Kevin,
Yes, this is definitely worthy of a feature request. In fact, the developers
have discussed this option at Sharkfest in great depth. Please feel comfortable
to add it to the list.
In general, there are many caveats in implementing anonymization. It should be
handled per protocol, taking into account that certain data can be segmented
across multiple frames. It can be compressed or encapsulated. Certain lower
layer data can be present in higher layer protocols. So in the end, if it is
implemented, it should be used with great caution. A false sense of security is
worse than having no security at all (which of course can be disputed ;-)).
As for masking IP addresses: of course it is easy to alter the src and dst IP
addresses of packets, but what to do with the ICMP unreachable messages? And
the port command of an FTP session? Or the X-Forwarded-For header in HTTP? And
should IP addresses be changed the same way on all protocol levels?
We really need this feature IMHO, but it is pretty complex to implement it
properly unfortunately.
Cheers,
Sake
PS Have a look at the bittwist "suite", it contains bittwiste which could
alter mac-addresses, ip-addresses, ports etc of packets, so that might suit
your needs, but be aware of the higher layers that might still contain the
things you were trying to mask (http://bittwist.sourceforge.net/).
----- Original Message -----
From: Kevin Jones
To: [email protected]
Sent: Thursday, July 23, 2009 2:22 PM
Subject: [Wireshark-dev] Feature Request
I'd like to add a feature request to the list in the wiki. As per the rules
listed there, I'd like to know from the devs if this idea is something worthy
of a feature request.
A lot of times, Wireshark captures get uploaded to the internet for others to
view/compare/analyze. However, there are many times when a log of IP addresses
and MAC addresses could be detrimental. Therefore, I'm suggesting an easy way
(one click perhaps?) to anonymize the data. Unique IPs and MACs would have to
be replaced with something such as 1.1.1.1 and 1.1.1.2, etc... and maintained
throughout the results.
Granted, this would not be useful for every occasion or user but I think that
it would be a welcome addition that would benefit a great number of users.
Thanks,
Kevin
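
The consistent replacement Kevin asks for, combined with the payload caveats Sake raises (FTP PORT and X-Forwarded-For), as an added Python example; it is not Wireshark or bittwist code. The record layout, `SAMPLE` data and `IPv4Pseudonymizer` class are assumptions made for illustration, and checksums, length fields, segmentation, compression and headers quoted inside ICMP errors are not handled.

```python
import ipaddress
import re

DOTTED = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# FTP PORT argument is h1,h2,h3,h4,p1,p2: the address is written with commas.
FTP_PORT = re.compile(rb"(?i)\b(PORT )(\d+),(\d+),(\d+),(\d+)(,\d+,\d+)")

# Constructed sample records (not a real capture): IP header fields plus payload.
SAMPLE = [
    {"src": "192.0.2.10", "dst": "198.51.100.7",
     "payload": b"PORT 192,0,2,10,19,137\r\n"},
    {"src": "198.51.100.7", "dst": "203.0.113.5",
     "payload": b"GET / HTTP/1.1\r\nX-Forwarded-For: 192.0.2.10\r\n\r\n"},
]

class IPv4Pseudonymizer:
    """Map each distinct address to 1.1.1.1, 1.1.1.2, ... and reuse the mapping."""

    def __init__(self, base="1.1.1.0"):
        self._base = ipaddress.IPv4Address(base)
        self._map = {}

    def map_ip(self, ip):
        ip = str(ipaddress.IPv4Address(ip))  # validates; raises on non-addresses
        if ip not in self._map:
            self._map[ip] = str(self._base + len(self._map) + 1)
        return self._map[ip]

    def _dotted(self, m):
        try:
            return self.map_ip(m.group(1).decode()).encode()
        except ValueError:
            return m.group(0)  # e.g. 999.1.1.1 is not an address: keep as is

    def _ftp(self, m):
        try:
            new = self.map_ip(".".join(g.decode() for g in m.groups()[1:5]))
        except ValueError:
            return m.group(0)
        return m.group(1) + new.replace(".", ",").encode() + m.group(6)

    def scrub_payload(self, data):
        return DOTTED.sub(self._dotted, FTP_PORT.sub(self._ftp, data))

    def scrub_packet(self, pkt, payload=True):
        out = dict(pkt, src=self.map_ip(pkt["src"]), dst=self.map_ip(pkt["dst"]))
        if payload:
            out["payload"] = self.scrub_payload(pkt["payload"])
        return out
```

Calling `scrub_packet(pkt, payload=False)` rewrites only the header fields and leaves the original address readable in both sample payloads, which is the false sense of security described above.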
------------------------------------------------------------------------------
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe