Developed as a community asset
- CapSan - Packet capture sanitizer/anonymizer for Jon Siwek at University of Illinois.
- Malcolm - Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
- Jason Smith's Organized ICS PCAP repo - A comprehensive collection of ICS/SCADA PCAPs organized by protocol. Make sure to have git lfs support and do a git lfs clone of the linked repo to get the actual files.
- Bro-IDS DNP3 & Modbus Captures - Test captures from the parser testing tree.
- OpenICS test data - Test captures from the OpenICS effort.
- Profinet Captures - Random Profinet captures from the wild.
- QuickDraw test data - PCAPs from the quickdraw initiative to test the sensor filters.
- Various DNP3 captures - This covers a variety of DNP3 captures broken out by function types. They include some very obscure functionality and were designed for firewall testing.
- Various Siemens S7 captures - Covers a subset of the S7 protocol, including a few security-critical functions such as authentication and firmware update.
- More S7 Captures - Some more S7 captures
- Various C37.118 Captures - Example C37.118 captures and spec details
- DLMS-COSEM Security Review - Third-party security review of DLMS-COSEM
- Various EthernetIP Captures - Various EthernetIP captures
- Various IEC 60870-5-104 Captures - Various IEC 60870-5-104 captures
- Various IEC 61850 Captures - Various IEC 61850 captures
- Various ModBus TCP Captures - Various Modbus TCP captures
- Various OPC Specifications - Various OPC specifications
- Various Zigbee Captures - Various Zigbee captures
- Netresec PCAP collection - This is a list of public packet capture repositories, which are freely available on the Internet. Most of the sites listed below share Full Packet Capture (FPC) files, but some do unfortunately only have truncated frames.
- Coimbra PCAPs - ICS Cybersecurity PCAP repository from the Univ. of Coimbra CyberSec team
- OpenDNP3 3.0 - OpenDNP3 3.0 Conformance Captures and Report. Original Source.
- iTrust Secure Water Treatment Testbed (SWaT/SUTD) Dataset - The SWaT Dataset was systematically generated from the Secure Water Treatment Testbed (SUTD) to address this need. The data collected from the testbed consists of 11 days of continuous operation. 7 days’ worth of data was collected under normal operation while 4 days’ worth of data was collected with attack scenarios. During the data collection, all network traffic, sensor and actuator data were collected. [available by request]
- iTrust WADI Dataset - Similar to the SWaT dataset, the data collected from the Water Distribution testbed consists of 16 days of continuous operation, of which 14 days’ worth of data was collected under normal operation and 2 days with attack scenarios. During the data collection, all network traffic, sensor and actuator data were collected. [available by request]
- iTrust EPIC Dataset - Blaq_0 Hackathon was first organised in January 2018 for SUTD undergraduate students. Independent attack teams design and launch attacks on EPIC. Attack teams are scored according to how successful they are in performing attacks based on specific intents. [available by request]
- Illinois ADSC 61850 Dataset - This repository contains network traces that describe GOOSE communications in a mock substation that consists of 4-buses and 18 IEDs. The IEDs communicate with each other using the IEC 61850 GOOSE protocol. These are traces that represent normal, disturbance, and attack scenarios.
- HAI Dataset - The HAI dataset was collected from a realistic industrial control system (ICS) testbed augmented with a Hardware-In-the-Loop (HIL) simulator that emulates steam-turbine power generation and pumped-storage hydropower generation.
(Creative Commons license)