Trace Format
To preserve user privacy, we have sanitized the trace data using a modified version of Vern Paxson's sanitize scripts. The sanitize scripts strip packet contents and translate IP addresses into numbers positionally (i.e. the first IP address seen is translated into number 1, etc.) so that reverse translation is not possible. Our modification preserves the "address to number" mapping across trace files (i.e. IP address x is mapped to the same number n in all trace files). The directory sanitize contains these modified scripts.
We stored sanitized trace files in three directories:
- tcp: TCP packet information
- udp: UDP packet information
- other: information about packets that are not TCP, UDP or encapsulated IP (IP-IP) and that are not local packets (such as ARP)
Each of these directories contains traces divided into several files whose size is no larger than 6.2MB for easy download. Here is the form of trace data for different packet types:
TCP packets:
Packet_TIME IP_from IP_to PORT_from PORT_to LENGTH FLAG SEQ_from SEQ_to ACK WIN
or
Packet_TIME IP_from IP_to PORT_from PORT_to LENGTH A ACK WIN
where:
- Packet_TIME: the time when the packet was sent. The first packet in "file1" has time since the Epoch (00:00:00 UTC, January 1, 1970). Subsequent packets have the time relative to this packet.
- IP_from: the number masking the IP address of the packet source
- IP_to: the number masking the IP address of the packet destination
- PORT_from: the original source port
- PORT_to: the original destination port
- LENGTH: the length of the packet (without header) in bytes
- FLAG: the TCP flag (as defined in tcpdump)
- SEQ_from and SEQ_to: the sequence numbers of the first and last byte of packet data
- ACK: the sequence number acknowledged by the packet
- WIN: the window size
Packets whose flag is A are acknowledgment packets and thus have neither SEQ_from nor SEQ_to information.
UDP packets:
Packet_TIME IP_from IP_to PORT_from PORT_to U LENGTH
where:
- Packet_TIME: the time when the packet was sent. The first packet in "file1" has time since the Epoch (00:00:00 UTC, January 1, 1970). Subsequent packets have the time relative to this packet.
- IP_from: the number masking the IP address of the packet source
- IP_to: the number masking the IP address of the packet destination
- PORT_from: the original source port
- PORT_to: the original destination port
- LENGTH: the length of the packet (without header) in bytes
OTHER packets:
Packet_TIME IP_from IP_to
where:
- Packet_TIME: the time when the packet was sent. The first packet in "file1" has time since the Epoch (00:00:00 UTC, January 1, 1970). Subsequent packets have the time relative to this packet.
- IP_from: the number masking the IP address of the packet source
- IP_to: the number masking the IP address of the packet destination
- LENGTH: the length of the packet (without header) in bytes
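A parser for the record layouts above, as an added example that is not part of the original distribution. It assumes whitespace-separated fields, Packet_TIME as decimal seconds and decimal numeric fields; the names Packet, parse_line, parse_trace and the SAMPLE records are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Packet:
    kind: str                      # "tcp", "tcp-ack", "udp" or "other"
    time: float                    # seconds; absolute after parse_trace()
    src: int                       # sanitized address number, not a real IP
    dst: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    length: Optional[int] = None   # payload bytes, header excluded
    flag: Optional[str] = None
    seq: Optional[tuple] = None    # (SEQ_from, SEQ_to); absent on pure ACKs
    ack: Optional[int] = None
    win: Optional[int] = None

def parse_line(line: str) -> Packet:
    """Classify one record by field count and marker (assumed whitespace-separated)."""
    f = line.split()
    n = len(f)
    ok = n in (3, 11) or (n == 7 and f[5] == "U") or (n == 9 and f[6] == "A")
    if not ok:
        raise ValueError(f"unrecognized record: {line!r}")
    pkt = Packet("other", float(f[0]), int(f[1]), int(f[2]))
    if n == 3:
        return pkt
    pkt.sport, pkt.dport = int(f[3]), int(f[4])
    if n == 7:      # Packet_TIME IP_from IP_to PORT_from PORT_to U LENGTH
        pkt.kind, pkt.length = "udp", int(f[6])
    elif n == 9:    # ... LENGTH A ACK WIN
        pkt.kind, pkt.length, pkt.flag = "tcp-ack", int(f[5]), "A"
        pkt.ack, pkt.win = int(f[7]), int(f[8])
    else:           # ... LENGTH FLAG SEQ_from SEQ_to ACK WIN
        pkt.kind, pkt.length, pkt.flag = "tcp", int(f[5]), f[6]
        pkt.seq, pkt.ack, pkt.win = (int(f[7]), int(f[8])), int(f[9]), int(f[10])
    return pkt

def parse_trace(lines, t0: Optional[float] = None):
    """Return packets with absolute times; pass t0 (file1's first time) for later files."""
    out = []
    for line in filter(str.strip, lines):
        pkt = parse_line(line)
        if t0 is None:
            t0 = pkt.time        # first packet of file1: time since the Epoch
        else:
            pkt.time += t0       # later packets: offset from that first packet
        out.append(pkt)
    return out
SAMPLE = ["997000000.5 1 2 1025 80 0 S 100 100 0 8192",   # constructed records,
          "0.25 2 1 80 1025 0 A 101 8760", "0.5 3 4 53 1030 U 64", "1.0 5 6"]  # not real trace data
```

OTHER records are parsed as the three fields shown in the layout line. Records that match none of the layouts raise ValueError instead of being skipped silently.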
Some Generated Attack Traces
TRACE SET 1
TRACE SET 2
These traces were generated by running the tfn attack tool on our test machines, attacking another test machine. Simultaneously, some legitimate traffic may exist. Traces were recorded on the link between the router and the victim machine.
UCLA Computer Science Department Packet Traces
TRACE 1
TRACE 2
TRACE 3
TRACE 4
TRACE 5
TRACE 6
TRACE 7
TRACE 8
TRACE 9
TRACE 10
This distribution was obtained by the Network Research Lab and modified for public use by the Laboratory for Advanced Systems Research. It contains packet traces collected during August 2001 at the border router of the Computer Science Department, University of California Los Angeles.
For all questions and comments please contact Jelena Mirkovic at sunshine@cs.ucla.edu.