Contents of Network Intrusion Collected Data


Comma separated value files

Contents of Network Intrusion Collected Data
The network traffic was collected via a program called tcpdump. Tcpdump prints out the headers of network packets that pass by the network interface of the host executing tcpdump. The host used for this data collection was connected between the Enterprise LAN and external networks. Therefore, all network traffic passing between the Enterprise LAN and external networks was capturable by tcpdump. Because tcpdump prints out only header information, no user data was printed.

When executing tcpdump, several filters can be specified. With filters specified, tcpdump will only collect data that can pass through those filters. For the purposes of these tests, filters were established so that only Internet Transmission Control Protocol (TCP) and Internet User Datagram Protocol (UDP) packets were collected.

For each TCP packet, tcpdump prints the following information:

For each UDP packet, tcpdump prints the following information:

Additional documentation

To protect the identity of the hosts that were communicating with each other while the network traffic was collected, all IP addresses have been modified. Each external host is assigned a "fake" IP address. All internal hosts (hosts on the Enterprise LAN) will share the same "fake" IP address.
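The address replacement described above, as an added example that is not part of the original page or the dataset's own tooling. The internal network range, the shared internal fake address, the pool for external fake addresses and the record layout are all assumptions made for illustration.

```python
import ipaddress
from itertools import count

# Assumptions (not from the page): the internal network range, the shared
# internal fake address, and the pool that external fake addresses come from.
ENTERPRISE_LAN = ipaddress.ip_network("192.0.2.0/24")          # constructed
INTERNAL_FAKE = ipaddress.ip_address("10.0.0.1")               # constructed
EXTERNAL_POOL_START = int(ipaddress.ip_address("172.16.0.1"))  # constructed


class Pseudonymizer:
    """One possible mapping: a stable fake address per external host,
    and a single shared fake address for every internal host."""

    def __init__(self):
        self._external = {}  # real external address -> fake address
        self._next = count(EXTERNAL_POOL_START)

    def fake(self, addr):
        ip = ipaddress.ip_address(addr)
        if ip in ENTERPRISE_LAN:
            return str(INTERNAL_FAKE)  # all internal hosts collapse to one
        if ip not in self._external:
            self._external[ip] = ipaddress.ip_address(next(self._next))
        return str(self._external[ip])

    def rewrite(self, record):
        proto, src, sport, dst, dport = record
        return (proto, self.fake(src), sport, self.fake(dst), dport)


# Constructed sample header records: (protocol, src, src port, dst, dst port)
SAMPLE = [
    ("tcp", "192.0.2.10", 1025, "198.51.100.7", 80),
    ("tcp", "192.0.2.22", 1030, "198.51.100.7", 80),
    ("udp", "203.0.113.5", 53, "192.0.2.10", 1044),
    ("tcp", "198.51.100.7", 80, "192.0.2.10", 1025),
]


def anonymize(records):
    """Rewrite every record with one shared mapping so fakes stay consistent."""
    p = Pseudonymizer()
    return [p.rewrite(r) for r in records]


if __name__ == "__main__":
    for row in anonymize(SAMPLE):
        print(",".join(map(str, row)))
```

Under such a mapping, traffic can still be grouped per external host, but the two internal clients in the sample become indistinguishable, so per-internal-host analysis has to rely on ports and timing alone.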

Description of Simulated Attacks
The file called "baseline" contains the network traffic that was collected while no simulated attack activity was taking place. It can be used as a baseline. Four different attacks were simulated on the Enterprise LAN, with each attack corresponding to a file containing the network traffic database. The files are called network1, network2, network3, and network4, respectively. These datasets were compressed using the UNIX utility "gzip". The compressed files are about 10% the size of the original ASCII files and can be uncompressed by running the program "gunzip" on UNIX (MS Windows® users may want to use WinZip).

Well-known TCP/UDP port addresses for the non-network experts.


Copyright ©1996-2001 by the Institute for Visualization and Perception Research. All rights reserved.
Please send comments and/or questions to Dr. Georges Grinstein.
Last update: April 4, 2001