ETF IoT Botnet Dataset

Published: 26-01-2021| Version 1 | DOI: 10.17632/nbs66kvx6n.1


The data in this dataset represent recorded network traffic of specimens of IoT malware samples that were collected from the links found on URLHaus database website (, in the period from 2019 to 2021, at the University of Belgrade, School of Electric Engineering. These malware samples were run on RaspberryPi devices, with restricted local network access, and the network traffic was recorded using tcpdump tool. The benign network traffic ( represents all the network traffic recorded on a personal computer for the duration of several hours, split into two files. All local network addresses were anonymized in the process of making these pcap files. The csv file in the dataset contains description for each of the malware pcap files, consisting of: file name, UrlHaus URL, bot address, malware address, attack presence, attacked address, URLHaus tags, collection date (in the DD/MM/YYYY format), and comment.


Steps to reproduce

The following procedure can be used to reproduce malware samples of this dataset. First, the malware with the appropriate tag (such as elf, Mirai, Gafgyt) is downloaded from the URLHaus website, and stored on the RaspberryPi device. Then, using iptables tool, network access to the whole of the local network should be restricted, except for DNS servers, in order to protect the local network from infection. After that, run tcpdump tool for network capture, and lastly, the malware application.