This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture File Anonymization

0

Are there any good capture anonymization tools you would recommend?

asked 27 Nov '12, 23:39

bart80

converted 27 Nov '12, 23:45

SYN-bit ♦♦

I converted your "comment" to a new "question" as more people might be interested and this way the answers can be found more easily.

(27 Nov '12, 23:46) SYN-bit ♦♦

One Answer:

3

I did a talk about that topic at Sharkfest 2011, for which you can find the presentations here (A-11): http://sharkfest.wireshark.org/sharkfest.11/index.html

Since all the tools I examined do not work with pcapng files, and are mostly for packet replay preparation, I started creating a new tool that will hopefully be ready to present at Sharkfest 2013 :-)

answered 28 Nov '12, 02:49

Jasper ♦♦

Is it just the fact that they cannot read pcapng, or do you plan to use pcapng to store information about the anonymization process (what has been changed)?

BTW: Is that anontracer VM available for download?

(28 Nov '12, 04:21) Kurt Knochner ♦

At the time of the preparation of the talk they could not read pcapng; I haven't checked if they added support for it in the meantime tbh.

The plan is that my tool will be able to anonymize every aspect of the pcapng file, including name resolution header blocks etc. There will still be the almost impossible task of anonymizing layers beyond layer 4, but I'll see what I can do.

I can provide a download link for the VM, yes. It can be found here: http://www.bongertz.com/download/anontracer.zip

(28 Nov '12, 04:51) Jasper ♦♦

Thank you!

(28 Nov '12, 04:55) Kurt Knochner ♦

Tools that use libpcap can read some pcap-ng files if they're using libpcap 1.1.0 or later; they can't read files that have more than one link-layer header type or snapshot length (multiple interfaces are OK as long as they all have the same link-layer header type and snapshot length).

However, you can't write pcap-ng files with current versions of standard libpcap, so that probably won't help for anonymizing tools.

(28 Nov '12, 14:54) Guy Harris ♦♦

Regarding pcap-ng... I'm not using libpcap or any other existing library out there, it is all written from scratch and mostly working already. So much to code... so little time :-)

(28 Nov '12, 16:14) Jasper ♦♦
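
Added example, not code from any participant in this thread or from the tool mentioned above: a minimal pcapng block walker that counts Name Resolution Blocks and checks whether all interfaces share one link-layer header type and snapshot length, the condition described in the comments. The function names, the `uniform_interfaces` key and the sample capture are constructed for illustration; the code does not call libpcap.

```python
import struct

SHB, IDB, NRB = 0x0A0D0D0A, 0x00000001, 0x00000004  # pcapng block type codes
MAGIC = 0x1A2B3C4D  # byte-order magic stored in the Section Header Block

def survey_pcapng(data):
    """Walk every block; collect (linktype, snaplen) per interface and count NRBs."""
    interfaces, nrb_count, offset, endian = [], 0, 0, "<"
    while offset + 12 <= len(data):
        block_type = struct.unpack_from("<I", data, offset)[0]
        if block_type == SHB:  # this type value reads the same in both byte orders
            magic = struct.unpack_from("<I", data, offset + 8)[0]
            if magic not in (MAGIC, 0x4D3C2B1A):
                raise ValueError("bad byte-order magic at offset %d" % offset)
            endian = "<" if magic == MAGIC else ">"
        elif offset == 0:
            raise ValueError("not a pcapng file: first block is not a section header")
        else:
            block_type = struct.unpack_from(endian + "I", data, offset)[0]
        total_len = struct.unpack_from(endian + "I", data, offset + 4)[0]
        if total_len < 12 or total_len % 4 or offset + total_len > len(data):
            raise ValueError("malformed block length at offset %d" % offset)
        if block_type == IDB:
            if total_len < 20:
                raise ValueError("truncated interface block at offset %d" % offset)
            linktype, _, snaplen = struct.unpack_from(endian + "HHI", data, offset + 8)
            interfaces.append((linktype, snaplen))
        elif block_type == NRB:
            nrb_count += 1  # address-to-hostname records an anonymizer has to handle
        offset += total_len
    return {"interfaces": interfaces,
            "uniform_interfaces": len(set(interfaces)) == 1,
            "name_resolution_blocks": nrb_count}

def make_block(block_type, body):
    """Constructed-sample helper: wrap a 4-byte-aligned body as a little-endian block."""
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

# Constructed sample: one section, two interfaces with different link types, one NRB
# carrying a single IPv4 record (192.0.2.10 -> "fileserver") plus the end record.
NRB_BODY = (struct.pack("<HH", 1, 15) + bytes([192, 0, 2, 10]) + b"fileserver\x00"
            + b"\x00" + struct.pack("<HH", 0, 0))
SAMPLE = (make_block(SHB, struct.pack("<IHHq", MAGIC, 1, 0, -1))
          + make_block(IDB, struct.pack("<HHI", 1, 0, 65535))    # LINKTYPE_ETHERNET
          + make_block(IDB, struct.pack("<HHI", 113, 0, 65535))  # LINKTYPE_LINUX_SLL
          + make_block(NRB, NRB_BODY))

if __name__ == "__main__":
    print(survey_pcapng(SAMPLE))
```

On the constructed sample the survey reports two interfaces with different link types and one Name Resolution Block, so the file falls outside the single-link-type case and carries hostnames that packet-only rewriting would leave intact.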