WITS: Auckland IX

Trace Format: ERF, captured using a DAG 4.3 card.
Volume on Disk: 0 MB
Number of Traces: 56
Capture Start (Local): Thu Mar 27 15:36:18 2008
Capture End (Local): Sat Mar 29 22:40:31 2008
Total Duration: 2 Days, 6 Hours, 4 Minutes and 12 Seconds
Packets Captured: 2,249 million
Total Traffic: 1,427 GB
Contiguity: One gap early in the trace set. Another trace appears to be missing.
Snapping Method: Packets truncated four bytes after the end of the transport header, except for DNS which retains 12 bytes of payload.
Rotation Policy: Hourly rotation at the beginning of each hour.
Anonymization: IP addresses anonymised using Crypto-Pan AES encryption.

NOTE: There is a major bug in this trace set. Due to a libtrace bug, WDCap was incorrectly truncating some TCP packets prior to the TCP header. In particular, packets that contained TCP options but no payload, e.g. SYN packets, are affected. Obviously, this will severely inhibit any TCP-related analysis using these traces. We apologise for this error.

This is a mostly contiguous packet header trace captured from a passive monitor located within the University of Auckland network. The traces were captured using a single DAG 4.3 card and the WDCap trace capture software. The version of WDCap used was version 3.0.9 and the Libtrace version was 3.0.3.

The passive monitor was located near the edge of the University network and captured all traffic that was entering or exiting the University. However, internal traffic that did not pass near the edge would not have been observed at the capture point. The passive monitor performed all of the capture tasks itself, including packet truncation and writing the capture to disk.

There is no useful direction tagging in this traceset as both directions were captured using the same DAG interface. This is in contrast to some other ERF captures, e.g. Waikato, where each direction has a dedicated interface.

The traces have been subsequently anonymised using the traceanon tool included with Libtrace, using the prefix-preserving Crypto-Pan encryption algorithm. The checksums for each packet have also been replaced with zero.

Each trace file is named using the following format: yyyymmdd-HHMMSS-[code].gz. The time and date refer to the time in UTC when the first packet in the file was captured. The code refers to the event which caused the previous file to be closed and this new file to be created.

Codes of interest for this traceset are as follows:

  • 0 - Rotation boundary was reached
  • 2 - DAG dropped packets

Regular file rotation (code 0) occurred at the beginning of each hour.

There was one file rotation (20080327-040051-2) that occurred because the DAG packet buffer overflowed; some packets were therefore not captured between that trace and the end of the previous one.

There is also a trace that appears to be missing from the set between 20080327-220000-0 and 20080328-000000-0. Unfortunately, we have no idea what happened to the missing trace.
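The contiguity checks described above can be automated from the file names alone. The following Python sketch is an added example, not part of the original page or of the WDCap/Libtrace tooling; the function names are hypothetical, and the sample names are taken from the trace list on this page.

```python
import re
from datetime import datetime, timedelta, timezone

# Name format from the page: yyyymmdd-HHMMSS-[code].gz (timestamp is UTC).
NAME_RE = re.compile(r"^(\d{8})-(\d{6})-(\d+)(?:\.gz)?$")
# Only the two codes documented on the page are known here.
CODES = {0: "rotation boundary reached", 2: "DAG dropped packets"}

def parse_name(name):
    """Return (UTC start time, rotation code) for one trace file name."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("not a trace name: %r" % name)
    start = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    return start.replace(tzinfo=timezone.utc), int(m.group(3))

def floor_hour(ts):
    return ts.replace(minute=0, second=0)

def audit(names):
    """List (kind, yyyymmdd-HHMMSS) findings for a set of trace names.

    packet_loss  - file opened with code 2 (capture card dropped packets)
    unknown_code - file opened with a code the page does not document
    missing_hour - an hourly file that should exist but is absent
    """
    fmt = "%Y%m%d-%H%M%S"
    traces = sorted(parse_name(n) for n in names)
    findings = []
    for (prev_start, _), (start, code) in zip(traces, traces[1:]):
        if code == 2:
            findings.append(("packet_loss", start.strftime(fmt)))
        elif code not in CODES:
            findings.append(("unknown_code", start.strftime(fmt)))
        # With hourly rotation, the next file is due at the next hour
        # boundary; a mid-hour file (non-zero code) does not shift that.
        hour = floor_hour(prev_start) + timedelta(hours=1)
        while hour < floor_hour(start):
            findings.append(("missing_hour", hour.strftime(fmt)))
            hour += timedelta(hours=1)
    return findings

# Sample: a subset of the names listed on this page.
SAMPLE = [
    "20080327-030000-0", "20080327-040000-0", "20080327-040051-2",
    "20080327-050000-0", "20080327-210000-0.gz", "20080327-220000-0",
    "20080328-000000-0", "20080328-010000-0",
]

if __name__ == "__main__":
    for kind, when in audit(SAMPLE[4:]):
        print(kind, when)
```

Running `audit` over the full list of names before analysis gives the time ranges where flow or session reconstruction cannot be trusted.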

Packet records are truncated four bytes after the end of the transport header except in the case of DNS traffic, which is snapped twelve bytes after the end of the transport header. This means that many packets will contain a small amount of user payload - enough to perform some rudimentary layer 7 analysis without seriously threatening the privacy of the network users. ICMP packets are truncated after any IP and transport headers that may be present in the packet payload.

The recommended method for processing these traces is to use Libtrace, which we have developed. There are a number of tools included with libtrace such as a packet dumping utility, a trace format converter (for example, to convert to pcap), a trace splitting/filtering tool and a few statistic generators. We suggest you examine the Libtrace Wiki for more details on the Libtrace tools and the library itself.

Name Local Start Time Duration Total Packets Compressed Size
20080327-023618-0 Thu Mar 27 15:36:18 2008 0:23:42 38 million  
20080327-030000-0 Thu Mar 27 16:00:01 2008 1:00:00 94 million  
20080327-040000-0 Thu Mar 27 17:00:01 2008 0:00:50 1 million  
20080327-040051-2 Thu Mar 27 17:00:51 2008 0:59:09 78 million  
20080327-050000-0 Thu Mar 27 18:00:01 2008 1:00:00 52 million  
20080327-060000-0 Thu Mar 27 19:00:01 2008 1:00:00 51 million  
20080327-070000-0 Thu Mar 27 20:00:01 2008 1:00:00 50 million  
20080327-080000-0 Thu Mar 27 21:00:01 2008 1:00:00 48 million  
20080327-090000-0 Thu Mar 27 22:00:01 2008 1:00:00 36 million  
20080327-100000-0 Thu Mar 27 23:00:01 2008 1:00:00 29 million  
20080327-110000-0 Fri Mar 28 00:00:01 2008 1:00:00 19 million  
20080327-120000-0 Fri Mar 28 01:00:01 2008 1:00:00 17 million  
20080327-130000-0 Fri Mar 28 02:00:01 2008 1:00:00 17 million  
20080327-140000-0 Fri Mar 28 03:00:01 2008 1:00:00 16 million  
20080327-150000-0 Fri Mar 28 04:00:01 2008 1:00:00 18 million  
20080327-160000-0 Fri Mar 28 05:00:01 2008 1:00:00 12 million  
20080327-170000-0 Fri Mar 28 06:00:01 2008 1:00:00 19 million  
20080327-180000-0 Fri Mar 28 07:00:01 2008 1:00:00 28 million  
20080327-190000-0 Fri Mar 28 08:00:01 2008 1:00:00 48 million  
20080327-200000-0 Fri Mar 28 09:00:01 2008 1:00:00 68 million  
20080327-210000-0 Fri Mar 28 10:00:01 2008 1:00:00 74 million  
20080327-220000-0 Fri Mar 28 11:00:01 2008 1:00:00 89 million  
20080328-000000-0 Fri Mar 28 13:00:01 2008 1:00:00 105 million  
20080328-010000-0 Fri Mar 28 14:00:01 2008 1:00:00 102 million  
20080328-020000-0 Fri Mar 28 15:00:01 2008 1:00:00 94 million  
20080328-030000-0 Fri Mar 28 16:00:01 2008 1:00:00 69 million  
20080328-040000-0 Fri Mar 28 17:00:01 2008 1:00:00 60 million  
20080328-050000-0 Fri Mar 28 18:00:01 2008 1:00:00 51 million  
20080328-060000-0 Fri Mar 28 19:00:01 2008 1:00:00 40 million  
20080328-070000-0 Fri Mar 28 20:00:01 2008 1:00:00 38 million  
20080328-080000-0 Fri Mar 28 21:00:01 2008 1:00:00 36 million  
20080328-090000-0 Fri Mar 28 22:00:01 2008 1:00:00 27 million  
20080328-100000-0 Fri Mar 28 23:00:01 2008 1:00:00 24 million  
20080328-110000-0 Sat Mar 29 00:00:01 2008 1:00:00 21 million  
20080328-120000-0 Sat Mar 29 01:00:01 2008 1:00:00 17 million  
20080328-130000-0 Sat Mar 29 02:00:01 2008 1:00:00 22 million  
20080328-140000-0 Sat Mar 29 03:00:01 2008 1:00:00 24 million  
20080328-150000-0 Sat Mar 29 04:00:01 2008 1:00:00 18 million  
20080328-160000-0 Sat Mar 29 05:00:01 2008 1:00:00 9 million  
20080328-170000-0 Sat Mar 29 06:00:01 2008 1:00:00 10 million  
20080328-180000-0 Sat Mar 29 07:00:01 2008 1:00:00 14 million  
20080328-190000-0 Sat Mar 29 08:00:01 2008 1:00:00 14 million  
20080328-200000-0 Sat Mar 29 09:00:01 2008 1:00:00 19 million  
20080328-210000-0 Sat Mar 29 10:00:01 2008 1:00:00 30 million  
20080328-220000-0 Sat Mar 29 11:00:01 2008 1:00:00 38 million  
20080328-230000-0 Sat Mar 29 12:00:01 2008 1:00:00 41 million  
20080329-000000-0 Sat Mar 29 13:00:01 2008 1:00:00 47 million  
20080329-010000-0 Sat Mar 29 14:00:01 2008 1:00:00 48 million  
20080329-020000-0 Sat Mar 29 15:00:01 2008 1:00:00 43 million  
20080329-030000-0 Sat Mar 29 16:00:01 2008 1:00:00 44 million  
20080329-040000-0 Sat Mar 29 17:00:01 2008 1:00:00 50 million  
20080329-050000-0 Sat Mar 29 18:00:01 2008 1:00:00 37 million  
20080329-060000-0 Sat Mar 29 19:00:01 2008 1:00:00 33 million  
20080329-070000-0 Sat Mar 29 20:00:01 2008 1:00:00 36 million  
20080329-080000-0 Sat Mar 29 21:00:01 2008 1:00:00 34 million  
20080329-090000-0 Sat Mar 29 22:00:01 2008 0:40:31 24 million