WITS: Leipzig II

Trace Format Some traces are Legacy POS, others are ERF.
Volume on Disk 45 GB
Number of Traces 18
Capture Start (Local) Fri Feb 21 12:13:59 2003
Capture End (Local) Sat Feb 22 21:00:00 2003
Total Duration 1 Days, 8 Hours, 46 Minutes and 1 Seconds
Packets Captured 2,115 million
Total Traffic 907 GB
Contiguity Entirely contiguous
Snapping Method Fixed length capture: 64 bytes for Legacy POS traces, 54 bytes for ERF.
Rotation Policy Trace files were rotated on 6 hourly boundaries, based on the start of the day.
Anonymization IP addresses replaced using one-to-one mapping into 10.0.0.0/8 address space. Any payload beyond the transport header has been replaced with zeroes.
Download Link
Download Link (RIPE repository)

This is a continuous short capture taken from the University of Leipzig Internet access link. A pair of DAG 3 cards were used to monitor the OC3 Packet-over-Sonet connection to the German research network (G-WiN). Also, a DAG 4.2GE card was used to monitor the 1000BaseSX link to the central campus switch. A diagram of the capture configuration can be found here.

Each trace file is named using the following format: yyyymmdd-HHMMSS-[source].gz. The time and date refers to the local time when the capture was started. The source refers to the interface that was used to capture the traffic. A source of 0 or 1 indicates that the trace is a legacy POS trace. Each legacy POS trace only contains either incoming or outgoing traffic for the University; both traces must be combined to create a bidirectional trace. If the source is 'e', then the trace was captured via an Ethernet interface and is in the ERF format. The ERF traces are bidirectional.

All non-IP traffic has been discarded and only TCP, UDP and ICMP traffic is present in each trace. Any user payload within the capture record has been zeroed.

The IP addresses in the traces have been replaced using a one-to-one mapping into the 10.0.0.0/8 address space. Each anonymised address was assigned sequentially so the first real-world address observed is mapped to 10.0.0.1, the next new address is 10.0.0.2 and so on. The mapping database was preserved across the entire trace set.

The recommended method for processing these traces is to use Libtrace, which we have developed. There are a number of tools included with libtrace such as a packet dumping utility, a trace format converter (for example, to convert to pcap), a trace splitting/filtering tool and a few statistic generators. We suggest you examine the Libtrace Wiki for more details on the Libtrace tools and the library itself.

Acknowledgements: Some of the information presented on this page has been sourced from the NLANR page about this trace, which no longer exists.

Name Local Start Time Duration Total Packets Compressed Size
20030221-121359-0 Fri Feb 21 12:13:59 2003 2:46:01 68 million 1,399 MB
20030221-121359-1 Fri Feb 21 12:13:59 2003 2:46:01 60 million 1,181 MB
20030221-121359-e Fri Feb 21 12:13:59 2003 2:46:00 129 million 3,102 MB
20030221-150000-0 Fri Feb 21 15:00:00 2003 6:00:00 138 million 2,830 MB
20030221-150000-1 Fri Feb 21 15:00:00 2003 6:00:00 122 million 2,390 MB
20030221-150000-e Fri Feb 21 15:00:00 2003 6:00:00 261 million 6,299 MB
20030221-210000-0 Fri Feb 21 21:00:00 2003 6:00:00 96 million 1,928 MB
20030221-210000-1 Fri Feb 21 21:00:00 2003 6:00:00 85 million 1,660 MB
20030221-210000-e Fri Feb 21 21:00:00 2003 6:00:00 184 million 4,393 MB
20030222-030000-0 Sat Feb 22 03:00:00 2003 6:00:00 49 million 1,038 MB
20030222-030000-1 Sat Feb 22 03:00:00 2003 6:00:00 47 million 928 MB
20030222-030000-e Sat Feb 22 03:00:00 2003 6:00:00 97 million 2,376 MB
20030222-090000-0 Sat Feb 22 09:00:00 2003 6:00:00 88 million 1,808 MB
20030222-090000-1 Sat Feb 22 09:00:00 2003 6:00:00 80 million 1,564 MB
20030222-090000-e Sat Feb 22 09:00:00 2003 6:00:00 171 million 4,101 MB
20030222-150000-0 Sat Feb 22 15:00:00 2003 6:00:00 113 million 2,314 MB
20030222-150000-1 Sat Feb 22 15:00:00 2003 6:00:00 100 million 1,977 MB
20030222-150000-e Sat Feb 22 15:00:00 2003 6:00:00 217 million 5,204 MB