Captured network traces

The following are lists of proxy traffic traces and unobfuscated (regular) traffic traces captured for testing and evaluating CovertMark during the project. All traffic was captured while real humans browsed the modern web under realistic conditions. This marks the greatest distinction between the CovertMark datasets and the datasets used in prior research on protocol obfuscation detection.

Sources and destinations of packets have been scrambled with Crypto-PAn, primarily to protect the exact addresses of Tor PT bridges in the proxy traces. Regular traffic captured as controls and negative training data was produced by human volunteers under experimental conditions, with detailed instructions to protect their privacy. All unencrypted and non-TCP traffic has also been stripped out. However, in contrast with CAIDA traces, all encrypted payloads have been preserved, along with some cleartext metadata such as TLS SNI hostnames. This allows CovertMark to examine encrypted network traffic from the exact perspective of state censors performing advanced DPI detection of proxy servers.

Click on the file names below to download associated traces.

Proxy Traces

All proxy traces are unaffected by TCP segmentation offload (TSO), with longer-than-MTU payloads fully segmented.

| File Name | Packets | IP(s) of Proxy Clients | IP(s) of Proxy Servers | Port(s) of Proxy Servers |
|---|---|---|---|---|
| shadowsocks1_anon | 674458 | 130.0.170.18, 130.0.174.253 | 12.173.72.53, 56.136.248.69 | 443, 995 |
| shadowsocks2_anon | 286887 | 130.0.175.123 | 213.69.160.49 | 443 |
| meek1_anon | 756548 | 39.22.50.9, 130.0.168.247 | 6.78.64.204, 35.130.168.244 | 443 |
| meek2_anon | 602134 | 39.22.56.17 | 6.97.147.45 | 443 |
| obfs4-1_anon | 619754 | 39.22.52.90, 207.52.86.23 | 20.234.236.206, 109.45.76.194 | 443, 38224 |
| obfs4-2_anon | 373504 | 130.0.171.196 | 20.234.236.206 | 38224 |

Negative / Regular Traffic Traces

The longer, multi-client cantab_anon.pcap was captured on machines with TCP segmentation offloading due to technical limitations, which means that longer-than-MTU payloads will appear unsegmented. This does not, however, affect CovertMark’s default detection strategies. The shorter, single-client lso_anon.pcap is unaffected, with all longer-than-MTU payloads properly segmented.

| File Name | Packets | Concurrent Users | Client IPs/Subnets |
|---|---|---|---|
| lso_anon | 200405 | 1 | 130.0.169.136/32 |
| cantab_anon | 1566737 | 5 | 171.69.236.0/25 |
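
A quick way to check whether a trace shows the TSO effect described above, as an added example that is not part of CovertMark: it counts TCP/IPv4 packets whose IP total length exceeds the MTU in a classic pcap file. It assumes untagged Ethernet framing and a 1500-byte MTU; the function names, addresses and sample frames are constructed for illustration.

```python
import struct

ETH_LEN = 14  # assumption: untagged Ethernet II frames (pcap link type 1)

def tso_summary(pcap: bytes, mtu: int = 1500):
    """Return (tcp_packets, over_mtu_packets, largest_ip_datagram)."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic microsecond-resolution pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    tcp = over = largest = 0
    pos = 24  # first record follows the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len, _orig_len = struct.unpack(end + "II", pcap[pos + 8:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
            continue  # truncated record or not IPv4
        ip = frame[ETH_LEN:]
        if ip[9] != 6:
            continue  # not TCP
        ip_len = struct.unpack("!H", ip[2:4])[0]  # IPv4 total length field
        tcp += 1
        largest = max(largest, ip_len)
        if ip_len > mtu:
            over += 1  # datagram larger than the MTU: captured before segmentation
    return tcp, over, largest

def sample_pcap(ip_lengths):
    """Constructed input: one TCP/IPv4 frame per requested IP total length (>= 40)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n in ip_lengths:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, n, 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
        tcp = struct.pack("!HHIIBBHHH", 50000, 443, 0, 0, 0x50, 0x18, 65535, 0, 0)
        frame = bytes(12) + b"\x08\x00" + ip + tcp + bytes(n - 40)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print("segmented capture:", tso_summary(sample_pcap([40, 1500, 1500])))
    print("TSO-affected capture:", tso_summary(sample_pcap([40, 1500, 4420, 17416])))
```

To run it against a downloaded trace, pass the file's bytes, for example `tso_summary(open("lso_anon.pcap", "rb").read())`.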