RE: PCAP Sanitization Tool

2010-06-21 Thread Delgado,Rodolfo
You can take a look at netdude:

http://netdude.sourceforge.net/

-Original Message-
From: Bein, Matthew [mailto:mb...@iso-ne.com]
Sent: Wednesday, June 16, 2010 12:59 PM
To: nanog@nanog.org
Subject: PCAP Sanitization Tool

Hello,

Anyone know of a good tool for sanitizing PCAP files? I would like to
keep as much of the payload as possible but remove src and dst ip
information.



Confidentiality Notice: The information contained in this e-mail and any 
attachments (including, but not limited to, any attached e-mails) may be 
legally privileged and confidential. If you are not an intended recipient, you 
are hereby notified that any dissemination, distribution or copying of this 
e-mail is strictly prohibited. If you have received this e-mail in error, 
please notify the sender and permanently delete the e-mail and any attachments 
immediately. You should not retain, copy or use this e-mail or any attachment 
for any purpose, nor disclose all or any part of the contents to any other 
person. Thank you.



Re: PCAP Sanitization Tool

2010-06-19 Thread jul

I would add the following to FLAIM
- ranonymize from Argus
http://www.qosient.com/argus/anonymization.htm
- Anontools
http://www.ics.forth.gr/dcs/Activities/Projects/anontool.html
- CPAN IP::Anonymous
http://search.cpan.org/~jtk/IP-Anonymous-0.04/lib/IP/Anonymous.pm

But I'm not sure if all of them could handle pcap.

Best regards,

Julien

Bein, Matthew wrote on 16/06/10 18:58:
> Hello,
>
> Anyone know of a good tool for sanitizing PCAP files? I would like to
> keep as much of the payload as possible but remove src and dst ip
> information.




Re: PCAP Sanitization Tool

2010-06-17 Thread Valdis Kletnieks
On Thu, 17 Jun 2010 11:15:05 +1200, Sebastian Castro said:
> Bein, Matthew wrote:
> > Anyone know of a good tool for sanitizing PCAP files? I would like to
> > keep as much of the payload as possible but remove src and dst ip
> > information.
>
> Would address anonymization work? Instead of removing src/dst ip, you
> can zero them.

No, if you simply zero the source and dest fields, you can't tell the difference
between packets going A->B and B->A, which is usually something you kind
of want to keep track of.




Re: PCAP Sanitization Tool

2010-06-17 Thread Valdis Kletnieks
On Wed, 16 Jun 2010 18:37:01 PDT, Steven Bellovin said:
> What's your threat model?  In general, proper anonymization of packet
> trace data is very hard.

I'll go out on a limb and point out that a large chunk of the difficulty is
because every protocol has had to invent its own hack-arounds for working
across a NAT. The resulting lack of standardization making things like
Wireshark protocol examinations and sanitizing capture data is one of the less
well-known reasons why NATs are evil.

I'll cut FTP some slack - it dates back *so* far we can legitimately
say we just didn't know any better way back in the Stone Age. ;)




Re: PCAP Sanitization Tool

2010-06-17 Thread Steven Bellovin

On Jun 17, 2010, at 6:46:51 AM, valdis.kletni...@vt.edu wrote:

> On Wed, 16 Jun 2010 18:37:01 PDT, Steven Bellovin said:
> > What's your threat model?  In general, proper anonymization of packet
> > trace data is very hard.
>
> I'll go out on a limb and point out that a large chunk of the difficulty is
> because every protocol has had to invent its own hack-arounds for working
> across a NAT. The resulting lack of standardization making things like
> Wireshark protocol examinations and sanitizing capture data is one of the less
> well-known reasons why NATs are evil.

My complaints are at a deeper level -- even without that, it's really hard.

--Steve Bellovin, http://www.cs.columbia.edu/~smb


Re: PCAP Sanitization Tool

2010-06-16 Thread Michael Collins
FLAIM: flaim.ncsa.illinois.edu

On Jun 16, 2010, at 12:58 PM, Bein, Matthew wrote:

> Hello,
>
> Anyone know of a good tool for sanitizing PCAP files? I would like to
> keep as much of the payload as possible but remove src and dst ip
> information.


Mike Collins
mcoll...@aleae.com

Re: PCAP Sanitization Tool

2010-06-16 Thread kowsik
Log sanitation is a whole lot easier than packets. AFAIK, sanitizing
pcaps is an intractable problem because of various kinds of encodings
that exist within packets.

Examples:

- FTP IPv4 addresses are comma separated
- DNS does label encoding of domain names (especially with pointers)
- Forwarded emails contain deeply-buried domain names and IP addresses
within gzipped, base64-encoded MIME attachments.

So, I don't think you are going to get what you are asking for. That
said, there are tools that can strip out the payload and reassign IP
addresses and port numbers.

K.
---
http://www.pcapr.net
http://twitter.com/pcapr
http://labs.mudynamics.com

On Wed, Jun 16, 2010 at 10:18 AM, Michael Collins mcoll...@aleae.com wrote:
> FLAIM: flaim.ncsa.illinois.edu
>
> On Jun 16, 2010, at 12:58 PM, Bein, Matthew wrote:
>
> > Hello,
> >
> > Anyone know of a good tool for sanitizing PCAP files? I would like to
> > keep as much of the payload as possible but remove src and dst ip
> > information.
>
> Mike Collins
> mcoll...@aleae.com

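Kowsik's point that addresses hide inside payload encodings, and Valdis's point above that zeroing src/dst loses the A->B versus B->A distinction, together as an added example that belongs to none of the tools named in the thread: a header-only rewrite with a consistent one-to-one pseudonym table, followed by an audit that the real addresses do not survive in the payload, here in the FTP PORT comma form. The packets, addresses and function names are constructed for this illustration.

```python
import ipaddress
import struct

class ConsistentMapper:
    """Each real IPv4 address gets one stable pseudonym in 10.0.0.0/8 (direction survives)."""
    def __init__(self):
        self.table = {}  # real -> pseudonym; this table reverses the mapping, so keep it secret
    def map(self, ip):
        if ip not in self.table:
            self.table[ip] = str(ipaddress.IPv4Address(0x0A000000 + len(self.table) + 1))
        return self.table[ip]

def ipv4_checksum(header):  # RFC 791; returns 0 when run over a header whose checksum is valid
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    total = (total & 0xFFFF) + (total >> 16)
    return (~(total + (total >> 16))) & 0xFFFF

def build_ipv4(src, dst, payload, proto=6):  # minimal raw IPv4 packet, no link layer (constructed)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def addresses(pkt):
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))

def rewrite_header(pkt, mapper):
    """Rewrite src/dst in the IP header only and fix the checksum; the payload is untouched."""
    src, dst = addresses(pkt)
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[12:16] = ipaddress.IPv4Address(mapper.map(src)).packed
    hdr[16:20] = ipaddress.IPv4Address(mapper.map(dst)).packed
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

def payload_leaks(pkt, real_ips):
    """Real addresses still present in the payload, dotted or in the comma-separated form
    FTP PORT/PASV use (kowsik's first example); DNS labels and gzip need their own decoders."""
    text = pkt[(pkt[0] & 0x0F) * 4:].decode("latin-1")
    return [(ip, form) for ip in real_ips for form in (ip, ip.replace(".", ",")) if form in text]

# Constructed sample: FTP client A announces its data port to server B with PORT (RFC 959).
A, B = "192.0.2.10", "198.51.100.7"
SAMPLE = [build_ipv4(A, B, b"PORT 192,0,2,10,4,1\r\n"),
          build_ipv4(B, A, b"200 PORT command successful.\r\n")]

def sanitize(packets):  # header-only rewrite plus a leak audit of the untouched payloads
    mapper = ConsistentMapper()
    out = [rewrite_header(p, mapper) for p in packets]
    return out, [payload_leaks(p, list(mapper.table)) for p in out]
```

The audit reports the client's real address surviving inside the PORT argument of the first packet, which is exactly the case a header-only tool misses.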

Re: PCAP Sanitization Tool

2010-06-16 Thread Sebastian Castro
Bein, Matthew wrote:
> Hello,
>
> Anyone know of a good tool for sanitizing PCAP files? I would like to
> keep as much of the payload as possible but remove src and dst ip
> information.


Would address anonymization work? Instead of removing src/dst ip, you
can zero them.

I've used CoralReef for that sort of thing
(http://www.caida.org/tools/measurement/coralreef/)

Cheers!
-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535



Re: PCAP Sanitization Tool

2010-06-16 Thread Steven Bellovin

On Jun 16, 2010, at 9:58:48 AM, Bein, Matthew wrote:

> Hello,
>
> Anyone know of a good tool for sanitizing PCAP files? I would like to
> keep as much of the payload as possible but remove src and dst ip
> information.

What's your threat model?  In general, proper anonymization of packet trace 
data is very hard.


--Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: PCAP Sanitization Tool

2010-06-16 Thread travis abrams
TCPReplay may be helpful to you.

http://tcpreplay.synfin.net/

==
Travis
www.theipsguy.com
==

On Wed, Jun 16, 2010 at 12:58 PM, Bein, Matthew mb...@iso-ne.com wrote:

> Hello,
>
> Anyone know of a good tool for sanitizing PCAP files? I would like to
> keep as much of the payload as possible but remove src and dst ip
> information.

-- 
Travis Abrams, GCIH, CISSP, etc.
www.theipsguy.com