PCAP Sanitization Tool

Hello,

Anyone know of a good tool for sanitizing PCAP files? I would like to
keep as much of the payload as possible but remove src and dst ip
information.

FLAIM: flaim.ncsa.illinois.edu

Log sanitation is a whole lot easier than packets. AFAIK, sanitizing
pcaps is an intractable problem because of various kinds of encodings
that exist within packets.

Examples:

- FTP IPv4 addresses are comma separated
- DNS does label encoding of domain names (especially with pointers)
- Forwarded emails contain deeply-buried domain names and IP addresses
within gzipped, base64-encoded MIME attachments.

So, I don't think you are going to get what you are asking for. That
said, there are tools that can strip out the payload and reassign IP
addresses and port numbers.

K.

Bein, Matthew wrote:

> Hello,
>
> Anyone know of a good tool for sanitizing PCAP files? I would like to
> keep as much of the payload as possible but remove src and dst ip
> information.

Would address anonymization work? Instead of removing src/dst ip, you
can zero them.

I've used CoralReef for that sort of thing
(CoralReef Software Suite - CAIDA)

Cheers!

What's your threat model? In general, proper anonymization of packet trace data is very hard.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

TCPReplay may be helpful to you.

http://tcpreplay.synfin.net/

No, if you simply zero the source and dest fields, you can't tell the difference
between packets going "A->B" and "B->A", which is usually something you kind
of want to keep track of.

I'll go out on a limb and point out that a large chunk of the difficulty is
because every protocol has had to invent its own hack-arounds for working
across a NAT. The resulting lack of standardization, which complicates things
like Wireshark protocol examination and sanitizing capture data, is one of the
less well-known reasons why NATs are evil.

I'll cut FTP some slack - it dates back *so* far we can legitimately
say we just didn't know any better way back in the Stone Age. ;-)
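To make the two points above concrete (keep A->B distinguishable from B->A by mapping addresses consistently instead of zeroing them, and notice that in-band addresses such as an FTP PORT command survive a header-only rewrite), here is a small added Python example; it is not code from any of the tools named in this thread, and it assumes a little-endian Ethernet pcap with IPv4 frames and a constructed two-packet sample built inline.

```python
import hashlib, hmac, re, struct
# Dotted-quad IPv4 or FTP PORT-style comma-separated address inside a payload.
_LEAK_RE = re.compile(rb"\d{1,3}([.,])\d{1,3}\1\d{1,3}\1\d{1,3}")

def _pseudonym(ip, key, table):
    # Keyed, consistent mapping into 10.0.0.0/8: the same real address always gets the
    # same pseudonym, so A->B and B->A stay distinguishable (zeroing would merge them).
    if ip not in table:
        table[ip] = b"\x0a" + hmac.new(key, ip, hashlib.sha256).digest()[:3]
    return table[ip]

def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def anonymize_pcap(pcap, key):
    # Rewrite IPv4 src/dst in a little-endian Ethernet pcap and fix the header checksum.
    # Payloads stay intact, so the second return value lists packets that still carry
    # an address in-band (FTP PORT, cleartext mail, ...) and need protocol-aware handling.
    out, table, leaks, off, idx = bytearray(pcap[:24]), {}, [], 24, 0
    while off + 16 <= len(pcap):
        rec = pcap[off:off + 16]
        incl = struct.unpack("<I", rec[8:12])[0]
        pkt = bytearray(pcap[off + 16:off + 16 + incl])
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":  # EtherType IPv4
            ihl = (pkt[14] & 0x0F) * 4
            pkt[26:30] = _pseudonym(bytes(pkt[26:30]), key, table)
            pkt[30:34] = _pseudonym(bytes(pkt[30:34]), key, table)
            pkt[24:26] = b"\x00\x00"
            pkt[24:26] = struct.pack("!H", ipv4_checksum(bytes(pkt[14:14 + ihl])))
            if _LEAK_RE.search(bytes(pkt[14 + ihl:])):
                leaks.append(idx)
        out += rec + pkt
        off, idx = off + 16 + incl, idx + 1
    return bytes(out), leaks

def build_sample():
    # Constructed two-packet capture: a client FTP PORT command and the server's reply.
    def frame(src, dst, sport, dport, payload):
        ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, src, dst))
        ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
        pkt = b"\x00" * 12 + b"\x08\x00" + bytes(ip) + tcp + payload
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    a, b = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + frame(a, b, 40000, 21, b"PORT 192,0,2,1,156,64\r\n")
            + frame(b, a, 21, 40000, b"200 PORT command successful\r\n"))
```

Running `anonymize_pcap(build_sample(), key)` rewrites both headers consistently, yet reports packet 0 as still leaking the client address through the PORT argument, which is exactly the class of encoding the thread says a generic tool cannot handle.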

My complaints are at a deeper level -- even without that, it's really hard.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

I would add the following to FLAIM
- ranonymize from Argus
http://www.qosient.com/argus/anonymization.htm
- Anontools
http://www.ics.forth.gr/dcs/Activities/Projects/anontool.html
- CPAN IP::Anonymous
http://search.cpan.org/~jtk/IP-Anonymous-0.04/lib/IP/Anonymous.pm

But I'm not sure if all of them could handle pcap.

Best regards,

  Julien

You can take a look at netdude:

http://netdude.sourceforge.net/