# Sample Files

The `sample-files/` directory contains example PCAP files and generator
scripts to help you test and explore TracePcap’s features.
## Included Files

| File | Description |
|---|---|
| | ATM network traffic sample. Useful for testing protocol parsing and multi-protocol support. |
| | 5G core network (free5GC) traffic sample. Demonstrates TracePcap’s handling of GTP tunnelling and 5G control-plane protocols. |
| `demo_all_rules.pcap` | Crafted PCAP that triggers all 17 custom signature demo rules defined in `signatures.sample.yml`. |
| `monitor_large/` | Eight weekly captures from the Office Audit demo scenario. Used to demonstrate the Network Monitor, subnet detection, node role annotation, and AI-generated insights. See below for full details. |
## Generating demo_all_rules.pcap

The generator script `sample-files/gen_demo.py` synthesises the demo PCAP
programmatically using Scapy. To regenerate it:

```bash
pip install scapy
python3 sample-files/gen_demo.py
```

The script produces `sample-files/demo_all_rules.pcap`.
## Walkthrough: Custom Signature Demo

1. Copy `signatures.sample.yml` into the TracePcap browser editor: navigate to Custom Detection Rules → paste the file contents → Save.
2. Upload `demo_all_rules.pcap` with nDPI Analysis enabled.
3. Once analysis completes, open the Conversations tab. You should see all 17 custom signature badges firing across the conversations.
4. Open the Overview tab to see aggregate signature match counts.
5. Explore the Network Visualization to see risk indicators on relevant nodes.
## Office Audit Demo Scenario

The `monitor_large/` directory contains eight synthetic weekly captures that
model a realistic external audit engagement. The auditor receives one PCAP per
week from the client — no network documentation, no asset inventory. Everything
is pieced together from the traffic itself.
Over the eight-week audit period, a string of internal policy violations escalates and then subsides after an audit notice is issued.
### Scenario Background

The network is a mid-sized office with four segments:

| Subnet | Range | Purpose |
|---|---|---|
| Staff workstations | `10.0.1.0/24` | Employee desktops and laptops (corporate-managed) |
| Servers | `10.0.2.0/24` | File server (SMB), mail server (SMTP/IMAP), internal web server (HTTP) |
| Printers / peripherals | `10.0.3.0/24` | Floor printers (IPP/LPD) |
| WiFi / BYOD | `10.0.4.0/24` | Wireless access — both managed laptops and personal devices |
### Named Devices

| Device | IP | Role |
|---|---|---|
| Gateway | | Corporate router / internet gateway |
| File Server | | Internal file server (SMB :445) |
| Mail Server | | Internal mail server (SMTP :25, IMAP :143) |
| Web Server | | Internal intranet (HTTP :80) |
| Printer A / B | | Floor printers (IPP :631) |
| WS_ALICE | | Alice — compliant employee, normal traffic throughout |
| WS_BOB | | Bob — FTP exfiltration to external IP (weeks 4–6) |
| WS_CAROL | | Carol — joins week 3; Telnet to file server (cleartext credentials) |
| WS_DAVE | | Dave — joins week 5; normal new employee |
| LAPTOP_BOB | | Bob’s personal laptop on WiFi — WireGuard VPN bypass + BitTorrent (weeks 2–6) |
| MOBILE_EVE | | Eve’s personal mobile — joins week 4; remains on network through week 8 |
| SHADOW_DEV | `10.0.4.50` | Unknown device (Raspberry Pi OUI); ARP-spoofs Bob’s IP; weeks 5–6 only |
### Story Arc

| Week | File | What happens |
|---|---|---|
| 1 | `week1_baseline.pcap` | Clean baseline — normal office day. HTTP/HTTPS to internet, SMB to file server, SMTP/IMAP to mail server, DNS, print jobs. ~170 hosts. |
| 2 | | Bob’s personal laptop ( |
| 3 | | Carol’s workstation joins. Carol uses Telnet to connect to the file server — cleartext credentials visible in payload. Bob’s laptop begins BitTorrent traffic. Signals: MAC_ADDED (Carol), PROTOCOL_ADDED (Telnet), APP_ADDED (BitTorrent). |
| 4 | | Bob’s workstation starts FTP transfers to |
| 5 | | An unknown device with a Raspberry Pi OUI ( |
| 6 | | Peak violation week. FTP exfiltration, BitTorrent, WireGuard VPN, Telnet, and the shadow device are all simultaneously active. Shadow device also uses Telnet to the file server. Signals: no new signals — all violations continue. |
| 7 | | Audit notice issued. FTP stops, BitTorrent stops, WireGuard stops, Telnet stops. Shadow device disappears. Gateway returns to the primary ISP. Bob’s personal laptop stays connected but is idle. Signals: GATEWAY_CHANGE (back to primary), VPN_DRIFT gone, MAC absent (shadow device), APP_ADDED gone (BitTorrent), Telnet gone. |
| 8 | | Near-baseline. All core violations resolved. Bob’s personal laptop and Eve’s mobile remain on the network — the personal-device policy has not been enforced. Signals: none — stable. |
### Policy Violations Summary

| Violation | Weeks active | Evidence in capture |
|---|---|---|
| WireGuard VPN bypass (LAPTOP_BOB) | 2–6 | UDP :51820 to |
| BitTorrent P2P (LAPTOP_BOB) | 3–6 | UDP :6881 BitTorrent DHT ping payloads |
| Telnet to file server — cleartext (WS_CAROL) | 3–6 | TCP :23 to |
| FTP exfiltration to external IP (WS_BOB) | 4–6 | TCP :21 to |
| Unauthorised shadow device (SHADOW_DEV, RPi OUI) | 5–6 | MAC |
| ARP spoofing — shadow device claims Bob’s IP | 5 | Gratuitous ARP: |
| Personal devices on corporate WiFi (LAPTOP_BOB, MOBILE_EVE) | 2–8 | Consumer-OUI MACs on |
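The evidence column above maps onto mechanical checks an auditor could run over per-flow summaries before opening the captures in TracePcap. The script below is an added example, not code from TracePcap or its generators: it applies those checks to constructed flow and ARP records. The subnets and the shadow device address `10.0.4.50` come from this README; every other IP, every MAC and the managed-NIC OUI prefix are assumptions made for the example.

```python
import ipaddress

CORP = ipaddress.ip_network("10.0.0.0/16")     # all four office segments
SERVERS = ipaddress.ip_network("10.0.2.0/24")  # file / mail / web servers
WIFI = ipaddress.ip_network("10.0.4.0/24")     # WiFi / BYOD segment
MANAGED_OUI = {"00:50:56"}  # assumed prefix of corporate-managed NICs (constructed)
RPI_OUI = "b8:27:eb"        # a registered Raspberry Pi Foundation OUI
def is_external(ip):
    return ipaddress.ip_address(ip) not in CORP
def audit(records):
    """Return sorted (violation, subject) pairs for flow and ARP records.
    Records carry src_mac, src_ip, proto ('tcp'/'udp'/'arp'); flows add dst_ip, dport."""
    findings, ip_owner = set(), {}  # ip_owner: first MAC observed for each IP
    for r in records:
        src, mac = r["src_ip"], r["src_mac"].lower()
        oui = mac[:8]
        if ip_owner.setdefault(src, mac) != mac:  # same IP now claimed by another MAC
            findings.add(("ARP_SPOOF", f"{mac} claims {src}"))
        if oui == RPI_OUI:
            findings.add(("SHADOW_DEVICE", mac))
        elif ipaddress.ip_address(src) in WIFI and oui not in MANAGED_OUI:
            findings.add(("PERSONAL_DEVICE", mac))
        if r["proto"] == "arp":
            continue
        dst, key = r["dst_ip"], (r["proto"], r["dport"])
        if key == ("udp", 51820) and is_external(dst):
            findings.add(("WIREGUARD_VPN", src))
        elif key == ("udp", 6881):
            findings.add(("BITTORRENT_DHT", src))
        elif key == ("tcp", 23) and ipaddress.ip_address(dst) in SERVERS:
            findings.add(("TELNET_CLEARTEXT", src))
        elif key == ("tcp", 21) and is_external(dst):
            findings.add(("FTP_EXTERNAL", src))
    return sorted(findings)

# Constructed records standing in for the weekly captures (not real capture data).
SAMPLE = [
    dict(src_mac="00:50:56:aa:00:02", src_ip="10.0.1.11", dst_ip="10.0.2.10", proto="tcp", dport=445),   # Bob, SMB
    dict(src_mac="1c:2d:3e:11:22:33", src_ip="10.0.4.20", dst_ip="203.0.113.7", proto="udp", dport=51820),  # WireGuard
    dict(src_mac="1c:2d:3e:11:22:33", src_ip="10.0.4.20", dst_ip="198.51.100.9", proto="udp", dport=6881),  # DHT
    dict(src_mac="00:50:56:aa:00:03", src_ip="10.0.1.12", dst_ip="10.0.2.10", proto="tcp", dport=23),    # Carol, Telnet
    dict(src_mac="00:50:56:aa:00:02", src_ip="10.0.1.11", dst_ip="203.0.113.50", proto="tcp", dport=21),  # Bob, FTP out
    dict(src_mac="b8:27:eb:44:55:66", src_ip="10.0.1.11", proto="arp"),  # gratuitous ARP claiming Bob's IP
    dict(src_mac="b8:27:eb:44:55:66", src_ip="10.0.4.50", dst_ip="10.0.2.10", proto="tcp", dport=23),  # shadow, Telnet
]

if __name__ == "__main__":
    for violation, subject in audit(SAMPLE):
        print(f"{violation:18} {subject}")
```

Device-identity findings (shadow and personal devices) are keyed by MAC so that the shadow device is reported once even when it borrows Bob's IP, while traffic findings are keyed by source IP.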
### Generating the Office Audit PCAPs

The generator requires Scapy. The `monitor_large/` directory is pre-populated,
but you can regenerate the files at any time:

```bash
pip install scapy
cd sample-files
python3 gen_monitor_large.py
```
### Walkthrough: Office Audit Demo

#### Step 1 — Upload and analyse all eight files
Upload each week*.pcap file via the standard upload flow with nDPI analysis
enabled. Wait for all eight to reach status Completed.
#### Step 2 — Create a Network Monitor session
Navigate to Monitor → Create Network → name it
Office Audit — Corp HQ (or similar).
#### Step 3 — Add snapshots
Click Add Snapshot and add all eight files. The Monitor orders them by capture time automatically. Change events appear as soon as the second snapshot is added.
#### Step 4 — Detect subnets

In the Subnet Definitions panel, select `week1_baseline.pcap` from the
dropdown and click Detect Subnets. The engine should propose four candidates:

- `10.0.1.0/24` — staff workstations
- `10.0.2.0/24` — servers
- `10.0.3.0/24` — printers
- `10.0.4.0/24` — WiFi / BYOD
Save all four and add labels. The IP Addresses drift panel will now group all IPs by subnet.
#### Step 5 — Annotate key devices
Click IP badges in the drift panels to open the Entity Detail modal. Assign role labels to the named devices:
| IP | Suggested role label |
|---|---|
| | File Server (SMB) |
| | Mail Server (SMTP/IMAP) |
| | Internal Web Server |
| | Floor Printer A (IPP) |
| | Floor Printer B (IPP) |
| | Alice — Staff Workstation (compliant) |
| | Bob — Staff Workstation (FTP exfil weeks 4–6) |
| | Carol — Staff Workstation (Telnet weeks 3–6) |
| | Bob’s Personal Laptop (VPN bypass + BitTorrent) |
| `10.0.4.50` | Unknown Device — Raspberry Pi OUI (shadow device) |
Use Suggest with AI on `10.0.4.50` to see how the LLM characterises the
device from its traffic behaviour alone (unusual OUI, ARP spoofing, SMB + Telnet
to internal servers, no hostname).
#### Step 6 — Add external events
In the External Events panel, log the audit milestone that explains the behavioural shift:
Date: start of week 7 — “Audit notice issued to staff — policy violations flagged for remediation”
#### Step 7 — Generate insights
Click Generate Insights. With device roles and the external event in context, the LLM should correlate the violation drop-off in week 7 with the audit notice, identify the shadow device as the highest-severity finding, and surface the lingering personal-device policy gap in week 8.
## Adding Your Own PCAP Files

Place any `.pcap`, `.pcapng`, or `.cap` file in `sample-files/` and
upload it via the TracePcap UI. There is no restriction on the content —
any valid capture file is accepted.