tcpdump mailing list archives

Re: pcap anonymizer


From: Aaron Turner <synfinatic () gmail com>
Date: Sat, 30 Apr 2011 09:10:03 -0700

On Fri, Apr 29, 2011 at 12:20 AM, Andrej van der Zee
<andrejvanderzee () gmail com> wrote:
> With tcprewrite you can change IPs too. Not sure if it updates checksums though...
> Andrej

Yes, tcprewrite updates the relevant checksums for all edits.  It will
also edit MAC addresses in case you care that someone can figure out
what vendor's hardware you're using.

One thing people need to think about when writing these kinds of tools
is how many protocols expose host identities.  HTTP, SMTP, FTP, almost
every Microsoft protocol, etc.  Some are *usually* just host names
(HTTP Host Header for example), while others (like FTP) put the IP
address in.  There are also easy ways to figure out what OS and
Applications you're running.

Honestly, I'm not aware of any tool which covers every possibility so
if you really care about this sorta thing, plan on opening up the pcap
in Wireshark and manually going through it looking for IP addresses.
You might try grepping through the PDML as well and check for any
misses.  Obviously though, even Wireshark doesn't decode every
protocol fully so even that isn't 100% but at least it'll get you most
of the way there.

-- 
Aaron Turner
http://synfin.net/         Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
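The "grep through the PDML" check suggested above, as an added example that is not part of the original post or of the tcpreplay project. It parses a Wireshark PDML export (the shape of `tshark -T pdml` output) and reports where a list of identifiers you expected an address rewriter to scrub still appears in decoded field text. It also covers the FTP case the post calls out: a PORT/PASV argument carries the address as six comma-separated numbers, so a dotted-quad grep misses it unless the value is decoded first. The PDML document, the addresses and the hostnames below are constructed for the example; the field names (ip.src, http.host, ftp.request.arg, ...) are Wireshark's own display-filter names.

```python
"""Scan a Wireshark PDML export for host identifiers that survived pcap
anonymization.  Added example, not code from the mailing-list post or from
tcpreplay.  SAMPLE_PDML is constructed by hand in the shape of
`tshark -T pdml` output; the addresses and hostnames in it are made up."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the IP headers were rewritten to documentation ranges
# (as tcprewrite would do), but application-layer fields still carry the
# original internal hostname and addresses.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0" creator="constructed-sample">
  <packet>
    <proto name="ip">
      <field name="ip.src" showname="Source: 198.51.100.7" show="198.51.100.7"/>
      <field name="ip.dst" showname="Destination: 203.0.113.9" show="203.0.113.9"/>
    </proto>
    <proto name="http">
      <field name="http.host" showname="Host: intranet.corp.example" show="intranet.corp.example"/>
      <field name="http.request.uri" show="/status?from=10.0.0.7"/>
    </proto>
  </packet>
  <packet>
    <proto name="ip">
      <field name="ip.src" show="198.51.100.7"/>
      <field name="ip.dst" show="203.0.113.9"/>
    </proto>
    <proto name="ftp">
      <field name="ftp.request.command" show="PORT"/>
      <field name="ftp.request.arg" show="10,1,2,3,4,1"/>
    </proto>
  </packet>
</pdml>
"""

# Constructed list of identifiers the capture owner wanted removed.
SENSITIVE_IDENTIFIERS = frozenset({"10.0.0.7", "10.1.2.3", "intranet.corp.example"})

# A dotted quad that is not part of a longer number or IP-like token.
DOTTED_QUAD = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# FTP PORT/PASV encode host and port as h1,h2,h3,h4,p1,p2 (RFC 959).
FTP_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")


def iter_fields(pdml_text):
    """Yield (packet_number, field_name, text) for every decoded field
    attribute in the PDML; both `show` and `showname` are checked because
    some dissectors only fill one of them."""
    root = ET.fromstring(pdml_text)
    for pkt_no, packet in enumerate(root.iter("packet"), start=1):
        for field in packet.iter("field"):
            name = field.get("name", "")
            for attr in ("show", "showname"):
                text = field.get(attr)
                if text:
                    yield pkt_no, name, text


def find_ipv4_literals(pdml_text):
    """Return sorted, de-duplicated (packet, field, ip) tuples for every IPv4
    address in decoded field text, including FTP's comma-separated form."""
    found = set()
    for pkt_no, name, text in iter_fields(pdml_text):
        for m in DOTTED_QUAD.finditer(text):
            found.add((pkt_no, name, m.group(0)))
        for m in FTP_HOSTPORT.finditer(text):
            found.add((pkt_no, name, ".".join(m.group(1, 2, 3, 4))))
    return sorted(found)


def find_leaks(pdml_text, sensitive):
    """Return sorted (packet, field, identifier) tuples for each sensitive
    string that is still present anywhere in the decoded capture.  Header
    fields are not skipped: if the rewriter missed them, that is a leak too."""
    wanted = {s.lower() for s in sensitive}
    leaks = set()
    for pkt_no, name, text in iter_fields(pdml_text):
        lowered = text.lower()
        for ident in wanted:
            if ident in lowered:
                leaks.add((pkt_no, name, ident))
    # Second pass catches addresses that only appear in an encoded form.
    for pkt_no, name, ip in find_ipv4_literals(pdml_text):
        if ip in wanted:
            leaks.add((pkt_no, name, ip))
    return sorted(leaks)


if __name__ == "__main__":
    for pkt_no, name, ident in find_leaks(SAMPLE_PDML, SENSITIVE_IDENTIFIERS):
        print(f"packet {pkt_no}: {name} still contains {ident}")
```

To run it against a real capture, replace SAMPLE_PDML with the output of `tshark -r anonymized.pcap -T pdml` and SENSITIVE_IDENTIFIERS with the internal names and addresses from the original capture. The check is only as good as Wireshark's dissectors: a protocol that is not decoded shows up as raw bytes, which is exactly the residual gap the post describes.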