WITS: Local ISP B-II

Trace Format ERF, captured using a DAG 3
Volume on Disk 364 GB
Number of Traces 108
Capture Start (Local) Thu Jun 9 16:53:50 2005
Capture End (Local) Fri Jun 10 19:45:00 2005
Total Duration 1 Days, 2 Hours, 51 Minutes and 11 Seconds
Packets Captured 8,149 million
Total Traffic 3,282 GB
Contiguity Totally contiguous
Snapping Method Packets truncated eight bytes after the end of the transport header, except for DNS.
Rotation Policy File is rotated every 15 minutes, based on the start of the hour
Anonymization None

This is a continuous packet header trace captured at a New Zealand ISP. Due to NDA requirements, we cannot disclose the name of the ISP, nor can we offer these traces for public download. The traces were captured using a single DAG 3 card and the WDCap trace capture software. The version of WDCap used was version 2.0.0 and the Libtrace version was 2.0.17.

The capture point was connected to a SPAN port on a switch that carried some, but not all, of the ISP's traffic. All the traffic that passed through that switch was captured. The location of the capture point allowed us to capture both incoming and outgoing traffic for a subset of customers. This means that bidirectional flow analysis is possible with these traces. Unlike the Waikato tracesets that were also captured using WDCap, packets were captured and written to disk using a single WDCap process - there was no network export involved.

Each trace file is named using the following format: yyyymmdd-HHMMSS-[code].gz. The time and date refers to the time in UTC when the first packet in the file was captured. The code refers to the event which caused the previous file to be closed and this new file to be created.

Codes of interest for this traceset are as follows:

  • 0 - Rotation boundary was reached

Regular file rotation (code 0) occurs 4 times every hour, starting at the beginning of the hour. All traces, aside from the very first and possibly the very last, are 15 minutes in length. The entire traceset is contiguous - there are no gaps in the capture whatsoever.

Packet records are truncated eight bytes after the end of the transport header except in the case of DNS traffic, which is snapped sixteen bytes after the end of the transport header. This means that many packets will contain a small amount of user payload - enough to perform some rudimentary layer 7 analysis without seriously threatening the privacy of the network users. ICMP packets which are truncated four bytes after any IP and transport headers that may be present in the packet payload. The snap lengths are four bytes more than those used in other tracesets captured using WDCap 2. This is because the version of WDCap used in this capture had a bug that was adding an extra four bytes to the snap length.

The recommended method for processing these traces is to use Libtrace, which we have developed. There are a number of tools included with libtrace such as a packet dumping utility, a trace format converter (for example, to convert to pcap), a trace splitting/filtering tool and a few statistic generators. We suggest you examine the Libtrace Wiki for more details on the Libtrace tools and the library itself.

Name Local Start Time Duration Total Packets Compressed Size
20050609-045350-0 Thu Jun 9 16:53:50 2005 0:06:11 35 million 1,630 MB
20050609-050000-0 Thu Jun 9 17:00:00 2005 0:15:00 86 million 3,957 MB
20050609-051500-0 Thu Jun 9 17:15:00 2005 0:15:00 87 million 4,003 MB
20050609-053000-0 Thu Jun 9 17:30:00 2005 0:15:00 87 million 3,972 MB
20050609-054500-0 Thu Jun 9 17:45:00 2005 0:15:00 86 million 3,935 MB
20050609-060000-0 Thu Jun 9 18:00:00 2005 0:15:00 85 million 3,922 MB
20050609-061500-0 Thu Jun 9 18:15:00 2005 0:15:00 86 million 3,980 MB
20050609-063000-0 Thu Jun 9 18:30:00 2005 0:15:00 88 million 4,038 MB
20050609-064500-0 Thu Jun 9 18:45:00 2005 0:15:00 88 million 4,034 MB
20050609-070000-0 Thu Jun 9 19:00:00 2005 0:15:00 89 million 4,106 MB
20050609-071500-0 Thu Jun 9 19:15:00 2005 0:15:00 92 million 4,243 MB
20050609-073000-0 Thu Jun 9 19:30:00 2005 0:15:00 93 million 4,277 MB
20050609-074500-0 Thu Jun 9 19:45:00 2005 0:15:00 94 million 4,312 MB
20050609-080000-0 Thu Jun 9 20:00:00 2005 0:15:00 95 million 4,362 MB
20050609-081500-0 Thu Jun 9 20:15:00 2005 0:15:00 95 million 4,351 MB
20050609-083000-0 Thu Jun 9 20:30:00 2005 0:15:00 94 million 4,305 MB
20050609-084500-0 Thu Jun 9 20:45:00 2005 0:15:00 94 million 4,318 MB
20050609-090000-0 Thu Jun 9 21:00:00 2005 0:15:00 94 million 4,324 MB
20050609-091500-0 Thu Jun 9 21:15:00 2005 0:15:00 94 million 4,320 MB
20050609-093000-0 Thu Jun 9 21:30:00 2005 0:15:00 93 million 4,296 MB
20050609-094500-0 Thu Jun 9 21:45:00 2005 0:15:00 91 million 4,194 MB
20050609-100000-0 Thu Jun 9 22:00:00 2005 0:15:00 90 million 4,131 MB
20050609-101500-0 Thu Jun 9 22:15:00 2005 0:15:00 88 million 4,073 MB
20050609-103000-0 Thu Jun 9 22:30:00 2005 0:15:00 87 million 4,018 MB
20050609-104500-0 Thu Jun 9 22:45:00 2005 0:15:00 85 million 3,928 MB
20050609-110000-0 Thu Jun 9 23:00:00 2005 0:15:00 83 million 3,855 MB
20050609-111500-0 Thu Jun 9 23:15:00 2005 0:15:00 81 million 3,753 MB
20050609-113000-0 Thu Jun 9 23:30:00 2005 0:15:00 79 million 3,683 MB
20050609-114500-0 Thu Jun 9 23:45:00 2005 0:15:00 78 million 3,624 MB
20050609-120000-0 Fri Jun 10 00:00:00 2005 0:15:00 77 million 3,567 MB
20050609-121500-0 Fri Jun 10 00:15:00 2005 0:15:00 75 million 3,463 MB
20050609-123000-0 Fri Jun 10 00:30:00 2005 0:15:00 71 million 3,315 MB
20050609-124500-0 Fri Jun 10 00:45:00 2005 0:15:00 71 million 3,276 MB
20050609-130000-0 Fri Jun 10 01:00:00 2005 0:15:00 69 million 3,202 MB
20050609-131500-0 Fri Jun 10 01:15:00 2005 0:15:00 68 million 3,175 MB
20050609-133000-0 Fri Jun 10 01:30:00 2005 0:15:00 67 million 3,112 MB
20050609-134500-0 Fri Jun 10 01:45:00 2005 0:15:00 66 million 3,072 MB
20050609-140000-0 Fri Jun 10 02:00:00 2005 0:15:00 66 million 3,065 MB
20050609-141500-0 Fri Jun 10 02:15:00 2005 0:15:00 64 million 2,972 MB
20050609-143000-0 Fri Jun 10 02:30:00 2005 0:15:00 62 million 2,891 MB
20050609-144500-0 Fri Jun 10 02:45:00 2005 0:15:00 62 million 2,882 MB
20050609-150000-0 Fri Jun 10 03:00:00 2005 0:15:00 61 million 2,834 MB
20050609-151500-0 Fri Jun 10 03:15:00 2005 0:15:00 60 million 2,773 MB
20050609-153000-0 Fri Jun 10 03:30:00 2005 0:15:00 59 million 2,766 MB
20050609-154500-0 Fri Jun 10 03:45:00 2005 0:15:00 59 million 2,739 MB
20050609-160000-0 Fri Jun 10 04:00:00 2005 0:15:00 58 million 2,681 MB
20050609-161500-0 Fri Jun 10 04:15:00 2005 0:15:00 56 million 2,625 MB
20050609-163000-0 Fri Jun 10 04:30:00 2005 0:15:00 56 million 2,618 MB
20050609-164500-0 Fri Jun 10 04:45:00 2005 0:15:00 55 million 2,591 MB
20050609-170000-0 Fri Jun 10 05:00:00 2005 0:15:00 55 million 2,560 MB
20050609-171500-0 Fri Jun 10 05:15:00 2005 0:15:00 55 million 2,574 MB
20050609-173000-0 Fri Jun 10 05:30:00 2005 0:15:00 55 million 2,567 MB
20050609-174500-0 Fri Jun 10 05:45:00 2005 0:15:00 55 million 2,575 MB
20050609-180000-0 Fri Jun 10 06:00:00 2005 0:15:00 56 million 2,610 MB
20050609-181500-0 Fri Jun 10 06:15:00 2005 0:15:00 55 million 2,566 MB
20050609-183000-0 Fri Jun 10 06:30:00 2005 0:15:00 55 million 2,552 MB
20050609-184500-0 Fri Jun 10 06:45:00 2005 0:15:00 55 million 2,581 MB
20050609-190000-0 Fri Jun 10 07:00:00 2005 0:15:00 56 million 2,604 MB
20050609-191500-0 Fri Jun 10 07:15:00 2005 0:15:00 57 million 2,671 MB
20050609-193000-0 Fri Jun 10 07:30:00 2005 0:15:00 59 million 2,726 MB
20050609-194500-0 Fri Jun 10 07:45:00 2005 0:15:00 60 million 2,807 MB
20050609-200000-0 Fri Jun 10 08:00:00 2005 0:15:00 62 million 2,864 MB
20050609-201500-0 Fri Jun 10 08:15:00 2005 0:15:00 62 million 2,884 MB
20050609-203000-0 Fri Jun 10 08:30:00 2005 0:15:00 63 million 2,928 MB
20050609-204500-0 Fri Jun 10 08:45:00 2005 0:15:00 65 million 3,002 MB
20050609-210000-0 Fri Jun 10 09:00:00 2005 0:15:00 67 million 3,115 MB
20050609-211500-0 Fri Jun 10 09:15:00 2005 0:15:00 69 million 3,192 MB
20050609-213000-0 Fri Jun 10 09:30:00 2005 0:15:00 71 million 3,263 MB
20050609-214500-0 Fri Jun 10 09:45:00 2005 0:15:00 72 million 3,299 MB
20050609-220000-0 Fri Jun 10 10:00:00 2005 0:15:00 72 million 3,304 MB
20050609-221500-0 Fri Jun 10 10:15:00 2005 0:15:00 72 million 3,313 MB
20050609-223000-0 Fri Jun 10 10:30:00 2005 0:15:00 72 million 3,295 MB
20050609-224500-0 Fri Jun 10 10:45:00 2005 0:15:00 72 million 3,296 MB
20050609-230000-0 Fri Jun 10 11:00:00 2005 0:15:00 72 million 3,318 MB
20050609-231500-0 Fri Jun 10 11:15:00 2005 0:15:00 74 million 3,426 MB
20050609-233000-0 Fri Jun 10 11:30:00 2005 0:15:00 74 million 3,409 MB
20050609-234500-0 Fri Jun 10 11:45:00 2005 0:15:00 75 million 3,481 MB
20050610-000000-0 Fri Jun 10 12:00:00 2005 0:15:00 75 million 2,253 MB
20050610-001500-0 Fri Jun 10 12:15:00 2005 0:15:00 75 million 3,464 MB
20050610-003000-0 Fri Jun 10 12:30:00 2005 0:15:00 75 million 3,475 MB
20050610-004500-0 Fri Jun 10 12:45:00 2005 0:15:00 75 million 3,485 MB
20050610-010000-0 Fri Jun 10 13:00:00 2005 0:15:00 76 million 3,518 MB
20050610-011500-0 Fri Jun 10 13:15:00 2005 0:15:00 76 million 3,496 MB
20050610-013000-0 Fri Jun 10 13:30:00 2005 0:15:00 76 million 3,517 MB
20050610-014500-0 Fri Jun 10 13:45:00 2005 0:15:00 77 million 3,557 MB
20050610-020000-0 Fri Jun 10 14:00:00 2005 0:15:00 78 million 3,587 MB
20050610-021500-0 Fri Jun 10 14:15:00 2005 0:15:00 78 million 3,578 MB
20050610-023000-0 Fri Jun 10 14:30:00 2005 0:15:00 78 million 3,600 MB
20050610-024500-0 Fri Jun 10 14:45:00 2005 0:15:00 79 million 3,648 MB
20050610-030000-0 Fri Jun 10 15:00:00 2005 0:15:00 79 million 3,629 MB
20050610-031500-0 Fri Jun 10 15:15:00 2005 0:15:00 78 million 3,607 MB
20050610-033000-0 Fri Jun 10 15:30:00 2005 0:15:00 80 million 3,675 MB
20050610-034500-0 Fri Jun 10 15:45:00 2005 0:15:00 83 million 3,812 MB
20050610-040000-0 Fri Jun 10 16:00:00 2005 0:15:00 84 million 3,864 MB
20050610-041500-0 Fri Jun 10 16:15:00 2005 0:15:00 85 million 3,923 MB
20050610-043000-0 Fri Jun 10 16:30:00 2005 0:15:00 86 million 3,963 MB
20050610-044500-0 Fri Jun 10 16:45:00 2005 0:15:00 87 million 3,977 MB
20050610-050000-0 Fri Jun 10 17:00:00 2005 0:15:00 85 million 3,931 MB
20050610-051500-0 Fri Jun 10 17:15:00 2005 0:15:00 84 million 3,871 MB
20050610-053000-0 Fri Jun 10 17:30:00 2005 0:15:00 84 million 3,858 MB
20050610-054500-0 Fri Jun 10 17:45:00 2005 0:15:00 85 million 3,918 MB
20050610-060000-0 Fri Jun 10 18:00:00 2005 0:15:00 84 million 3,888 MB
20050610-061500-0 Fri Jun 10 18:15:00 2005 0:15:00 84 million 3,898 MB
20050610-063000-0 Fri Jun 10 18:30:00 2005 0:15:00 84 million 3,873 MB
20050610-064500-0 Fri Jun 10 18:45:00 2005 0:15:00 84 million 3,888 MB
20050610-070000-0 Fri Jun 10 19:00:00 2005 0:15:00 84 million 3,911 MB
20050610-071500-0 Fri Jun 10 19:15:00 2005 0:15:00 84 million 3,870 MB
20050610-073000-0 Fri Jun 10 19:30:00 2005 0:15:00 85 million 3,924 MB