Wireshark mailing list archives

Need to be able to scrub sensitive data out of trace files


From: "Jeff Golden" <jgolden () novell com>
Date: Fri, 18 Jun 2010 12:07:32 -0600

Hi all,

I've got a situation where I'm being required to pull traces and send them to our backline support and to development. 
Straightforward enough, yes. The situation that gives rise to the complication is that they are running a "black" 
(i.e. 100% isolated) network for security reasons, and obviously the traces cannot be taken offsite. The only way 
they've allowed remnants of the traces to be removed is if I export the trace file to text (including the binary data) 
so as to allow the client to "scrub" what they deem to be sensitive data out of each packet (IP addresses, server name, 
eDirectory naming conventions, etc). This occurs not only in the header packet, but in the data as well. Problem is (as 
you can imagine) trying to track through 200 or more packets in text format is quite tedious, especially when it does 
not allow one to apply any sort of filters. 

I'm trying to find a tool / utility / methodology / etc that would either take the raw pcap file, allow the relative 
data to be "scrubbed" and saved back into a format usable by wireshark for analysis, or a tool that will take the 
text-exported files, and bring them back into a pcap format without loss of data.

I have explored the functionality of text2pcap; unfortunately, I lose ~ 50% of the packets. A quick test I just ran was 
to take a fresh 25000 packet trace (~ 5 MB in size) on my workstation, export it to text, and immediately run the 
text2pcap against it without making any modifications in the text file. It only imports 14000 of the packets, most of 
which read as "malformed" (the resulting file is only 504k).

I've investigated netdude and scrub-tcpdump as possible tools to accomplish this task, but unfortunately, netdude comes 
back with a "This file does not seem to be a tcpdump tracefile" error; scrub-tcpdump comes back with a "pcap_open_live 
failed: unknown file format" error.

I haven't been able to locate any other tool that might perform either of these types of tasks. Hence this email to 
this list.

Any thoughts or tool recommendation you might have would be most appreciated.

Thanks

Jeff

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
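The "scrub the raw pcap and save it back in a format Wireshark can read" approach the post asks about, as an added example that is not from the thread or from any of the tools named in it. It parses the classic libpcap container directly, rewrites mapped IPv4 addresses in the IP header, substitutes same-length byte strings (a server name) in the payload, and recomputes the IPv4 and TCP/UDP checksums so Wireshark does not flag every packet as bad. Assumptions: classic pcap (not pcapng), Ethernet link type, IPv4 only, and every replacement name is the same length as the original so length fields and TCP sequence numbers stay consistent. The three-frame sample capture, the addresses and the hostname are all constructed here.

```python
# Added example: scrub IPv4 addresses and a hostname out of a classic pcap and
# write a file Wireshark can still load. Assumes classic pcap, Ethernet, IPv4,
# same-length name replacements. Sample capture below is constructed, not real.
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}   # pcap is written in host order; accept both

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def l4_checksum(src: bytes, dst: bytes, proto: int, segment: bytes) -> int:
    """TCP/UDP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    return ones_complement_sum(pseudo + segment)

def scrub_frame(frame: bytes, ip_map: dict, name_map: dict) -> bytes:
    """Rewrite mapped addresses and byte strings in one Ethernet frame and fix its checksums."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return frame                                   # non-IPv4 (ARP, IPv6, ...) is left untouched
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = bytearray(frame[14:14 + ihl])
    proto = ip_hdr[9]
    for off in (12, 16):                               # source and destination address fields
        addr = str(ipaddress.IPv4Address(bytes(ip_hdr[off:off + 4])))
        if addr in ip_map:
            ip_hdr[off:off + 4] = ipaddress.IPv4Address(ip_map[addr]).packed
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip_hdr)))
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    truncated = len(frame) < 14 + total_len            # snaplen cut the packet: L4 checksum cannot be redone
    segment = bytes(frame[14 + ihl:14 + total_len])
    trailer = frame[14 + total_len:]                   # Ethernet padding, kept verbatim
    for old, new in name_map.items():
        if len(old) != len(new):
            raise ValueError("replacement %r must be the same length as %r" % (new, old))
        segment = segment.replace(old, new)
    csum_off = {6: 16, 17: 6}.get(proto)               # TCP / UDP checksum field offsets
    if csum_off is not None and not truncated and len(segment) >= csum_off + 2:
        seg = bytearray(segment)
        seg[csum_off:csum_off + 2] = b"\x00\x00"
        csum = l4_checksum(bytes(ip_hdr[12:16]), bytes(ip_hdr[16:20]), proto, bytes(seg))
        if proto == 17 and csum == 0:
            csum = 0xFFFF                              # UDP: a zero checksum means "none"
        seg[csum_off:csum_off + 2] = struct.pack("!H", csum)
        segment = bytes(seg)
    return frame[:14] + bytes(ip_hdr) + segment + trailer

def read_pcap(data: bytes):
    """Parse classic pcap -> (endian, 24-byte global header, [(ts_sec, ts_usec, orig_len, frame)])."""
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng / nanosecond pcap not handled here)")
    records, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        records.append((ts_sec, ts_usec, orig_len, data[pos + 16:pos + 16 + incl_len]))
        pos += 16 + incl_len
    return endian, data[:24], records

def write_pcap(endian: str, global_hdr: bytes, records) -> bytes:
    out = bytearray(global_hdr)
    for ts_sec, ts_usec, orig_len, frame in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(frame), orig_len) + frame
    return bytes(out)

def scrub_pcap(data: bytes, ip_map: dict, name_map: dict) -> bytes:
    endian, hdr, records = read_pcap(data)
    return write_pcap(endian, hdr, [(s, u, o, scrub_frame(f, ip_map, name_map)) for s, u, o, f in records])

def checksums_valid(frame: bytes) -> bool:
    """True when both the IPv4 header checksum and the TCP/UDP checksum verify."""
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    segment = frame[14 + ihl:14 + total_len]
    return ones_complement_sum(ip_hdr) == 0 and l4_checksum(ip_hdr[12:16], ip_hdr[16:20], ip_hdr[9], segment) == 0

# Constructed sample capture: one HTTP request/response pair plus an ARP frame.
def build_frame(src_ip: str, dst_ip: str, payload: bytes, sport: int, dport: int) -> bytes:
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)) + payload
    tcp[16:18] = struct.pack("!H", l4_checksum(src, dst, 6, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + bytes(ip) + bytes(tcp)

SAMPLE_FRAMES = [
    build_frame("10.20.30.40", "10.20.30.50", b"GET / HTTP/1.1\r\nHost: ldap01.corp.example\r\n\r\n", 40000, 80),
    build_frame("10.20.30.50", "10.20.30.40", b"HTTP/1.1 200 OK\r\nServer: ldap01.corp.example\r\n\r\n", 80, 40000),
    b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28,   # ARP: passes through unchanged
]
SAMPLE_PCAP = write_pcap("<", struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1),
                         [(1276884452 + i, 0, len(f), f) for i, f in enumerate(SAMPLE_FRAMES)])
IP_MAP = {"10.20.30.40": "192.0.2.1", "10.20.30.50": "192.0.2.2"}   # real -> RFC 5737 documentation addresses
NAME_MAP = {b"ldap01.corp.example": b"host01.anon.example"}         # same length on both sides

if __name__ == "__main__":
    with open("scrubbed.pcap", "wb") as fh:
        fh.write(scrub_pcap(SAMPLE_PCAP, IP_MAP, NAME_MAP))
```

Two caveats a practitioner would want before trusting the output: a byte-string replace only finds names that appear literally in the payload, so addresses and names carried in ARP, DNS answers, or encoded application-layer fields (directory DNs, binary-packed IPs) need protocol-aware handling or the manual text review the client already does; and because the output is a valid pcap with correct checksums, Wireshark filters work on it again, which is exactly what the text export loses. For header-level address rewriting on real captures, tcprewrite from the tcpreplay suite is an existing tool; the payload substitution is the part this example adds.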
