Wireshark mailing list archives
Re: Tools to anonymize pcaps with cellular/3gpp traffic
From: Jasper Bongertz <jasper () packet-foo com>
Date: Wed, 7 Jun 2017 21:38:33 +0200
Hi Ivan,
There are a few publicly available tools that anonymize pcap files, but they usually target L2-L4 layers and "standard" protocols (e.g. DNS, ICMP, ...).
There is a good reason for this: the complexity to anonymize anything on top of L4 is a nightmare. UDP only haunts you with IP fragment reassembly, which is not as easy as it may sound, but sanitizing TCP based applications is like an instant migraine when I think about segmented payloads. The main reason why sanitization looks simple enough to most people is that they assume that sanitization means "patching some zeros over sensitive stuff at some offset, and you're done." - and it's something else entirely if it is done correctly. Real sanitization needs to parse/dissect the whole packet, extract all information bottom up, and rebuild all layers with sanitized values (where required) from the top protocol down. For that a protocol parser/dissector needs to be written, and a protocol assembly counterpart needs to be coded as well. This is exactly what I'm doing in TraceWrangler.
> Is there any tool which sanitizes information carried on "3gpp" protocols (ranap, bssap, gsm_a dtap, gsm_map, sgsap...) or, at least, on some of them?
Not that I know of - mostly because few care about real sanitization (most tools are "patching" tools), and nobody so far touches applications on L5 and higher in a useful way (meaning, not simply zeroing or randomizing everything). Well, TraceWrangler does, for DHCPv4 and RTPS (both mostly because UDP is single packet stuff most of the time), but that's it. DNS is still missing because it's hard to do right, since it has that pesky pointer FQDN assembly mechanism (sort of a compression algorithm) that is complicating things when rebuilding the protocol layer. The main point for me to implement protocols on top of L4 is if I can get sample PCAPs and documentation on how to parse and rebuild them. With those telecommunication protocols it seems to be one of the classic deadlock situations: I need a PCAP to see how to sanitize it, but nobody can share it without some sanitization first - and no, just coding stuff based on protocol specs isn't working (probably because I'm not a coder. I'm a network analyst that can write some sort of strange code) :-)
> I am not looking for something particularly advanced: zeroing mcc and mnc (both in imsi and in cell/location information) should be enough, even without checksum updating.
Let me tell you, it may not sound advanced, but it is ;-) Anyway, if you can get me PCAPs and specs for the stuff on top of TCP/UDP I can see what I can do. That's basically what happened for RTPS (I thought it was simple, because it's on top of UDP... and then IP reassembly was like 16 tons coming down on me just when I thought I was done) :-)
> The goal is to easily share some pcaps without changing them with a hex editor by hand.
That's the main reason why I started writing TraceWrangler ;-)

Cheers,
Jasper
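The "parse bottom-up, sanitize, rebuild top-down" point made above, applied to the one field Ivan asks about, as an added example that is not code from this thread, from TraceWrangler or from any 3GPP project. It decodes an IMSI from two on-the-wire encodings (a GSM MAP TBCD string per TS 29.002, and the Mobile Identity IE value part per TS 24.008 10.5.1.4), zeroes the MCC and MNC digits, and re-encodes to the same length. It assumes a 2-digit MNC (the real MNC length depends on the MCC, so a lookup table would be needed in practice); the sample IMSI is constructed. The last function shows why the "patch zeros over an offset" shortcut corrupts the field: the first octet of the Mobile Identity IE also carries the identity type and odd/even flag.

```python
"""Parse, sanitize and rebuild an IMSI in two 3GPP wire encodings.

* GSM MAP TBCD-STRING (TS 29.002): two digits per octet, low nibble
  first, 0xF filler in the last high nibble if the digit count is odd.
* Mobile Identity IE value part (TS 24.008 10.5.1.4): octet 1 holds
  digit 1 in bits 5-8, the odd/even flag in bit 4 and the type of
  identity (001 = IMSI) in bits 1-3; later octets pack two digits each,
  low nibble first, 0xF filler if the digit count is even.
"""

TYPE_IMSI = 0b001
MNC_LEN = 2  # assumption: 2-digit MNC; real MNC length depends on the MCC

# Constructed sample: MCC 262, MNC 01, MSIN 1234567890 (15 digits).
SAMPLE_IMSI = "262011234567890"
SAMPLE_MAP_TBCD = bytes.fromhex("62021132547698f0")
SAMPLE_MOBILE_IDENTITY = bytes.fromhex("2926102143658709")


def _nibble_to_digit(nibble: int) -> str:
    if nibble > 9:
        raise ValueError(f"non-decimal nibble 0x{nibble:X} inside IMSI")
    return chr(ord("0") + nibble)


def tbcd_decode(data: bytes) -> str:
    """Unpack a TBCD string; stops at the 0xF filler nibble."""
    digits = []
    for octet in data:
        for nibble in (octet & 0x0F, octet >> 4):
            if nibble == 0xF:
                return "".join(digits)
            digits.append(_nibble_to_digit(nibble))
    return "".join(digits)


def tbcd_encode(digits: str) -> bytes:
    """Pack decimal digits into TBCD, padding an odd count with 0xF."""
    if len(digits) % 2:
        digits += "F"
    return bytes((int(hi, 16) << 4) | int(lo, 16)
                 for lo, hi in zip(digits[0::2], digits[1::2]))


def mobile_identity_decode(ie: bytes) -> tuple[int, str]:
    """Return (type_of_identity, digits) from a Mobile Identity IE value."""
    first = ie[0]
    type_of_id = first & 0x07
    odd_flag = (first >> 3) & 0x01
    digits = _nibble_to_digit(first >> 4) + tbcd_decode(ie[1:])
    if (len(digits) % 2) != odd_flag:
        raise ValueError("odd/even flag does not match the digit count")
    return type_of_id, digits


def mobile_identity_encode(type_of_id: int, digits: str) -> bytes:
    """Rebuild a Mobile Identity IE value from its parsed parts."""
    odd_flag = len(digits) % 2
    first = (int(digits[0]) << 4) | (odd_flag << 3) | (type_of_id & 0x07)
    return bytes([first]) + tbcd_encode(digits[1:])


def zero_mcc_mnc(imsi: str, mnc_len: int = MNC_LEN) -> str:
    """Replace the PLMN part (MCC + MNC) with zeros, keep the MSIN."""
    plmn_len = 3 + mnc_len
    return "0" * plmn_len + imsi[plmn_len:]


def sanitize_map_imsi(tbcd: bytes) -> bytes:
    """Parse, zero MCC/MNC, rebuild: output length equals input length."""
    return tbcd_encode(zero_mcc_mnc(tbcd_decode(tbcd)))


def sanitize_mobile_identity(ie: bytes) -> bytes:
    """Same for a Mobile Identity IE; non-IMSI identities are left alone."""
    type_of_id, digits = mobile_identity_decode(ie)
    if type_of_id != TYPE_IMSI:
        return ie
    return mobile_identity_encode(type_of_id, zero_mcc_mnc(digits))


def naive_patch_is_consistent(ie: bytes, n: int) -> bool:
    """Overwrite the first n octets with zeros (the hex-editor approach)
    and report whether the result still parses as a consistent IMSI."""
    patched = bytes(n) + ie[n:]
    try:
        type_of_id, _ = mobile_identity_decode(patched)
    except ValueError:
        return False
    return type_of_id == TYPE_IMSI


if __name__ == "__main__":
    print(sanitize_map_imsi(SAMPLE_MAP_TBCD).hex())
    print(sanitize_mobile_identity(SAMPLE_MOBILE_IDENTITY).hex())
    print(naive_patch_is_consistent(SAMPLE_MOBILE_IDENTITY, 3))
```

The rebuilt field keeps its length, so the enclosing length octets, the IE structure and any transport-level checksums are unaffected by this one substitution; anything above that (fragment reassembly, TCP segmentation, and in MAP the ASN.1 wrapping) still has to be parsed and regenerated in the same way, which is the part of the job the message above calls a nightmare.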