Re: Need to be able to scrub sensitive data out of trace files

[M K <gedropi () gmail com>]

What I have done in the past is File>Save As as csv file.  Then bring
up Excel and import the csv into a spreadsheet.  Once within a
spreadsheet you can choose whatever columns you wish to delete/hide.
On 6/18/10, Jeff Golden <jgolden () novell com> wrote:
> Hi all,
>
> I've got a situation where I'm being required to pull traces and send them
> to our backline support and to development. Straight-forward enough, yes.
> The situation that gives rise to the complication is that they are running a
> "black" (i.e. 100% isolated) network for security reasons, and obviously the
> traces cannot be taken offsite. The only way they've allowed remnants of the
> traces to be removed is if I export the trace file to text (including the
> binary data) so as to allow the client to "scrub" what they deem to be
> sensitive data out of each packet (IP addresses, server name, eDirectory
> naming conventions, etc). This occurs not only in the header packet, but in
> the data as well. Problem is (as you can imagine) trying to track through
> 200 or more packets in text format is quite tedious, especially when it does
> not allow one to apply any sort of filters.
>
> I'm trying to find a tool / utility / methodology / etc that would either
> take the raw pcap file, allow the relative data to be "scrubbed" and saved
> back into a format usable by wireshark for analysis, or a tool that will
> take the text-exported files, and bring them back into a pcap format without
> loss of data.
>
> I have explored the functionality of text2pcap; unfortunately, I lose ~ 50%
> of the packets. A quick test i just ran was to take a fresh 25000 packet
> trace (~ 5 MB in size) on my workstation, export it to text, and immediately
> run the text2pcap against it without making any modifications in the text
> file. It only imports 14000 of the packets, most of which read as
> "malformed" (the resulting file is only 504k).
>
> I've investigated netdude and scrub-tcpdump as possible tools to accomplish
> this task, but unfortunately, netdude comes back with a "This file does not
> seem to be a tcpdump tracefile" error; scrub-tcpdump comes back with a
> "pcap_open_live failed: unknown file format" error
>
> I haven't been able to locate any other tool that might perform either of
> these types of tasks. Hence this email to this list.
>
> Any thoughts or tool recommendation you might have would be most
> appreciated.
>
> Thanks
>
> Jeff
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe