

unistim_phone_startup.pcap (libpcap) Shows a phone booting up, requesting an IP address and establishing a connection with the cs2k server.

unistim-call.pcap (libpcap) Shows one phone calling another via cs2k server over unistim

v6.pcap (libpcap) Shows IPv6 (6-Bone) and ICMPv6 packets.

v6-http.cap (libpcap) Shows IPv6 (SixXS) HTTP.

vlan.cap.gz (libpcap) Lots of different protocols, all running over 802.1Q virtual lans.

vms_tcptrace.txt (VMS TCPtrace) Sample output from VMS TCPtrace. Mostly NFS packets.

vms_tcptrace-full.txt (VMS TCPtrace) Sample output from VMS TCPtrace/full. Mostly NFS packets.

vnc-sample.pcap Virtual Network Computing (VNC) session trace

WINS-Replication-01.cap.gz (libpcap) WINS replication trace.

WINS-Replication-02.cap.gz (libpcap) WINS replication trace.

WINS-Replication-03.cap.gz (libpcap) WINS replication trace.

wpsdata.cap (libpcap) WPS expanded EAP trace.

drda_db2_sample.tgz (libpcap) DRDA trace from DB2.

starteam_sample.tgz (libpcap) StarTeam trace.

rtmp_sample.tgz (libpcap) RTMP (Real Time Messaging Protocol) trace.

sample-imf.pcap.gz (libpcap) SMTP and IMF capture. Also shows some MIME_multipart.

sample-TNEF.pcap.gz (libpcap) TNEF trace containing two attachments as well as message properties. Also shows some SMTP, IMF and MIME_multipart trace.

wol.pcap (libpcap) WakeOnLAN sample packets generated from both ether-wake and a Windows-based utility.

zigbee-join-authenticate.pcap.gz (libpcap) Two devices join a ZigBee network and authenticate with the trust center. Network is encrypted using network keys and trust center link keys.

IGMP dataset.pcap (igmp) IGMP version 2 dataset

Viruses and worms

slammer.pcap Slammer worm sending a DCE RPC packet. bnb

dns-remoteshell.pcap Watch frame 22: Ethereal detecting a DNS anomaly caused by remoteshell riding on the DNS port. DNS anomaly detection made easy by Ethereal. Anith Anand

Crack Traces

teardrop.cap Packets 8 and 9 show the overlapping IP fragments in a Teardrop attack.

zlip-1.pcap DNS exploit: endless message decompression flaw, with a name pointer pointing to itself.

zlip-2.pcap DNS exploit: endless cross-referencing during message decompression.

zlip-3.pcap DNS exploit: creating a very long domain name by decompressing the same hostname again and again.

can-2003-0003.pcap Attack for CERT advisory CA-2003-03

PROTOS Test Suite Traffic

The files below are captures of traffic generated by the PROTOS test suite developed at the University of Oulu. They contain malformed traffic used to test the robustness of protocol implementations; they also test the robustness of protocol analyzers such as Wireshark.

c04-wap-r1.pcap.gz Output from c04-wap-r1.jar

c05-http-reply-r1.pcap.gz Output from c05-http-reply-r1.jar

c06-ldapv3-app-r1.pcap.gz Output from c06-ldapv3-app-r1.jar

c06-ldapv3-enc-r1.pcap.gz Output from c06-ldapv3-enc-r1.jar

c06-snmpv1-req-app-r1.pcap.gz Output from c06-snmpv1-req-app-r1.jar

c06-snmpv1-req-enc-r1.pcap.gz Output from c06-snmpv1-req-enc-r1.jar

c06-snmpv1-trap-app-r1.pcap.gz Output from c06-snmpv1-trap-app-r1.jar

c06-snmpv1-trap-enc-r1.pcap.gz Output from c06-snmpv1-trap-enc-r1.jar

c07-sip-r2.cap Output from c07-sip-r2.jar

Specific Protocols and Protocol Families

3GPP

3gpp_mc.cap (libpcap) 3GPP CN Mc interface capture file, including MEGACO and RANAP packets.

ARP/RARP

arp-storm.pcap (libpcap) More than 20 ARP requests per second, observed on a cable modem connection.

rarp_request.cap (libpcap) A reverse ARP request.

Spanning Tree Protocol

stp.pcap (libpcap)

Bluetooth

l2ping.cap (Linux BlueZ hcidump) Contains some Bluetooth packets captured using hcidump; the packets were generated by the l2ping command that's included with the Linux BlueZ stack.

Bluetooth1.cap (Linux BlueZ hcidump) Contains some Bluetooth packets captured using hcidump.

UDP-Lite

Several UDP-Lite packets, some correct, some wrong.

udp_lite_full_coverage_0.pcap With coverage=0, the checksum covers the full packet.

udp_lite_illegal_1-7.pcap Coverage values between 1 and 7 (illegal).

udp_lite_normal_coverage_8-20.pcap Normal packets with correct checksums (legal).

udp_lite_illegal_large-coverage.pcap Three traces with coverage lengths greater than the packet length.

udp_lite_checksum_0.pcap Checksum 0 is illegal.

NFS Protocol Family

nfs_bad_stalls.cap (libpcap) An NFS capture containing long stalls (about 38ms) in the middle of the responses to many read requests. This is useful for seeing the staircase effect in TCP Time Sequence Analysis.

nfsv2.pcap.gz (libpcap) Fairly complete trace of all NFS v2 packet types.

nfsv3.pcap.gz (libpcap) Fairly complete trace of all NFS v3 packet types.

mount-de.pcap.gz (libpcap) MOUNT protocol: DUMP and EXPORT calls.

klm.pcap.gz (libpcap) A "fake" trace containing all KLM functions.

rquota.pcap.gz (libpcap) A "fake" trace containing all RQUOTA functions.

nsm.pcap.gz (libpcap) A "fake" trace containing all NSM functions.

Server Message Block (SMB)/Common Internet File System (CIFS)

smbtorture.cap.gz (libpcap) Capture showing a wide range of SMB features. The capture was made using the Samba4 smbtorture suite, against a Windows Vista beta2 server.

Parallel Virtual File System (PVFS)

pvfs2-sample.pcap (libpcap) PVFS2 copy operation (local file to PVFS2 file system)

Hypertext Transfer Protocol (HTTP)

http.cap A simple HTTP request and response.

http_gzip.cap A simple HTTP request with a one packet gzip Content-Encoded response.

http_with_jpegs.cap.gz A simple capture containing a few JPEG pictures one can reassemble and save to a file.

wireshark.org.pcap.gz Fetching the Wireshark home page.

tcp-wireshark-file1.trace (libpcap) A large POST request, taking many TCP segments.

Telnet

telnet-cooked.pcap (libpcap) A telnet session in "cooked" (per-line) mode.

telnet-raw.pcap (libpcap) A telnet session in "raw" (per-character) mode.

Routing Protocols

bgp.pcap.gz (libpcap) BGP packets, including AS path attributes.

EIGRP_Neighbors.cap Two Cisco EIGRP peers forming an adjacency.

eigrp-for-ipv6-auth.pcap Cisco EIGRP packets, including Authentication TLVs

eigrp-for-ipv6-stub.pcap Cisco EIGRP packets, including Stub routing TLVs

eigrp-for-ipv6-updates.pcap Cisco EIGRP packets, including IPv6 internal and external route updates

ipv6-ripng.gz (libpcap) RIPng packets (IPv6)

ospf.cap (libpcap) Simple OSPF initialization.

ospf-md5.cap (libpcap) Simple OSPF-MD5 Authentication.

RIP_v1 A basic route exchange between two RIP v1 routers.

SNMP

b6300a.cap A collection of SNMP GETs and RESPONSEs

snmp_usm.pcap A series of authenticated and some encrypted SNMPv3 PDUs

  • the authPassword for all users is pippoxxx and the privPassword is PIPPOxxx.
  • pippo uses MD5 and DES
  • pippo2 uses SHA1 and DES
  • pippo3 uses SHA1 and AES
  • pippo4 uses MD5 and AES

Network Time Protocol

File: NTP_sync.pcap (4KB, showing the NetworkTimeProtocol)
Contributor: Gerald Combs
Description: After reading about the round robin DNS records set up by the folks at pool.ntp.org, I decided to use their service to sync my laptop's clock. The attached file contains the result of running

  • net time /setsntp:us.pool.ntp.org
    net stop w32time
    net start w32time

at the command prompt. Something to note is that each pool.ntp.org DNS record contains multiple addresses. The Windows time client appears to query all of them.

MicrosoftNTP.cap (Microsoft Network Monitor) Two packets containing a synchronisation to the Microsoft NTP server.

PostgreSQL v3 Frontend/Backend Protocol

File: pgsql.cap.gz (2KB, showing a brief PostgresProtocol session)
Contributor: Abhijit Menon-Sen

File: pgsql-jdbc.pcap.gz (584KB, showing a PostgreSQL JDBC test session)
Contributors: Kris Jurka and Abhijit Menon-Sen

MySQL protocol

File: mysql_complete.pcap (6 KB, from bug 2691)

VendorLanProtocolFamily

Extreme Networks

edp.trace.gz General EDP traffic

edp1.trace.gz

edp.esrp.gz EDP/ESRP traffic

edp.eaps.mirror1.trace.gz

edp.eaps.mirror2.trace.gz

Cisco

cdp-BCM1100.cap

DECT

dump_2009-02-02_23_17_18_RFPI_00_4e_b4_bd_50.pcap.gz A trace of an unencrypted DECT phonecall with the original Ethernet pseudoheader (see README.DECT). Called number 0800-1507090 (DTMF only?)

Sigtran Protocol Family

Captures of protocols belonging to the SIGTRAN family.

isup.cap A single call's signalling sequence using ISUP/MTP3/M3UA/SCTP/IP. NOTE: The M3UA version preference must be set to "Draft 6" to successfully view this file (Edit->Preferences->Protocols->M3UA->M3UA Version->Internet Draft version 6).

bicc.pcap Sample BICC PDUs.

camel.pcap A single call using CAMEL/TCAP/SCCP/MTP3/M2UA/SCTP/IP. This "capture" has been generated using the text2pcap tool from an MTP3 raw data trace. The capture contains the following Camel operations: InitialDP, RequestReportBCSMEvent, ApplyCharging, Continue, EventReportBCSM, ApplyChargingReport, ReleaseCall.

camel2.pcap Same as the camel.pcap capture, except that it uses another Camel phase. The other difference is that the call is rejected. The capture contains the following Camel operations: InitialDP, RequestReportBCSMEvent, Connect, ReleaseCall.

gsm_map_with_ussd_string.pcap This "capture" has been generated using the text2pcap tool from an MTP3 raw data trace. It contains a GSM MAP processUnstructuredSS-Request MAP operation with a USSD string (GSM 7-bit encoded).

ansi_map_ota.pcap ANSI MAP OTA trace.

ansi_map_win.pcap ANSI MAP over ANSI MTP3 with WIN messages.

packlog-example.cap Example capture of Cisco ITP's Packet Logging Facility packets (SS7 MSU encapsulated in syslog messages). It contains a few random MSUs: MTP3MG, TCAP and GSM_MAP. There aren't any complete dialogs in the capture.

japan_tcap_over_m2pa.pcap Example of TCAP over Japan SCCP/MTP over M2PA (RFC version).

ansi_tcap_over_itu_sccp_over_mtp3_over_mtp2.pcap Example of ANSI TCAP carried over ITU SCCP/MTP3/MTP2. Really this should be in an "SS7" section of the SampleCaptures page.

Stream Control Transmission Protocol (SCTP)

sctp.cap Sample SCTP PDUs.

sctp-test.cap Sample SCTP handshaking and DATA/SACK chunks.

sctp-addip.cap Sample SCTP ASCONF/ASCONF-ACK Chunks that perform Vertical Handover.

sctp-www.cap Sample SCTP DATA Chunks that carry HTTP messages between Apache2 HTTP Server and Mozilla.

IPMI

ipmi.SDR.FRU.SEL.pcap Opens and closes a session and retrieves the SDR, SEL and FRU. This "capture" has been generated using the text2pcap tool from an RMCP raw data trace.

ipmi.sensor.event.RR.pcap Opens and closes a session and performs different Sensor/Event requests and responses. This "capture" has been generated using the text2pcap tool from an RMCP raw data trace.

IPMB

ipmb.multi.packets.pcap (libpcap) (IPMB plugin is coming soon; not available in Wireshark 0.99.6.) IPMB interface capture file, including multiple request and response packets.

SIP and RTP

aaa.pcap Sample SIP and RTP traffic.

SIP_CALL_RTP_G711 Sample SIP call with RTP in G711.

SIP_DTMF2.cap Sample SIP call with RFC 2833 DTMF

h223-over-rtp.pcap.gz (libpcap) A sample of H.223 running over RTP, following negotiation over SIP.

h263-over-rtp.pcap (libpcap) A sample of RFC 2190 H.263 over RTP, following negotiation over SIP.

metasploit-sip-invite-spoof.pcap Metasploit 3.0 SIP Invite spoof capture.

RTSP Protocol

Here's a few RTSP packets in Microsoft Network Monitor format: RTSPPACKETS1.cap

rtsp_with_data_over_tcp.cap (libpcap) An RTSP reply packet.

H.223

h223-over-iax.pcap.gz (libpcap) A sample of H.223 running over IAX, including H.263 and AMR payloads.

h223-over-tcp.pcap.gz (libpcap) A sample of H.223 running over TCP. You'll need to select 'Decode as... H.223'.

h223-over-rtp.pcap.gz (libpcap) A sample of H.223 running over RTP, following negotiation over SIP.

USB Raw (dlt 186)

VariousUSBDevices.pcap (libpcap) Various USB devices on a number of busses

mouse_replug2.pcap USB packets exchanged while unplugging and replugging a mouse.

usbstick3.pcap.gz (libpcap) Plug in a USB 2.0 stick, mount it, list the contents.

usbhub.pcap.gz (libpcap) Plug in a USB 2.0 4-port hub without an external power supply, plug a Logitech presenter into one of the ports, press a button, unplug the presenter, unplug the hub. Repeat with an externally powered hub.

USB with Linux encapsulation (dlt 189)

usb_memory_stick.pcap Plug in a USB stick and mount it.

usb_memory_stick_create_file.pcap Create a new file on a previously mounted memory stick and write some text into it.

usb_memory_stick_delete_file.pcap Delete the previously created file from the memory stick.

Bluetooth_HCI_and_OBEX_Transaction_over_USB.ntar.gz contains a Bluetooth session (including connecting the USB adaptor used, pairing with a mobile phone, receiving a file over RFCOMM/L2CAP/OBEX, and finally removing the USB Bluetooth adaptor) over USB

WAP Protocol Family

WAP_WBXML_Provisioning_Push.pcap contains a WSP Push PDU with a Client Provisioning document encoded in WBXML. This example comes from the WAP Provisioning specifications.

wap_google.pcap contains two WSP request-response dialogs.

X.509 Digital Certificates

x509-with-logo.cap contains (packet 18) an X.509 digital certificate containing RFC3709 LogotypeCertificateExtensions.

Lightweight Directory Access Protocol (LDAP)

ldap-controls-dirsync-01.cap Sample LDAP PDU with DIRSYNC CONTROLS

ldap-krb5-sign-seal-01.cap Sample GSSAPI-KRB5 signed and sealed LDAP PDU

ldap-and-search.pcap Sample search filter with AND filter, filter

[[attachment:lda

SampleCaptures (last edited 2020-07-23 02:16:49 by ChuckCraft)