The sustainable development of smart grids requires the massive deployment of renewable energy, in a highly distributed manner, introducing new challenges for the system operation. Therefore, the integration of information and communication technologies in sites with Distributed Energy Resources (DERs) is needed to monitor and control the DERs operation. In this scheme, a local controller is installed at each DER site to interact with the centralized applications at the grid level and the power equipment at the site level. This local controller uses client–server protocols (e.g., Modbus TCP/IP and IEC 61850 Manufacturing Message Specification (MMS)) to communicate with different power equipment in the Private Area Network (PAN) of the site. Such protocols often lack information confidentiality and integrity mechanisms. As a result, the smart grids become vulnerable to cyber-attacks. This repository contains datasets created to evaluate the detection and classification of man-in-the-middle attacks, operating in eavesdropping mode, targeting MMS and Modbus TCP/IP protocols in the PAN of the smart grid. Five Flow-based features were used to create these datasets, as shown in Table 1, in addition to the ARP poisoning indicator feature: Table 1 Feature Description IRTT Time for establishing one connection TTOC Time for receiving all responses in one connection MITR Minimum time between requests in one connection MATR Maximum time between requests in one connection NROC Number of requests in one connection **NOTE** If you use this dataset in your research/publication please cite us using the following: Mohamed Faisal Elrawy, Lenos Hadjidemetriou, Christos Laoudias, Maria K. Michael, Detecting and classifying man-in-the-middle attacks in the private area network of smart grids, Sustainable Energy, Grids and Networks,2023,pp.1-13, https://doi.org/10.1016/j.segan.2023.101167