I can use the “Limit each packet to N bytes” capture option to make sure that application data is not captured, or editcap -s to remove already captured application data. But how do I change the IP addresses? I would like to maintain the relationships between IP addresses, that is, addresses in the same subnet/network remain in the same subnet/network. I don't require that the addresses be changed to the standard private address space, just that they no longer reflect my addresses.

asked 10 Oct '10, 07:05 noah
2 Answers:
You can use bittwiste.1 - pcap capture file editor

answered 10 Oct '10, 08:02 joke
Just a note of caution here - bittwiste's IP address replacement does not go further than the IP header to sanitize the IP addresses - so watch out for packets that may contain the original IP addresses embedded further along - for example - watch out for the 227 response to an FTP PASV command or the FTP PORT command packets. Typically - if I absolutely have to ensure the original IP address is not somewhere in the trace file, I open it with a hex editor and search/replace throughout. This won't recalculate the checksums for you and you might consider disabling the checksum coloring rule because of that.

answered 10 Oct '10, 14:41 lchappell ♦

Yes, HxD, freeware Hex Editor and Disk Editor, can do this job perfectly: But then you have to be aware of other sensitive information in the capture file. (11 Oct '10, 00:52) joke

But Wireshark can, so load your capture, see what it says it should be, hexedit, rinse and repeat. (12 Oct '10, 07:20) Jaap ♦
Thanks, that looks like it will do what I want.
bit-twist is a great tool!
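Added example, not part of the thread and not code from bittwiste or Wireshark: a check for the caveat raised above, scanning a sanitized capture's raw bytes for original addresses that survived header rewriting in binary, dotted-text or FTP comma form (as in PORT commands and 227 responses). The function names, the sample bytes and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

def encodings(addr):
    """Byte patterns under which one IPv4 address can appear in a capture."""
    ip = ipaddress.IPv4Address(addr)
    return {
        "binary": ip.packed,                                # header fields
        "dotted": str(ip).encode("ascii"),                  # text protocols
        "ftp": str(ip).replace(".", ",").encode("ascii"),   # PORT / 227 PASV
    }

def find_residual(data, originals):
    """Return sorted (offset, address, encoding) for each leftover address.

    Plain substring search: it can over-report (a 4-byte binary pattern may
    occur by chance, and 192.0.2.10 also matches inside 192.0.2.100), so
    every hit should be reviewed in Wireshark rather than trusted blindly.
    """
    hits = []
    for addr in originals:
        for kind, pattern in encodings(addr).items():
            pos = data.find(pattern)
            while pos != -1:
                hits.append((pos, addr, kind))
                pos = data.find(pattern, pos + 1)
    return sorted(hits)

# Constructed sample: two address fields already rewritten, followed by an
# FTP 227 reply whose payload still carries the original address.
ORIGINAL = "192.0.2.10"
REPLACED = "198.51.100.10"
SAMPLE = (
    ipaddress.IPv4Address(REPLACED).packed
    + ipaddress.IPv4Address("198.51.100.20").packed
    + b"227 Entering Passive Mode (192,0,2,10,19,137)\r\n"
)

if __name__ == "__main__":
    import sys
    # Usage (assumed): script.py sanitized.pcap 192.0.2.10 [more addresses]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    targets = sys.argv[2:] or [ORIGINAL]
    for offset, addr, kind in find_residual(data, targets):
        print(f"offset {offset:#x}: {addr} still present ({kind} form)")
```

An empty result only means none of these three encodings was found; addresses inside compressed or encrypted payloads are not detected.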