Wireshark-dev: [Wireshark-dev] Capture Sanitisation
From: Ivan <[email protected]>
Date: Tue, 23 Mar 2010 22:44:28 +1300

Just joined the mailing list so to start of would like to congratulate all involved on contributing to a superb product.
I have been a long time user but recently more so than normal.  I have 
found very often that functionality to sanitise captured data would be 
extremely helpful.  Understandingly many prefer that captures provided 
to 3rd parties don't contain excessive or confidential data or network 
Searches of the mailing lists and general Internet have not shown me any 
existing functionality within Wireshark.
If such a feature is not implemented I would like to add to the wishlist 
(http://wiki.wireshark.org/WishList) but as per instructions am posting 
here first.
In order of preference I would like the ability to

1) Remove TCP or UDP payload retaining the header (truncate captured packets at the end of the TCP or UDP header). Obviously this could be done for other protocols too but TCP and UDP would be a good start.
2) As a later and advanced step if protocol definitions indicated 
headers and payload allow removal of payload within more protocols.  For 
example the http headers could be retained while removing the actual 
http data.
2) Be able to randomly substitute IP addresses within the captures 
consistently so that analysis is still valid but actual addresses are 
kept private.  Header checksums should be recalculated.
I am not sure if this functionality would belong in one of the command 
line tools, Wireshark or both.
Some non Wireshark solutions that may be worth referencing
Sanitize - http://ita.ee.lbl.gov/html/contrib/sanitize.html
Bit-Twist - http://bittwist.sourceforge.net/