The Ultimate PCAP

For the last couple of years, I captured many different network and upper-layer protocols and published the pcaps along with some information and Wireshark screenshot on this blog. However, it sometimes takes me some time to find the correct pcap when I am searching for a concrete protocol example. There are way too many pcaps out there.

This is supposed to change now:

I’m publishing a single pcap meant to be a single point of source for Wireshark samples. It is summarizing *all* previous ones from my blog and even adding some more protocols and details. I will constantly add more packets to this pcap if I have some. Currently, it has > 50 different protocols and hundreds of variants, such as IPv6 and legacy IP traffic, different DNS query types, ICMP error codes, and so on.

All previous pcaps can be found on my blog by following the pcap tag:, while all Wireshark related posts (showing screenshots and use-cases) are behind the Wireshark tag:

Download the Ultimate PCAP

Download it, 7zipped, 4 MB:

Side note: Since the packets are captured over many years (at least 2014-2020), your “time” and “delta time” columns will display odd values. ;) Side note 2: As I will add more packets to the pcap, the frame numbers will change in the future.

What’s in there?

Layer 2 Protocols

  • ARP (request, reply, gratuitous)
  • CDP
  • DTP
  • LACP
  • LLDP
  • LOOP
  • STP
  • UDLD
  • VTP

Layer 4 Protocols that are *not* TCP/UDP

  • 6in4 [Wireshark display filter: ip.proto == 41]
  • AH v6 (IPv6 extension header number 51, used by OSPFv3)
  • EIGRP v6/v4
  • ESP v6/v4 (IPv6 extension header number 50)
  • GRE v4 (tunneling v6 and v4)
  • ICMPv6 (RS, RA w/ RDNSS and DNSSL, NS, NA, DAD, MLD with hop-by-hop extension header (number 0), ping, destination unreachables, packet too big, time exceeded)
  • ICMPv4 (ping, timestamp, destination unreachable, time-to-live exceeded)
  • IGMP (v1, v3)
  • OSPFv2 for IPv4 (MD5 authentication)
  • OSPFv3 for IPv6 (plain & authentication via IPsec authentication header AH)

Upper Layer Protocols based on TCP/UDP

  • BGP v6/v4 (MD5 authentication)
  • DHCPv6 (stateful, stateless, prefix delegation)
  • DHCPv4 (DORA, NAK)
  • DNS v4/v6 (tons of RRs, UDP, TCP, fragmentation, DNSSEC validation, SERVFAIL, NXDOMAIN, ENDS(0) client subnet, EDNS(0) cookie, mDNS, dynamic update, zone change notification, IXFR, AXFR, TSIG)
  • HSRP v6/v4
  • HTTP v6/v4
  • HTTP-Proxy v4
  • HTTPS aka TLS v6/v4
  • IKEv1 v6/v4 (aggressive mode, main mode) [Wireshark display filter: isakmp]
  • IKEv2 v6 [Wireshark display filter: isakmp]
  • IMAP v6
  • IP SLA v4
  • NetFlow v6
  • NTP v6/v4 (basic client-server, symmetric, control, authentication w/ md5 and sha-1 and nak, NTS with TLS 1.3)
  • RIP for IPv4
  • RIPng for IPv6
  • RTP v4 (VoIP calls)
  • SIP v4 (VoIP calls)
  • SMTP v6/v4 (with and without STARTTLS)
  • SNMPv2c v6
  • SSDP v4
  • SSH v6/v4
  • Syslog v6/v4
  • Telnet v6
  • TFTP v4
  • WHOIS v6/v4


  • Apple AirPlay v4
  • IP fragments (sourced by DNS over UDP)
  • IPv6 fragments (aka fragment header (44), sourced by DNS over UDP)
  • TCP fragmented segments
  • Traceroute (aka TTL trick via echo-request & TCP port 25) v6/v4
  • TLS v6/v4 (1.2, 1.3)
  • VLAN tagging
  • VoIP Calls v4

What’s still missing?

The following protocols and packet types are still missing.

Am I missing some more? Please write a comment below! Appreciate it!
  • 4in6
  • ESP in UDP 4500 NAT traversal
  • GLBP
  • IPv6 extension headers: routing (43), destination options (60), mobility (135)
  • LDAP
  • MST
  • PAgP
  • SNMPv3
  • TCP details & flags
  • VRRP
  • Ethernet Jumbo Frames

God bless!

Photo by Greg Rakozy on Unsplash.

19 thoughts on “The Ultimate PCAP

  1. Hello, great work so far. For a future release, please consider modern data center traffic, which is VXLAN encapsulated. A simple HTTP or Telnet session would suffice, giving viewers an understanding on how application gets encapsulated before moving about a data center.

  2. Great work! This is really helpful as test set for a tool I’m writing. Something I’d like to see is MPLS and IS-IS

  3. NFS, HDFS are relatively popular protocols over TCP/UDP. CAN would be good, I think there’s even a wireshark dissector.

  4. Hi pcap experts. Could someone tell me how (tools) to capture traffic in a ppp interface in Windows 10?. I couldn’t with the last wireshark but perhaps is my fault. Thanks for your help.

  5. NBD, which has two variants in widespread use called “newstyle” and “oldstyle”. Here’s a simple command which will generate an NBD handshake over a TCP localhost socket, port 10809. For newstyle:

    nbdkit -n null –run ‘qemu-img info $nbd’

    and oldstyle:

    nbdkit -o null –run ‘qemu-img info $nbd’

    1. Let’s see if I can use pre to avoid the blog software screwing up the commands …

    1. Hi Bruno,

      well, the purpose of this single is to NOT have it in multiple files which tends to be unmanageable from my point of view. Now, when I want to have a quick glance at a certain protocol, I do not have to search for the specific file, but simply open this single one. ;)

      However, of course, it depends on your scenario. And as already noted above: all of my pcaps are in singles files (which lots of descriptions) on my blog as well:

      Stay healthy!

Leave a Reply

Your email address will not be published. Required fields are marked *