WAND Group

WAND is a research group at the University of Waikato Computer Science Department. The group is involved with a range of computer network projects, mostly focused on network measurement. The group has a strong international reputation and has close links, including collaborative research, with several other network measurement groups. These include CAIDA, Sprint and Agilent.

Our work includes collection of very long trace sets, network analysis and software to support this, active measurement systems, wireless networks for rural communities, rapid deployment networks, OS code based network simulation and network visualisation. Spinoffs from our work include Endace and Rural Link.

WAND Interesting Blogs




Libtrace 3.0.18 has been released.

This release fixes several bugs that have been reported in 3.0.17. In particular, this release fixes several crash bugs in the libtrace tools that were reported by the Mayhem team at Carnegie Mellon University. It also addresses a rare bug where the compression auto-detection could trigger a false positive on uncompressed ERF traces by including a new format URI (rawerf:) that can be used to force libtrace to treat the traces as uncompressed. We have also tightened up the compression auto-detection somewhat to reduce the likelihood of the bug occurring.

It is highly recommended that you explicitly use the rawerf: format if you are working with large numbers of uncompressed ERF traces.

The full list of changes in this release can be found in the libtrace ChangeLog.

You can download the new version of libtrace from the libtrace website.




Libtrace 3.0.17 has finally been released.

This release adds some new convenience functions to the libtrace API and fixes a number of bugs, many of which have been reported by users.

The major changes in this release are:
* Added API functions for getting the IP address from a packet as a string.
* Added API functions for calculating packet checksums at the IP and transport layers.
* Fixed major bug where the event API was not working with int: inputs.
* Fixed broken checksum calculations in tracereplay.
* Fixed bug where IP headers embedded inside ICMP messages were not being anonymised by traceanon.
* Added API support for working with ICMPv6 headers.

The full list of changes in this release can be found in the libtrace ChangeLog.

You can download the new version of libtrace from the libtrace website.




Libtrace 3.0.16 has been released.

This release includes the new ring: format which is a much more efficient version of the existing int: format. More details on how ring: works and how much better it is than int: can be found here.

People currently using int: are encouraged to give ring: a try - at best, there should be no obvious difference between the two aside from your program using a lot less CPU time. If there are problems, bugs or strange behaviour, please let us know (email contact at so we can fix it in the next release.

This release also fixes two bugs: the problems that occur when capturing packets using 'pcapint:any' as input and writing them to disk using a different (i.e. non-pcap) format, and the double free that would occur when calling trace_destroy after using trace_event to read packets from a trace file.

The full list of changes in this release can be found in the libtrace ChangeLog.

You can download the new version of libtrace from the libtrace website.




L7 Filter is used as a source of ground truth in the traffic classification field because it has been around for a long time and is widely known. However, my experiences with L7 Filter had raised a few questions in my mind with regard to its accuracy. After looking online, I did not find any evidence that L7 Filter is actually an accurate or reliable traffic classifier. In this blog post, I present some preliminary results from my own investigation into the correctness (or lack thereof) of L7 Filter's classifications using packet traces containing traffic for only a single known application.




Libprotoident 2.0.6 has been released today.

This release adds support for 17 new protocols including Spotify, Runescape, Cryptic and Apple Facetime. The rules for a further 7 protocols have been improved.

This release also fixes a couple of bugs - in particular one where lpi_live would report erroneously high packet or byte counts.

We've also deprecated the P2P_Structure category as it was no longer serving the intended purpose due to the rise in BitTorrent file transfers over UDP that are indistinguishable from DHT traffic. All protocols that used to be P2P_Structure are now placed in the P2P category.

The full list of changes can be found in the libprotoident ChangeLog.

Download libprotoident 2.0.6 here!




Updated on October 26, 2012 to reflect that the P2P_Structure category was not entirely reliable.


Earlier this year, we managed to generate a bit of interest by studying changes in application protocol usage at one New Zealand ISP after the Copyright Amendment Act came into effect. This eventually led to a publication at IMC 2012, which can be accessed here.

One outstanding question from this work was whether the changes that we observed would persist, particularly given that there have been no notable instances of people being brought before the Copyright Tribunal and punished. Would people eventually revert back to their old methods of file-sharing or would they continue to use more obfuscated methods? Would those people that stopped file sharing return once they felt more secure in not being caught out?

With this in mind, we have updated our results with data captured from the same New Zealand ISP during September 2012, one year on from the CAA coming into force. Again, we have looked at the traffic for a subset of the ISP's DSL subscribers only. Unfortunately, we do not have detailed information about the number of subscribers using each protocol, but we do have statistics about the number of flows and bytes for each protocol (both incoming and outgoing) which we can make use of. In this blog post, I'll be comparing the most recent measurements with our earlier results to determine if anything has changed in the past few months.
