WITS: Auckland IX
|Trace Format||ERF, captured using a DAG 4.3 card.|
|Volume on Disk||0 MB|
|Number of Traces||56|
|Capture Start (Local)||Thu Mar 27 15:36:18 2008|
|Capture End (Local)||Sat Mar 29 22:40:31 2008|
|Total Duration||2 Days, 6 Hours, 4 Minutes and 12 Seconds|
|Packets Captured||2,249 million|
|Total Traffic||1,427 GB|
|Contiguity||One gap early in the trace set. Another trace appears to be missing.|
|Snapping Method||Packets truncated four bytes after the end of the transport header, except for DNS which retains 12 bytes of payload.|
|Rotation Policy||Hourly rotation at the beginning of each hour.|
|Anonymization||IP addresses anonymised using Crypto-Pan AES encryption.|
NOTE: There is a major bug in this trace set. Due to a libtrace bug, WDCap was incorrectly truncating some TCP packets prior to the TCP header. In particular, packets that contained TCP options but no payload, e.g. SYN packets, are affected. Obviously, this will severely inhibit any TCP-related analysis using these traces. We apologise for this error.
This is a mostly contiguous packet header trace captured from a passive monitor located within the University of Auckland network. The traces were captured using a single DAG 4.3 card and the WDCap trace capture software. The version of WDCap used was version 3.0.9 and the Libtrace version was 3.0.3.
The passive monitor was located near the edge of the University network and captured all traffic that was coming into or exiting the University. However, internal traffic that did not pass near the edge would not have been observed at the capture point. The passive monitor performed all of the capture tasks itself, including packet truncation and writing the capture to disk.
There is no useful direction tagging in this traceset as both directions were captured using the same DAG interface. This is in contrast to some other ERF captures, e.g. Waikato, where each direction has a dedicated interface.
The traces have been subsequently anonymised using the traceanon tool included with Libtrace, using the prefix-preserving Crypto-Pan encryption algorithm. The checksums for each packet have also been replaced with zero.
Each trace file is named using the following format: yyyymmdd-HHMMSS-[code].gz. The time and date refer to the time in UTC when the first packet in the file was captured. The code refers to the event which caused the previous file to be closed and this new file to be created.
Codes of interest for this traceset are as follows:
- 0 - Rotation boundary was reached
- 2 - DAG dropped packets
Regular file rotation (code 0) occurred at the beginning of each hour.
There was one file rotation (20080327-040051-2) that occurred due to the DAG packet buffer overflowing and therefore some packets were not successfully captured between that trace and the end of the previous one.
There is also a trace that appears to be missing from the set between 20080327-220000-0 and 20080328-000000-0. Unfortunately, we have no idea what happened to the missing trace.
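The naming scheme above is enough to audit the contiguity of a downloaded copy of the set before analysing it. The following is an added example, not part of WITS or Libtrace; the function names are assumptions, and the sample file names are taken from the trace table on this page.

```python
import re
from datetime import datetime, timedelta, timezone

# yyyymmdd-HHMMSS-[code].gz, as described above (".gz" optional so that the
# bare names used in the trace table also parse).
NAME_RE = re.compile(r"^(\d{8})-(\d{6})-(\d+)(?:\.gz)?$")
# Only the two codes listed on this page; other codes are reported as unknown.
CODES = {0: "Rotation boundary was reached", 2: "DAG dropped packets"}

def parse_name(name):
    """Return (UTC start of first packet, rotation code) for a trace file name."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a trace file name: {name!r}")
    start = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    return start.replace(tzinfo=timezone.utc), int(m.group(3))

def audit(names):
    """List (file, kind, detail) findings for loss events and missing hours."""
    traces = sorted(parse_name(n) + (n,) for n in names)
    findings = []
    for (prev_start, _, _), (start, code, name) in zip(traces, traces[1:]):
        if code != 0:
            # Non-zero code: the previous file was closed by an event, not the clock.
            findings.append((name, "loss", CODES.get(code, f"unknown code {code}")))
        # With hourly rotation the next file should start no later than the
        # next top-of-hour after the previous file's start.
        expected = prev_start.replace(minute=0, second=0) + timedelta(hours=1)
        if start > expected:
            findings.append((name, "missing", expected.strftime("%Y%m%d-%H%M%S")))
    return findings

# File names from the trace table, around the two events described above.
SAMPLE_DROP = ["20080327-030000-0.gz", "20080327-040000-0.gz",
               "20080327-040051-2.gz", "20080327-050000-0.gz"]
SAMPLE_GAP = ["20080327-210000-0.gz", "20080327-220000-0.gz",
              "20080328-000000-0.gz", "20080328-010000-0.gz"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_DROP) + audit(SAMPLE_GAP):
        print(finding)
```

A "missing" finding reports the UTC time at which the absent file was expected to start; a "loss" finding marks a file whose predecessor was closed by a capture event, so packets between the two files may be absent.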
Packet records are truncated four bytes after the end of the transport header except in the case of DNS traffic, which is snapped twelve bytes after the end of the transport header. This means that many packets will contain a small amount of user payload - enough to perform some rudimentary layer 7 analysis without seriously threatening the privacy of the network users. ICMP packets are truncated after any IP and transport headers that may be present in the packet payload.
The recommended method for processing these traces is to use Libtrace, which we have developed. There are a number of tools included with libtrace such as a packet dumping utility, a trace format converter (for example, to convert to pcap), a trace splitting/filtering tool and a few statistic generators. We suggest you examine the Libtrace Wiki for more details on the Libtrace tools and the library itself.
|Name||Local Start Time||Duration||Total Packets||Compressed Size|
|20080327-023618-0||Thu Mar 27 15:36:18 2008||0:23:42||38 million|
|20080327-030000-0||Thu Mar 27 16:00:01 2008||1:00:00||94 million|
|20080327-040000-0||Thu Mar 27 17:00:01 2008||0:00:50||1 million|
|20080327-040051-2||Thu Mar 27 17:00:51 2008||0:59:09||78 million|
|20080327-050000-0||Thu Mar 27 18:00:01 2008||1:00:00||52 million|
|20080327-060000-0||Thu Mar 27 19:00:01 2008||1:00:00||51 million|
|20080327-070000-0||Thu Mar 27 20:00:01 2008||1:00:00||50 million|
|20080327-080000-0||Thu Mar 27 21:00:01 2008||1:00:00||48 million|
|20080327-090000-0||Thu Mar 27 22:00:01 2008||1:00:00||36 million|
|20080327-100000-0||Thu Mar 27 23:00:01 2008||1:00:00||29 million|
|20080327-110000-0||Fri Mar 28 00:00:01 2008||1:00:00||19 million|
|20080327-120000-0||Fri Mar 28 01:00:01 2008||1:00:00||17 million|
|20080327-130000-0||Fri Mar 28 02:00:01 2008||1:00:00||17 million|
|20080327-140000-0||Fri Mar 28 03:00:01 2008||1:00:00||16 million|
|20080327-150000-0||Fri Mar 28 04:00:01 2008||1:00:00||18 million|
|20080327-160000-0||Fri Mar 28 05:00:01 2008||1:00:00||12 million|
|20080327-170000-0||Fri Mar 28 06:00:01 2008||1:00:00||19 million|
|20080327-180000-0||Fri Mar 28 07:00:01 2008||1:00:00||28 million|
|20080327-190000-0||Fri Mar 28 08:00:01 2008||1:00:00||48 million|
|20080327-200000-0||Fri Mar 28 09:00:01 2008||1:00:00||68 million|
|20080327-210000-0||Fri Mar 28 10:00:01 2008||1:00:00||74 million|
|20080327-220000-0||Fri Mar 28 11:00:01 2008||1:00:00||89 million|
|20080328-000000-0||Fri Mar 28 13:00:01 2008||1:00:00||105 million|
|20080328-010000-0||Fri Mar 28 14:00:01 2008||1:00:00||102 million|
|20080328-020000-0||Fri Mar 28 15:00:01 2008||1:00:00||94 million|
|20080328-030000-0||Fri Mar 28 16:00:01 2008||1:00:00||69 million|
|20080328-040000-0||Fri Mar 28 17:00:01 2008||1:00:00||60 million|
|20080328-050000-0||Fri Mar 28 18:00:01 2008||1:00:00||51 million|
|20080328-060000-0||Fri Mar 28 19:00:01 2008||1:00:00||40 million|
|20080328-070000-0||Fri Mar 28 20:00:01 2008||1:00:00||38 million|
|20080328-080000-0||Fri Mar 28 21:00:01 2008||1:00:00||36 million|
|20080328-090000-0||Fri Mar 28 22:00:01 2008||1:00:00||27 million|
|20080328-100000-0||Fri Mar 28 23:00:01 2008||1:00:00||24 million|
|20080328-110000-0||Sat Mar 29 00:00:01 2008||1:00:00||21 million|
|20080328-120000-0||Sat Mar 29 01:00:01 2008||1:00:00||17 million|
|20080328-130000-0||Sat Mar 29 02:00:01 2008||1:00:00||22 million|
|20080328-140000-0||Sat Mar 29 03:00:01 2008||1:00:00||24 million|
|20080328-150000-0||Sat Mar 29 04:00:01 2008||1:00:00||18 million|
|20080328-160000-0||Sat Mar 29 05:00:01 2008||1:00:00||9 million|
|20080328-170000-0||Sat Mar 29 06:00:01 2008||1:00:00||10 million|
|20080328-180000-0||Sat Mar 29 07:00:01 2008||1:00:00||14 million|
|20080328-190000-0||Sat Mar 29 08:00:01 2008||1:00:00||14 million|
|20080328-200000-0||Sat Mar 29 09:00:01 2008||1:00:00||19 million|
|20080328-210000-0||Sat Mar 29 10:00:01 2008||1:00:00||30 million|
|20080328-220000-0||Sat Mar 29 11:00:01 2008||1:00:00||38 million|
|20080328-230000-0||Sat Mar 29 12:00:01 2008||1:00:00||41 million|
|20080329-000000-0||Sat Mar 29 13:00:01 2008||1:00:00||47 million|
|20080329-010000-0||Sat Mar 29 14:00:01 2008||1:00:00||48 million|
|20080329-020000-0||Sat Mar 29 15:00:01 2008||1:00:00||43 million|
|20080329-030000-0||Sat Mar 29 16:00:01 2008||1:00:00||44 million|
|20080329-040000-0||Sat Mar 29 17:00:01 2008||1:00:00||50 million|
|20080329-050000-0||Sat Mar 29 18:00:01 2008||1:00:00||37 million|
|20080329-060000-0||Sat Mar 29 19:00:01 2008||1:00:00||33 million|
|20080329-070000-0||Sat Mar 29 20:00:01 2008||1:00:00||36 million|
|20080329-080000-0||Sat Mar 29 21:00:01 2008||1:00:00||34 million|
|20080329-090000-0||Sat Mar 29 22:00:01 2008||0:40:31||24 million|