WITS: Wireless I

Trace Format PCAP, captured using tcpdump.
Volume on Disk 871 MB
Number of Traces 1
Capture Start (Local) Fri Mar 7 22:52:16 2008
Capture End (Local) Sun Mar 9 13:28:50 2008
Total Duration 1 Days, 14 Hours, 36 Minutes and 34 Seconds
Packets Captured 38 million
Total Traffic 6 GB
Contiguity A passive wireless trace, so there will likely be gaps where packets were not received.
Snapping Method Full packets (no snapping), but with user payload replaced with zeros.
Rotation Policy N/A
Anonymization IP addresses anonymised using Crypto-Pan AES encryption, user payloads replaced with zeros.

This is a 38 hour passive wireless trace captured at a busy site on CRCnet. The trace was captured using a Soekris net5501 single-board computer using an Atheros 5212 IEEE 802.11bg wireless NIC connected to a 10 dBi omni-directional antenna. The trace was captured using MadWiFi version 0.9.4, tcpdump 3.8.3 and libpcap 0.8.3.

The capture point was situated next to a busy site on CRCnet which houses an AP and is the end point of several point-to-point links. The MadWiFi driver was set to monitor mode and was set to capture all frames, including those which failed their IEEE 802.11 frame check sequence. Due to the nature of passive wireless capture, there may be gaps in the trace where packets were not received by the capture point but were received by the intended receiver. Additionally, frames may be truncated or received off-channel.

Each packet in the trace is pre-pended with a Radiotap wireless monitoring header which includes information such as signal, noise and bitrate. The IEEE 802.11 MAC header is also captured, followed by the entire packet payload (IP, TCP, etc). The final four bytes of each packet make up the IEEE 802.11 Frame Check Sequence (FCS) field.

Anonymisation of this trace is as follows: For frames that failed their FCS, all data past the length of a standard 802.11 3-address data header is zeroed, but the final four bytes are left as is. Note that for frames that failed their FCS, these bytes may be four contiguous bytes from the user payload due to truncation.

For frames that passed their FCS, non-data 802.11 frames (control and management) are left as-is. Data frames are anonymised by zeroing all user payload after the IP, ICMP, TCP or UDP headers. The final four bytes are left intact and represent the IEEE 802.11 Frame Check Sequence field. Additionally, IP addresses are anonymised using Crypto-Pan AES encryption, which is a prefix-preserving anonymisation method.

The recommended method for processing these traces is to use Libtrace, which we have developed. There are a number of tools included with libtrace such as a packet dumping utility, a trace format converter (for example, to convert to pcap), a trace splitting/filtering tool and a few statistic generators. We suggest you examine the Libtrace Wiki for more details on the Libtrace tools and the library itself.

Name Local Start Time Duration Total Packets Compressed Size
wireless-i Fri Mar 7 22:52:16 2008 38:36:34 38 million 871 MB