Malware Capture Facility Project

This is a research project to capture, monitor, analyze and publish long-lived real malware network traffic. The malware is executed with only two restrictions on the outbound traffic: a limit on the bandwidth and the interception of spam. The most important characteristic of this project is that the malware is executed for long periods of time, up to several months. The traffic is stored in pcap files, preprocessed, analyzed, labeled and made public for the research community. The preprocessing output includes RRD files with the history of the traffic shape, bidirectional Argus flows (both the binary file and the text file), web logs for all the web traffic and a DNS report, among others. The labels are manually generated by a group of security experts and added to both the Argus files and the web logs.

The datasets created in this facility are used in the research projects of botnet behavior analysis and anomaly detection. 

If you use this dataset for your own research, please reference it accordingly. Also consider collaborating with the project to make the dataset better.

The researcher in charge of this project is PhD student Sebastian Garcia.

sebastian.garcia at 

Project WebPage

The most up-to-date web page of the project is:


  • Capture malware traffic.

  • Execute the malware for long periods of time.

  • Monitor the traffic during execution.

  • Analyze the traffic with different tools and algorithms.

  • Publish the results. 

How to Cite the Dataset

This dataset should be cited like this:

Screenshots of some of the tools used

Cacti RRD file of a botnet

The complete dataset can be found in the project web page.