These are the trace files that are used by the Zeek test suite.

Note to maintainers: please take care when modifying/removing files from here.
We install these traces with the Zeek distribution and external packages might
depend on them for tests.

Trace Index/Sources:

- modbus/modbus-eit.trace:
  Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/.
  The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file.
- [ldap/simpleauth.pcap](https://github.com/arkime/arkime/blob/main/tests/pcap/ldap-simpleauth.pcap)
- ldap/simpleauth-diff-port.pcap: made with
  `tcprewrite -r 3268:32681 -i simpleauth.pcap -o simpleauth-diff-port.pcap`
- ldap/krb5-sign-seal-01.pcap: trace is derived from
  <https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/ldap-krb5-sign-seal-01.cap>
  - the LDAP flow selected (filtered out the Kerberos packets)
  - truncated to 10 packets (where packet 10 contains the SASL encrypted LDAP message)
  - one `\x30` byte in the ciphertext changed to `\x00`
- ldap/issue-32.pcapng: Provided by GH user martinvanhensbergen,
  <https://github.com/zeek/spicy-ldap/issues/23>
- ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap: Harvested from CTU-SME-11
  (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 389 and port 50041.
  https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
- ldap/ldap_invalid_credentials.pcap
  Provided by Martin van Hensbergen in issue #3919.
- dns/tkey.pcap: Harvested from CTU-SME-11
  (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 53.
  https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
- dns/dynamic-update.pcap: : Harvested from CTU-SME-11
  (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 53.
  https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
- pop3/POP3.pcap: Picked up from POP tutorial on tranalyzer.com
  https://tranalyzer.com/tutorial/pop
  https://tranalyzer.com/download/data/pop3.pcap
- http/cooper-grill-dvwa.pcapng
  Provided by cooper-grill on #3995
  https://github.com/zeek/zeek/pull/3995
- http/docker-http-upgrade.pcap
  Provided by blightzero on #4068
  https://github.com/zeek/zeek/issues/4068
- quic/merlinc2_Zeek_example.pcapng
  Provided by Faan Rossouw on #4198
  https://github.com/zeek/zeek/issues/4198
- pe/pe.trace
  VirusTotal reports that this file contains malware. The PE analyzer was originally added
  to decode info for malware, so this is expected. See
  https://zeekorg.slack.com/archives/CSZBXF6TH/p1738261449655049
- tunnels/geneve-tagged-udp-packet.pcap
  Provided by Eldon Koyle Corelight for testing.
- cdp-v1.pcap
  From the Wireshark library of captures at https://wiki.wireshark.org/samplecaptures.
- ldap/adduser1.pcap ldap/adduser1-ntlm.pcap
  Provided by Mohan-Dhawan on #4275
  https://github.com/zeek/zeek/issues/4275
- smb_v2_only_non_zero_reserved1.pcap
  Provided by @predator89090 on #4730
  https://github.com/zeek/zeek/issues/4730
- tcp/one-sided-2745.pcap
  Extracted from short.trace.gz (port 2745 and port 281) or (port 2745 and port 1433)
  and used tcprewrite to remove mac/ip. No actual payload in the packets.
- tcp/ctu-64702-888.pcap
  Extracted from CTU-SME-11 after observing ConnSize differences when
  fixing is_orig behavior (port 64702 and port 888).
- http/ctu-62604-80.pcap
  Extracted from CTU-SME-11 after observing http.log differences when
  fixing MIME entity behavior (port 64702 and port 80).
- http/m57-long-49525-80.pcap http/m57-long-49600-80.pcap
  Extracted from m57-long test after observing http.log and files.log differences.
- postgresql/greenhouse-app.pcap
  Captured via tcpdump and port 5432 while running the greenhouse app
  and inserting a user and a plant.
  https://github.com/grafana/loki-fundamentals?tab=readme-ov-file#deploying-the-sample-application
- ldap/asn1-max-recursion.pcap
  Generated by Phuong Cao (@pmcao) as part of a security report. Used to test
  limitations on recursion when parsing ASN.1.
- ldap/ldap-max-recursion.pcap
  Generated by Phuong Cao (@pmcao) as part of a security report. Used to test
  limitations on recursion when parsing LDAP search filters.
- tcp/window-scale-range.pcap
  Generated by dxbjavid in #5495 with the SYN packet containing 255 as scale. Very likely AI assisted.
- dce-rpc/bind-ack-no-inband-null.pcap
  Generated by corresponding scapy script dce-rpc/bind-ack-no-inband-null.pcap.py
- tunnels/ayiya-large-identity.pcap
  Generated by Scapy script tunnels/ayiya-large-identity.pcap.py. AYIYA packet
  with an identity-length nibble of 8 (256 octet identity field) wrapping an
  inner IPv6/UDP packet.
- tunnels/geneve-ipv6.pcap
  Generated by corresponding scapy script tunnels/geneve-ipv6.pcap.py. IPv6/UDP
  inside Geneve.
- nflog-bad-tlv-len.pcap
  Generated by corresponding scapy script nflog-bad-tlv-len.pcap.py
- tunnels/vxlan-inner-tcp-bad-checksum.pcap
  Generated by corresponding scapy script tunnels/vxlan-inner-tcp-bad-checksum.pcap.py.
  Single VXLAN packet encapsulating an Ethernet/IP/TCP SYN with a bad TCP checksum.
- tunnels/geneve-inner-tcp-bad-checksum.pcap
  Generated by corresponding scapy script tunnels/geneve-inner-tcp-bad-checksum.pcap.py.
  Single Geneve packet encapsulating an Ethernet/IP/TCP SYN with a bad TCP checksum.
- ntp/ntp-no-extensions-mac.pcap
  Generated from a reproducer for an OSS-Fuzz finding. This is an NTP packet with no extensions
  but with a trailing key ID and message authentication code.
- icmp/icmp6-nd-short-options.pcap
  Generated by a scapy script created by Claude Opus 4.6. See icmp/icmp6-nd-short-options.pcap.py.
- unknown-ip-short-payload.pcap
  Generated by a scapy script created by Claude Opus 4.6. See unknown-ip-short-payload.py.
- trunc/ip-discarder-truncated-tcp-oob.pcapng
  Generated a scapy script created by GPT-5.5. See trunc/ip-discarder-truncated-tcp-oob.pcapng.py.
- gnutella/max-line.pcapng
  Generated by corresponding GPT-generated scapy script gnutella/buffer-growth-generator.py
  Used with key length 200, 1 line.
- gnutella/max-header.pcapng
  Generated by corresponding GPT-generated scapy script gnutella/buffer-growth-generator.py
  Used with key length 50, 5 lines.
- http/261:
  Generated by Justice Bovee using an agent/LLM setup to find potential
  evasion tactics that Zeek doesn't report as weirds. Not real traffic.
- contentline/rlogin-long-client-user-no-nul.pcapng.gz
  Generated from corresponding Scapy script, generated by GPT-5.5. Compressed for testing.
- contentline/rsh-long-client-user-no-nul.pcapng.gz
  Generated from corresponding Scapy script, generated by GPT-5.5. Compressed for testing.
- contentline/telnet-long-line-no-eol.pcapng.gz
  Generated from corresponding Scapy script, generated by GPT-5.5. Compressed for testing.
- contentline/telnet-unclosed-suboption.pcapng.gz
  Generated from corresponding Scapy script, generated by GPT-5.5. Compressed for testing.
- websocket/oversized-close-frame.pcapng
  Generated by corresponding GPT-5.5 generated scapy script
  websocket/oversized-close-frame.pcapng.py. Contains a CLOSE frame with over 125 bytes.
- finger/long-reply-line-no-newline.pcapng
  Generated by corresponding GPT-generated scapy script finger/long-reply-line.pcapng.py.
  Longer-than-allowed Finger reply.
- finger/long-request.pcapng
  Generated by corresponding GPT-generated scapy script finger/long-request.pcapng.py.
  Longer-than-allowed Finger request.
- krb/error-preauth-padata.pcap
  Generated from Claude-generated scapy script error-preauth-padata.pcap.py. Based on
  a hand-rolled pcap from security report. KRB_ERROR with PA-DATA inside that caused a
  nullptr derefenence.
- mount/mount-unmount.pcap and -bad-status.pcap and -bad-auth-flavor.pcap
  Created by setting up a NFSv3 server on a Ubuntu VM and added the
  Python script mount-unmount-scramble.py to override the status fields
  using scapy.
- nfs/nfs_fileop.pcap Created by setting up a NFSv3 server on a Ubuntu VM
  and creating a single file and deleting it again. Used with scramble.py
  to produce some invalid values.
- http/query-method.pcap http/query-method-non-standard-port.pcap
  Scapy-generated (query-method.pcap.py creates both files). HTTP QUERY method
  (RFC 10008) on port 80 and port 4711 respectively.
- portmapper-many-unanswered-calls.pcapng.gz: Generated via portmapper-many-unanswered-calls.py
  produced by ChatGPT 5.5. Script slightly adapted to use deterministic packet timestamps,
  then gzip compressed.
