Trace Format

In order to preserve user privacy, we have sanitized the trace data using a modified version of Vern Paxson's sanitize scripts. The sanitize scripts strip packet contents and translate IP addresses into numbers positionally (i.e., the first IP address seen is translated into number 1, and so on), so that reverse translation is not possible. The modification we added preserves the "address to number" mapping across trace files (i.e., IP address x is mapped to the same number n in all trace files). The directory sanitize contains these modified scripts.

We stored sanitized trace files in three directories:

Each of these directories contains traces divided into several files whose size is no larger than 6.2MB for easy download. Here is the form of trace data for different packet types:

TCP packets:

Packet_TIME IP_from IP_to PORT_from PORT_to LENGTH FLAG SEQ_from SEQ_to ACK WIN

or

Packet_TIME IP_from IP_to PORT_from PORT_to LENGTH A ACK WIN

where:

Packets whose flag is A are acknowledgment packets and thus have neither SEQ_from nor SEQ_to information.

UDP packets:

Packet_TIME IP_from IP_to PORT_from PORT_to U LENGTH

where:

OTHER packets:

Packet_TIME IP_from IP_to

where:
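Added example, not part of the original distribution: a minimal Python reader for the three line layouts shown above, which counts packets per destination number and packet type and reports lines that fit no layout. It assumes fields are whitespace-separated and that the literal A and U markers sit in the positions shown; values are kept as strings because the field definitions are not given here, and the function names and sample lines are constructed for illustration.

```python
from collections import Counter

# Field names copied from the line layouts on this page.
HEAD = ["time", "ip_from", "ip_to", "port_from", "port_to"]
LAYOUTS = {
    "tcp": HEAD + ["length", "flag", "seq_from", "seq_to", "ack", "win"],
    "tcp_ack": HEAD + ["length", "flag", "ack", "win"],
    "udp": HEAD + ["marker", "length"],
    "other": HEAD[:3],
}

def parse_line(line):
    """Return a dict for one trace line, or None if it fits no layout."""
    f = line.split()  # assumption: whitespace-separated fields
    if len(f) == 11:
        kind = "tcp"
    elif len(f) == 9 and f[6] == "A":
        kind = "tcp_ack"
    elif len(f) == 7 and f[5] == "U":
        kind = "udp"
    elif len(f) == 3:
        kind = "other"
    else:
        return None
    # Values stay strings: the page does not define field types.
    return dict(zip(LAYOUTS[kind], f), kind=kind)

def summarize(lines):
    """Count packets per (ip_to, kind) plus lines that fit no layout."""
    counts, rejected = Counter(), 0
    for line in filter(str.strip, lines):  # skip blank lines
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            counts[(rec["ip_to"], rec["kind"])] += 1
    return counts, rejected

# Constructed sample lines, not taken from the published traces.
SAMPLE = [
    "997382418.10 1 2 1045 80 0 S 100 100 0 8192",
    "997382418.11 2 1 80 1045 0 A 101 8760",
    "997382418.12 3 2 2001 53 U 48",
    "997382418.13 4 2",
    "997382418.14 5 2 bogus",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because the sanitized address numbers are stable across trace files, counts from several files can be added together per destination number.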

Some Generated Attack Traces

TRACE SET 1

TRACE SET 2

These traces were generated by running the tfn attack tool on our test machines, attacking another test machine. Simultaneously, some legitimate traffic may exist. Traces were recorded on the link between the router and the victim machine.

UCLA Computer Science Department Packet Traces

TRACE 1

TRACE 2

TRACE 3

TRACE 4

TRACE 5

TRACE 6

TRACE 7

TRACE 8

TRACE 9

TRACE 10

This distribution was obtained by the Network Research Lab and modified for public use by the Laboratory for Advanced Systems Research. It contains packet traces collected during August 2001 at the border router of the Computer Science Department, University of California Los Angeles.

For all questions and comments please contact Jelena Mirkovic at sunshine@cs.ucla.edu.