CRAWDAD umd/sigcomm2008
Source: ieee-dataport.org. Updated: 2009-03-25. Indexed: 2025-03-24.
Download link:
https://ieee-dataport.org/open-access/crawdad-umdsigcomm2008
Resource description:
We collected a trace of wireless network activity at SIGCOMM 2008. The subjects of the traced network chose to participate by joining the traced SSID. The release contains 3 types of anonymized traces: 802.11a, Ethernet and Syslog from the Access Point. We anonymized the trace data using a modified version (http://www.cs.umd.edu/projects/wifidelity/sigcomm08_traces/sigcomm08-tcpmkpub.tar.gz) of the tcpmkpub tool (http://www.icir.org/enterprise-tracing/tcpmkpub.html). The packet traces include anonymized DHCP and DNS headers.

last modified : 2009-03-25
release date : 2009-03-02
date/time of measurement start : 2008-08-17
date/time of measurement end : 2008-08-21

collection environment : We collected a trace of wireless network activity at SIGCOMM 2008. The subjects of the traced network chose to participate by joining the traced SSID. Our goal is to gather a detailed trace of network activity at SIGCOMM 2008 to improve 802.11 tracing techniques as part of the Wifidelity project and enable analysis of the behavior of a wireless LAN that is (presumably) heavily used.

network configuration : We used four BSSIDs on four channels with one NAT (Network Address Translation) router. To collect the traces, we deployed eight 802.11a monitors so 2 monitors are assigned to each channel. A Xirrus Wi-Fi Array (http://www.xirrus.com/products/arrays-80211abg.php) provided the traced 802.11a network (SSID:SIGCOMM-ONLY-Traced). The WiFi Array consisted of four BSSIDs that were broadcast on four 802.11a channels. After anonymization, the DHCP assigned IP addresses for clients are in the following subnets: 26.12.0.0/16 and 26.2.0.0/16.

data collection methodology : We recorded network protocol information from all wired and wireless packets sent on the wireless network of SSID:SIGCOMM-ONLY-Traced. Each packet includes physical layer information (in the Prism header) such as the wireless signal strength as well as the 802.11, IP, TCP, UDP, and ICMP headers, depending on the packet type. We did not record packet payloads above the transport layer except for DHCP and DNS payloads. However, we anonymized or deleted potentially sensitive information such as MAC and IP addresses, and DHCP and DNS headers.

sanitization : The user chose to participate in the trace by associating with the SIGCOMM-ONLY-Traced SSID. Otherwise, the users joined the "Untraced" SSID: SIGCOMM-ONLY-Untraced. The traces do not contain any data from the "Untraced" SSID. We anonymized the traces to protect the identity and activity of users who opted to be traced during SIGCOMM 2008.

- Filtering 802.11a traces
  Each packet in the wireless traces meets one or both of the following criteria:
  1. BSSID address matches the "traced" BSSID.
  2. Packet is a probe request for the "SIGCOMM-ONLY-Traced" SSID.
- Filtering Ethernet traces
  The AP was set up with a monitor VLAN for the "SIGCOMM-ONLY-Traced" network.
- Filtering Syslog traces
  The syslog trace only contains information about users associated with the "traced" network. The method to filter out syslog messages about "Untraced" users is as follows: Include all syslog messages while a client is associated to the "traced" network. The syslog messages indicate when a client associates to, and disassociates from, the "traced" network.

Traceset

umd/sigcomm2008/pcap
PCAP traceset of wireless network measurement in SIGCOMM 2008 conference.

file: sigcomm08_traces.tar.gz

description: We collected pcap traces of wireless network activity at SIGCOMM 2008. The subjects of the traced network chose to participate by joining the traced SSID.

measurement purpose: Network Diagnosis

methodology:
1. 802.11a
   During most of the conference approximately two 802.11a monitors were placed at the four corners of the main conference hall. We did not record the exact location of each monitor. However, we tried to capture each channel with two monitors placed at opposite corners of the room.
2. Ethernet
   Packets sent from the NAT to the AP and from the AP to the NAT were captured using an Ethernet trace collector attached to the packet dump port on the WiFi Array.

sanitization: The packets are anonymized using a modified version of the tcpmkpub tool. The tool is available from the download link of [sigcomm08-tcpmkpub.tar.gz]. Metadata about the trace anonymization is provided in the file tcpmkpub.log.export. In the description below, [new] indicates new functionality added to tcpmkpub, and [tcpmkpub] indicates the functionality of the original tcpmkpub tool, described in the following reference: R. Pang, M. Allman, V. Paxson, and J. Lee. The Devil and Packet Trace Anonymization. SIGCOMM Computer Communication Review, 2006. [Crypto-PAn] indicates the functionality of the original tcpmkpub tool, described in the following reference: Xu, J. Fan, M. H. Ammar, and S. B. Moon. Prefix-preserving IP address anonymization: measurement-based security evaluation and a new cryptography-based scheme. In Proceedings of the IEEE International Conference on Network Protocols (ICNP), pages 280–289, Nov. 2002.

1. Checksums (IP/UDP/TCP) [tcpmkpub]
   The anonymization code recomputes checksums. The anonymization meta-data (tcpmkpub.log.export) holds information about packets in the traces with bad checksums. Bad checksums are indicated in the anonymized traces by a 1 in the checksum field, or 2 if the checksum was 1. A UDP checksum of 0 is not changed.

2. Link Layer
   A. Ethernet [tcpmkpub]
      MAC Addresses:
      - The 3 high and low-order bytes are hashed separately.
      - The high-order 3 bytes are hashed to retain vendor information.
      - Addresses containing all 1's or all 0's are not changed.
      - The Multicast bit is retained.
   B. VLAN [new]
      The VLAN header did not need to be anonymized.
   C. 802.11 [new]
      - MAC addresses are anonymized using the same method as the Ethernet MAC addresses.
      - If the packet is fragmented (fragment bit == 1 or fragment # > 0), skip the rest of the packet.

3. Network Layer
   A. IP [tcpmkpub]
      - External addresses hashed using prefix preserving scheme [Crypto-PAn].
      - Internal addresses are hashed to a prefix unused by the external addresses, and the subnet and host portions of the address are transformed.
      - Multicast addresses are not anonymized.
      - The [tcpmkpub] paper recommends removing packets from network scanners. We did not determine this was a threat to our network as the identity tied to a local address was dynamic.
   B. ARP [tcpmkpub]
      - If the ARP packet contains a partial IP packet, use the IP anonymization above.
      - IP addresses anonymized using the IP anonymization procedure above.

4. Transport Layer
   A. TCP [tcpmkpub]
      - The TCP timestamp options are transformed into separate monotonically increasing counters with no relationship to time for each IP address in the anonymized trace.
      - If timestamp is 0 do not modify it.
      - Replace timestamp with a unique number incremented in the order of the trace.
   B. UDP [tcpmkpub]
      Recompute checksum according to checksum policy above.

5. Application Layer
   A. DNS [new]
      - Anonymize DNS labels individually by taking the Keyed-HMAC of the label.
      - Keep the low-order 8 bytes of the hash digest as the label.
      - Convert the digest to ASCII by converting to hex.
      - Store the new length of the DNS packet in the following fields: [IP/UDP/DNS, PCAP Captured, PCAP On Wire].
      - Anonymize any type 'A' resource record data using the IP anonymization scheme above.
      DNS packets may be cut off because of the snaplen at capture.
   B. DHCP [new]
      - Client IP address is anonymized.
      - Client hardware address is anonymized.
      - Your IP address (yiaddr) is anonymized.
      The rest of the DHCP packets were cut off by the snaplen at capture.

umd/sigcomm2008/pcap Traces

802.11a: PCAP traces of wireless network measurement collected from the wireless side in SIGCOMM 2008 conference.
configuration: During most of the conference approximately two 802.11a monitors were placed at the four corners of the main conference hall. We did not record the exact location of each monitor. However, we tried to capture each channel with two monitors placed at opposite corners of the room. The network topology is configured as follows:
  Users: 26.12.*.* 26.2.*.*
  Network Management: 26.6.*.*
format: sigcomm08_wl_(monitor #)_(first packet time)_(last packet time)_(bssid)_(channel).pcap

Ethernet: PCAP traces of wireless network measurement collected from the Ethernet side in the SIGCOMM 2008 conference.
configuration: Packets sent from the NAT to the AP and from the AP to the NAT were captured using an Ethernet trace collector attached to the packet dump port on the WiFi Array. The network topology is configured as follows:
  Users: 26.12.*.* 26.2.*.*
  Network Management: 26.6.*.*
format: sigcomm08_eth_(first packet time)_(last packet time).pcap

anonymization_log: The anonymization log of wireless network traces in the SIGCOMM 2008 conference.
configuration: tcpmkpub anonymization log for the traces 'umd/sigcomm2008/pcap/802.11a' and 'umd/sigcomm2008/pcap/Ethernet', and md5 checksums for the trace files.
format: The anonymization log file name is 'tcpmkpub.log.export'.

umd/sigcomm2008/syslog
Syslog traceset of wireless network measurement in the SIGCOMM 2008 conference.

file: sigcomm08_syslog.tar.gz

description: We collected syslog traces of wireless network activity at SIGCOMM 2008. The subjects of the traced network chose to participate by joining the traced SSID.

measurement purpose: Network Diagnosis

methodology: A tracing box connected to the Array's management port collected syslog traces. Unfortunately, after the conference we noticed that these traces were corrupted. However, we were able to salvage one of the syslog traces because we collected it with the Ethernet tracing box.

sanitization: macmkpub, a MAC address anonymizer based on the tcpmkpub anonymization code, anonymized the MAC addresses in the syslog traces. Metadata about the trace anonymization is provided in the file 'tcpmkpub.log.export'.

umd/sigcomm2008/syslog Traces

Ethernet: Syslog traces of wireless network measurement in the SIGCOMM 2008 conference.
configuration: We collected syslog traces with the Ethernet tracing box. The network topology is configured as follows:
  Users: 26.12.*.* 26.2.*.*
  Network Management: 26.6.*.*
format: sigcomm08_syslog_(first log time)_(last log time)
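
The DNS step of the pcap sanitization above (5.A), as an added example rather than code from the modified tcpmkpub: each label of a wire-format name is replaced by the hex of 8 bytes of a keyed HMAC, which changes the name's length and is why the IP/UDP/DNS and pcap length fields have to be rewritten. HMAC-SHA256, the demo key, reading "low-order 8 bytes" as the last 8 digest bytes, and all function names are assumptions; the page does not name the hash.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; the key used for the release is not on the page


def anonymize_label(label: bytes, key: bytes = KEY) -> bytes:
    """Keyed HMAC of one label, keep 8 digest bytes, hex-encode (16 ASCII chars)."""
    digest = hmac.new(key, label, hashlib.sha256).digest()  # hash choice is an assumption
    return digest[-8:].hex().encode("ascii")  # "low-order 8 bytes" read as the last 8


def anonymize_qname(wire: bytes, offset: int = 0, key: bytes = KEY):
    """Rewrite the name at `offset`; return (new_name_bytes, old_name_length)."""
    out, pos = bytearray(), offset
    while True:
        if pos >= len(wire):
            raise ValueError("name truncated by snaplen")
        length = wire[pos]
        if length == 0:  # root label ends the name
            out.append(0)
            return bytes(out), pos + 1 - offset
        if (length & 0xC0) == 0xC0:
            # Compression pointer: copied unchanged here. A full rewriter must
            # also fix pointer offsets, since earlier names change length.
            if pos + 2 > len(wire):
                raise ValueError("pointer truncated by snaplen")
            return bytes(out + wire[pos:pos + 2]), pos + 2 - offset
        if length > 63:
            raise ValueError("reserved label type")
        label = wire[pos + 1:pos + 1 + length]
        if len(label) < length:
            raise ValueError("label truncated by snaplen")
        anon = anonymize_label(label, key)
        out += bytes([len(anon)]) + anon
        pos += 1 + length


def encode_name(name: str) -> bytes:
    """Helper for constructed samples: dotted name -> DNS wire format."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"


def length_delta(name: str) -> int:
    """Bytes added to the packet by anonymizing this one name."""
    new, old_len = anonymize_qname(encode_name(name))
    return len(new) - old_len
```

Because labels are hashed individually with one key, two names under the same parent domain still share their anonymized suffix, so per-domain analysis works on the released traces while the original labels stay hidden as long as the key does.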
Provider:
ieee-dataport.org



