The Ultimate PCAP

For the last couple of years, I captured many different network and upper-layer protocols and published the pcaps along with some information and Wireshark screenshots on this blog. However, it always takes me some time to find the correct pcap when I am searching for a concrete protocol example. There are way too many pcaps out there.

This is supposed to change now:

I’m publishing a single pcap meant to be a single point of source for Wireshark samples. It summarises *all* previous ones from my blog and even adds some more protocols and details. I will constantly add more packets to this pcap if I have some. Currently, it has 80+ different protocols and hundreds of variants, such as IPv6 and legacy IP traffic, different DNS query types, ICMP error codes, and so on.

All previous pcaps can be found on my blog by following the pcap tag: https://weberblog.net/tag/pcap/, while all Wireshark-related posts (showing screenshots and use-cases) are behind the Wireshark tag: https://weberblog.net/tag/wireshark/.

Download the Ultimate PCAP

Download it, 7zipped, 5 MB (latest update: v20231218):

Side note: Since the packets are captured over many years (at least 2009-2023 – LOL), your “time” and “delta time” columns will go crazy. ;) Side note 2: As I will add more packets to the pcap, the frame numbers will change in the future.

What’s in there?

Layer 2 Protocols

That is: not ip and not ipv6. Referenced by the EtherType.

  • ARP (request, reply, gratuitous)
  • CDP
  • DEC DNA Remote Console
  • DTP
  • HDLC (to be precise: Cisco HDLC)
  • HomePlug AV
  • IS-IS
  • LACP
  • LLDP
  • LOOP
  • MPLS
  • PPP (PPPoED, LCP, IPCP, IPV6CP)
  • RARP
  • STP
  • UDLD
  • VTP

Layer 4 Protocols that are *not* TCP/UDP

That is (almost): (ip or ipv6) and not (tcp or udp). Referenced by the IP Protocol Number, which is the “Next Header” field in IPv6 respectively the “Protocol” field in IP.

  • 4in6 [Wireshark display filter: ipv6.nxt == 4]
  • 6in4 [Wireshark display filter: ip.proto == 41]
  • AH v6 (IPv6 extension header number 51, used by OSPFv3)
  • EIGRP v6/v4
  • ESP v6/v4 (IPv6 extension header number 50)
  • GRE v4 (tunneling v6 and v4)
  • ICMPv6 (RS, RA w/ RDNSS and DNSSL, NS, NA, DAD, MLD with hop-by-hop extension header (number 0), ping, destination unreachables, packet too big, time exceeded)
  • ICMPv4 (ping, timestamp, destination unreachable, time-to-live exceeded)
  • IGMP (v1, v3)
  • L2TP
  • OSPFv2 for IPv4 (MD5 authentication)
  • OSPFv3 for IPv6 (plain & authentication via IPsec authentication header AH)
  • VRRP for IPv4

Upper Layer Protocols based on TCP/UDP

That is: tcp or udp. Referenced by the classical transport protocol port number.

  • BFD v4 (control & echo)
  • BGP v6/v4 (MD5 authentication)
  • CAPWAP v4
  • Chargen v6/v4
  • Daytime v6/v4
  • DHCPv6 (stateful, stateless, prefix delegation)
  • DHCPv4 (DORA, NAK)
  • Discard v6/v4 [Wireshark display filter: udp.port eq 9 or tcp.port eq 9]
  • DNS v4/v6 (tons of RRs, UDP, TCP, fragmentation, DNSSEC validation, SERVFAIL, NXDOMAIN, REFUSED, ENDS(0) client subnet, EDNS(0) cookie, mDNS, dynamic update, zone change notification, IXFR, AXFR, TSIG)
  • Echo v6/v4
  • FTP v6/v4 (with and without AUTH TLS)
  • GLBP v6/v4
  • HKP v4
  • HSRP (version 1, version 2) v6/v4
  • HTTP v6/v4
  • HTTP-Proxy v4
  • HTTPS aka TLS v6/v4
  • HTTPS-Proxy v4
  • IKEv1 v6/v4 (aggressive mode, main mode) [Wireshark display filter: isakmp]
  • IKEv2 v6 [Wireshark display filter: isakmp]
  • IMAP v6
  • IP SLA v4
  • IPMI/RMCP+ v6/v4
  • IPP v6 (used by Apple AirPrint)
  • LDP v4
  • LPD/LPR v4
  • mDNS v6/v4 (sourced by Apple devices)
  • NetFlow (v9) v6 [Wireshark display filter: cflow]
  • NTP v6/v4 (basic client-server, symmetric, control, authentication w/ md5 and sha-1 and nak, NTS with TLS 1.3)
  • OCSP v6/v4 (request-response and stapling)
  • RADIUS v6/v4 (PAP, CHAP, MS-CHAP, MS-CHAPv2, PEAP-MSCHAPv2, PEAP with GTC, EAP-TTLS with PAP; shared secret: “iNJ72r0uPXP5qhAX”)
  • Raw printing via TCP port 9100 v4
  • RIP for IPv4
  • RIPng for IPv6
  • RTP v4 (VoIP calls)
  • SIP v4 (VoIP calls)
  • SMTP v6/v4 (with and without STARTTLS)
  • SNMP (query/response, trap, version 2c, version 3 with AuthPriv) v6/v4
  • SSDP v4
  • SSH v6/v4
  • Syslog (UDP, TCP, TLS) v6/v4
  • TACACS+ v4 (encryption key: “John3.16”)
  • Telnet v6
  • TFTP v4
  • Time v6/v4
  • WHOIS v6/v4

Miscellaneous

  • ACME challenge type HTTP-01 v6
  • Apple AirPlay v4
  • Apple AirPrint v6 link-local
  • HTTPS Reconnect / Session Resumption
  • IP fragments (sourced by DNS over UDP)
  • IPv6 fragments (aka fragment header (44), sourced by DNS over UDP)
  • NAT46 client & server comparison (though no own protocols)
  • Packet Comments [display filter: pkt_comment]
  • Pile of Poo 💩 (can you find it? ;))
  • SNAP header (at some ARP packets)
  • TCP fragmented segments
  • TCP RSTs from real server vs. “spoofed” from the firewall
  • Traceroute (aka hop limit/TTL trick via Linux (UDP destination ports ≥ 33434), Windows (echo-requests), and Layer-4 Traceroute LFT (TCP port 25)) v6/v4
  • TLS v6/v4 (1.2, 1.3)
  • VLAN tagging
  • VoIP Calls v4
  • Wake-on-LAN WoL magic packets, type 1 (Ethertype 0x0842) and type 2 (UDP port 9)
  • Zabbix v4 (thanks to Markku Leiniö) [Wireshark display filter: tcp.port eq 10051]

What’s still missing?

The following protocols and packet types are still missing.

Am I missing some more? Please write a comment below! Appreciate it!
  • DNS-over-HTTPS (DoH)
  • DNS-over-TLS (DoT)
  • DNS-over-QUIC (DoQ)
  • DTLS
  • EAPOL (IEEE 802.1X aka NAC)
  • ERSPAN
  • ESP in UDP 4500 NAT traversal
  • IPv6 extension headers: routing (43), destination options (60), mobility (135)
  • ISL
  • Kerberos
  • LDAP
  • MPTCP
  • MST
  • NetBIOS
  • NFS
  • PAgP
  • PIM
  • POP3
  • PTP
  • QUIC
  • RDP
  • SMB
  • TCP details & flags
  • VXLAN
  • Ethernet Jumbo Frames

God bless!

Photo by Greg Rakozy on Unsplash.

35 thoughts on “The Ultimate PCAP

  1. Hello, great work so far. For a future release, please consider modern data center traffic, which is VXLAN encapsulated. A simple HTTP or Telnet session would suffice, giving viewers an understanding on how application gets encapsulated before moving about a data center.

  2. Great work! This is really helpful as test set for a tool I’m writing. Something I’d like to see is MPLS and IS-IS

  3. NFS, HDFS are relatively popular protocols over TCP/UDP. CAN would be good, I think there’s even a wireshark dissector.

  4. Hi pcap experts. Could someone tell me how (tools) to capture traffic in a ppp interface in Windows 10?. I couldn’t with the last wireshark but perhaps is my fault. Thanks for your help.

  5. NBD, which has two variants in widespread use called “newstyle” and “oldstyle”. Here’s a simple command which will generate an NBD handshake over a TCP localhost socket, port 10809. For newstyle:

    nbdkit -n null –run ‘qemu-img info $nbd’

    and oldstyle:

    nbdkit -o null –run ‘qemu-img info $nbd’

    1. Let’s see if I can use pre to avoid the blog software screwing up the commands …

    1. Hi Bruno,

      well, the purpose of this single is to NOT have it in multiple files which tends to be unmanageable from my point of view. Now, when I want to have a quick glance at a certain protocol, I do not have to search for the specific file, but simply open this single one. ;)

      However, of course, it depends on your scenario. And as already noted above: all of my pcaps are in singles files (which lots of descriptions) on my blog as well: https://weberblog.net/tag/pcap/

      Stay healthy!
      Johannes

  6. Thank you so much for providing such a valuable asset for teaching. Students are happy with this pcap dump :)

  7. Thank you. Your IGMPv3 messages include an IHL of 6 and an IPv4 header option. I needed an example for a class. Thank you!

    1. Nice. You are welcome. (I have no idea what an IHL of 6 is. ;) To be honest, I have no idea of IGMPv3 at all. For some reason, it appeared in the trace. Hahaha.)

  8. Hi,
    I’m looking for relayed DHCP (with option 82 and various suboptions)
    Thanks!

    1. It’s true: There is no relayed DHCP traffic in there yet. (Though some unicast DHCP traffic at least.) I’ll put that on the list. Shouldn’t be that hard.

      One question though: The differences are not that big at all. The DHCP packets look the same (though different source/destinations) and there are already different options in the PCAP. Wherefore do you need those details? Just curious.

  9. Maybe not of interest for the general populace – but in terms of adding to your ‘missing’ list; maybe BACnet/IP (?).

    1. Also in terms of adding to your ‘missing’ list; maybe ‘KNX’ (and ‘MQTT’) as well.

  10. Were the Netscreen syslog message modified to delete the timestamp?
    There should be one between the PRI and MSG.

    ssg: NetScreen device_id=0185082008001541 [Root]system-notification-00257(traffic): start_time=”2019-05-09 14:50:08″ duration=59 policy_id=1 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=136 rcvd=0 src=193.24.227.196 dst=9.9.9.9 src_port=41443 dst_port=53 src-xlated ip=193.24.227.196 port=41443 dst-xlated ip=9.9.9.9 port=53 session_id=48046 reason=Close – AGE OUT

  11. 1. I am looking for Carrier Ethernet PCAP files. Specifically, I would like to analyze one that shows PBB (Provider Backbone Bridging) IEEE 802.1ah. This is also referred to as MAC-in-MAC. I would also a better example than the one I have of IEEE 802.1ad, which shows the S-VLAN (Service Provider) and C-VLAN (Customer) tags.

    2. If anyone has some good mobile cellular captures of 4G LTE and/or 5G System, that would be great.

    Thank you.

Leave a Reply

Your email address will not be published. Required fields are marked *