WITS: Auckland X

Trace Format: ERF, captured using a DAG 4.3 card.
Volume on Disk: 869 GB
Number of Traces: 10
Capture Start (Local): Tue Oct 20 15:09:45 2009
Capture End (Local): Thu Oct 29 15:08:16 2009
Total Duration: 8 Days, 23 Hours, 58 Minutes and 30 Seconds
Packets Captured: 35,965 million
Total Traffic: 26,447 GB
Contiguity: One trace was truncated very slightly for an unknown reason.
Snapping Method: Packets truncated four bytes after the end of the transport header, except for DNS which retains 12 bytes of payload.
Rotation Policy: Daily rotation at midnight UTC.
Anonymization: No anonymisation has been performed on these traces, hence they are unavailable for download.

This is a contiguous packet header trace captured from a passive monitor located within the University of Auckland network. The traces were captured using a single DAG 4.3 card and the WDCap trace capture software. The version of WDCap used was version 3.1.1 and the Libtrace version was 3.0.6.

The passive monitor was located near the edge of the University network and captured all traffic that was entering or exiting the University. However, internal traffic that did not pass near the edge would not have been observed at the capture point. The passive monitor performed all of the capture tasks itself, including packet truncation and writing the capture to disk.

Each trace file is named using the following format: yyyymmdd-HHMMSS-[code].gz. The time and date refer to the time in UTC when the first packet in the file was captured. The code refers to the event which caused the previous file to be closed and this new file to be created.

Codes of interest for this traceset are as follows:

  • 0 - Rotation boundary was reached

Regular file rotation (code 0) occurred daily at midnight (UTC).

One of the trace files (20091024-000000-0) appeared to have been truncated slightly prematurely, meaning that at least one packet was not correctly written to disk. This means that the trace set is not entirely contiguous and there may be a small number of packets missing between the end of that trace and the start of the next one. We do not know what caused this, but have repaired the trace file to remove the partial packet that was written at the end of the trace file.

Packet records are truncated four bytes after the end of the transport header except in the case of DNS traffic, which is snapped twelve bytes after the end of the transport header. This means that many packets will contain a small amount of user payload - enough to perform some rudimentary layer 7 analysis without seriously threatening the privacy of the network users. ICMP packets are truncated after any IP and transport headers that may be present in the packet payload.

The IP addresses contained within the packets have not been anonymised. We hope to release an anonymised version of the trace set at some point in the future.

The recommended method for processing these traces is to use Libtrace, which we have developed. There are a number of tools included with Libtrace such as a packet dumping utility, a trace format converter (for example, to convert to pcap), a trace splitting/filtering tool and a few statistic generators. We suggest you examine the Libtrace Wiki for more details on the Libtrace tools and the library itself.

Name               Local Start Time          Duration  Total Packets  Compressed Size
20091020-020945-0  Tue Oct 20 15:09:45 2009  21:50:15  3,814 million  94,786 MB
20091021-000000-0  Wed Oct 21 13:00:01 2009  24:00:00  4,464 million  111,601 MB
20091022-000000-0  Thu Oct 22 13:00:01 2009  24:00:00  4,471 million  112,229 MB
20091023-000000-0  Fri Oct 23 13:00:01 2009  24:00:00  3,589 million  88,441 MB
20091024-000000-0  Sat Oct 24 13:00:01 2009  24:00:00  3,036 million  71,630 MB
20091025-000000-0  Sun Oct 25 13:00:01 2009  24:00:00  3,327 million  79,789 MB
20091026-000000-0  Mon Oct 26 13:00:01 2009  24:00:00  3,714 million  92,045 MB
20091027-000000-0  Tue Oct 27 13:00:01 2009  24:00:00  4,495 million  112,963 MB
20091028-000000-0  Wed Oct 28 13:00:01 2009  24:00:00  4,394 million  109,552 MB
20091029-000000-0  Thu Oct 29 13:00:01 2009  2:08:15   656 million    16,900 MB