While wide-area Internet traffic has been heavily studied
for many years, the characteristics of traffic inside
Internet enterprises remain almost wholly unexplored.
Nearly all of the studies of enterprise traffic available in
the literature are well over a decade old and focus on
individual LANs rather than whole sites. A goal of this project
is to characterize internal enterprise traffic
recorded at a medium-sized site, and to determine
ways in which modern enterprise traffic is similar to
wide-area Internet traffic, and ways in which it is quite
We have collected packet traces that span
more than 100 hours of activity from a total
of several thousand internal hosts. This wealth
of data, which we are publicly releasing in anonymized
form, spans a wide range of dimensions.
By releasing these traces we hope to
provide a resource for others to use in studying patterns and dynamics
within enterprises. Further, we hope that providing a corpus of
"background traffic" for security researchers will allow for the sound
evaluation of defense mechanisms in the context of the "crud" that appears
on real networks.