NAT Network Traffic Dataset

Citation Author(s): Sameh Farhat (American University of Beirut), Imad H. Elhajj (American University of Beirut), Ayman Kayssi (American University of Beirut)
Submitted by: Sameh Farhat
Last updated: Thu, 09/17/2020 - 02:48
DOI: 10.21227/zxdq-hg05

Abstract 

Network Address Translation (NAT), which is present in almost all routers and customer-premises equipment (CPE), maps private IP addresses to routable or public IP addresses. This feature has advantages, such as the reuse of private IP addresses, but also disadvantages, such as creating “Shadow IT”, where network administrators do not know about all the devices on their network. This dataset contains double-NATed network traffic, replicating the shadow IT scenario in an enterprise context. The traffic was collected over the course of two weeks, with three sessions each day (morning, midday, and evening). Each session consists of 7 tests covering different numbers of devices (up to 4 devices at a time), for a total of 294 tests (294 capture files). The traffic was captured with Microsoft Network Monitor 3.4.

Instructions: 

Download Microsoft Network Monitor (https://www.microsoft.com/en-us/download/details.aspx?id=4865) to access the data. Open a capture file and wait for all the collected frames to load. The traffic is labelled with the time and day of capture, the source and destination IP addresses, the protocol name, a description, and sometimes the process name. To navigate the traffic easily, use the available filters. For example, to display only the traffic leaving or returning to one device, apply the filter “IPv4.Address == 192.168.137.xxx”. You can also filter the traffic by other means (see https://docs.microsoft.com/en-us/archive/blogs/netmon/intro-to-filtering...). The Excel spreadsheet lists the IP addresses of the devices used in each test and the start and end time of each activity or task that was run in the test, in the format hh:mm:ss AM/PM. This information was recorded while each test was conducted.

Refer to the time delay report attached for more information.
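
As an added example (not part of the dataset or its authors' tooling), the Python below joins the spreadsheet's activity windows to frame records, matching a device on either source or destination the way the IPv4.Address filter does. The tuple layouts, activity names and sample addresses are constructed assumptions, since the spreadsheet's column layout is not shown on this page; the midnight-crossing case goes beyond what the page describes.

```python
from datetime import datetime
from ipaddress import ip_address

TIME_FMT = "%I:%M:%S %p"  # the spreadsheet's hh:mm:ss AM/PM format

def parse_clock(text):
    """Parse 'hh:mm:ss AM/PM' into seconds since midnight."""
    t = datetime.strptime(text.strip(), TIME_FMT)
    return t.hour * 3600 + t.minute * 60 + t.second

def in_window(ts, start, end):
    """True if ts lies in [start, end]; also handles a window that crosses midnight."""
    if start <= end:
        return start <= ts <= end
    return ts >= start or ts <= end

def label_frames(frames, activities):
    """Attach ground-truth activity names to each frame.

    frames:     (time, source IP, destination IP) tuples (assumed layout)
    activities: (device IP, start, end, activity name) tuples (assumed layout)
    A frame matches a device if the device IP is its source OR destination,
    which mirrors the Network Monitor filter 'IPv4.Address == <device IP>'.
    """
    windows = [(ip_address(ip), parse_clock(s), parse_clock(e), name)
               for ip, s, e, name in activities]
    labelled = []
    for time_text, src, dst in frames:
        ts = parse_clock(time_text)
        endpoints = {ip_address(src), ip_address(dst)}
        hits = [name for ip, s, e, name in windows
                if ip in endpoints and in_window(ts, s, e)]
        labelled.append((time_text, src, dst, hits))
    return labelled

# Constructed sample rows, not taken from the dataset.
SAMPLE_ACTIVITIES = [
    ("192.168.137.10", "09:00:00 AM", "09:05:00 AM", "web browsing"),
    ("192.168.137.20", "11:58:00 PM", "12:02:00 AM", "video streaming"),
]
SAMPLE_FRAMES = [
    ("09:01:10 AM", "192.168.137.10", "203.0.113.5"),   # leaving the device
    ("09:01:12 AM", "203.0.113.5", "192.168.137.10"),   # returning to it
    ("09:06:00 AM", "192.168.137.10", "203.0.113.5"),   # after the window
    ("12:01:00 AM", "198.51.100.7", "192.168.137.20"),  # past midnight
]

if __name__ == "__main__":
    for row in label_frames(SAMPLE_FRAMES, SAMPLE_ACTIVITIES):
        print(row)
```

Frames that come back with an empty label list fall outside every recorded activity window for that device, which is useful when separating background traffic from the scripted tasks.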