This dataset contains anonymized layer 1-4 packet headers of two-way passive traces captured on a 100 GB link between Los Angeles and Dallas, Texas. These data are useful for research on the characteristics of Internet traffic, including application breakdown, security events, geographic and topological distribution, flow volume and duration.

Meta data for all passive monthly traces, incl. chicago and sanjose monitors. This includes the files used to generate the public trace stats.

AS Rank is CAIDA's ranking of Autonomous Systems (AS) (which approximately map to Internet Service Providers) and organizations (Orgs) (which are a collection of one or more ASes). This ranking is derived from topological data collected by CAIDA's Archipelago Measurement Infrastructure and Border Gateway Protocol (BGP) routing data collected by the Route Views Project and RIPE NCC.
ASes and Orgs are ranked by their customer cone size, which is the number of their direct and indirect customers.
Note: We do not have data to rank ASes (ISPs) by traffic, revenue, users, or any other non-topological metric..

The UCSD Network Telescope consists of a globally routed, but lightly utilized /9 and /10 network prefix, that is, 1/256th of the whole IPv4 address space. It contains few legitimate hosts; inbound traffic to non-existent machines - so called Internet Background Radiation (IBR) - is unsolicited and results from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed denial-of-service attacks, and the automated spread of malware. CAIDA continously captures this anomalous traffic discarding the legitimate traffic packets destined to the few reachable IP addresses in this prefix. We archive and aggregate these data, and provide this valuable resource to network security researchers. This dataset represents raw traffic traces captured by the Telescope instrumentation and made available in near-real time as one-hour long compressed pcap files. We collect more than 3 TB of uncompressed IBR traffic traces data per day. The most recent 14 days of data are stored locally at CAIDA. Once data slides out of this near-real-time window, the pcap files are off-loaded to a tape storage. This historical Telescope data starting from 2008 are available by additional request.

This dataset contains anonymized layer 1-4 packet headers of two-way passive traces captured on a 100 GB link between Los Angeles and San Jose. These data are useful for research on the characteristics of Internet traffic, including application breakdown, security events, geographic and topological distribution, flow volume and duration.

Passive 100G sampler is offered to researchers at commercial organizations when they request Anonymized Internet Traces. These data are part of the 2024 Anonymized Traces 100G dataset. The files consist of 5 second snapshots of a bidirectional capture taken in November 2024.

Packet headers (upto transport layer, inclusive) for Anonymized Internet Traces 2019 Dataset. Derived from 10G traces on Equinix NYC monitor.

This dataset captures unsolicited traffic, as recorded by Merit's 35/8 darknet. Darknet data (also known as Internet background radiation) consist of Internet packets that arrive to an unused Internet space, and are therefore usually associated with malicious activities such as horizontal Internet scanning, malware propagation, and "backscatter" from distributed denial of service (DDoS) attacks. This dataset is provided in the CAIDA Corsaro "flowtuple" format (see https://www.caida.org/tools/measurement/corsaro/ ). Researchers can use this dataset to identify scanners, check for evidence of DDoS activity (e.g., in the case of a TCP SYN flood attack with a spoofed source IP, the victim will reply with a TCP SYN-ACK to the spoofed IP; if the spoofed IP happened to be within the 35/8 address space, our darknet will capture the SYN-ACK replies) or extract other nefarious activities and network misconfigurations.

Week-long collections (one week per quarter) of responses to spoofed traffic sent by DoS attack victims to the UCSD Network Telescope between 2004 and 2008. Includes backscatter during DITL-2008.

Archival aggregated flowtuple Telescope data in Corsaro format

Contains quarterly samples of the DNS query and response traffic resulting from the DNS lookups. No longer ongoing; last data are from April 2014.

Packet headers (upto transport layer, inclusive) for Anonymized Internet Traces on IPv6 Day and IPv6 Launch Day Dataset. Contains traces taken on IPv6 Day (2011-06-08) and IPv6 Launch (2012-06-06).

One hour sample of telescope data, captured on 2018-05-17 at 13:00 UTC.

CAIDA continuously captures traffic from the UCSD Network Telescope, filtering out legitimate packets destined for the few reachable IP addresses within this prefix. This dataset includes a one-hour raw one-way traffic trace in PCAP format, along with aggregated flow data in Avro format and RSDoS attack metadata in CSV format

Metadata for all 100g passive monthly traces