nanog mailing list archives

Re: PCAP Sanitization Tool

From: kowsik <kowsik () gmail com>
Date: Wed, 16 Jun 2010 13:31:48 -0700

Log sanitation is a whole lot easier than packets. AFAIK, santizing
pcaps is an intractable problem because of various kinds of encodings
that exist within packets.

Examples:

- FTP IPv4 addresses are comma separated
- DNS does label encoding of domain names (especially with pointers)
- Forwarded emails contain deeply-buried domain names and IP addresses
within gziped, based-64 encoded mime attachments.

So, I don't think you are going to get what you are asking for. That
said, there are tools that can strip out the payload and reassign IP
addresses and port numbers.

K.
---
http://www.pcapr.net
http://twitter.com/pcapr
http://labs.mudynamics.com

On Wed, Jun 16, 2010 at 10:18 AM, Michael Collins <mcollins () aleae com> wrote:

FLAIM: flaim.ncsa.illinois.edu

On Jun 16, 2010, at 12:58 PM, Bein, Matthew wrote:

Hello,



Anyone know of a good tool for sanitizing PCAP files? I would like to
keep as much of the payload as possible but remove src and dst ip
information.


Mike Collins
mcollins () aleae com

Current thread:

PCAP Sanitization Tool Bein, Matthew (Jun 16)
- Re: PCAP Sanitization Tool Michael Collins (Jun 16)
  - Re: PCAP Sanitization Tool kowsik (Jun 16)
- Re: PCAP Sanitization Tool Sebastian Castro (Jun 16)
  - Re: PCAP Sanitization Tool Valdis . Kletnieks (Jun 17)
- Re: PCAP Sanitization Tool Steven Bellovin (Jun 16)
  - Re: PCAP Sanitization Tool Valdis . Kletnieks (Jun 17)
    - Re: PCAP Sanitization Tool Steven Bellovin (Jun 17)
- Re: PCAP Sanitization Tool travis abrams (Jun 16)
- Re: PCAP Sanitization Tool jul (Jun 19)
- RE: PCAP Sanitization Tool Delgado,Rodolfo (Jun 21)