umd/sigcomm2008
20090302 57 20090302 2009-03-25
umd/sigcomm2008
Dataset of wireless network measurement in the SIGCOMM 2008 conference.

We collected a trace of wireless network activity at SIGCOMM 2008.
The subjects of the traced network chose to participate by joining
the traced SSID.
The release contains 3 types of anonymized traces: 802.11a, Ethernet
and Syslog from the Access Point. We anonymized the trace data using
a modified version
(http://www.cs.umd.edu/projects/wifidelity/sigcomm08_traces/sigcomm08-tcpmkpub.tar.gz)
of the tcpmkpub tool (http://www.icir.org/enterprise-tracing/tcpmkpub.html).
The packet traces include anonymized DHCP and DNS headers.

the initial version
2009-03-02 2008-08-17 2008-08-21
README
The SIGCOMM 2008 Traces Website
SIGCOMM 2008 Tracing Handout
161 162 163
http://www.cs.umd.edu/projects/wifidelity/sigcomm08_traces/
http://www.crawdad.org/wiki/pmwiki.php?n=Main.Dataset.umd-sigcomm2008
802.11, 802.11 frames, 802.11a, packet trace, syslog, tcpdump
Network Diagnosis
802.11 infrastructure

We collected a trace of wireless network activity at SIGCOMM 2008.
The subjects of the traced network chose to participate by joining
the traced SSID.
Our goal is to gather a detailed trace of network activity at SIGCOMM
2008 to improve 802.11 tracing techniques as part of the Wifidelity
project and enable analysis of the behavior of a wireless LAN that is
(presumably) heavily used.

We used four BSSIDs on four channels with one NAT (Network Address Translation) router.
To collect the traces, we deployed eight 802.11a monitors so that two monitors
were assigned to each channel.
A Xirrus Wi-Fi Array (http://www.xirrus.com/products/arrays-80211abg.php)
provided the traced 802.11a network (SSID:SIGCOMM-ONLY-Traced). The WiFi Array
consisted of four BSSIDs that were broadcast on four 802.11a channels.
After anonymization, the DHCP-assigned IP addresses for clients are
in the following subnets: 26.12.0.0/16 and 26.2.0.0/16.

We recorded network protocol information from all wired and wireless packets
sent on the wireless network of SSID:SIGCOMM-ONLY-Traced.
Each packet includes physical layer information (in the Prism header)
such as the wireless signal strength as well as the 802.11, IP, TCP, UDP, and
ICMP headers, depending on the packet type.
We did not record packet payloads above the transport layer except for DHCP and
DNS payloads. However, we anonymized or deleted potentially sensitive information
such as MAC and IP addresses, and DHCP and DNS headers.

Users chose to participate in the trace by associating with the
SIGCOMM-ONLY-Traced SSID. Otherwise, users joined the "Untraced"
SSID: SIGCOMM-ONLY-Untraced. The traces do not contain any data from
the "Untraced" SSID.
We anonymized the traces to protect the identity and activity of users who opted
to be traced during SIGCOMM 2008.
- Filtering 802.11a traces
Each packet in the wireless traces meets one or both of the following criteria:
1. BSSID address matches the "traced" BSSID.
2. Packet is a probe request for the "SIGCOMM-ONLY-Traced" SSID.
- Filtering Ethernet traces
The AP was set up with a monitor VLAN for the "SIGCOMM-ONLY-Traced" network.
- Filtering Syslog traces
The syslog trace only contains information about users associated with
the "traced" network. The method to filter out syslog messages about "Untraced"
users is as follows:
Include all syslog messages while a client is associated to the "traced" network.
The syslog messages indicate when a client associates to, and disassociates
from the "traced" network.

/download/umd/sigcomm2008/sigcomm08_traces.tar.gz
/download/umd/sigcomm2008/sigcomm08-tcpmkpub.tar.gz

85 20090302 2009-03-25
the initial version.
umd/sigcomm2008/pcap
PCAP traceset of wireless network measurement in SIGCOMM 2008 conference.

We collected pcap traces of wireless network activity at SIGCOMM 2008.
The subjects of the traced network chose to participate by joining the traced SSID.

2009-03-02 2008-08-17 2008-08-21
Network Diagnosis

1. 802.11a
During most of the conference approximately two 802.11a monitors were placed
at the four corners of the main conference hall. We did not record the exact
location of each monitor. However, we tried to capture each channel with two
monitors placed at opposite corners of the room.
2. Ethernet
Packets sent from the NAT to the AP and from the AP to the NAT were captured
using an Ethernet trace collector attached to the packet dump port on the WiFi Array.

The packets are anonymized using a modified version of the tcpmkpub tool.
The tool is available from the download link of [sigcomm08-tcpmkpub.tar.gz].
Metadata about the trace anonymization is provided in the file tcpmkpub.log.export.
In the description below, [new] indicates new functionality added to tcpmkpub, and
[tcpmkpub] indicates the functionality of the original tcpmkpub tool, described in
the following reference:
R. Pang, M. Allman, V. Paxson, and J. Lee. The Devil and Packet Trace Anonymization.
SIGCOMM Computer Communication Review, 2006.
[Crypto-PAn] indicates the prefix-preserving IP address anonymization scheme used by
the original tcpmkpub tool, described in the following reference:
J. Xu, J. Fan, M. H. Ammar, and S. B. Moon. Prefix-preserving IP address anonymization:
measurement-based security evaluation and a new cryptography-based scheme. In Proceedings of
the IEEE International Conference on Network Protocols (ICNP), pages 280–289, Nov. 2002.
1. Checksums (IP/UDP/TCP) [tcpmkpub]
The anonymization code recomputes checksums. The anonymization meta-data
(tcpmkpub.log.export) holds information about packets in the traces with
bad checksums. Bad checksums are indicated in the anonymized traces by a 1
in the checksum field, or 2 if the checksum was 1. A UDP checksum of 0 is not changed.
2. Link Layer
A. Ethernet [tcpmkpub]
MAC Addresses:
- The 3 high and low-order bytes are hashed separately.
- The high-order 3 bytes are hashed to retain vendor information.
- Addresses containing all 1's or all 0's are not changed.
- The Multicast bit is retained.
B. VLAN [new]
The VLAN header did not need to be anonymized.
C. 802.11 [new]
- MAC addresses are anonymized using the same method as the Ethernet MAC addresses.
- If the packet is fragmented (fragment bit == 1 or fragment # > 0), skip the rest of the packet.
3. Network Layer
A. IP [tcpmkpub]
- External addresses hashed using prefix preserving scheme [Crypto-PAn].
- Internal addresses are hashed to a prefix unused by the external addresses, and
the subnet and host portions of the address are transformed.
- Multicast addresses are not anonymized.
- The [tcpmkpub] paper recommends removing packets from network scanners.
We did not determine this was a threat to our network as the identity tied
to a local address was dynamic.
B. ARP [tcpmkpub]
- If the ARP packet contains a partial IP packet, use the IP anonymization above.
- IP addresses anonymized using the IP anonymization procedure above.
4. Transport Layer
A. TCP [tcpmkpub]
- The TCP timestamp options are transformed into separate monotonically increasing
counters with no relationship to time for each IP address in the anonymized trace.
- If timestamp is 0 do not modify it.
- Replace timestamp with a unique number incremented in the order of the trace.
B. UDP [tcpmkpub]
Recompute checksum according to checksum policy above.
5. Application Layer
A. DNS [new]
- Anonymize DNS labels individually by taking the Keyed-HMAC of the label.
- Keep the low-order 8 bytes of the hash digest as the label.
- Convert the digest to ASCII by converting to hex.
- Store the new length of the DNS packet in the following fields: [IP/UDP/DNS,PCAP Captured, PCAP On Wire].
- Anonymize any type 'A' resource record data using the IP anonymization scheme above.
DNS packets may be cut off because of the snaplen at capture.
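
The DNS label procedure above, sketched as an added example (not code from the modified tcpmkpub): it rewrites a wire-format name label by label and reports the length change that the IP/UDP/DNS and pcap length fields have to absorb. HMAC-SHA1, the key, and reading "low-order 8 bytes" as the last 8 bytes of the digest are assumptions; the page does not specify them.

```python
import hashlib
import hmac

KEY = b"constructed-example-key"  # assumption: the real key is secret and not on the page

def anon_label(label: bytes, key: bytes = KEY) -> bytes:
    """Keyed HMAC of one label, keep 8 bytes of the digest, hex-encode to ASCII."""
    digest = hmac.new(key, label, hashlib.sha1).digest()  # hash choice is an assumption
    return digest[-8:].hex().encode("ascii")               # 8 bytes -> 16 hex characters

def anon_name(wire: bytes, offset: int = 0, key: bytes = KEY):
    """Rewrite an uncompressed wire-format name starting at `offset`.

    Returns (new_name_bytes, bytes_consumed). Raises ValueError on a
    compression pointer or on a name cut off by the capture snaplen.
    """
    out, pos = bytearray(), offset
    while True:
        if pos >= len(wire):
            raise ValueError("name truncated (snaplen cut the packet)")
        length = wire[pos]
        if length == 0:                       # root label terminates the name
            out.append(0)
            return bytes(out), pos + 1 - offset
        if length & 0xC0:                     # top bits set: pointer or reserved type
            raise ValueError("compression pointer not handled in this sketch")
        label = wire[pos + 1 : pos + 1 + length]
        if len(label) < length:
            raise ValueError("label truncated (snaplen cut the packet)")
        new = anon_label(label, key)
        out.append(len(new))                  # new length octet (always 16 here)
        out += new
        pos += 1 + length

def length_delta(wire: bytes, offset: int = 0) -> int:
    """Bytes the packet grows (or shrinks) by after rewriting one name."""
    new, consumed = anon_name(wire, offset)
    return len(new) - consumed

# Constructed sample: the name "www.example.org" in DNS wire format.
SAMPLE = b"\x03www\x07example\x03org\x00"
```

Because the HMAC is keyed and deterministic, equal labels map to equal outputs throughout a trace, so analyses that compare names still work on the anonymized data.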
B. DHCP [new]
- Client IP address is anonymized.
- Client hardware address is anonymized.
- Your IP address (yiaddr) is anonymized.
The rest of the DHCP packets were cut off by the snaplen at capture.

umd/sigcomm2008
274 20090302 2009-03-25
the initial version
umd/sigcomm2008/pcap/802.11a
PCAP traces of wireless network measurement collected from the wireless side in SIGCOMM 2008 conference.

We collected pcap traces of wireless network activity from the wireless side at SIGCOMM 2008.
The subjects of the traced network chose to participate by joining the traced SSID.

false
2009-03-02 2008-08-17 2008-08-21

During most of the conference approximately two 802.11a monitors were placed
at the four corners of the main conference hall. We did not record the exact
location of each monitor. However, we tried to capture each channel with two
monitors placed at opposite corners of the room.
The network topology is configured as follows:
Users:
26.12.*.*
26.2.*.*
Network Management:
26.6.*.*

sigcomm08_wl_(monitor #)_(first packet time)_(last packet time)_(bssid)_(channel).pcap

Please refer to the sanitization section of the traceset 'umd/sigcomm2008/pcap'.

umd/sigcomm2008/pcap
274 20090302 2009-03-25
the initial version
umd/sigcomm2008/pcap/Ethernet
PCAP traces of wireless network measurement collected from the Ethernet side in the SIGCOMM 2008 conference.

We collected pcap traces of wireless network activity from the Ethernet side at SIGCOMM 2008.
The subjects of the traced network chose to participate by joining the traced SSID.

false
2009-03-02 2008-08-17 2008-08-21

Packets sent from the NAT to the AP and from the AP to the NAT were captured
using an Ethernet trace collector attached to the packet dump port on the WiFi Array.
The network topology is configured as follows:
Users:
26.12.*.*
26.2.*.*
Network Management:
26.6.*.*

sigcomm08_eth_(first packet time)_(last packet time).pcap

Please refer to the sanitization section of the traceset 'umd/sigcomm2008/pcap'.

umd/sigcomm2008/pcap
274 20090302 2009-03-25
the initial version
umd/sigcomm2008/pcap/anonymization_log
The anonymization log of wireless network traces in the SIGCOMM 2008 conference.

We collected pcap traces of wireless network activity at SIGCOMM 2008.
The subjects of the traced network chose to participate by joining the traced SSID.
The anonymization log contains a tcpmkpub anonymization log and md5 checksums
for the trace files.

false
2009-03-02 2008-08-17 2008-08-21

tcpmkpub anonymization log for the traces 'umd/sigcomm2008/pcap/802.11a' and
'umd/sigcomm2008/pcap/Ethernet', and md5 checksums for the trace files.

The anonymization log file name is 'tcpmkpub.log.export'.

umd/sigcomm2008/pcap
86 20090302 2009-03-25
the initial version.
umd/sigcomm2008/syslog
Syslog traceset of wireless network measurement in the SIGCOMM 2008 conference.

We collected syslog traces of wireless network activity at SIGCOMM 2008.
The subjects of the traced network chose to participate by joining the traced SSID.

2009-03-02 2008-08-17 2008-08-21
Network Diagnosis

A tracing box connected to the Array's management port collected syslog traces.
Unfortunately, after the conference we noticed that these traces were corrupted.
However, we were able to salvage one of the syslog traces because we collected it
with the Ethernet tracing box.

macmkpub, a MAC address anonymizer based on the tcpmkpub anonymization code,
anonymized the MAC addresses in the syslog traces.
Metadata about the trace anonymization is provided in the file 'tcpmkpub.log.export'.

umd/sigcomm2008
275 20090302 2009-03-25
the initial version
umd/sigcomm2008/syslog/Ethernet
Syslog traces of wireless network measurement in the SIGCOMM 2008 conference.

We collected syslog traces of wireless network activity at SIGCOMM 2008.

false
2009-03-02 2008-08-17 2008-08-21

We collected syslog traces with the Ethernet tracing box.
The network topology is configured as follows:
Users:
26.12.*.*
26.2.*.*
Network Management:
26.6.*.*

sigcomm08_syslog_(first log time)_(last log time)

Please refer to the sanitization section of the traceset 'umd/sigcomm2008/syslog'.

umd/sigcomm2008/syslog

161
umd/sigcomm2008
tools/analyze/pcap/wifidelity
Aaron Schulman
schulman@cs.umd.edu
University of Maryland
Computer Science
Ph.D student
3122 A.V. Williams Bldg.
University of Maryland
College Park MD, 20740
http://www.cs.umd.edu/~schulman/

162
umd/sigcomm2008
tools/analyze/pcap/wifidelity
Dave Levin
dml@cs.umd.edu
University of Maryland
Computer Science
Ph.D student
301-405-2776
http://www.cs.umd.edu/~dml/

163
umd/sigcomm2008
tools/analyze/pcap/wifidelity
Neil Spring
nspring@cs.umd.edu
University of Maryland
Computer Science
Assistant Professor
4133 A. V. Williams
Department of Computer Science
University of Maryland
College Park, MD 20742
301-405-2909
301-405-6707
http://www.cs.umd.edu/~nspring/contact.html