This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hiding/Replacing Packet Payload Data

0

We will be performing analysis on a network in an environment governed by strict security laws and client policies. The user data cannot be removed from the facility.

We would like to be able to take our captures back to the office and review them there, rather than analyzing under the watchful gaze of our client. We can obfuscate the address info, but do not know a way to selectively remove (or replace) the packet payloads based on the highest level protocol in the packet, and still leave the protocol info, packet sizes, and other info needed to perform our analysis.

This capability is also needed to construct our report without exposing secured information.

Does anyone know of any Wireshark settings or good tools for that purpose? Alternative suggestions?

asked 09 Oct '12, 04:45

bmcmanus
accept rate: 0%
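The kind of selective scrubbing the question describes (blank the application payload, keep every header, timestamp and length intact so flow and timing analysis still work) can be done on a legacy pcap file with nothing but the standard library. The script below is an added example written for this archive; it is not from the thread or from any of the tools mentioned in the answers. It assumes a little- or big-endian legacy pcap with the Ethernet link type and IPv4 over TCP or UDP, skips stacked 802.1Q/802.1ad tags, and leaves every other frame untouched. The two-packet capture it builds is constructed sample data. It does not handle pcapng and does not touch addresses.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # value read little-endian from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # value read little-endian from a big-endian file
LINKTYPE_ETHERNET = 1

# Constructed sample payloads (not from a real capture).
SAMPLE_HTTP = b'GET /secret HTTP/1.1\r\nHost: example\r\n\r\n'
SAMPLE_DNS = b'\x12\x34' + bytes(10) + b'\x06secret\x00'


def _iter_records(data):
    """Yield (16-byte record header, frame bytes) for each packet in a legacy pcap."""
    magic = struct.unpack_from('<I', data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        e = '<'
    elif magic == PCAP_MAGIC_BE:
        e = '>'
    else:
        raise ValueError('not a legacy pcap file (pcapng is not handled here)')
    if struct.unpack_from(e + 'I', data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError('only the Ethernet link type is handled')
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(e + 'IIII', data, pos)[2]
        yield data[pos:pos + 16], data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len


def _l4_payload_offset(frame):
    """Return (offset, length) of the TCP/UDP payload inside an Ethernet frame,
    or None when the frame is not IPv4 over TCP/UDP. Stacked VLAN tags are skipped."""
    if len(frame) < 14:
        return None
    off = 12
    ethertype = struct.unpack_from('!H', frame, off)[0]
    off += 2
    while ethertype in (0x8100, 0x88A8):          # 802.1Q / 802.1ad
        if len(frame) < off + 4:
            return None
        ethertype = struct.unpack_from('!H', frame, off + 2)[0]
        off += 4
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    vhl = frame[off]
    ihl = (vhl & 0x0F) * 4
    if vhl >> 4 != 4 or ihl < 20:
        return None
    total_len = struct.unpack_from('!H', frame, off + 2)[0]
    proto = frame[off + 9]
    ip_end = min(off + total_len, len(frame))     # ignore Ethernet padding / snaplen cut
    l4 = off + ihl
    if proto == 6:                                # TCP: honour the data offset
        if ip_end < l4 + 20:
            return None
        start = l4 + (frame[l4 + 12] >> 4) * 4
    elif proto == 17:                             # UDP: fixed 8-byte header
        start = l4 + 8
    else:
        return None
    return (start, ip_end - start) if start <= ip_end else None


def scrub_pcap(data, fill=0x00):
    """Return a copy of the capture with every TCP/UDP payload overwritten by `fill`.
    Global header, record headers, frame lengths and all L2-L4 headers are preserved."""
    out = bytearray(data[:24])
    for rec_hdr, frame in _iter_records(data):
        frame = bytearray(frame)
        loc = _l4_payload_offset(frame)
        if loc:
            start, length = loc
            frame[start:start + length] = bytes([fill]) * length
        out += rec_hdr + frame
    return bytes(out)


def payloads(data):
    """List the TCP/UDP payload of each packet (None for packets without one)."""
    result = []
    for _, frame in _iter_records(data):
        loc = _l4_payload_offset(frame)
        result.append(bytes(frame[loc[0]:loc[0] + loc[1]]) if loc else None)
    return result


def build_sample_pcap():
    """Constructed two-packet capture: an untagged TCP segment carrying an HTTP
    request and an 802.1Q-tagged UDP datagram carrying a DNS-like payload."""
    def ipv4(proto, payload):
        hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 1, 0, 64,
                          proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        return hdr + payload
    tcp = struct.pack('!HHIIBBHHH', 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + SAMPLE_HTTP
    udp = struct.pack('!HHHH', 40000, 53, 8 + len(SAMPLE_DNS), 0) + SAMPLE_DNS
    eth = bytes(12)                                # zeroed MAC addresses
    frame1 = eth + b'\x08\x00' + ipv4(6, tcp)
    frame2 = eth + b'\x81\x00\x00\x0a\x08\x00' + ipv4(17, udp)   # VLAN 10 tag
    out = struct.pack('<IHHiIII', PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate((frame1, frame2)):
        out += struct.pack('<IIII', 1349769600 + i, 0, len(f), len(f)) + f
    return out


if __name__ == '__main__':
    cap = build_sample_pcap()
    with open('scrubbed.pcap', 'wb') as fh:
        fh.write(scrub_pcap(cap))
```

Because the payload bytes change while the TCP/UDP checksum field is left as it was, the scrubbed file will show checksum mismatches if checksum validation is enabled in Wireshark; either leave validation off (the default) or recompute the checksum before writing. Protocols that put secrets in headers rather than payload (the names, addresses and session identifiers the second answer lists) are not covered by this pass and need a separate step.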


2 Answers:

1

Basically you're in need of trace file anonymization techniques. You might want to take a look at a presentation I did at Sharkfest 2011 about that topic, which you can find on the retrospective page here: http://sharkfest.wireshark.org/sharkfest.11/index.html

I have to admit that none of the tools I mention in the presentation are to my full liking, mostly because they're targeted at modifying replay data for packet generators (tcprewrite/bittwiste) or very automatic anonymization without much chance of adjusting specific packets (pktanon). Also, none of them work with pcapng files (last time I checked), which is another problem.

Right now I am working on a tool that (hopefully) will make things easier (and process pcapng), but there is still a long way to go before it is of any use.

answered 09 Oct '12, 05:56

Jasper ♦♦
accept rate: 18%

Thanks for the excellent overview of what's out there. I don't see anything that's much better than our old WildPackets PacketScrubber. PktAnon looks quite flexible, and would likely be the tool if it could handle and obfuscate dot1q/ad. MPLS is a growing concern, too.

Look forward to seeing your new tool for pcapng!

(09 Oct '12, 06:31) bmcmanus

0

Alternative suggestions?

Unfortunately, the best alternative is to do the analysis on site in such an environment. You can ask the client not to "disturb" the analysis, as you might overlook some important things if your concentration is distracted by questions and "suggestions" from the customer.

If you anonymize/scrub/remove the payload data, there are only limited analysis "tests" you can do with that data, often limited to network performance issues (basically!), based on packet flow and timing. If you need to analyze any higher-level problem, how would you do that without the real data?

Any intelligent packet scrubber would have to modify the data in a consistent way for a big bunch of protocols and I doubt that there is any single tool out there that can do this. Imagine just the effort to modify CIFS/SMB in a consistent way (change names of users, shares, credentials, content of files, etc.) or SSL (replace cert, fake private keys, etc.) or even HTTP with all the SESSION IDs, internal URLs, and the content ;-))

May I ask what kind of problem you are after?

Regards
Kurt

answered 09 Oct '12, 08:17

Kurt Knochner ♦
accept rate: 15%

In this case, we have been asked to investigate the perennial "slow network". Based on what we've been told, sight unseen, we suspect that the problem may be layer 1/2 (bad GBICs and/or STP issues), with perhaps a bit of TCP/SMB (multiple AD versions are present) to sweeten the pot. Oh, joy.

Of course, we would have to have the full packet contents for the expected AD issues, but any L1/L2 issues will need to be cleared up first. In our experience, once the problems through L3 are resolved, most systems typically run well.

(11 Oct '12, 04:51) bmcmanus