[Dataset] umd/sigcomm2008 (v. 2009-03-02)

top

the initial version

@MISC{umd-sigcomm2008-2009-03-02,
  author = {Aaron Schulman and Dave Levin and Neil Spring},
  title = {{CRAWDAD} data set umd/sigcomm2008 (v. 2009-03-02)}, 
  howpublished = {Downloaded from http://crawdad.cs.dartmouth.edu/umd/sigcomm2008},
  month = mar,  
  year = 2009
}
					

We collected a trace of wireless network activity at SIGCOMM 2008. 
The subjects of the traced network chose to participate by joining 
the traced SSID. 
The release contains 3 types of anonymized traces: 802.11a, Ethernet 
and Syslog from the Access Point. We anonymized the trace data using 
a modified version
(http://www.cs.umd.edu/projects/wifidelity/sigcomm08_traces/sigcomm08-tcpmkpub.tar.gz)
of the tcpmkpub tool (http://www.icir.org/enterprise-tracing/tcpmkpub.html)
The packet traces include anonymized DHCP and DNS headers.

We collected a trace of wireless network activity at SIGCOMM 2008. 
The subjects of the traced network chose to participate by joining 
the traced SSID.

Our goal is to gather a detailed trace of network activity at SIGCOMM 
2008 to improve 802.11 tracing techniques as part of the Wifidelity 
project and enable analysis of the behavior of a wireless LAN that is 
(presumably) heavily used.

We used four BSSIDs on four channels with one NAT (Network Address Translation) router.
To collect the traces, we deployed eight 802.11a monitors so 2 monitors 
are assigned to each channel. 

A Xirrus Wi-Fi Array (http://www.xirrus.com/products/arrays-80211abg.php) 
provided the traced 802.11a network (SSID:SIGCOMM-ONLY-Traced). The WiFi Array 
consisted of four BSSIDs that were broadcast on four 802.11a channels.

After anonymization, the DHCP assigned IP addresses for clients are 
in the following subnets: 26.12.0.0/16 and 26.2.0.0/16.

We recorded network protocol information from all wired and wireless packets 
sent on the wireless network of SSID:SIGCOMM-ONLY-Traced. 
Each packet includes physical layer information (in the Prism header) 
such as the wireless signal strength as well as the 802.11, IP, TCP, UDP, and 
ICMP headers, depending on the packet type.
We did not record packet payloads above the transport layer except for DHCP and 
DNS payloads. However, we anonymized or deleted potentially sensitive information 
such as MAC and IP addresses, and DHCP and DNS headers.

The user chose to participate in the trace  by associating with the 
SIGCOMM-ONLY-Traced SSID. Otherwise, the users joined the "Untraced" 
SSID: SIGCOMM-ONLY-Untraced. The traces do not contain any data from 
the "Untraced" SSID.

We anonymized the traces to protect the identity and activity of users who opted 
to be traced during SIGCOMM 2008.

- Filtering 802.11a traces

Each packet in the wireless traces meets one or both of the following criteria:

1. BSSID address matches the "traced" BSSID.
2. Packet is a probe request for the "SIGCOMM-ONLY-Traced" SSID.

- Filtering Ethernet traces

The AP was set up with a monitor VLAN for the "SIGCOMM-ONLY-Traced" network.

- Filtering Syslog traces

The syslog trace only contains information about users associated with 
the "traced" network. The method to filter out syslog messages about "Untraced" 
users is as follows: 

Include all syslog messages while a client is associated to the "traced" network. 
The syslog messages indicate when a client associates to, and disassociates 
from the "traced" network.

[Traceset] umd/sigcomm2008/pcap (v. 2009-03-02)

top

the initial version.

@MISC{umd-sigcomm2008-pcap-2009-03-02,
  author = {Aaron Schulman and Dave Levin and Neil Spring},
  title = {{CRAWDAD} trace set umd/sigcomm2008/pcap (v. 2009-03-02)}, 
  howpublished = {Downloaded from http://crawdad.cs.dartmouth.edu/umd/sigcomm2008/pcap},
  month = mar,  
  year = 2009
}
					

We collected pcap traces of wireless network activity at SIGCOMM 2008. 
The subjects of the traced network chose to participate by joining the traced SSID.

1. 802.11a

During most of the conference approximately two 802.11a monitors were placed 
at the four corners of the main conference hall. We did not record the exact 
location of each monitor. However, we tried to capture each channel with two 
monitors placed at opposite corners of the room.

2. Ethernet

Packets sent from the NAT to the AP and from the AP to the NAT were captured 
using an Ethernet trace collector attached to the packet dump port on the WiFi Array.

The packets are anonymized using a modified version of the tcpmkpub tool. 
The tool is available from the download link of [sigcomm08-tcpmkpub.tar.gz].
Metadata about the trace anonymization is provided in the file tcpmkpub.log.export.

In the description below, [new] indicates new functionality added to tcpmkpub, and

[tcpmkpub] indicates the functionality of the original tcpmkpub tool, described in 
the following reference:

R. Pang, M. Allman, V. Paxson, and J. Lee. The Devil and Packet Trace Anonymization
SIGCOMM Computer Communication Review, 2006.

[Crypto-PAn] indicates the functionality of the original tcpmkpub tool, described in 
the following reference:

Xu, J. Fan, M. H. Ammar, and S. B. Moon. Prefix-preserving IP address anonymization:
measurement-based security evaluation and a new cryptography-based scheme. In Proceedings of
the IEEE International Conference on Network Protocols (ICNP), pages 280–289, Nov. 2002.

1. Checksums (IP/UDP/TCP) [tcpmkpub]

The anonymization code recomputes checksums. The anonymization meta-data 
(tcpmkpub.log.export) holds information about packets in the traces with 
bad checksums. Bad checksums are indicated in the anonymized traces by a 1 
in the checksum field, or 2 if the checksum was 1, A UDP checksum of 0 is not changed.

2. Link Layer

A. Ethernet [tcpmkpub]

MAC Addresses:
- The 3 high and low-order bytes are hashed separately.
- The high-order 3 bytes are hashed to retain vendor information.
- Addresses containing all 1's or all 0's are not changed.
- The Multicast bit is retained.

B.VLAN [new]

The vlan header did not need to be anonymized.

C. 802.11 [new]

- MAC addresses are anonymized using the same method as the Ethernet MAC addresses.
- If the packet is fragmented (fragment bit == 1 or fragment # > 0), skip the rest of the packet.

3. Network Layer

A. IP [tcpmkpub]

- External addresses hashed using prefix preserving scheme [Crypto-PAn].
- Internal addresses hashed to unused prefix by the external addresses and 
the subnet and host portions of the address are transformed.
- Multicast addresses are not anonymized.
- The [tcpmkpub] paper recommends removing packets from network scanners. 
We did not determine this was a threat to our network as the identity tied 
to a local address was dynamic.

B. ARP [tcpmkpub]

- If the ARP packet contains a partial IP packet, use the IP anonymization above.
- IP addresses anonymized using the IP anonymization procedure above.

4. Transport Layer

A. TCP [tcpmkpub]

- The TCP timestamp options are transformed into separate monotonically increasing 
counters with no relationship to time for each IP address in the anonymized trace.
- If timestamp is 0 do not modify it.
- Replace timestamp with a unique number incremented in the order of the trace.

B. UDP [tcpmkpub]

Recompute checksum according to checksum policy above.

5. Application Layer

A. DNS [new]

- Anonymize DNS labels individually by taking the Keyed-HMAC of the label.
- Keep the low-order 8 bytes of the hash digest as the label.
- Convert the digest to ASCII by converting to hex.
- Store the new length of the DNS packet in the following fields: [IP/UDP/DNS,PCAP Captured, PCAP On Wire].
- Anonymize any type 'A' resource record data using the IP anonymization scheme above.

DNS Packets may be cut off because of the snaplen at capture.

B. DHCP [new]

- Client IP address is anonymized.
- Client hardware address is anonymized.
- Your IP address (yiaddr) is anonymized.

The rest of the DHCP packets were cut off by the snaplen at capture.

[Traceset] umd/sigcomm2008/syslog (v. 2009-03-02)

top

the initial version.

@MISC{umd-sigcomm2008-syslog-2009-03-02,
  author = {Aaron Schulman and Dave Levin and Neil Spring},
  title = {{CRAWDAD} trace set umd/sigcomm2008/syslog (v. 2009-03-02)}, 
  howpublished = {Downloaded from http://crawdad.cs.dartmouth.edu/umd/sigcomm2008/syslog},
  month = mar,  
  year = 2009
}
					

We collected syslog traces of wireless network activity at SIGCOMM 2008. 
The subjects of the traced network chose to participate by joining the traced SSID.

A tracing box connected to the Array's management port collected syslog traces. 
Unfortunately, after the conference we noticed that these traces were corrupted. 
However, we were able to salvage one of the syslog traces because we collected it 
with the Ethernet tracing box.

macmkpub, a MAC address anonymizer based on the tcpmkpub anonymization code, 
anonymized the MAC addresses in the syslog traces.
Metadata about the trace anonymization is provided in the file 'tcpmkpub.log.export'.

[Trace] umd/sigcomm2008/pcap/802.11a (v. 2009-03-02)

top

the initial version

@MISC{umd-sigcomm2008-pcap-802.11a-2009-03-02,
  author = {Aaron Schulman and Dave Levin and Neil Spring},
  title = {{CRAWDAD} trace umd/sigcomm2008/pcap/802.11a (v. 2009-03-02)}, 
  howpublished = {Downloaded from http://crawdad.cs.dartmouth.edu/umd/sigcomm2008/pcap/802.11a},
  month = mar,  
  year = 2009
}
					

We collected pcap traces of wireless network activity from the wireless side at SIGCOMM 2008. 
The subjects of the traced network chose to participate by joining the traced SSID.

During most of the conference approximately two 802.11a monitors were placed 
at the four corners of the main conference hall. We did not record the exact 
location of each monitor. However, we tried to capture each channel with two 
monitors placed at opposite corners of the room.

The network topology is configured as follows:
 
Users:
26.12.*.*
26.2.*.*

Network Management:
26.6.*.*

sigcomm08_wl_(monitor #)_(first packet time)_(last packet time)_(bssid)_(channel).pcap

Please refer to the sanitization section of the traceset 'umd/sigcomm2008/pcap'.

[Trace] umd/sigcomm2008/pcap/Ethernet (v. 2009-03-02)

top

the initial version

@MISC{umd-sigcomm2008-pcap-Ethernet-2009-03-02,
  author = {Aaron Schulman and Dave Levin and Neil Spring},
  title = {{CRAWDAD} trace umd/sigcomm2008/pcap/Ethernet (v. 2009-03-02)}, 
  howpublished = {Downloaded from http://crawdad.cs.dartmouth.edu/umd/sigcomm2008/pcap/Ethernet},
  month = mar,  
  year = 2009
}
					

We collected pcap traces of wireless network activity from the Ethernet side at SIGCOMM 2008. 
The subjects of the traced network chose to participate by joining the traced SSID.

Packets sent from the NAT to the AP and from the AP to the NAT were captured 
using an Ethernet trace collector attached to the packet dump port on the WiFi Array.

The network topology is configured as follows:

Users:
26.12.*.*
26.2.*.*

Network Management:
26.6.*.*

sigcomm08_eth_(first packet time)_(last packet time).pcap

Please refer to the sanitization section of the traceset 'umd/sigcomm2008/pcap'.

[Trace] umd/sigcomm2008/pcap/anonymization_log (v. 2009-03-02)

top

the initial version

@MISC{umd-sigcomm2008-pcap-anonymization_log-2009-03-02,
  author = {Aaron Schulman and Dave Levin and Neil Spring},
  title = {{CRAWDAD} trace umd/sigcomm2008/pcap/anonymization_log (v. 2009-03-02)}, 
  howpublished = {Downloaded from http://crawdad.cs.dartmouth.edu/umd/sigcomm2008/pcap/anonymization_log},
  month = mar,  
  year = 2009
}
					

We collected pcap traces of wireless network activity at SIGCOMM 2008. 
The subjects of the traced network chose to participate by joining the traced SSID.
The anonymization log contains a tcpmkpub anonymization log and md5 checksums 
for the trace files.

tcpmkpub anonymization log for the traces 'umd/sigcomm2008/pcap/802.11a' and 
'umd/sigcomm2008/pcap/Ethernet', and md5 checksums for the trace files.

The anonymization log file name is 'tcpmkpub.log.export'.

[Trace] umd/sigcomm2008/syslog/Ethernet (v. 2009-03-02)

top

the initial version

@MISC{umd-sigcomm2008-syslog-Ethernet-2009-03-02,
  author = {Aaron Schulman and Dave Levin and Neil Spring},
  title = {{CRAWDAD} trace umd/sigcomm2008/syslog/Ethernet (v. 2009-03-02)}, 
  howpublished = {Downloaded from http://crawdad.cs.dartmouth.edu/umd/sigcomm2008/syslog/Ethernet},
  month = mar,  
  year = 2009
}
					

We collected syslog traces of wireless network activity at SIGCOMM 2008.

We collected syslog traces with the Ethernet tracing box.

The network topology is configured as follows:

Users:
26.12.*.*
26.2.*.*

Network Management:
26.6.*.*

sigcomm08_syslog_(first log time)_(last log time)

Please refer to the sanitization section of the traceset 'umd/sigcomm2008/syslog'.

[Author] Aaron Schulman

top

[Author] Dave Levin

top

[Author] Neil Spring

top