The following data sets are in SiLK format; SiLK-v0.10.0 or greater is required to read them. The data sets assume you have configured SiLK with sensors named S0 and S1.

LBNL-05

This sample data is derived from anonymized enterprise header traces obtained from Lawrence Berkeley National Laboratory and ICSI, and is used here with their permission. This data covers selected hours on selected dates in late 2004 and early 2005. For more information on this dataset, see http://www.icir.org/enterprise-tracing/Overview.html

The data is packaged in two files; one containing the non-scanning traffic and the other containing the scanning traffic. To unpack the file, run

gzip -d -c SiLK-LBNL-05-nonscan.tar.gz | tar xf -

Each file will unpack into the directory SiLK-LBNL-05, which can be used as the top-level data directory for rwfilter by setting the environment variable SILK_DATA_ROOTDIR to the directory's location. The non-scanning traffic appears as sensor S0, and the scanning traffic as sensor S1. This allows the two sets of data to be analyzed together (though note that the two sets of data are anonymized differently) or separately (via the --sensor switch).

The inside of the network is assumed to contain the following CIDR blocks:

      128.3.0.0/16
      128.55.0.0/16
      131.243.0.0/16
      198.125.133.0/24
      198.128.24.0/22
      198.129.88.0/22
    
Non-scanning traffic

(MD5=9b173ada1a3ffdcf94edee6df5dc1ec3)

(SHA1=d5b375408727414ec30acb8a87cc6b1bd556601f)

Scanning traffic

(MD5=0fe65a7d8008546473db7c1d48cd528f)

(SHA1=aa6d7457772645d0e37107dc39ab8e90790981f8)