This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is the best way to sanitize traces?

0

I can use the “Limit each packet to N bytes” capture option to make sure that application data is not captured, or editcap -s to remove already captured application data. But how do I change the IP addresses? I would like to maintain the relationships between IP addresses, that is, addresses in the same subnet/network remain in the same subnet/network. I don't require that the addresses be changed to the standard private address space, just that they no longer reflect my addresses.

asked 10 Oct '10, 07:05


noah
6112
accept rate: 0%


2 Answers:

2

You can use bittwiste.1 - pcap capture file editor
You can find more information in the man-page.

answered 10 Oct '10, 08:02


joke
1.3k4934
accept rate: 9%

Thanks that looks like it will do what I want.

(10 Oct '10, 11:19) noah

bit-twist is a great tool!

(12 Oct '10, 06:07) GeonJay

1

Just a note of caution here -

bittwiste's IP address replacement does not go further than the IP header to sanitize the IP addresses - so watch out for packets that may contain the original IP addresses embedded further along - for example - watch out for the 227 response to an FTP PASV command or the FTP PORT command packets. Typically - if I absolutely have to ensure the original IP address is not somewhere in the trace file, I open it with a hex editor and search/replace throughout. This won't recalculate the checksums for you and you might consider disabling the checksum coloring rule because of that.

answered 10 Oct '10, 14:41


lchappell ♦
1.2k2730
accept rate: 8%

Yes, HxD, freeware Hex Editor and Disk Editor, can do this job perfectly:
http://mh-nexus.de/en/hxd/

But then you have to be aware of other sensitive information in the capture file.
The OP has already truncated the packets.

(11 Oct '10, 00:52) joke

"This won't recalculate the checksums for you..."

But Wireshark can, so load your capture, see what it says it should be, hexedit, rinse and repeat.

(12 Oct '10, 07:20) Jaap ♦
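The following script is an added example, not code from this thread, bittwiste or Wireshark. It ties together the three points raised above: the original question's requirement that hosts in the same subnet stay in the same subnet (done here with a prefix-preserving mapping that assumes /24 subnets and keeps the host octet), lchappell's caution that addresses can survive inside payloads such as FTP PORT commands and 227 PASV responses (the script audits every rewritten packet for leftover originals in dotted and comma-separated form instead of silently leaving them), and the checksum problem (the IPv4 header checksum is recomputed; TCP checksums are deliberately left alone, as a hex editor would). The pcap is constructed in memory; the addresses, MACs and FTP lines in it are made up for the demo.

```python
"""Prefix-preserving IPv4 rewrite for a pcap, plus an audit for original
addresses that survive inside packet payloads (FTP PORT / 227 PASV style).
Added example; assumes Ethernet link type and /24 subnets."""
import re
import struct

# Little-endian pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def ip_to_bytes(s):
    return bytes(int(o) for o in s.split("."))


def bytes_to_ip(b):
    return ".".join(str(o) for o in b)


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement checksum over the IPv4 header bytes."""
    if len(hdr) % 2:
        hdr = bytes(hdr) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class PrefixPreservingMapper:
    """Map each original /24 to a fresh /24 under 10.0.0.0/8 (assumption: the
    trace uses /24 subnets) and keep the host octet, so two hosts that shared
    a subnet still share one after rewriting. Originals are remembered so the
    payload audit knows what to look for."""

    def __init__(self):
        self.nets = {}          # original /24 (as int) -> replacement /24 (as int)
        self.originals = set()  # original dotted addresses seen in IP headers

    def map_ip(self, raw):
        self.originals.add(bytes_to_ip(raw))
        ip = int.from_bytes(raw, "big")
        net, host = ip >> 8, ip & 0xFF
        if net not in self.nets:
            self.nets[net] = (10 << 16) | (len(self.nets) + 1)   # 10.0.1, 10.0.2, ...
        return ((self.nets[net] << 8) | host).to_bytes(4, "big")


def rewrite_frame(frame, mapper):
    """Rewrite src/dst in the IPv4 header and recompute its checksum only."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return frame                                  # not IPv4 over Ethernet: untouched
    ihl = (frame[14] & 0x0F) * 4
    hdr = bytearray(frame[14:14 + ihl])
    hdr[12:16] = mapper.map_ip(hdr[12:16])
    hdr[16:20] = mapper.map_ip(hdr[16:20])
    hdr[10:12] = b"\x00\x00"                          # zero before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
    return frame[:14] + bytes(hdr) + frame[14 + ihl:]


# Dotted-quad text, and the h1,h2,h3,h4,p1,p2 form used by FTP PORT and 227 PASV replies
DOTTED = re.compile(rb"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")
COMMA = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),\d{1,3},\d{1,3}")


def leaked_addresses(frame, originals):
    """Original addresses still present as text anywhere past the Ethernet header."""
    found = set()
    for pat in (DOTTED, COMMA):
        for m in pat.finditer(frame[14:]):
            addr = ".".join(g.decode() for g in m.groups())
            if addr in originals:
                found.add(addr)
    return found


def read_frames(data):
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    frames, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames


def sanitize_pcap(data, mapper=None):
    """Return (rewritten pcap bytes, [(packet index, leaked original address), ...])."""
    mapper = mapper or PrefixPreservingMapper()
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    out, off, frames = bytearray(data[:24]), 24, []
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = rewrite_frame(data[off + 16:off + 16 + incl], mapper)
        out += data[off:off + 16] + frame              # record header unchanged: same length
        frames.append(frame)
        off += 16 + incl
    leaks = [(i, a) for i, f in enumerate(frames) for a in sorted(leaked_addresses(f, mapper.originals))]
    return bytes(out), leaks


def make_frame(src, dst, payload):
    """Constructed Ethernet/IPv4/TCP frame for the demo (TCP checksum left 0)."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                               ip_to_bytes(src), ip_to_bytes(dst)))
    ip[10:12] = struct.pack("!H", ipv4_checksum(ip))
    tcp = struct.pack("!HHIIBBHHH", 2121, 21, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + bytes(ip) + tcp + payload


# Constructed three-packet FTP exchange: addresses and commands are invented for the demo
SAMPLE_PCAP = PCAP_GLOBAL_HDR + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in [
        make_frame("192.168.1.10", "192.168.1.20", b"PORT 192,168,1,10,4,1\r\n"),
        make_frame("192.168.2.5", "192.168.1.10", b"227 Entering Passive Mode (192,168,2,5,200,10)\r\n"),
        make_frame("192.168.1.20", "192.168.1.10", b"RETR report.txt\r\n"),
    ])

if __name__ == "__main__":
    out, leaks = sanitize_pcap(SAMPLE_PCAP)
    for i, f in enumerate(read_frames(out)):
        print(i, bytes_to_ip(f[26:30]), "->", bytes_to_ip(f[30:34]))
    print("originals still in payloads:", leaks)
```

Run against the constructed capture, the headers come out as 10.0.1.x and 10.0.2.x while the two FTP payloads are reported as still carrying 192.168.1.10 and 192.168.2.5, which is exactly the gap lchappell describes; the leak list is what you would take to the hex editor (or to a payload-aware rewrite) before sharing the file. Note that rewriting a dotted address inside a TCP payload can change its length, which is why this example audits payloads rather than editing them.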