PCAP Sanitization Tool

kowsik kowsik at gmail.com
Wed Jun 16 20:31:48 UTC 2010


Log sanitation is a whole lot easier than packets. AFAIK, santizing
pcaps is an intractable problem because of various kinds of encodings
that exist within packets.

Examples:

- FTP IPv4 addresses are comma separated
- DNS does label encoding of domain names (especially with pointers)
- Forwarded emails contain deeply-buried domain names and IP addresses
within gziped, based-64 encoded mime attachments.

So, I don't think you are going to get what you are asking for. That
said, there are tools that can strip out the payload and reassign IP
addresses and port numbers.

K.
---
http://www.pcapr.net
http://twitter.com/pcapr
http://labs.mudynamics.com

On Wed, Jun 16, 2010 at 10:18 AM, Michael Collins <mcollins at aleae.com> wrote:
> FLAIM: flaim.ncsa.illinois.edu
>
> On Jun 16, 2010, at 12:58 PM, Bein, Matthew wrote:
>
>> Hello,
>>
>>
>>
>> Anyone know of a good tool for sanitizing PCAP files? I would like to
>> keep as much of the payload as possible but remove src and dst ip
>> information.
>>
>
> Mike Collins
> mcollins at aleae.com
>
>
>
>
>




More information about the NANOG mailing list