
Hello,

Thank you all first for this good job.

I want to make Wireshark show and save a false IP address in place of a real one. In other words, assume that Wireshark is sniffing traffic between my PC (IP1) and a server (IP2).

So is there a way, in a low-level file for example (WinPcap? because I'm on Windows, bad things...), where we can add something like this:

  • capture source IP, let it = SourceIP

  • capture dest IP, let it = DestIP

  • Let RealIP=192.168.0.10

  • Let FalseIP=192.168.10.10

  • If (SourceIP=RealIP) then let SourceIP=FalseIP

  • If (DestIP=RealIP) then let DestIP=FalseIP

This way, all the IPs shown in the GUI, all the stored files, and all the filters will work on the new IP (the FalseIP) each time the RealIP is detected.

The problem is to know where to make these changes.

If someone can help me by sending me the file (or files) to change, it would be very helpful.

Merry Christmas to everybody.

Thank you.

Mustapha.

asked 07 Dec '13, 16:01

Mustapha

edited 08 Dec '13, 05:08

grahamb ♦

Hello Jasper and Kurt,

I'm very happy to know that someone has already met this need. I saw Jasper's presentation (SHARKFEST '11 | Stanford University | June 13–16, 2011) and he said exactly what I'm looking for:

--------------Start of page 6-----------------

• On-the-fly anonymization

– Anonymize tracefiles while they're captured

– Modification is done between capturing the packets and writing them to disk

• Challenges

– Anonymization process must be fast enough to avoid drops

– Original data can't be examined as it is never written to disk

----------------End of page 6---------------

But some issues are still pending:

1- To use PktAnon piping, Wireshark should be run like this:

Wireshark -i eth0 -s 0 -w - | pktanon ./settings.xml Right??

In this case, a false executable file (on Windows) having the same icon as Wireshark should run the command Wireshark -i eth0 -s 0 -w - | pktanon ./settings.xml.

The question here is: will all the Wireshark GUI features respect the PktAnon anonymization on the fly, in real time?

2- Making changes to dumpcap.c is maybe the better solution if it covers all the features the Wireshark GUI proposes. But the question here too is: where and how can I add the static mapping? For information, here are the code lines (approximately) to add:

capture source IP, let it = SourceIP
capture dest IP, let it = DestIP
Let IPToHide=192.168.0.10
Let FalseIP=192.168.10.10
If (SourceIP=IPToHide) then let SourceIP=FalseIP
If (DestIP=IPToHide) then let DestIP=FalseIP

This way, all the IPs shown in the GUI, all the files stored on the hard disk, and all the filters will work on the new IP (the FalseIP) each time the IPToHide is detected.

Could someone post a modified dumpcap.c with the right code to do this static change?

Thank you in advance.

Regards

Mustapha

(16 Dec '13, 04:52) Mustapha

I think somebody hasn't understood my request yet. So I made this picture and hope I will be more explicit and clearer :)

So here is the need:

[picture]

(16 Dec '13, 05:28) Mustapha

Sounds like you just need a tool to change IP addresses in a capture file. If so, please check tracewrangler, a tool by @Jasper.

http://www.tracewrangler.com

IP address changes can be done with an anonymization task (see the docs).

Regards
Kurt


answered 07 Dec '13, 16:58

Kurt Knochner ♦

Hello Kurt,

Thank you for your quick and prompt reply. It's not exactly what I'm looking for. I know such tools, like bittwist and bittwiste (http://bittwist.sourceforge.net/news.html). Those tools can change sensitive information in log files.

But what I'm looking for is to change the information on the fly: I mean, just after the capture, Wireshark changes it before writing it to the HD or showing it on screen. I think it could be possible with one of these solutions:

1- a modified Wireshark source code (or a modified part/file of it) that I can compile to generate a new Wireshark executable I can install, run, and never see sensitive information (neither on screen nor in files). The change should be done on the fly in real time.

2- a patch I can apply to the installed Wireshark to force it to change sensitive information on the fly as well (before showing the live capture or writing it to the HD).

Any idea? Or a ready patch or source code?

:)

Mustapha

(07 Dec '13, 18:18) Mustapha

What is the purpose of such a modification? If the static mapping between 'false' and real IP is known, everybody can reverse that information and get the real IP back!?! Sounds a bit like 'security by obscurity'... ;-)

(07 Dec '13, 23:33) Kurt Knochner ♦

The final users of such a modified or patched Wireshark should not know the static mapping. The goal here is to let somebody "catch" traffic and give it to an engineer, without seeing the reality of the network. Only the engineer is aware of the mapping. I hope that my explanation was clear. But don't hesitate to ask me more questions if it's not clear yet. Thank you. Regards.

(10 Dec '13, 16:10) Mustapha

O.K. let me ask the other way round: What are you afraid of? That the 'sniffing user' sees the real IP addresses in the network he attaches a capture device? Well, if that is your concern, then you have a bigger problem than you might think ;-))

I think we need to know more about your 'workflow' regarding the capture and analysis phase and why you want to hide the IP addresses from the person that does the capturing part. Maybe someone can then suggest a solution that actually works :-)

(11 Dec '13, 05:43) Kurt Knochner ♦

I think I already explained the context where this will be used. So the goal now is to find where in the source code we must make the required changes, or what patch to apply. Any ideas? Regards.

(11 Dec '13, 16:33) Mustapha

well....

I think you don't understand what I'm trying to say. So, let me rephrase it.

You want to hide the real IP addresses from users who are allowed to capture network traffic, by using Security through obscurity - in your case, by changing the IP addresses in the capture file to prevent those users from seeing the real ones.

That's not going to work very well, because you will only stop stupid users with that kind of tactics. Reasons are:

  • If you have a static mapping between the IP addresses, this mapping will be in the code and thus also in the binary. Everybody (with a little bit of intelligence and know-how) would be able to figure that out, if there is enough 'energy/interest' to do it.
  • Everybody would be able to download an unmodified version of Wireshark and use that instead of your IP mapping version. You can't stop users from doing that, as there is a portable version of Wireshark, which does not need to be installed.
  • Everybody would be able to boot the capture PC with a Linux CD and do the capturing there with either tcpdump or Wireshark.

So, as you can see, it's utterly simple to undermine your IP hiding strategy. That's why I asked for the workflow and what you are really trying to do. Changing the Wireshark source code, to hide IP addresses from those who are allowed to take a network capture, simply does not make any sense, as it's too easy to undermine.

I can imagine a solution that might work. But then I need more information about your 'workflow' and your goals (why do you want to hide the IP addresses).

(11 Dec '13, 22:52) Kurt Knochner ♦

No solution or idea?

(13 Dec '13, 16:11) Mustapha

I think Kurt made all the points I'd make on this one. The functionality that you are looking for doesn't exist right now, and while in concept I can see how it might exist I'm not sure where in the source you'd need to look at making modifications.

Rather than ask how to accomplish this though, can you confirm your reason for wanting this functionality? There might be a better solution for you. Wireshark's development efforts are usually (I hope) based on need, but I honestly don't understand how this kind of mechanism can give any value, other than the illusion of IP addressing confidentiality. Even if it existed I honestly don't think Wireshark should support it, if for no other reason than that it could give a false sense of security.

(13 Dec '13, 22:09) Quadratic

Concerning security, we all know that actually we hide just the keys and publicly show the algorithm used (RSA, AES, etc.). This shows and proves the robustness of this kind of security. But tell me why you would show the algorithm you are using if you can hide it too? You/we are free, in private use, to show or hide the name or kind of algorithm you are using.

So it's the same for the need to hide some IP addresses from the user supervising the computer doing the capture. FYI, the user can't install anything on this PC and doesn't have any privileges on it. I still think that some simple code (like the lines I described in my first post) added to the right file of the Wireshark source code will do this perfectly. I just need to know which file it is...

I agree with you that this static mapping (and why not dynamic??) will not interest thousands of users. But it will be very helpful for those who will one day need it.

Thank you for your interest, and I hope you'll tell me which file I should modify.

Regards.

(13 Dec '13, 23:58) Mustapha

"hope you'll tell me which file should I modify."

dumpcap.c

However, there is no protocol intelligence in dumpcap.c and therefore you'll have to write the code yourself to find and replace the IP addresses in the data stream. Maybe you can use the code of bittwiste and/or pktanon.

Anyway, I still believe this does not make sense at all, because your users will be able to undermine any change to dumpcap.

"FYI, the user can't install any think on this pc, and doesn't have any privilege on it."

They don't need to install Wireshark at all. As I said, there is a portable version. Just unzip it to a temp directory and you're done. How do you stop your users from doing that? How do you stop your users from booting the PC with a Linux CD or from a USB drive? You can't, and thus your changes to Wireshark/dumpcap sound like a waste of time to me ;-))

Anyway, it's your environment and if you believe that's a clever solution go ahead and change dumpcap.

(15 Dec '13, 11:07) Kurt Knochner ♦

Thank you Kurt for your reply and idea. The PC used for the capture has no USB port (or it can be deactivated in the BIOS with a secure password), SO the user CAN NOT install or UNINSTALL or PLAY any other things than what it should play/run.

(15 Dec '13, 13:01) Mustapha

"I think, some body didn't understand yet my request. SO i did this picture and hope I will be more explicit and more clear :)"

well, I believe I understood your basic requirement, but I was not convinced (nor am I now), that changing the code of Wireshark will be a clever solution. Nevertheless, as I said: If you still want to do it, you'll have to change dumpcap.c. See my comment regarding this.

As I also said: I might have a better solution, but then I still need more information about your workflow. Maybe you don't understand what I mean by this, so let me ask a few simple questions:

  • Will the capture PC be used for regular traffic (according to your picture, I guess the answer is yes)?
  • Would it be an option to capture traffic off-box, meaning on a dedicated system that gets the traffic from a mirror/monitor port of the switch?
  • Why do you want to hide the real IP addresses from those people that are starting Wireshark? Wouldn't they know the real IP addresses anyway, or get them pretty easily (netstat -na)???
  • Do those people need GUI access to the capturing system, i.e. log in via RDP for other tasks, besides taking a capture file?

Do you think you can answer these questions?

(16 Dec '13, 06:20) Kurt Knochner ♦

Thank you Kurt, yes I can answer.

"as I said: If you still want to do it, you'll have to change dumpcap.c. See my comment regarding this."

I noted it, but it's too hard for me to add this code to dumpcap.c. I'm no longer strong in C/C++ development...

My reply to the questions is:

1- Yes, the computer will be used for regular traffic (HTTP only).

2- No, the user should see all details of what his PC is capturing. All details except one IP (maybe some IPs) in the network. I have no interest in the user accessing any port mirror/monitor, so it's prohibited. And also, he must view the traffic on HIS PC in real time to check other things (other users, protocols, etc.).

3- All tools like netstat, ping, tracert, etc. are suppressed. Don't worry about this.

4- Yes, they need the GUI because it's easy for them.

I put the same question in the libpcap forum. Maybe by modifying this library it's easier?

Do you think you can post a new modified dumpcap.c? Is it too hard to make?

Regards.

Mustapha

(16 Dec '13, 09:13) Mustapha

"I noted it, But it's too hard for me to add this code in dumpcap.c. I'm no more strong in C/C++ developpement..."

well.. but how are you going to implement the changes we have been talking about for quite some time now !?!? You specifically asked for some information on which code to change !?!

"All details but not one IP (may be some IPs) in the network."

What kind of users are these? One-legged and one-eyed? They shall see the network traffic, but not the IP addresses? Sorry, I really don't get it and you're still not offering a plausible explanation.

"I put the same question in Libpcap forum. May be by modifying this library it's more easiest?"

erm... no, I don't think so...

"Do you think you can post a new dumpcap.c modified? Is it too hard to make?"

erm.... no. As I said: I'm not convinced that it is a good idea anyway. It's not too hard to do. It just takes time. But why invest time into something that does not make sense (for me, and some others here). I'm sorry, but I don't think I can help you with that.

However, I will tell you my idea, to help end a discussion that leads nowhere.

I would do it the following way, and yes I know it's not what you want (based on your answers to my question), but maybe you rethink your endeavor, after you've read my suggestion.

  • Build a special purpose capturing PC based on Linux (or perhaps Windows if you like that more)
  • let the switch mirror/monitor the traffic of your web server port (or whatever it might be)
  • Write a Web interface to access the system
  • restrict any other access to the system (ssh, telnet, RDP, console login, etc.)
  • Through the Web interfaces allow: start capture, stop capture, download capture. Nothing more!
  • Do the capturing with an unmodified version of tcpdump and/or dumpcap.
  • Save the capture file to disk
  • Anonymize the file with whatever tool is best for you (pktanon, bittwiste, etc.)
  • Don't use a static mapping! Instead, choose random values for every file and record the mapping into a database on the same system.
  • Download the modified capture file and provide it to whomever it may interest.
  • Allow access to the database with the random mapping to a group of advanced users, if they ever need to reverse the mapping, or give them direct access to the original (unmodified) files.

That's what I meant by a workflow. Unfortunately you did not answer that question, although I asked several times.

As I said, that's (most certainly) not what you want to hear. But as you still did not give any reason (I understand) for your IP changing plans, that's the best I can offer to you. And, you don't have to change anything in Wireshark. However, you'll have to create the web interface with the functionality I described. Maybe that's easier for you, if you are a web designer or 'web programmer'.

Good luck.

(16 Dec '13, 11:19) Kurt Knochner ♦

BTW: If you think there is a strong need for that code change (and you already know hundreds of other people that need exactly the same feature), you are free to file an enhancement request at https://bugs.wireshark.org

If you're lucky, someone likes the idea as well, picks it up and implements the feature for you.

(16 Dec '13, 11:45) Kurt Knochner ♦

Yes, it's a strong need. Thank you for the help and suggestions you proposed, Kurt.

Regards.

(16 Dec '13, 12:23) Mustapha

You could take a look at pktanon. It uses XML files to set the replacement directives, and it is possible to pipe captured traffic from tcpdump through pktanon to disk. I've tried that for my 2011 Sharkfest talk. One of the last slides shows an example of how to do this.


answered 14 Dec '13, 11:21

Jasper ♦♦

Thank you Jasper. I will see and test it tonight or tomorrow and be back to you. Regards. Mustapha.

(15 Dec '13, 04:53) Mustapha

"Sounds like you just need a tool to change IP addresses in a capture file. If so, please check tracewrangler, a tool of @Jasper.

http://www.tracewrangler.com

IP address changes can be done with an anonymization task (see the docs).

Regards Kurt"

I agree with you Kurt. To change your IP address, you need to contact your ISP. You can't replace your real IP with a false IP without your ISP's knowledge. After changing your IP address, use Ip-details.com to check whether it got modified or not.


answered 16 Dec '13, 04:26

creamusers

The IP address will not be changed in reality (for exchanges on the network). It should be altered just between the NIC and Wireshark. Please see the picture below.

(16 Dec '13, 05:31) Mustapha

"To change your ip address, you need to contact your ISP ."

erm... no! Did you read the question? The IP addresses are in the range of private use addresses. While those can also be provided by an ISP, the whole story is not about changing the IP address of the system, but about replacing some addresses in a capture file!! I'm pretty sure your ISP does not care about that at all ;-))

BTW: this answer should not have gotten an up vote, as it's completely off the problem.

(16 Dec '13, 10:54) Kurt Knochner ♦

"Could some one post the dumpcap.c modified with the right code to do this static change?"

Dumpcap receives the entire packet from libpcap and just adds pcap(ng) block headers and possibly trailers; it does not parse the packet data at all before writing it to a file or a pipe to be read by Wireshark or tshark, so you'd have to invent the code you want from scratch, e.g. read and modify the packet data before writing it out. The performance penalty is probably big, and dumpcap is supposed to be slim as it runs with privileges. As pointed out to you, you should probably try other security measures than trying to change IP addresses on the fly.


answered 16 Dec '13, 06:03

Anders ♦

So, should I look around libpcap, to modify it to do this task?

(16 Dec '13, 07:45) Mustapha

Well I don't think you should do it!

But in dumpcap, in the routine capture_loop_write_packet_cb(), you could parse the raw packet and try to find the IP addresses and change them; pd is the raw bytes of the packet. You probably have to check the link layer and "parse" up to the IP layer if it's an IP packet. Note that this will only change the addresses in the IP layer; if the real addresses are mentioned in ICMP or SIP messages or something like that, they'd still not be obscured (VRRP, OSPF....?).

(16 Dec '13, 08:06) Anders ♦

Thank you Anders for your reply.

The "capture_loop_write_packet_cb()" appears 9 times in dumpcap.c. So I don't know how to proceed. I'm not a C programmer (no more...)

By the way, the checksums will not be correct, I suppose, no? So this will be my next task if we succeed with this first step.

Could you please post a modified dumpcap.c ready for compilation?

(16 Dec '13, 09:28) Mustapha

"The "capture_loop_write_packet_cb()" appear 9 times in dumpcap.c. So I don't know how to proceed. I'm not a C programmer (no more...)" Do the changes in that function, not where it's called.

"Could you please post a dumpcap.c modified ready to compilation" No, as I don't agree with the idea and it's a bigger job than you might think, >100 lines of code I'd imagine.

(16 Dec '13, 21:45) Anders ♦
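What Anders describes above (parse the link layer up to IPv4 inside the write callback and rewrite the address fields), together with the checksum concern raised in the follow-up comment, as an added example in C. This is not code from this thread and not dumpcap's own code: it assumes an Ethernet II frame with pd pointing at the raw bytes, as in Anders' description, and the function anonymize_ipv4_frame, its helpers and the sample frame are all constructed for the example. The IP header checksum and the TCP/UDP checksum (whose pseudo-header contains both addresses) are patched incrementally per RFC 1624 so the rewritten packet still verifies; anything outside the IPv4 header (ARP, ICMP payloads, SIP bodies, IPv6) is left untouched, which is exactly the limitation Anders and Jasper point out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not dumpcap code. pd = raw frame bytes (as in Anders' description);
 * everything else is constructed here. Addresses are the ones from the question:
 * RealIP 192.168.0.10 -> FalseIP 192.168.10.10. */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
/* Fold a 32-bit accumulator down to a 16-bit one's-complement sum. */
static uint16_t fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffffu) + (s >> 16);
    return (uint16_t)s;
}
/* One's-complement sum of n bytes (an odd trailing byte is zero-padded). */
static uint32_t ones_sum(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (n & 1) s += (uint32_t)(p[n - 1] << 8);
    return s;
}
/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): patch the 16-bit checksum at csum for one
 * 32-bit word changing from oldv to newv, without recomputing over the packet. */
static void csum_replace4(uint8_t *csum, uint32_t oldv, uint32_t newv, int is_udp) {
    uint16_t hc = (uint16_t)((csum[0] << 8) | csum[1]);
    if (is_udp && hc == 0) return;              /* UDP: 0 means "no checksum present" */
    uint32_t s = (uint16_t)~hc;
    s += (~oldv >> 16) + (~oldv & 0xffffu) + (newv >> 16) + (newv & 0xffffu);
    uint16_t r = (uint16_t)~fold(s);
    if (is_udp && r == 0) r = 0xffff;           /* UDP: a computed 0 is transmitted as 0xffff */
    csum[0] = (uint8_t)(r >> 8); csum[1] = (uint8_t)r;
}

/* Replace real_ip by fake_ip in the IPv4 source/destination of an Ethernet II frame,
 * keeping the IP header and TCP/UDP checksums valid.
 * Returns the number of address fields rewritten (0 = frame left untouched). */
int anonymize_ipv4_frame(uint8_t *pd, size_t len, uint32_t real_ip, uint32_t fake_ip) {
    if (len < 34 || pd[12] != 0x08 || pd[13] != 0x00) return 0;  /* not IPv4 over Ethernet II */
    uint8_t *ip = pd + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl > len) return 0;
    /* The TCP/UDP checksum covers a pseudo-header with both addresses, so it must be
     * patched as well; only the first fragment carries that transport header. */
    uint8_t *l4csum = NULL;
    int is_udp = 0, first_frag = ((ip[6] & 0x1f) == 0 && ip[7] == 0);
    size_t l4len = len - 14 - ihl;
    if (first_frag && ip[9] == 6 && l4len >= 20) l4csum = ip + ihl + 16;                 /* TCP */
    if (first_frag && ip[9] == 17 && l4len >= 8) { l4csum = ip + ihl + 6; is_udp = 1; }  /* UDP */
    int n = 0;
    for (int off = 12; off <= 16; off += 4) {   /* 12 = source, 16 = destination */
        if (rd32(ip + off) != real_ip) continue;
        wr32(ip + off, fake_ip);
        csum_replace4(ip + 10, real_ip, fake_ip, 0);
        if (l4csum) csum_replace4(l4csum, real_ip, fake_ip, is_udp);
        n++;
    }
    return n;
}

/* Full recomputation, used only to check the incremental patching above. */
int ipv4_header_csum_ok(const uint8_t *ip) {
    return fold(ones_sum(ip, (size_t)(ip[0] & 0x0f) * 4)) == 0xffff;
}
int udp_csum_ok(const uint8_t *ip) {
    const uint8_t *udp = ip + (size_t)(ip[0] & 0x0f) * 4;
    size_t ulen = (size_t)((udp[4] << 8) | udp[5]);
    uint32_t s = ones_sum(ip + 12, 8) + 17 + ulen + ones_sum(udp, ulen);  /* pseudo-header + UDP */
    return fold(s) == 0xffff;
}

/* Constructed sample: Ethernet II + IPv4 + UDP, 192.168.0.10:1234 -> 192.168.0.1:53,
 * 4-byte payload, both checksums computed from scratch. Returns the frame length. */
size_t build_sample_frame(uint8_t *buf) {
    static const uint8_t eth[14] = {0,0x11,0x22,0x33,0x44,0x55, 0,0x66,0x77,0x88,0x99,0xaa, 0x08,0x00};
    static const uint8_t ip[20]  = {0x45,0, 0,32, 0,0, 0x40,0, 64,17, 0,0, 192,168,0,10, 192,168,0,1};
    static const uint8_t udp[12] = {0x04,0xd2, 0,53, 0,12, 0,0, 0xde,0xad,0xbe,0xef};
    memcpy(buf, eth, 14); memcpy(buf + 14, ip, 20); memcpy(buf + 34, udp, 12);
    uint16_t c = (uint16_t)~fold(ones_sum(buf + 14, 20));
    buf[24] = (uint8_t)(c >> 8); buf[25] = (uint8_t)c;
    c = (uint16_t)~fold(ones_sum(buf + 26, 8) + 17 + 12 + ones_sum(buf + 34, 12));
    if (c == 0) c = 0xffff;
    buf[40] = (uint8_t)(c >> 8); buf[41] = (uint8_t)c;
    return 46;
}

/* Runs the whole scenario; returns 1 when the rewrite and both checksums check out. */
int run_demo(void) {
    uint8_t f[64];
    size_t n = build_sample_frame(f);
    int ok = ipv4_header_csum_ok(f + 14) && udp_csum_ok(f + 14);
    ok = ok && anonymize_ipv4_frame(f, n, 0xC0A8000Au, 0xC0A80A0Au) == 1;
    ok = ok && rd32(f + 26) == 0xC0A80A0Au && rd32(f + 30) == 0xC0A80001u;  /* src changed, dst not */
    return ok && ipv4_header_csum_ok(f + 14) && udp_csum_ok(f + 14);
}

int main(void) {
    printf("%s\n", run_demo() ? "address rewritten, checksums still valid" : "FAILED");
    return 0;
}
```

Compile with any C99 compiler (cc -std=c99 -Wall) and run; the sample frame is rewritten and both checksums still verify. Two points the thread raises show up directly in the code: the transport checksum has to be touched because of the pseudo-header, so "just swap four bytes" is already not enough, and the function refuses anything that is not plain Ethernet/IPv4, which is why VLAN-tagged frames, ARP, IPv6 and addresses embedded in higher layers would all leak the real address. That is the gap Jasper's 500-1500 line estimate accounts for and this example does not.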

I still believe it could be done with less than 100 code lines. We just have to find the right place in the source code and the efficient code lines to add. Anyway, thank you everybody for this interesting exchange.

Regards.

(17 Dec '13, 00:23) Mustapha

Just for calibrating expectations: the code in TraceWrangler doing IP address replacements is, as a rough estimate, about 500-1500 lines of code, and that is not including the SQLite engine code to store replacements to keep them consistent. IP addresses can appear in so many places it's crazy.

(17 Dec '13, 00:48) Jasper ♦♦

"I still believe it could be done with less than 100 code lines."

You said you're not a C programmer and apparently you don't know Wireshark. So, how do you estimate the effort to be less than 100 lines???

(17 Dec '13, 00:58) Kurt Knochner ♦

Because, in 1986, when I was in telecommunication engineering school, I played with programming. Of course at this time there was no C or C++, and the Internet and RFCs were unknown. But I still remember that in 1986 too, I solved the Towers of Hanoi problem in less than 10 code lines (in the Basic programming language) while other students did it in hundreds... Now I'm forced to take what you said into consideration as I have no more ideas... But I repeat that I'm sure we can always find a good idea to implement anything with less programming effort.

(17 Dec '13, 02:15) Mustapha

My 2p worth:

@Mustapha, I think that you have 3 options:

  1. Modify the code yourself to do exactly what you want.
  2. Pay someone else to modify the code to do exactly what you want.
  3. Add an enhancement request to the Wireshark Bugzilla and hope that someone else sees the utility in your proposal and implements the required changes in their own free time.

Personally, I think that #3 is unlikely to lead to your required changes happening, so your best options are #1 or #2.

(17 Dec '13, 02:17) grahamb ♦

"I resolved the Hanoï tours problem in less than 10 code lines (with Basic programming language)"

Well, the Towers of Hanoi problem can be solved in about 10 lines of code, but this problem is not the Towers of Hanoi, right?

I guess the best option would be:

  • you implement the feature, maybe in fewer than 100 lines (C is pretty easy to learn if you know Basic - there are lots of tutorials on YouTube) and then you submit the patch to the community, so everybody can benefit from that cool new feature.

How does that sound? It sounds perfect to me.

(17 Dec '13, 02:35) Kurt Knochner ♦

question asked: 07 Dec '13, 16:01

question was seen: 15,227 times

last updated: 17 Dec '13, 02:35

powered by OSQA