Re: [Openpacket-devel] OpenPacket.org RC1
From: Aaron T. <syn...@gm...> - 2008-01-09 02:33:47
Just a few comments off the top of my head, since I've given a lot of thought to editing pcap files:

1) Why would you anonymize the MAC addresses? Do people really care if an Apple host talked to an Intel card? I would argue that if you are this concerned with data leaks, you're not going to be publishing pcaps of your traffic on a public website anyway.

2) Rewriting IP addresses is full of fun problems. Things like multicast/subnet broadcasts (non-255.255.255.255) mean you can't always rewrite destination addresses. DHCP and BOOTP shouldn't have their source addresses rewritten. Then there are all those fun protocols which can/will embed your IP address in the payload (FTP PORT command, SIP, HTTP Host header, etc.) in various formats. It's easy to screw this up and make the sample pcap useless because the wrong IP was put in the application layer.

3) A lot of these tools only deal with DLT_EN10MB-encapsulated pcaps (aka Ethernet). Once you start dealing with more interesting protocols like HDLC and the 100+ others that libpcap supports, good luck. Note: tcpreplay/tcprewrite supports a number of the more common ones, but is hardly complete.

4) I'm not aware of any tools which can properly handle Layer 7 anonymization in an automated way. I suppose you could open each packet in NetDude and hack things manually, but I doubt anyone is that motivated, not to mention it being error-prone.

5) Anyone relying on anonymizing their pcap before they post it to keep them safe is a fool. If you care about security, the only valid solution is to generate the network traffic on an air-gapped lab network or a "throw-away" test network. I know I wouldn't risk my network or my job on an anonymizing tool which may or may not work.

In conclusion: any script which attempts to anonymize pcaps won't properly protect from a data leak and is just as likely to break the protocol and make the pcap useless.
--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing & replay tools for Unix

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin

On Jan 8, 2008 5:00 PM, CS Lee <ge...@gm...> wrote:
> Hi James,
>
> What do you mean by writing a shell script to anonymize pcaps you want to
> contribute?
>
> Good point that it should be the user's responsibility to anonymize pcaps, so
> that the moderators won't be suspected if anything happens. Certain packet
> attributes should be anonymized, such as:
>
> Link Layer: source and destination MAC address
> Network Layer: source and destination IP address
> Transport Layer: usually none, ICMP message maybe
> Payload: dependent
>
> If the payload contains confidential information then it should be
> anonymized; otherwise it should be fine. To get most of the job done, I have
> covered them here:
>
> http://geek00l.blogspot.com/search?q=bittwiste
>
> I think for link layer address modification, the latest bittwiste can do it
> very well now. For the payload, you can use bittwiste too, or if you prefer a
> GUI, netdude and some other tools such as tcpreplay.
>
> If you have already tried out the rawpacket HeX liveCD, we have all the
> tools categorized under Pcap-Editor where you can use them.
>
> If Richard thinks it is necessary to write up a tutorial or short guide for
> pcap anonymization, I can take it by rearranging my writeup in the blog, or maybe
> we can do a screencast for that particular purpose.
>
> Cheers ;]
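The IP-rewriting pitfalls in points 2 through 4 of the reply above, as an added example that is not part of this thread and is not code from tcpreplay, bittwiste or OpenPacket.org. It is a deliberately small IPv4 rewriter written for this page: it refuses any pcap whose link type is not DLT_EN10MB, leaves multicast, unspecified, limited-broadcast and subnet-broadcast addresses alone, maps every other address consistently into a replacement range, refreshes the IP and TCP/UDP checksums that the rewrite invalidates, and then audits each payload for the original address in dotted-quad or FTP PORT form (and flags DHCP/BOOTP, whose address fields it does not touch). The `Anonymizer` class, the 10.0.0.0/8 replacement range, the sample hosts 192.168.1.10 and 203.0.113.5 and the five packets are all constructed for the example.

```python
# Added example for this thread, not code from tcpreplay, bittwiste or OpenPacket.org.
import ipaddress
import struct

DLT_EN10MB = 1  # point 3: the only link type this rewriter accepts

def inet_checksum(data):
    """RFC 1071 one's-complement sum; odd-length input is zero-padded."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

class Anonymizer:
    def __init__(self, local_nets, anon_net="10.0.0.0/8"):
        self.local_nets = [ipaddress.ip_network(n) for n in local_nets]
        self.anon_net = ipaddress.ip_network(anon_net)
        self.mapping = {}   # original dotted quad -> replacement, stable across the capture
        self.findings = []  # (frame index, why this frame still needs a human)

    def rewritable(self, addr):
        # Point 2: multicast, unspecified and broadcast addresses carry meaning, keep them.
        ip = ipaddress.ip_address(addr)
        if ip.is_multicast or ip.is_unspecified or addr == "255.255.255.255":
            return False
        return all(ip != n.broadcast_address for n in self.local_nets)

    def rewrite_frame(self, idx, frame):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            return frame  # non-IPv4 (ARP, IPv6) passes through untouched
        ihl = (frame[14] & 0x0F) * 4
        ip, seg = bytearray(frame[14:14 + ihl]), bytearray(frame[14 + ihl:])
        proto = ip[9]
        for off in (12, 16):  # source, then destination
            addr = str(ipaddress.ip_address(bytes(ip[off:off + 4])))
            if self.rewritable(addr):
                new = self.mapping.setdefault(addr, str(self.anon_net[len(self.mapping) + 1]))
                ip[off:off + 4] = ipaddress.ip_address(new).packed
        # The IP header checksum and the TCP/UDP pseudo-header checksum both cover the
        # addresses, so both are stale after a rewrite and must be refreshed.
        ip[10:12] = b"\x00\x00"
        ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
        coff = {6: 16, 17: 6}.get(proto)
        if coff is not None and not (proto == 17 and seg[6:8] == b"\x00\x00"):
            seg[coff:coff + 2] = b"\x00\x00"
            pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, proto, len(seg))
            csum = inet_checksum(pseudo + bytes(seg)) or (0xFFFF if proto == 17 else 0)
            seg[coff:coff + 2] = struct.pack("!H", csum)
        self.audit(idx, proto, bytes(seg))
        return frame[:14] + bytes(ip) + bytes(seg)

    def audit(self, idx, proto, seg):
        # Points 2 and 4: flag payloads that a header-only rewrite cannot make consistent.
        ports = struct.unpack("!HH", seg[:4]) if len(seg) >= 4 else ()
        if proto == 17 and set(ports) & {67, 68}:
            self.findings.append((idx, "DHCP/BOOTP: yiaddr/siaddr/giaddr fields not rewritten"))
        for addr in self.mapping:
            for needle, form in ((addr.encode(), "dotted quad"),
                                 (addr.replace(".", ",").encode(), "FTP PORT h1,h2,h3,h4")):
                if needle in seg:
                    self.findings.append((idx, "payload still carries %s as %s" % (addr, form)))

def build_pcap(frames, linktype=DLT_EN10MB):
    """Constructed input: little-endian pcap global header plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1199836800 + i, 0, len(f), len(f)) + f
    return out

def anonymize_pcap(pcap, local_nets):
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != DLT_EN10MB:
        raise ValueError("only little-endian DLT_EN10MB captures are handled")
    anon, out, pos, idx = Anonymizer(local_nets), bytearray(pcap[:24]), 24, 0
    while pos < len(pcap):
        caplen = struct.unpack("<I", pcap[pos + 8:pos + 12])[0]
        out += pcap[pos:pos + 16] + anon.rewrite_frame(idx, pcap[pos + 16:pos + 16 + caplen])
        pos, idx = pos + 16 + caplen, idx + 1
    return bytes(out), anon

def frame(src, dst, proto, sport, dport, data):
    """Constructed Ethernet/IPv4 frame with a TCP (6) or UDP (17, checksum 0) segment."""
    seg = (struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) if proto == 6
           else struct.pack("!HHHH", sport, dport, 8 + len(data), 0)) + data
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 1, 0, 64, proto, 0,
                               ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed))
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(ip) + seg

SAMPLE = build_pcap([  # placeholder hosts: 192.168.1.10 is "us", 203.0.113.5 a remote server
    frame("192.168.1.10", "203.0.113.5", 6, 1025, 21, b"PORT 192,168,1,10,4,1\r\n"),
    frame("0.0.0.0", "255.255.255.255", 17, 68, 67, b"\x01" * 240),
    frame("192.168.1.10", "224.0.0.251", 17, 5353, 5353, b"\x00" * 12),
    frame("192.168.1.10", "192.168.1.255", 17, 137, 137, b"\x00" * 12),
    frame("192.168.1.10", "203.0.113.5", 6, 1026, 80, b"GET / HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n"),
])

def run_demo():
    return anonymize_pcap(SAMPLE, ["192.168.1.0/24"])
```

`run_demo()` returns the rewritten capture and the `Anonymizer`; on the constructed sample the address map is `{"192.168.1.10": "10.0.0.1", "203.0.113.5": "10.0.0.2"}`, the DHCP, mDNS and NetBIOS frames keep their 0.0.0.0, 255.255.255.255, 224.0.0.251 and 192.168.1.255 addresses, and the findings list names the FTP PORT payload, the DHCP packet and the HTTP Host header as frames whose application layer still carries the original address. That last list is the point of the example: the header rewrite is the easy part, and a tool that silently finishes without it would hand you exactly the inconsistent capture the reply above warns about. A production version would do two passes (collect the address map first, then audit), and would have to recompute TCP sequence numbers and IP total lengths if it ever changed payload length, which is why this one only reports.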