Thursday, August 20, 2009

Misconfiguration Issue of NSA Span Port

One of the purposes of releasing this dataset is to help us improve our capture techniques so that the next dataset is that much more useful to anyone who uses it. Thanks to the input we have already received on the 2009 CDX dataset, we have identified an issue in the way the NSA switch was configured. Specifically, we believe the span port on which our capture node was placed was configured for unidirectional listening. As a result, our capture node only "heard" the traffic received from the red cell. We don't believe this is the case with the capture files from the USMA network (we controlled that configuration). We will ensure this mistake is not repeated in upcoming captures, including the 2010 CDX capture.
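A one-way SPAN port leaves a recognisable fingerprint in the resulting pcap: TCP SYNs with no answering SYN/ACKs, and every conversation seen in only one direction. The script below is an added example, not code from the original post or from the CDX dataset, that reads classic pcap (Ethernet/IPv4/TCP) in pure Python and reports those two indicators so a capture can be sanity-checked before it is analysed. The 10.0.0.5 and 192.168.1.20 addresses and the two embedded captures are constructed for the demonstration and do not come from the dataset.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # little-endian classic pcap magic
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10

# ---- reading a capture -------------------------------------------------------
def iter_packets(data):
    """Yield (timestamp, frame_bytes) for each record in a classic pcap buffer."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24                                     # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 ethertype
        return None
    if frame[14] >> 4 != 4 or frame[23] != 6:           # not IPv4 or not TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    src = ".".join(map(str, ip_hdr[12:16]))
    dst = ".".join(map(str, ip_hdr[16:20]))
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, dst, sport, dport, tcp[13]              # byte 13 holds the flags

def direction_report(data):
    """Count SYN vs SYN/ACK and how many TCP conversations are seen both ways."""
    report = {"packets": 0, "tcp": 0, "syn": 0, "syn_ack": 0,
              "conversations": 0, "bidirectional": 0}
    seen = defaultdict(set)          # unordered endpoint pair -> directions observed
    for _, frame in iter_packets(data):
        report["packets"] += 1
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        report["tcp"] += 1
        if flags & TCP_SYN:
            report["syn_ack" if flags & TCP_ACK else "syn"] += 1
        a, b = (src, sport), (dst, dport)
        seen[(min(a, b), max(a, b))].add((a, b))
    report["conversations"] = len(seen)
    report["bidirectional"] = sum(1 for dirs in seen.values() if len(dirs) == 2)
    return report

def looks_unidirectional(report):
    """A healthy SPAN shows replies; a one-way SPAN shows no two-way conversation."""
    return report["conversations"] > 0 and report["bidirectional"] == 0

# ---- constructed sample captures (not from the CDX dataset) -----------------
RED, BLUE = "10.0.0.5", "192.168.1.20"   # constructed placeholder addresses

def _tcp_packet(src_ip, dst_ip, sport, dport, flags):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def build_capture(bidirectional):
    """Red cell opens two connections; replies are present only if bidirectional."""
    pkts = [_tcp_packet(RED, BLUE, 40000, 80, TCP_SYN)]
    if bidirectional:
        pkts.append(_tcp_packet(BLUE, RED, 80, 40000, TCP_SYN | TCP_ACK))
    pkts.append(_tcp_packet(RED, BLUE, 40000, 80, TCP_ACK))
    pkts.append(_tcp_packet(RED, BLUE, 40001, 22, TCP_SYN))
    if bidirectional:
        pkts.append(_tcp_packet(BLUE, RED, 22, 40001, TCP_SYN | TCP_ACK))
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = (struct.pack("<IIII", 1000000000 + i, 0, len(p), len(p)) + p
               for i, p in enumerate(pkts))
    return header + b"".join(records)

if __name__ == "__main__":
    for label, data in (("healthy SPAN", build_capture(True)),
                        ("one-way SPAN", build_capture(False))):
        r = direction_report(data)
        print(label, r, "UNIDIRECTIONAL" if looks_unidirectional(r) else "ok")
```

To run it against a real file, pass `open(path, "rb").read()` to `direction_report`. On a genuine one-way SPAN the SYN/ACK count stays at zero while SYNs accumulate, which is the same symptom described above: the sensor heard the red cell's outbound packets but none of the responses.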


  1. Which are the capture files from the USMA network? It would be nice if you could point out in the list of datasets, which belongs to which sensors (called A, B and C in the paper). And, it would be nice to have a list with all hosts belonging to the defended network.

  2. Hello

    This is an awesome effort and I really appreciate your making this data available to the research community.

    I have a question -

    In the network diagram there are 3 data capture points.

    The packet captures are posted in two groups:
    1. Data Capture From NSA
    2. Data Capture Outside Westpoint Network Border

    1 seems to be from capture point A and 2 seems to be from point B. Is data captured from point C not available?

    Thanks for your reply.

    snort.user AT

  3. Unfortunately, the data captured from point C is not available. We ran into some integrity issues with that machine. CDX Data Capture 2.0 (taking place April 2010) will have that point captured (reliably) for sure.

    Thanks for the question. Keep them coming.

  4. Were all the devices synchronised with NTP and a consistent timezone during the exercise? I'm trying to correlate some of the logs to the packet captures and noticing discrepancies.