Name | Last modified | Size | Description | |
---|---|---|---|---|
Parent Directory | - | |||
README.html | 2000-05-26 22:13 | 5.3K | ||
PktTrc01.dat | 1997-09-17 08:42 | 6.2M | ||
The file PktTrc01.dat is "Trace 1" described below. The data are from Professor Doug Comer of Purdue University. (He refers to it as "IP data," but there do seem to be a few non-IP frames there too. Recall that IP can coexist with other protocols.)
This is binary data. You can view its hex contents using the Unix od command, with the -h option (note that file offsets given on the left side will be in octal).
NOTE CAREFULLY THAT THESE DATA WERE COLLECTED IN BIG-ENDIAN ORDER. IN VIEWING THEM, SAY WITH od, THIS MUST BE TAKEN INTO ACCOUNT. (See my introduction to bits, bytes and memory addresses for an explanation of big-endian vs. little-endian machines, and for some review of storage of data types.
Here is a summary of the first few frames in the data file (offsets within the file are in octal):
frame start d-head start e-head start ip-head start tcp-head ***** ************ ************ ************* ************** 0 0020 0050 0066 0112 1 0140 0170 0206 0232 2 0260 0310 0326 0352The description below says that Trace 1 consists of headers only. This means:
data record header (added by Comer) Ethernet frame header IP header UDP or TCP header (if it is a UDP or TCP frame)The Ethernet preamble and postambles are not included, nor are CRC fields. In many cases the data was removed too (e.g. because it contained a password), but in some cases the data IS there.
Prof. Comer's description of the data set follows:
*****************************************************************
About the packet trace files
Trace 1 - trace of all IP protocol suite packets (headers only) Trace 2 - FTP session (dir, get, put) Trace 3 - FTP session (mput) Trace 4 - FTP session (mget) [Image] Trace 5 - TELNET session (headers only) [Image] Trace 6 - SMTP session [Image] Trace 7 - WWW session [Image] Trace 8 - X Window System session
The packet trace data files contain packet traces from an Ethernet segment at Bucknell University. The original traces were generated with the Solaris snoop utility. Some traces were post-processed to remove private data such as passwords from the packets.
Each data file is composed of a fixed header followed by a series of variable-length records. The data for each packet is stored in a separate record. Each record contains a header describing the packet and a timestamp, as well as the contents of one packet. The packets are Ethernet frames, including the source and destination addresses, the protocol type and the frame data.
The data file header consists of 4 32-bit integers, which can be ignored. The fixed header in each record has the format (where an int32 is a 32-bit integer):
struct rechdr { int32 framelen; /* length of the frame, as received */ int32 tracelen; /* length of the frame, as saved in file */ int32 recrdlen; /* length of entire record, with header */ int32 pad; /* ignore */ struct timeval { /* timestamp when packet was received */ int32 tv_sec; /* seconds since 1/1/70 */ int32 tv_usec; /* ... and microseconds */ } timestamp; }The packet data then follows immediately after the data. The following code fragment gives an outline of a program to read and process one of the data files:
lseek(ifile, 16, SEEK_SET); /* skip file header */ /* read next record header; quit at EOF */ while ((i = read(ifile, &hdrbuf, sizeof(struct rechdr))) > 0) { /* read next packet; size of packet is */ /* ... length of record - header */ read (ifile, pktbuf, hdrbuf.recrdlen - sizeof (struct rechdr)); /* * process packet here */ }Note: The code fragment given above was extracted from a program written for Solaris 2.4; you'll need to adapt the code for your local computer.
As mentioned above, some files have had the data removed from the packet records. In the list below, files without data are annotated (headers only). The packet headers can be analyzed and printed, and can be used, for example, to trace the packets exchanged during a TCP a connection or to develop histogram plots based on protocol types. The record header contains the length of the original packet along with the time the packet was received, allowing the computation of network segment load statistics.
The data files are stored in a single directory on the CD. The pathname for this directory is:
Computer system URL Macintosh NETBOOKS:pkttrces Windows 95 or Windows 3.1 D:/pkttrces E:/pkttrces UNIX /cdrom/netbook/pkttrcesEach of the data files listed below has an associated cover page. The cover page for each file has a short description of the contents of the file and the name of the file containing the trace data.