Wireshark mailing list archives
Re: Tools to anonymize pcaps with cellular/3gpp traffic
From: Jasper Bongertz <jasper () packet-foo com>
Date: Thu, 8 Jun 2017 15:16:43 +0200
Hi,

I learned that there is a tool that is supposed to be supporting lots and lots of protocols (including Cellular stuff apparently), called "SafePCAP". It's not free though, and I haven't tried it, so I have no idea what it can or cannot do correctly.

https://omnipacket.com/safepcap.html

Cheers,
Jasper

Thursday, June 8, 2017, 3:09:25 PM, you wrote:
Hi Ivan,

I went through a similar topic some time ago. The answer is: generally speaking, no. The tools you mentioned target specific protocols, which are a few (ip/tcp/udp etc.), but they cover the majority of traffic. To go to upper layers you should know the semantics of the protocols you want to anonymize. Moreover, not all fields are straightforward to change. A 4-byte integer can be; a string, whatever its format is, is not straightforward (you could go to a change in packet len, then lengths have to be changed, etc.). And that's not all: the fields you're changing could require changes in other fields. A stupid example: a protocol with an IP + a flag that indicates whether the IP is from net 10. would require changing both. If you want to target a specific protocol, you should write software that knows that protocol and that does the dirty work for you. Tracewrangler is the most advanced I know, but falls in the aforementioned category.

Bye.
Dario.
On Wed, Jun 7, 2017 at 8:54 PM, Ivan Nardi <nardi.ivan () gmail com> wrote:
Hi
There are a few publicly available tools that anonymize pcap files, but they usually target L2-L4 layers and "standard" protocols (i.e. dns, icmp,...).
Is there any tool which sanitizes information carried on "3gpp" protocols (ranap, bssap, gsm_a dtap, gsm_map, sgsap...) or, at least, on some of them?
I am not looking for something particularly advanced: zeroing mcc and mnc (both in imsi and in cell/location information) should be enough, even without checksum updating.
The goal is to easily share some pcaps without changing them with a hex editor by hand.
I know that I am asking for a very specific tool, but it's worth giving it a try...
Thanks in advance
Ivan
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
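Added example, not part of any post in this thread: the case Ivan describes (zeroing MCC and MNC in an IMSI) is a fixed-length overwrite, the easy kind of field in Dario's terms, when the IMSI is a plain TBCD string (two digits per octet, low nibble first, 0xF filler). The function names, the constructed sample bytes, and the premise that the caller already knows the field offset and the MNC length (2 or 3 digits, not derivable from the IMSI itself) are assumptions.

```python
FILLER = 0xF  # TBCD filler nibble, present when the digit count is odd


def tbcd_decode(buf: bytes) -> str:
    """Decode a TBCD string: in each octet the low nibble is the earlier digit."""
    nibbles = [n for octet in buf for n in (octet & 0x0F, octet >> 4)]
    if nibbles and nibbles[-1] == FILLER:
        nibbles.pop()
    if any(n > 9 for n in nibbles):
        raise ValueError("not a decimal TBCD string")
    return "".join(str(n) for n in nibbles)


def zero_plmn(imsi: bytes, mnc_len: int = 2) -> bytes:
    """Return a same-length copy with MCC (3 digits) and MNC digits set to 0."""
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    count = 3 + mnc_len
    if len(tbcd_decode(imsi)) < count:  # also rejects malformed input
        raise ValueError("IMSI shorter than MCC + MNC")
    out = bytearray(imsi)
    for i in range(count):
        # even digit index -> low nibble, odd digit index -> high nibble
        out[i // 2] &= 0xF0 if i % 2 == 0 else 0x0F
    return bytes(out)


def patch_field(packet: bytes, offset: int, length: int, mnc_len: int = 2) -> bytes:
    """Overwrite the IMSI at packet[offset:offset+length]; total size is unchanged."""
    field = packet[offset:offset + length]
    if len(field) != length:
        raise ValueError("field runs past end of packet")
    return packet[:offset] + zero_plmn(field, mnc_len) + packet[offset + length:]


# Constructed sample: IMSI 999701234567890 (MCC 999, MNC 70), TBCD-encoded,
# embedded at a hypothetical offset 2 inside a made-up 11-byte payload.
SAMPLE_IMSI = bytes.fromhex("99791032547698f0")
SAMPLE_PACKET = b"\xaa\xbb" + SAMPLE_IMSI + b"\xcc"

if __name__ == "__main__":
    patched = patch_field(SAMPLE_PACKET, offset=2, length=8)
    print(tbcd_decode(SAMPLE_IMSI), "->", tbcd_decode(patched[2:10]))
```

Because only nibbles are overwritten, no length field needs adjusting; encodings that pack a type or parity field into the first octet, and the MCC/MNC copies in cell or location information, need their own offsets and handling.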