Ask Your Question
0

Anonymizing pcaps for sharing/analysis

asked 2021-04-20 08:58:29 +0000

HappySailor gravatar image

Hi there I'd like to share a PCAP file for comments. How can I strip MAC address info and data so that it can safely shared on this boeard?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-04-20 09:18:23 +0000

SYN-bit gravatar image

Have a look at this blog-post by @Jasper (who wrote Tracewrangler)

edit flag offensive delete link more

Comments

Thanks!.........

HappySailor gravatar imageHappySailor ( 2021-04-20 09:25:21 +0000 )edit

Tracewrangler works great. The only limitation I have bumped into is that it can only remove single VLAN tag. Use editcap to remove multiple VLAN tags.

BigFatCat gravatar imageBigFatCat ( 2021-04-20 12:16:28 +0000 )edit

Glad to hear it worked great for you and maybe @Jasper can add Q-in-Q (or rather, recursive) vlan scrubbing :-)

SYN-bit gravatar imageSYN-bit ( 2021-04-21 06:11:51 +0000 )edit

I'll have to check into that - Tracewrangler can parse stacked VLAN tags but maybe I forgot to actually add code to remove them...

Jasper gravatar imageJasper ( 2021-04-21 07:47:59 +0000 )edit

Why would people want to anonymise VLAN tags? Frankly, why would people want also to remove private ip addresses? Is there any reason why you would want to anonymise anything else than mac address and payload?

HappySailor gravatar imageHappySailor ( 2021-04-21 08:08:54 +0000 )edit

VLANs and private IP addresses tell something about the internal network architecture and can be used as intel for an attack. So it is wise not to expose them unnecessarily.

SYN-bit gravatar imageSYN-bit ( 2021-04-21 09:56:30 +0000 )edit

@Jasper, I am using build 949 and my pcap files have three VLAN tags.

Please let me know when you have a new version to test.

BigFatCat gravatar imageBigFatCat ( 2021-04-21 23:08:12 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-04-20 08:58:29 +0000

Seen: 1,083 times

Last updated: Apr 21 '21

Related questions

Delay in GOOSE Subscription

What is the syntax for wireshark custom column

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark

Can I create a capture filter on a pcap file

How can I extract parameters from pcap

How to figure out cookies from pcap files?

extract only payload parts of packets of pcap file

Is there a maximum file size for pcap-files?

How to use rawshark to analyse a pcap file which is generated by tcpdump?