For the last couple of years, I captured many different network and upper-layer protocols and published the pcaps along with some information and Wireshark screenshots on this blog. However, it sometimes takes me some time to find the correct pcap when I am searching for a concrete protocol example. There are way too many pcaps out there.
This is supposed to change now:
All previous pcaps can be found on my blog by following the pcap tag: https://weberblog.net/tag/pcap/, while all Wireshark-related posts (showing screenshots and use-cases) are behind the Wireshark tag: https://weberblog.net/tag/wireshark/.
Download the Ultimate PCAP
Download it, 7zipped, 5 MB (latest update: v20221220):
Side note: Since the packets are captured over many years (at least 2009-2021 – LOL), your “time” and “delta time” columns will display odd values. ;) Side note 2: As I will add more packets to the pcap, the frame numbers will change in the future.
What’s in there?
Layer 2 Protocols
That is: not ip and not ipv6. Referenced by the EtherType.
- ARP (request, reply, gratuitous)
- DEC DNA Remote Console
- HDLC (to be precise: Cisco HDLC)
- HomePlug AV
- PPP (PPPoED, LCP, IPCP, IPV6CP)
Layer 4 Protocols that are *not* TCP/UDP
That is (almost): (ip or ipv6) and not (tcp or udp). Referenced by the IP Protocol Number, which is the “Next Header” field in IPv6 and the “Protocol” field in IPv4.
- 4in6 [Wireshark display filter: ipv6.nxt == 4]
- 6in4 [Wireshark display filter: ip.proto == 41]
- AH v6 (IPv6 extension header number 51, used by OSPFv3)
- EIGRP v6/v4
- ESP v6/v4 (IPv6 extension header number 50)
- GRE v4 (tunneling v6 and v4)
- ICMPv6 (RS, RA w/ RDNSS and DNSSL, NS, NA, DAD, MLD with hop-by-hop extension header (number 0), ping, destination unreachables, packet too big, time exceeded)
- ICMPv4 (ping, timestamp, destination unreachable, time-to-live exceeded)
- IGMP (v1, v3)
- OSPFv2 for IPv4 (MD5 authentication)
- OSPFv3 for IPv6 (plain & authentication via IPsec authentication header AH)
- VRRP for IPv4
Upper Layer Protocols based on TCP/UDP
That is: tcp or udp. Referenced by the classical transport protocol port number.
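The three headings above sort the pcap by the field that names the next protocol at each layer: the EtherType, then the IPv4 “Protocol” / IPv6 “Next Header”, then the TCP/UDP port. As an added example (not part of the original post and not the blog author's code), the following Python does the same sort over a handful of constructed frames. It is deliberately strict about IPv6: a packet with a hop-by-hop header (the MLD case listed above) or an AH header (the OSPFv3 case) has 0 or 51 in byte 6 of the fixed header, and the real upper-layer protocol is only reached by walking the extension-header chain. Non-first fragments carry no transport header, so they land in the Layer 4 bucket instead of being mis-read as ports. All frames, addresses and ports are constructed here; none come from the pcap.

```python
"""Sort raw Ethernet frames into the three buckets used on the page:
L2 (by EtherType), L4 that is not TCP/UDP (by IPv4 Protocol / final IPv6
Next Header) and upper layer (by TCP/UDP port). Sample frames are constructed."""
import struct

ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0800, 0x86DD, 0x0806, 0x8100
IP_PROTO_TCP, IP_PROTO_UDP = 6, 17
# IPv6 extension headers: hop-by-hop (0), routing (43), fragment (44), AH (51), dest. options (60)
IPV6_EXT_HEADERS = {0, 43, 44, 51, 60}


def parse_ethernet(frame):
    """Return (ethertype, payload); a single 802.1Q tag is stripped if present."""
    ethertype, offset = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == ETHERTYPE_VLAN:
        ethertype, offset = struct.unpack_from("!H", frame, 16)[0], 18
    return ethertype, frame[offset:]


def ipv4_upper(pkt):
    """IPv4: 'Protocol' is byte 9, IHL (low nibble of byte 0) is the header length in 32-bit words.
    A non-first fragment has no transport header, so its payload is reported as empty."""
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    return pkt[9], (b"" if frag_offset else pkt[ihl:])


def ipv6_upper(pkt):
    """IPv6: follow the Next Header chain through extension headers; byte 6 alone is not enough."""
    nxt, offset = pkt[6], 40
    while nxt in IPV6_EXT_HEADERS:
        ext_nxt = pkt[offset]
        if nxt == 44:                                   # fragment header: fixed 8 bytes
            if struct.unpack_from("!H", pkt, offset + 2)[0] >> 3:  # non-zero fragment offset
                return ext_nxt, b""                     # not the first fragment: no ports here
            ext_len = 8
        elif nxt == 51:                                 # AH: length in 32-bit words minus 2
            ext_len = (pkt[offset + 1] + 2) * 4
        else:                                           # others: 8-byte units, excluding the first 8
            ext_len = (pkt[offset + 1] + 1) * 8
        nxt, offset = ext_nxt, offset + ext_len
    return nxt, pkt[offset:]


def classify(frame):
    """Return the bucket a frame belongs to, plus the identifier the bucket is keyed on."""
    ethertype, payload = parse_ethernet(frame)
    if ethertype == ETHERTYPE_IPV4:
        proto, l4 = ipv4_upper(payload)
    elif ethertype == ETHERTYPE_IPV6:
        proto, l4 = ipv6_upper(payload)
    else:
        return {"layer": "L2", "ethertype": ethertype}
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return {"layer": "upper", "transport": "tcp" if proto == IP_PROTO_TCP else "udp",
                "sport": sport, "dport": dport, "service_port": min(sport, dport)}
    return {"layer": "L4", "ip_proto": proto, "non_first_fragment": not l4}


# ---- constructed sample frames (documentation addresses from RFC 5737 / RFC 3849) ----
def eth(ethertype, payload, vlan=None):
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return bytes(range(6)) + bytes(range(6, 12)) + tag + struct.pack("!H", ethertype) + payload

def ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53])) + payload

def ipv6(nxt, payload):
    src, dst = bytes.fromhex("20010db8" + "0" * 23 + "1"), bytes.fromhex("20010db8" + "0" * 23 + "2")
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64, src, dst) + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

MLD_HBH = bytes([58, 0, 0x05, 0x02, 0x00, 0x00, 0x01, 0x00])          # next=ICMPv6, Router Alert
AH_FOR_OSPF = struct.pack("!BBHII", 89, 4, 0, 0x100, 1) + bytes(12)   # next=OSPF, 24-byte AH
FRAG_NONFIRST = struct.pack("!BBHI", IP_PROTO_UDP, 0, 1232 << 3, 0x1234)  # offset 1232, M=0

SAMPLE_FRAMES = {
    "arp": eth(ETHERTYPE_ARP, bytes(28)),
    "icmpv4_ping": eth(ETHERTYPE_IPV4, ipv4(1, bytes([8, 0, 0, 0, 0, 1, 0, 1]))),
    "6in4": eth(ETHERTYPE_IPV4, ipv4(41, ipv6(59, b""))),
    "mld_with_hbh": eth(ETHERTYPE_IPV6, ipv6(0, MLD_HBH + bytes([0x82, 0, 0, 0]))),
    "ospfv3_with_ah": eth(ETHERTYPE_IPV6, ipv6(51, AH_FOR_OSPF + bytes([3, 1, 0, 16]))),
    "dns_vlan": eth(ETHERTYPE_IPV4, ipv4(IP_PROTO_UDP, udp(41443, 53, b"\x12\x34")), vlan=100),
    "bgp_v6": eth(ETHERTYPE_IPV6, ipv6(IP_PROTO_TCP, tcp(50000, 179))),
    "dns_v6_fragment": eth(ETHERTYPE_IPV6, ipv6(44, FRAG_NONFIRST + bytes(16))),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:16} {classify(frame)}")
```

The `service_port` value follows the usual heuristic of treating the lower port as the well-known one; it is what you would feed into a `tcp.port eq N` / `udp.port eq N` style filter, while the `ip_proto` value corresponds to `ip.proto` / the final `ipv6.nxt`.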
- BFD v4 (control & echo)
- BGP v6/v4 (MD5 authentication)
- CAPWAP v4
- Chargen v6/v4
- Daytime v6/v4
- DHCPv6 (stateful, stateless, prefix delegation)
- DHCPv4 (DORA, NAK)
- Discard v6/v4 [Wireshark display filter: udp.port eq 9 or tcp.port eq 9]
- DNS v4/v6 (tons of RRs, UDP, TCP, fragmentation, DNSSEC validation, SERVFAIL, NXDOMAIN, EDNS(0) client subnet, EDNS(0) cookie, mDNS, dynamic update, zone change notification, IXFR, AXFR, TSIG)
- Echo v6/v4
- FTP v6/v4 (with and without AUTH TLS)
- GLBP v6/v4
- HKP v4
- HSRP (version 1, version 2) v6/v4
- HTTP v6/v4
- HTTP-Proxy v4
- HTTPS aka TLS v6/v4
- HTTPS-Proxy v4
- IKEv1 v6/v4 (aggressive mode, main mode) [Wireshark display filter: isakmp]
- IKEv2 v6 [Wireshark display filter: isakmp]
- IMAP v6
- IP SLA v4
- IPP v6 (used by Apple AirPrint)
- LDP v4
- LPD/LPR v4
- mDNS v6/v4 (sourced by Apple devices)
- NetFlow (v9) v6 [Wireshark display filter: cflow]
- NTP v6/v4 (basic client-server, symmetric, control, authentication w/ md5 and sha-1 and nak, NTS with TLS 1.3)
- OCSP v6/v4 (request-response and stapling)
- RADIUS v6/v4 (PAP, CHAP, MS-CHAP, MS-CHAPv2, PEAP-MSCHAPv2, PEAP with GTC, EAP-TTLS with PAP; shared secret: “iNJ72r0uPXP5qhAX”)
- Raw printing via TCP port 9100 v4
- RIP for IPv4
- RIPng for IPv6
- RTP v4 (VoIP calls)
- SIP v4 (VoIP calls)
- SMTP v6/v4 (with and without STARTTLS)
- SNMP (standard query/response, trap, version 2c) v6/v4
- SSDP v4
- SSH v6/v4
- Syslog (UDP, TCP, TLS) v6/v4
- TACACS+ v4 (encryption key: “John3.16”)
- Telnet v6
- TFTP v4
- Time v6/v4
- WHOIS v6/v4
- ACME challenge type HTTP-01 v6
- Apple AirPlay v4
- Apple AirPrint v6 link-local
- HTTPS Reconnect / Session Resumption
- IP fragments (sourced by DNS over UDP)
- IPv6 fragments (aka fragment header (44), sourced by DNS over UDP)
- NAT46 client & server comparison (though no own protocols)
- Pile of Poo (can you find it? ;))
- SNAP header (at some ARP packets)
- TCP fragmented segments
- TCP RSTs from real server vs. “spoofed” from the firewall
- Traceroute (aka hop limit/TTL trick via Linux (UDP destination ports ≥ 33434), Windows (echo-requests), and Layer-4 Traceroute LFT (TCP port 25)) v6/v4
- TLS v6/v4 (1.2, 1.3)
- VLAN tagging
- VoIP Calls v4
- Zabbix v4 (thanks to Markku Leiniö) [Wireshark display filter: tcp.port eq 10051]
What’s still missing?
The following protocols and packet types are still missing.
- EAPOL (IEEE 802.1X aka NAC)
- ESP in UDP 4500 NAT traversal
- IPv6 extension headers: routing (43), destination options (60), mobility (135)
- TCP details & flags
- Ethernet Jumbo Frames
31 thoughts on “The Ultimate PCAP”
Hello, great work so far. For a future release, please consider modern data center traffic, which is VXLAN encapsulated. A simple HTTP or Telnet session would suffice, giving viewers an understanding on how application gets encapsulated before moving about a data center.
SMB? RDP? Also, maybe put it on Github so people could watch for new versions? Thanks!
Great work! This is really helpful as test set for a tool I’m writing. Something I’d like to see is MPLS and IS-IS
CAPWAP Control and CAPWAP encapsulated data could be helpful as well
NFS, HDFS are relatively popular protocols over TCP/UDP. CAN would be good, I think there’s even a wireshark dissector.
Hi pcap experts. Could someone tell me how (which tools) to capture traffic on a PPP interface in Windows 10? I couldn’t with the latest Wireshark, but perhaps it is my fault. Thanks for your help.
NBD, which has two variants in widespread use called “newstyle” and “oldstyle”. Here’s a simple command which will generate an NBD handshake over a TCP localhost socket, port 10809. For newstyle:
nbdkit -n null --run 'qemu-img info $nbd'
nbdkit -o null --run 'qemu-img info $nbd'
Let’s see if I can use pre to avoid the blog software screwing up the commands …
yes, you can. ;)
Xmodem, ymodem, zmodem, zmodem-leech, kermit
DNP, our standard for electrical utility SCADA
“HRSP v6/v4” typo for HSRP (Hot Standby Router Protocol)?
Uh yep. Thx. Fixed it.
Awesome pcap! What about some BFD packets? ;)
Yup, added in the 20201117 update. ;)
Wouldn’t it be more manageable if all protocols were in their own files, like in
and also like already mentioned in GitHub or GitLab.
I always search pcap of real life scenario to illustrate Network classes. Thanks!!
Well, the purpose of this single file is to NOT have it in multiple files, which tends to be unmanageable from my point of view. Now, when I want to have a quick glance at a certain protocol, I do not have to search for the specific file, but simply open this single one. ;)
However, of course, it depends on your scenario. And as already noted above: all of my pcaps are in single files (with lots of descriptions) on my blog as well: https://weberblog.net/tag/pcap/
Thanks a lot johannes
Thank you so much for providing such a valuable asset for teaching. Students are happy with this pcap dump :)
Good work and thanks!
Thank you. Your IGMPv3 messages include an IHL of 6 and an IPv4 header option. I needed an example for a class. Thank you!
Nice. You are welcome. (I have no idea what an IHL of 6 is. ;) To be honest, I have no idea of IGMPv3 at all. For some reason, it appeared in the trace. Hahaha.)
I’m looking for relayed DHCP (with option 82 and various suboptions)
It’s true: There is no relayed DHCP traffic in there yet. (Though some unicast DHCP traffic at least.) I’ll put that on the list. Shouldn’t be that hard.
One question though: The differences are not that big at all. The DHCP packets look the same (though different source/destinations) and there are already different options in the PCAP. Wherefore do you need those details? Just curious.
Maybe not of interest for the general populace – but in terms of adding to your ‘missing’ list; maybe BACnet/IP (?).
Were the Netscreen syslog messages modified to delete the timestamp?
There should be one between the PRI and MSG.
ssg: NetScreen device_id=0185082008001541 [Root]system-notification-00257(traffic): start_time=”2019-05-09 14:50:08″ duration=59 policy_id=1 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=136 rcvd=0 src=22.214.171.124 dst=126.96.36.199 src_port=41443 dst_port=53 src-xlated ip=188.8.131.52 port=41443 dst-xlated ip=184.108.40.206 port=53 session_id=48046 reason=Close – AGE OUT