CAIDA Active Probe Information

As part of our Cartographic Capabilities for Critical Cyberinfrastructure and iLENS activities, CAIDA runs a number of periodic and ongoing macroscopic topology surveys. This page describes the probes sent out by our monitors.

Active Probes

Has your computer or router received unexpected traffic from a CAIDA Ark host?

You are seeing measurement probes from our Macroscopic Topology Project, a large-scale, publicly-funded Internet measurement initiative that is collecting connectivity, routing, and performance information about the wide-area infrastructure. We disseminate this information to network researchers in academia and industry as a public service (that is, without fee) for the purposes of promoting the engineering and maintenance of a robust, scalable global Internet infrastructure.

We are performing traceroute-like measurements of forward IP paths ('hops') from a source to many destinations, using a variety of measurement techniques (UDP packet to high port, ICMP ECHO_REQUEST, TCP SYN, etc.). For the most part, a target machine will receive just one probe packet per cycle, where a cycle currently lasts 2-3 days. However, if there is a firewall blocking incoming probes or blocking outgoing ICMP responses, then the firewall will see up to 15 packets (corresponding to 5 unresponsive hops at 3 tries per hop). Some destinations may see a higher packet rate if they are part of some particular sub-study.

We send probes to randomly-selected IP addresses with the goal of eventually probing a majority of all routed addresses, so it is impossible to contact and obtain permission from all destination host administrators prior to measurement.

In addition to the ICMP traceroutes we perform continuously, we perform quarterly MIDAR router alias resolution runs. We send pings using TCP, UDP, and ICMP packets to known router interfaces (rather than to end hosts, like web servers) in order to determine which interfaces belong to the same router so that we can construct a router-level topology map from our global traceroute data. We typically probe around 2 million router interfaces in a single run, which takes about 5-6 days.

The TCP probes are sent to port 80, but they are individual TCP ACK packets rather than HTTP connections (we use TCP ACK instead of SYN because we don't want to actually open a connection--we just want to receive a TCP RST that contains an IP-ID value that we can use to infer router aliases). The UDP probes are standard ping-style probes to a closed port, and we send standard ICMP echo requests.
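As an added example (not CAIDA's code), here is a defender-side triage of firewall records against the probe types and the 15-packet-per-cycle figure described above for the traceroute and MIDAR measurements. The record layout, the HIGH_PORT cutoff, the use of the shorter 2-day cycle, and all addresses are constructed assumptions.

```python
from collections import defaultdict

CYCLE_SECONDS = 2 * 86400  # page: a cycle lasts 2-3 days; shorter bound used (assumption)
MAX_PER_CYCLE = 15         # page: 5 unresponsive hops x 3 tries per hop
HIGH_PORT = 1024           # assumption: the page only says "high port"

# Constructed records: (epoch_s, src, dst, proto, dport, tcp_flags, icmp_type)
SAMPLE = (
    [(1000 + i, "192.0.2.10", "203.0.113.5", "icmp", None, None, 8) for i in range(15)]
    + [(5000, "192.0.2.11", "203.0.113.9", "tcp", 80, "A", None),
       (5001, "192.0.2.11", "203.0.113.9", "udp", 33435, None, None)]
    + [(9000 + i, "198.51.100.7", "203.0.113.5", "tcp", 22, "S", None) for i in range(3)]
    + [(9100, "198.51.100.7", "203.0.113.5", "tcp", 80, "PA", None)]
    + [(20000 + i, "192.0.2.12", "203.0.113.5", "icmp", None, None, 8) for i in range(40)]
)

def probe_kind(proto, dport, flags, icmp_type):
    """Name the probe type from the page that one packet matches, else None."""
    if proto == "icmp" and icmp_type == 8:                # ICMP ECHO_REQUEST
        return "icmp-echo"
    if proto == "udp" and dport is not None and dport >= HIGH_PORT:
        return "udp-high-port"
    if proto == "tcp" and flags == "A" and dport == 80:   # bare ACK, no connection opened
        return "tcp-ack-80"
    if proto == "tcp" and flags == "S":                   # traceroute-style SYN
        return "tcp-syn"
    return None

def triage(records):
    """Label each (src, dst) pair by how well it fits the described probes."""
    flows = defaultdict(list)
    for ts, src, dst, *pkt in records:
        flows[(src, dst)].append((ts, probe_kind(*pkt)))
    report = {}
    for key, pkts in flows.items():
        if any(kind is None for _, kind in pkts):
            report[key] = "other-traffic"
            continue
        times = sorted(ts for ts, _ in pkts)
        # Largest number of packets seen inside any one cycle-length window.
        peak = max(sum(s <= t < s + CYCLE_SECONDS for t in times) for s in times)
        report[key] = "fits-profile" if peak <= MAX_PER_CYCLE else "fits-types-rate-above-15"
    return report

if __name__ == "__main__":
    for (src, dst), verdict in triage(SAMPLE).items():
        print(f"{src} -> {dst}: {verdict}")
```

A fits-profile verdict only says the packets look like the probes described here; it does not identify the sender. A rate above 15 is not by itself a mismatch, since some destinations see more packets as part of a sub-study.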

Further information about the collected data can be found at the Routed /24 Topology Dataset page.

Thank you for your patience in this matter. If you have any further questions, please feel free to contact us at monitor-info@caida.org.
