PCAP Sanitization Tool
Hello, Anyone know of a good tool for sanitizing PCAP files? I would like to keep as much of the payload as possible but remove src and dst ip information.
FLAIM: flaim.ncsa.illinois.edu
On Jun 16, 2010, at 12:58 PM, Bein, Matthew wrote:
Hello,
Anyone know of a good tool for sanitizing PCAP files? I would like to keep as much of the payload as possible but remove src and dst ip information.
Mike Collins mcollins@aleae.com
Log sanitation is a whole lot easier than packets. AFAIK, sanitizing pcaps is an intractable problem because of various kinds of encodings that exist within packets. Examples:
- FTP IPv4 addresses are comma separated
- DNS does label encoding of domain names (especially with pointers)
- Forwarded emails contain deeply-buried domain names and IP addresses within gzipped, base-64 encoded MIME attachments.
So, I don't think you are going to get what you are asking for. That said, there are tools that can strip out the payload and reassign IP addresses and port numbers.
K.
---
http://www.pcapr.net
http://twitter.com/pcapr
http://labs.mudynamics.com
On Wed, Jun 16, 2010 at 10:18 AM, Michael Collins <mcollins@aleae.com> wrote:
FLAIM: flaim.ncsa.illinois.edu
On Jun 16, 2010, at 12:58 PM, Bein, Matthew wrote:
Hello,
Anyone know of a good tool for sanitizing PCAP files? I would like to keep as much of the payload as possible but remove src and dst ip information.
Mike Collins mcollins@aleae.com
Bein, Matthew wrote:
Hello,
Anyone know of a good tool for sanitizing PCAP files? I would like to keep as much of the payload as possible but remove src and dst ip information.
Would address anonymization work? Instead of removing src/dst ip, you can zero them.
I've used CoralReef for that sort of thing (http://www.caida.org/tools/measurement/coralreef/)
Cheers!
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
On Thu, 17 Jun 2010 11:15:05 +1200, Sebastian Castro said:
Bein, Matthew wrote:
Anyone know of a good tool for sanitizing PCAP files? I would like to keep as much of the payload as possible but remove src and dst ip information.
Would address anonymization work? Instead of removing src/dst ip, you can zero them.
No, if you simply zero the source and dest fields, you can't tell the difference between packets going "A->B" and "B->A", which is usually something you kind of want to keep track of.
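Two points in this thread lend themselves to a concrete check: kowsik's observation that addresses get re-encoded inside payloads (the comma-separated form used by FTP PORT/PASV), so rewriting only the IP header leaves them behind, and Valdis's point that zeroing both addresses destroys the A->B versus B->A distinction, whereas a consistent pseudonym mapping keeps it. The Python below is an added example written for this page; it is not code from any poster or from FLAIM, CoralReef or the other tools mentioned. It builds a constructed two-packet capture inline (an FTP client at 10.0.0.5 talking to a server at 192.0.2.10), rewrites the IPv4 addresses with either zeroing or a keyed HMAC pseudonym of my own choosing (the key and all function names are hypothetical), refreshes the IPv4 header checksum, and then scans the TCP payloads for the original addresses in dotted and FTP comma-separated form.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

def _ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 ones'-complement checksum; evaluates to 0 over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build one Ethernet/IPv4/TCP frame (constructed sample data, not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]   # fill checksum field
    return eth + ip + tcp + payload

def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian pcap file (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def iter_records(pcap: bytes):
    """Yield (offset of the frame data within the file, frame bytes) for every pcap record."""
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield off, pcap[off:off + incl]
        off += incl

def _rewrite_addresses(pcap: bytes, mapping) -> bytes:
    """Apply mapping(4 bytes) -> 4 bytes to IPv4 src/dst and refresh the IPv4 header checksum.
    The TCP checksum, whose pseudo-header also covers the addresses, is left stale here."""
    out = bytearray(pcap)
    for off, frame in iter_records(pcap):
        if frame[12:14] != b"\x08\x00":          # only IPv4 over Ethernet is handled
            continue
        ip = off + 14
        ihl = (frame[14] & 0x0F) * 4
        for field in (12, 16):                   # src at +12, dst at +16 in the IPv4 header
            out[ip + field:ip + field + 4] = mapping(bytes(frame[14 + field:14 + field + 4]))
        out[ip + 10:ip + 12] = b"\x00\x00"
        out[ip + 10:ip + 12] = struct.pack("!H", _ipv4_checksum(bytes(out[ip:ip + ihl])))
    return bytes(out)

def zero_addresses(pcap: bytes) -> bytes:
    """The 'just zero them' approach: every packet becomes 0.0.0.0 -> 0.0.0.0."""
    return _rewrite_addresses(pcap, lambda _: b"\x00" * 4)

def pseudonymize(pcap: bytes, key: bytes) -> bytes:
    """Keyed, consistent pseudonyms: the same real address always maps to the same fake one,
    so A->B and B->A stay distinguishable and flows stay joinable. The key must stay secret."""
    return _rewrite_addresses(pcap, lambda a: hmac.new(key, a, hashlib.sha256).digest()[:4])

def flow_directions(pcap: bytes):
    """(src, dst) of every IPv4 packet as dotted strings."""
    return [(str(IPv4Address(f[26:30])), str(IPv4Address(f[30:34])))
            for _, f in iter_records(pcap) if f[12:14] == b"\x08\x00"]

def ipv4_headers_valid(pcap: bytes) -> bool:
    """True when every IPv4 header checksum still verifies after rewriting."""
    return all(_ipv4_checksum(f[14:14 + (f[14] & 0x0F) * 4]) == 0
               for _, f in iter_records(pcap) if f[12:14] == b"\x08\x00")

def payload_leaks(pcap: bytes, original_addrs):
    """Report original addresses surviving inside TCP payloads, either as dotted text or in the
    comma-separated h1,h2,h3,h4 form that FTP PORT/PASV use. Returns (packet index, form, address)."""
    hits = []
    for n, (_, f) in enumerate(iter_records(pcap)):
        if f[12:14] != b"\x08\x00" or f[23] != 6:        # IPv4 + TCP only
            continue
        tcp = 14 + (f[14] & 0x0F) * 4
        payload = f[tcp + (f[tcp + 12] >> 4) * 4:]
        for addr in original_addrs:
            for form, enc in (("dotted", addr.encode()), ("ftp-port", addr.replace(".", ",").encode())):
                if enc in payload:
                    hits.append((n, form, addr))
    return hits

# Constructed sample: FTP client 10.0.0.5 sends an active-mode PORT command to 192.0.2.10.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SAMPLE_PCAP = build_pcap([
    _packet(CLIENT, SERVER, 40001, 21, b"PORT 10,0,0,5,156,65\r\n"),
    _packet(SERVER, CLIENT, 21, 40001, b"200 PORT command successful.\r\n"),
])

if __name__ == "__main__":
    print("original  :", flow_directions(SAMPLE_PCAP))
    print("zeroed    :", flow_directions(zero_addresses(SAMPLE_PCAP)))
    anon = pseudonymize(SAMPLE_PCAP, b"constructed-demo-key")   # hypothetical key
    print("pseudonym :", flow_directions(anon))
    print("leaks     :", payload_leaks(anon, [CLIENT, SERVER]))
```

Run on the sample, the zeroed capture reports 0.0.0.0 -> 0.0.0.0 for both packets, the pseudonymized one keeps two distinct addresses with the reply reversed, and `payload_leaks` still finds 10.0.0.5 inside the PORT command in every variant, which is exactly the gap the thread describes: header rewriting alone is not payload sanitization. The HMAC mapping here is deliberately simple; it does not preserve subnet structure, and a practitioner who needs that would reach for a prefix-preserving scheme in one of the tools listed in the thread rather than this toy.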
On Jun 16, 2010, at 9:58:48 AM, Bein, Matthew wrote:
Hello,
Anyone know of a good tool for sanitizing PCAP files? I would like to keep as much of the payload as possible but remove src and dst ip information.
What's your threat model? In general, proper anonymization of packet trace data is very hard.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
On Wed, 16 Jun 2010 18:37:01 PDT, Steven Bellovin said:
What's your threat model? In general, proper anonymization of packet trace data is very hard.
I'll go out on a limb and point out that a large chunk of the difficulty is because every protocol has had to invent its own hack-arounds for working across a NAT. The resulting lack of standardization making things like Wireshark protocol examinations and sanitizing capture data is one of the less well-known reasons why NATs are evil. I'll cut FTP some slack - it dates back *so* far we can legitimately say we just didn't know any better way back in the Stone Age. ;)
On Jun 17, 2010, at 6:46:51 AM, Valdis.Kletnieks@vt.edu wrote:
On Wed, 16 Jun 2010 18:37:01 PDT, Steven Bellovin said:
What's your threat model? In general, proper anonymization of packet trace data is very hard.
I'll go out on a limb and point out that a large chunk of the difficulty is because every protocol has had to invent its own hack-arounds for working across a NAT. The resulting lack of standardization making things like Wireshark protocol examinations and sanitizing capture data is one of the less well-known reasons why NATs are evil.
My complaints are at a deeper level -- even without that, it's really hard.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
TCPReplay may be helpful to you. http://tcpreplay.synfin.net/
======================
Travis
www.theipsguy.com
======================
On Wed, Jun 16, 2010 at 12:58 PM, Bein, Matthew <mbein@iso-ne.com> wrote:
Hello,
Anyone know of a good tool for sanitizing PCAP files? I would like to keep as much of the payload as possible but remove src and dst ip information.
-- Travis Abrams, GCIH, CISSP, etc. www.theipsguy.com
I would add the following to FLAIM:
- ranonymize from Argus http://www.qosient.com/argus/anonymization.htm
- Anontools http://www.ics.forth.gr/dcs/Activities/Projects/anontool.html
- CPAN IP::Anonymous http://search.cpan.org/~jtk/IP-Anonymous-0.04/lib/IP/Anonymous.pm
But I'm not sure if all of them could handle pcap.
Best regards,
Julien
Bein, Matthew wrote on 16/06/10 18:58:
Hello,
Anyone know of a good tool for sanitizing PCAP files? I would like to keep as much of the payload as possible but remove src and dst ip information.
You can take a look at netdude: http://netdude.sourceforge.net/
-----Original Message-----
From: Bein, Matthew [mailto:mbein@iso-ne.com]
Sent: Wednesday, June 16, 2010 12:59 PM
To: nanog@nanog.org
Subject: PCAP Sanitization Tool
Hello,
Anyone know of a good tool for sanitizing PCAP files? I would like to keep as much of the payload as possible but remove src and dst ip information.
participants (9)
- Bein, Matthew
- Delgado,Rodolfo
- jul
- kowsik
- Michael Collins
- Sebastian Castro
- Steven Bellovin
- travis abrams
- Valdis.Kletnieks@vt.edu