WITS: Auckland X
| Trace Format | ERF, captured using a DAG 4.3 card. |
| Volume on Disk | 869 GB |
| Number of Traces | 10 |
| Capture Start (Local) | Tue Oct 20 15:09:45 2009 |
| Capture End (Local) | Thu Oct 29 15:08:16 2009 |
| Total Duration | 8 Days, 23 Hours, 58 Minutes and 30 Seconds |
| Packets Captured | 35,965 million |
| Total Traffic | 26,447 GB |
| Contiguity | One trace was truncated very slightly for an unknown reason. |
| Snapping Method | Packets truncated four bytes after the end of the transport header, except for DNS which retains 12 bytes of payload. |
| Rotation Policy | Daily rotation at midnight UTC. |
| Anonymization | No anonymisation has been performed on these traces, hence they are unavailable for download. |
This is a contiguous packet header trace captured from a passive monitor located within the University of Auckland network. The traces were captured using a single DAG 4.3 card and the WDCap trace capture software. The version of WDCap used was version 3.1.1 and the Libtrace version was 3.0.6.
The passive monitor was located near the edge of the University network and captured all traffic that was coming into or exiting the University. However, internal traffic that did not pass near the edge would not have been observed at the capture point. The passive monitor performed all of the capture tasks itself, including packet truncation and writing the capture to disk.
Each trace file is named using the following format: yyyymmdd-HHMMSS-[code].gz. The time and date refer to the time in UTC when the first packet in the file was captured. The code refers to the event which caused the previous file to be closed and this new file to be created.
Codes of interest for this traceset are as follows:
- 0 - Rotation boundary was reached
Regular file rotation (code 0) occurred daily at midnight (UTC).
One of the trace files (20091024-000000-0) appeared to have been truncated slightly prematurely, meaning that at least one packet was not correctly written to disk. This means that the trace set is not entirely contiguous and there may be a small number of packets missing between the end of that trace and the start of the next one. We do not know what caused this, but have repaired the trace file to remove the partial packet that was written at the end of the trace file.
Packet records are truncated four bytes after the end of the transport header except in the case of DNS traffic, which is snapped twelve bytes after the end of the transport header. This means that many packets will contain a small amount of user payload - enough to perform some rudimentary layer 7 analysis without seriously threatening the privacy of the network users. ICMP packets are truncated after any IP and transport headers that may be present in the packet payload.
The IP addresses contained within the packets have not been anonymised. We hope to release an anonymised version of the trace set at some point in the future.
The recommended method for processing these traces is to use Libtrace, which we have developed. There are a number of tools included with libtrace such as a packet dumping utility, a trace format converter (for example, to convert to pcap), a trace splitting/filtering tool and a few statistic generators. We suggest you examine the Libtrace Wiki for more details on the Libtrace tools and the library itself.
| Name | Local Start Time | Duration | Total Packets | Compressed Size |
|---|---|---|---|---|
| 20091020-020945-0 | Tue Oct 20 15:09:45 2009 | 21:50:15 | 3,814 million | 94,786 MB |
| 20091021-000000-0 | Wed Oct 21 13:00:01 2009 | 24:00:00 | 4,464 million | 111,601 MB |
| 20091022-000000-0 | Thu Oct 22 13:00:01 2009 | 24:00:00 | 4,471 million | 112,229 MB |
| 20091023-000000-0 | Fri Oct 23 13:00:01 2009 | 24:00:00 | 3,589 million | 88,441 MB |
| 20091024-000000-0 | Sat Oct 24 13:00:01 2009 | 24:00:00 | 3,036 million | 71,630 MB |
| 20091025-000000-0 | Sun Oct 25 13:00:01 2009 | 24:00:00 | 3,327 million | 79,789 MB |
| 20091026-000000-0 | Mon Oct 26 13:00:01 2009 | 24:00:00 | 3,714 million | 92,045 MB |
| 20091027-000000-0 | Tue Oct 27 13:00:01 2009 | 24:00:00 | 4,495 million | 112,963 MB |
| 20091028-000000-0 | Wed Oct 28 13:00:01 2009 | 24:00:00 | 4,394 million | 109,552 MB |
| 20091029-000000-0 | Thu Oct 29 13:00:01 2009 | 2:08:15 | 656 million | 16,900 MB |

