Re: [tcpdump-workers] pcap anonymizer

2011-05-02 Thread Stephen Donnelly

On 29/04/11 19:12, Guy Harris wrote:

> On Apr 28, 2011, at 3:31 PM, Michael Richardson wrote:
> 
>> Unless someone says that there is something else out there, I'm going to
>> write an (IPv4) pcap file anonymizer.  I won't make the first version
>> efficient.
> 
> The Internet Traffic Archive has some anonymizing software:
> 
> http://ita.ee.lbl.gov/html/software.html
> 
> http://ita.ee.lbl.gov/html/contrib/tcpdpriv.html
> 
> http://ita.ee.lbl.gov/html/contrib/sanitize.html
> 
> and some other stuff that turned up from a search for
> 
> pcap anonymizer
> 
> include:
> 
> http://crawdad.cs.dartmouth.edu/meta.php?name=tools/sanitize/generic/AnonTool
> 
> http://www.tm.uka.de/software/pktanon/


There is also Crypto-PAn.

http://www.cc.gatech.edu/computing/Networking/projects/cryptopan/


CAIDA has a useful taxonomy of tools here:

http://www.caida.org/tools/taxonomy/anontaxonomy.xml


Stephen
--
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.


Re: [tcpdump-workers] only outbound traffic

2011-05-02 Thread Seth Hall

On Apr 29, 2011, at 3:34 AM, Andrej van der Zee wrote:

>> On Apr 29, 2011, at 2:13 AM, Guy Harris wrote:
>> Why would an "offset" keyword be better in the filtering language than, say, 
>> the "vlan" keyword it already has?  You'd still have to do the same sort of 
>> special stuff, but it'd be a more manual operation.  (I.e., why would saying 
>> "offset {length of VLAN tag}" be better than "vlan"?)
> 
> It's more explicit to me. It is not really intuitive that "port 80 and vlan" 
> and "vlan and port 80" give different results, until you realize that vlan 
> increases the ether type offset.


The real fun starts when you have traffic with both MPLS and VLAN tags. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

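The offset behaviour Andrej and Guy are discussing, as an added example that is not libpcap code: a toy left-to-right evaluator for conjunctions of `vlan` and `port N` which models one libpcap rule, namely that `vlan` shifts the offsets used by every primitive written after it while primitives written before it keep the untagged layout. The sample frames are constructed inline; the evaluator only recognises TPID 0x8100, only these two primitives, and only `and`, all simplifications of the example.

```python
"""Added example, not libpcap code: a toy left-to-right evaluator for filter
expressions built from `vlan` and `port N` joined by `and`, modelling one
libpcap rule: `vlan` shifts the offsets used by every primitive written
after it, while primitives written before it keep the untagged layout."""
import struct

ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100


def build_frame(tagged: bool, sport: int, dport: int) -> bytes:
    """Constructed sample frame: Ethernet [+ 802.1Q tag] + IPv4 + TCP headers."""
    link = b"\x00" * 12
    if tagged:
        link += struct.pack("!HH", ETH_P_8021Q, 100)     # TPID, TCI (VLAN 100)
    link += struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return link + ip + tcp


def evaluate(expr: str, frame: bytes) -> bool:
    """`off` is where the network-layer header is assumed to start; it begins at
    14 (plain Ethernet) and only a `vlan` primitive moves it."""
    off = 14
    for prim in (p.strip() for p in expr.split(" and ")):
        ethertype = struct.unpack_from("!H", frame, off - 2)[0]   # type field just before `off`
        if prim == "vlan":
            if ethertype != ETH_P_8021Q:
                return False
            off += 4                     # everything after this reads the shifted layout
        elif prim.startswith("port "):
            port = int(prim.split()[1])
            if ethertype != ETH_P_IP:    # `port` needs an IP header at the current offset
                return False
            ihl = (frame[off] & 0x0F) * 4
            if frame[off + 9] not in (6, 17):
                return False
            sport, dport = struct.unpack_from("!HH", frame, off + ihl)
            if port not in (sport, dport):
                return False
        else:
            raise ValueError("unsupported primitive: " + prim)
    return True


def compare(expressions, frames):
    """Return {expr: [match per frame]} so the two orderings can be seen side by side."""
    return {e: [evaluate(e, f) for f in frames] for e in expressions}


if __name__ == "__main__":
    frames = [build_frame(False, 40000, 80), build_frame(True, 40000, 80)]
    for expr, hits in compare(["port 80", "vlan and port 80", "port 80 and vlan"], frames).items():
        print(f"{expr:20s} untagged={hits[0]} tagged={hits[1]}")
```

Run against one untagged and one tagged TCP/80 frame, "vlan and port 80" matches only the tagged frame, while "port 80 and vlan" matches neither: the `port 80` test runs first with the untagged offsets, so it rejects the tagged frame (ethertype 0x8100 where it expects 0x0800), and the untagged frame then fails `vlan`. The same shifting is what makes stacked MPLS and VLAN headers awkward, since each keyword moves the offsets again for whatever follows it.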


Re: [tcpdump-workers] pcap anonymizer

2011-05-02 Thread Seth Hall

On Apr 30, 2011, at 12:10 PM, Aaron Turner wrote:

> Honestly, I'm not aware of any tool which covers every possibility so

I hate to even mention this, but Bro-IDS' current release (1.5.x) can do this 
because, as you mentioned, information is leaked through many application 
protocols and you can program Bro to change application protocol fields fairly 
arbitrarily however you want it to while still updating all relevant checksums. 
I hate to mention it because we're actually removing the code from the next 
major release due to its slow decay from lack of use.

We'd actually really like to hear from anyone interested in this capability to 
possibly guide future developments.

Thanks,
 .Seth

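As an added example serving both the anonymizer question that opened this thread and the checksum point in Seth's reply above (not code from the thread, from Bro, or from any of the tools listed): prefix-preserving IPv4 address anonymization in the style of Crypto-PAn, applied to the IPv4 headers in a classic pcap, with the IP header checksum and the TCP/UDP checksum (whose pseudo-header covers the addresses) recomputed afterwards. Crypto-PAn uses AES as its pseudorandom function; to stay in the standard library this version substitutes HMAC-SHA256 under a secret key, which is an assumption of the example and not Crypto-PAn's construction. The sample pcap, the key, and all function names are constructed for the example.

```python
"""Added example (not from the thread or any tool it lists): prefix-preserving
IPv4 anonymization in the style of Crypto-PAn, applied to a pcap with the IP
and TCP/UDP checksums recomputed. Crypto-PAn uses AES as its PRF; this
standard-library version substitutes HMAC-SHA256 (an assumption of the
example, not Crypto-PAn's construction)."""
import hashlib
import hmac
import struct

ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100


def anonymize_ipv4(addr: bytes, key: bytes) -> bytes:
    """Prefix-preserving: output bit i = input bit i XOR PRF(key, i, bits 0..i-1),
    so inputs sharing k leading bits give outputs sharing exactly k leading bits."""
    x = int.from_bytes(addr, "big")
    y = 0
    for i in range(32):
        prefix = x >> (32 - i)                                   # the i high-order bits
        tag = hmac.new(key, struct.pack("!BI", i, prefix), hashlib.sha256).digest()
        bit = (x >> (31 - i)) & 1
        y = (y << 1) | (bit ^ (tag[0] & 1))
    return y.to_bytes(4, "big")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over data whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def anonymize_ipv4_packet(pkt: bytes, key: bytes) -> bytes:
    """Rewrite src/dst of one IPv4 packet (link layer stripped) and fix the IP header
    checksum and the TCP/UDP checksum, whose pseudo-header covers both addresses.
    Assumes the packet is complete, i.e. not cut short by the capture snaplen."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = anonymize_ipv4(pkt[12:16], key)
    dst = anonymize_ipv4(pkt[16:20], key)
    hdr = bytearray(pkt[:ihl])
    hdr[12:16], hdr[16:20], hdr[10:12] = src, dst, b"\x00\x00"
    hdr[10:12] = struct.pack("!H", inet_checksum(bytes(hdr)))
    body = bytearray(pkt[ihl:])
    off = {6: 16, 17: 6}.get(proto)                              # checksum field offset
    # UDP with a zero checksum means "none": leave it alone rather than add one
    if off is not None and len(body) >= off + 2 and not (proto == 17 and body[off:off + 2] == b"\x00\x00"):
        body[off:off + 2] = b"\x00\x00"
        pseudo = src + dst + struct.pack("!BBH", 0, proto, len(body))
        body[off:off + 2] = struct.pack("!H", inet_checksum(pseudo + bytes(body)))
    return bytes(hdr) + bytes(body)


def anonymize_pcap(data: bytes, key: bytes) -> bytes:
    """Walk a classic pcap (not pcapng) of Ethernet frames (DLT_EN10MB) and rewrite
    every fully captured IPv4 packet, whether or not it carries an 802.1Q tag."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("example handles DLT_EN10MB only")
    out = bytearray(data[:24])
    pos = 24
    while pos < len(data):
        rec = data[pos:pos + 16]
        incl, orig = struct.unpack(endian + "II", rec[8:16])
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        off = 14
        ethertype = struct.unpack_from("!H", frame, 12)[0] if len(frame) >= 14 else None
        if ethertype == ETH_P_8021Q and len(frame) >= 18:           # tag shifts the IP header by 4
            off, ethertype = 18, struct.unpack_from("!H", frame, 16)[0]
        if ethertype == ETH_P_IP and incl == orig and len(frame) >= off + 20:
            frame = frame[:off] + anonymize_ipv4_packet(frame[off:], key)
        out += rec + frame
    return bytes(out)


def sample_pcap() -> bytes:
    """Constructed input: one untagged and one VLAN-tagged TCP/80 frame between
    10.1.2.3 and 10.1.9.9, with checksum fields left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes([10, 1, 2, 3]), bytes([10, 1, 9, 9]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    plain = b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + ip + tcp
    tagged = b"\x00" * 12 + struct.pack("!HHH", ETH_P_8021Q, 100, ETH_P_IP) + ip + tcp
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 1, 0, len(f), len(f)) + f for f in (plain, tagged))


if __name__ == "__main__":
    out = anonymize_pcap(sample_pcap(), b"example-key")
    print(out[54:74].hex())   # first IPv4 header: addresses rewritten, checksum valid
```

Two caveats a practitioner will want. First, the mapping is keyed, so anyone holding the key can invert it; the key must be kept with the capture owner, not shipped with the anonymized trace. Second, this only rewrites the IPv4 header: addresses and hostnames carried inside application payloads (the leakage Seth refers to) are untouched, and rewriting those is exactly where field-aware tooling earns its keep, because every such change also has to be followed by a checksum update like the one above.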