So you're at home tonight, having just discovered the Ethereal project.
You downloaded the Ethereal source code, compiled it, and want to
take the program for a test drive. But your home LAN doesn't have any
interesting or exotic packets on it? Here are some goodies to try. Please
note that if for some reason you disabled zlib support in Ethereal,
you'll have to gunzip any of the following files that are gzipped.
Sample Traces
- dualhome.iptrace: (AIX iptrace)
Shows Ethernet and Token Ring packets captured in the same file.
- v6.pcap: (libpcap)
Shows IPv6 and ICMPv6 packets.
- genbroad.snoop: (Solaris snoop)
NetWare, AppleTalk, and other broadcasts on an Ethernet network.
- ipv6-ripng.gz: (libpcap)
RIPng packets (IPv6)
- ascend.trace.gz: (Ascend WAN router)
Shows how Ethereal parses special Ascend data
- pim-reg.cap: (libpcap)
Protocol Independent Multicast, with IPv6 tunnelled within IPv6
- toshiba.general.gz: (Toshiba)
Just some general usage of a Toshiba ISDN router. There are three link
types in this trace: PPP, Ethernet, and LAPD.
- afs.cap.gz: (libpcap)
Andrew File System, based on RX protocol. Various operations.
- vlan.cap.gz: (libpcap)
Lots of different protocols, all running over 802.1Q virtual LANs.
- imap.cap.gz: (libpcap)
A short IMAP session using Mutt against an MSX server.
- bootparams.cap.gz: (libpcap)
A couple of rpc.bootparamsd 'getfile' and 'whoami' requests.
- mapi.cap.gz: (libpcap)
MAPI session w/ Outlook and MSX server, not currently decoded by Ethereal.
- nfsv2.pcap.gz: (libpcap)
Fairly complete trace of all NFS v2 packet types.
- nfsv3.pcap.gz: (libpcap)
Fairly complete trace of all NFS v3 packet types.
- mpls-te.cap: (libpcap)
MPLS Traffic Engineering sniffs. Includes RSVP
messages with MPLS/TE extensions and OSPF link updates with MPLS
LSAs.
- mpls-basic.cap: (libpcap)
A basic sniff of MPLS-encapsulated IP packets over Ethernet.
- mpls-exp.cap: (libpcap)
IP packets with EXP bits set.
- mpls-twolevel.cap: (libpcap)
An IP packet with two-level tagging.
- bgp.pcap.gz: (libpcap)
BGP packets, including AS path attributes.
- gryphon.cap: (libpcap)
A trace of Gryphon packets. This is useful for testing the Gryphon plug-in.
- atm_capture1.cap: (libpcap)
A trace of ATM Classical IP packets.
- rtp_example.raw.gz: (libpcap)
A VoIP sample capture.
- rpl_sample.cap.gz: (libpcap)
A RIPL sample capture.
- nfs_bad_stalls.cap: (libpcap)
An NFS capture containing long stalls (about 38ms) in the middle of the
responses to many read requests. This is useful for seeing the staircase
effect in TCP Time Sequence Analysis.
- netbench_1.cap: (libpcap)
A capture of a reasonable amount of NetBench traffic. It is useful to see
some of the traffic a NetBench run generates.
- telnet-cooked.pcap: (libpcap)
A telnet session in "cooked" (per-line) mode.
- telnet-raw.pcap: (libpcap)
A telnet session in "raw" (per-character) mode.
Crack Traces
- teardrop.cap:
Packets 8 and 9 show the overlapping IP fragments in a Teardrop attack.
- zlip-1.pcap:
DNS exploit: a compression pointer that points to itself, causing endless
message decompression.
- zlip-2.pcap:
DNS exploit: endless cross-referencing during message decompression.
- zlip-3.pcap:
DNS exploit: creates a very long domain name through multiple decompression
of the same hostname, again and again.
- Captures of traffic generated by the PROTOS test suite developed at the
University of Oulu:
If you have any interesting packet captures that you would like to share with
the world, feel free to e-mail them to Gilbert. Just make sure that you didn't
capture any passwords in your file!