[127173] in North American Network Operators' Group
Re: PCAP Sanitization Tool
daemon@ATHENA.MIT.EDU (kowsik)
Wed Jun 16 16:32:27 2010
In-Reply-To: <91DD8CA7-F2DB-4A60-895C-B5E1B064DEEE@aleae.com>
Date: Wed, 16 Jun 2010 13:31:48 -0700
From: kowsik <kowsik@gmail.com>
To: Michael Collins <mcollins@aleae.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Log sanitation is a whole lot easier than packets. AFAIK, sanitizing
pcaps is an intractable problem because of various kinds of encodings
that exist within packets.
Examples:
- FTP IPv4 addresses are comma separated
- DNS does label encoding of domain names (especially with pointers)
- Forwarded emails contain deeply-buried domain names and IP addresses
within gzipped, base-64 encoded mime attachments.
So, I don't think you are going to get what you are asking for. That
said, there are tools that can strip out the payload and reassign IP
addresses and port numbers.
K.
---
http://www.pcapr.net
http://twitter.com/pcapr
http://labs.mudynamics.com
On Wed, Jun 16, 2010 at 10:18 AM, Michael Collins <mcollins@aleae.com> wrote:
> FLAIM: flaim.ncsa.illinois.edu
>
> On Jun 16, 2010, at 12:58 PM, Bein, Matthew wrote:
>
>> Hello,
>>
>> Anyone know of a good tool for sanitizing PCAP files? I would like to
>> keep as much of the payload as possible but remove src and dst ip
>> information.
>>
>
> Mike Collins
> mcollins@aleae.com
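An added example (Python; not code from this thread, nor from pcapr or Mu Dynamics) that illustrates kowsik's point: after rewriting the IP header, the original address can still sit in the payload in dotted text, in the FTP PORT comma form, or as raw bytes, and a domain name inside DNS is label-encoded (with compression pointers) so a plain byte search never finds it. The function names and the two sample payloads are mine, constructed for the demonstration.

```python
import ipaddress
import struct

def ip_encodings(ip):
    """Byte patterns under which one IPv4 address can appear inside a payload."""
    packed = ipaddress.IPv4Address(ip).packed
    return {
        "dotted": ip.encode(),                                   # "192.0.2.10" in HTTP, syslog, SIP ...
        "ftp_comma": ",".join(str(b) for b in packed).encode(),  # FTP "PORT 192,0,2,10,4,1"
        "raw": packed,                                           # 4 bytes, e.g. a DNS A record
    }

def find_ip_leaks(payload, ip):
    """Encodings of `ip` still present in `payload`; an empty list means nothing leaked."""
    return [name for name, pat in ip_encodings(ip).items() if pat in payload]

def decode_dns_name(msg, offset, depth=0):
    """Decode a label-encoded DNS name at `offset`, following 0xC0 compression pointers."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # pointer: finish with the name it points at
            if depth > 16:
                raise ValueError("compression pointer loop")
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            labels.append(decode_dns_name(msg, pointer, depth + 1)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:                           # root label terminates the name
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def dns_names_in(msg):
    """Every owner name in a DNS message (question plus all RRs), pointers resolved."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    names, off = [], 12
    for _ in range(qd):
        name, off = decode_dns_name(msg, off)
        names.append(name)
        off += 4                                  # QTYPE, QCLASS
    for _ in range(an + ns + ar):
        name, off = decode_dns_name(msg, off)
        names.append(name)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen                         # TYPE, CLASS, TTL, RDLENGTH, RDATA
    return names

# Constructed samples (not real traffic): an FTP PORT line and a DNS answer for example.com
# whose answer RR names its owner via a pointer back to the question name at offset 12.
FTP_PORT = b"PORT 192,0,2,10,4,1\r\n"
DNS_MSG = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
           b"\x07example\x03com\x00\x00\x01\x00\x01"
           b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x0a")
```

Run against a real capture, `find_ip_leaks` is the cheap post-rewrite check for the addresses you replaced; `dns_names_in` is what you need before you can even decide whether a domain appears in the DNS traffic.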