Objective : This document describes the various columns in the file
hijacked_prefix_information.txt. This data is used for the control plane analysis
of the paper. 


Let us consider the following example entry from this file.

  1         2     3        4      5         6                  7            8       9        10  11 
BGP4MP|1270742071|A|134.222.87.1|286|109.104.128.0/19|286 4134 23724 23724|IGP|134.222.87.1| 0  | 0 |
                          12                          13 14        15    16 17     18        19
286:18 286:19 286:28 286:29 286:800 286:888 286:3001|NAG|  | p2p p2c s2s|RW|12|1270742314| 48265 | 
     20                   21             22      23          24                      25
109.104.128.0    | 109.104.128.0/21    | AL | ripencc  | 2009-09-04 | ITIRANA-AL-AS ITIRANA Sh.p.k.|
      26          27        28             29         30           31      32    33   34   35
superprefix-CYM|AS3303|109.104.128.0/19|0.0.0.0/1|subprefix-RIPE| 3303|largeISP|562 | 5  | 207 |

Data from Updates:
From this row, the first 14 columns (bar separated) are from the "Updates" that are retrieved from the route views server. These columns for our exmaple row is given here:
BGP4MP|1270742355|A|198.32.176.177|7575|97.128.0.0/9|7575 4134 23724 23724|IGP|198.32.176.177|0|0|7575:1002|NAG||

Details:
The first field must be indicating protocol version/message type.
Second field is the time stamp.
Third field : not sure
fourth field: It has to be the ip address of the router from which "this" router received the update.
fifth field: The AS number to which the ip address in fourth field belongs. (Neighbor AS)
6th field: The prefix that this update is concerned with.
7th field: route path
8th field: It has to do something with internal bgp and external bgp. However, am not sure how exactly this flag is set.
9th field: IP address repeated from 4th field
10th field: not sure
11th field : not sure
.
.
14th field: not sure


Relationship data: 
15th field: The column shows the relationship between each pair of ASes from route path (7th field).
From our example: The 7th field: 7575 4134 23724 23724 
     	 	      15th field : p2p p2c s2s
Implies, following relationships:
		      peer-to-peer(p2p) between AS 7575 and 4134.
		      provider-to-customer(p2c) between AS 4134 and AS 23724
		      same-to-same(s2s) between AS 23724 and AS 23724
The other possible entries are : customer-to-provider(c2p).

 Source flag:
16th field: implies the source from where we have retrieved this updates. For now we have two sources.
     	    	     RW: Route views data
		     BG: BGPMon

Information from updates:
These are additional two columns inserted based on the information retrieved from updates data. 
17th field: This number indicates the number number of updates advertised by AS 23724 for this particular prefix in column 6.
18th field: This is the time when the last updates for the prefix(in column 6) was seen. 

Cymru data:
Fields 19th through to 25rd are the entries retrieved from Cymru whois service.
19th field: The AS number to which the prefix (in column 6) belongs. 
20th field: The ip address that we queried for.
21th field: IP prefix range to which that the queried IP address belongs.
22th field: The country where the prefix is assigned.
23st field: The registry that is responsible for the address. This could be ARIN, APNIC etc.
24nd field: Date when the prefix was allocated to the organization/agency.
25rd field: The name of the organization/agency to which the prefix is assigned.

Type of hijack:
26th field: Indicates the type of hijack that occured. We compare the prefix range(6th field) announced by attacking AS against the prefix range indicated by cymru whois service(19th field). 
We set the value of this field based on following possibilites:
     	    Subprefix-RIPE: When attacking AS announced ownership of subprefix of a prefix assgined to victim.
	    superprefix-RIPE: When attaking AS announced ownerhsip of prefix length greater than the prefix length of victim. 
	    normal-RIPE: When attacking AS announced ownership of prefix having length same as the prefix length of victim. 
30th filed: Indicates the type of hijack that occcured. We compare the prefic range (6th field) announced by attacking AS against the prefic range indicated by RIPE whois service(29th field).
We set the value of this field based on following possibilities:
            Subprefix-CYM: When attacking AS announced ownership of subprefix of a prefix assgined to victim.
	    superprefix-CYM: When attaking AS announced ownerhsip of prefix length greater than the prefix length of victim. 
	    normal-CYM: When attacking AS announced ownership of prefix having length same as the prefix length of victim. 

RIPE data:
Fields 27,28 and 29 are the entries retrieved from RIPE whois service.
27th field: AS to which the queried prefix range belongs.
28th field: The prefix that we queried(This should be same as column 6. So this is redundant column).
29th field: The prefix range that the query prefix range belongs to according to information present the RIPE database.

AS information from Cyclops:
Field from 31 to 35 are the information retreived from the cyclops database. The fields describe different properties of AS in column 27. This AS ownership is as seen by the RIPE whois service for the queried prefix range. 
31st field: This is the AS number same as in 27th column. This is redundant entry.
32nd field: Indicates the size of AS. It could largeISP,smallISP,stub or tier1. 
33rd field: Degree of AS
34th field : provider_tree size of AS
35th field: customer_tree size of AS 


