
Wireshark-dev: Re: [Wireshark-dev] Tools to anonymize pcaps with cellular/3gpp traffic

From: Jasper Bongertz <jasper@xxxxxxxxxxxxxx>
Date: Wed, 7 Jun 2017 21:38:33 +0200
Hi Ivan,

> There are a few publicly available tools that anonymize pcap files,
> but they usually target L2-L4 layers and "standard" protocols (i.e.
> dns, icmp,...)

There is a good reason for this: the complexity to anonymize anything
on top of L4 is a nightmare. UDP only haunts you with IP fragment
reassembly, which is not as easy as it may sound, but sanitizing TCP
based applications is like an instant migraine when I think about
segmented payloads.

The main reason why sanitization looks simple enough to most people is
that they assume that sanitization means "patching some zeros over
sensitive stuff at some offset, and you're done." - and it's something
else entirely if it is done correctly.

Real sanitization needs to parse/dissect the whole packet, extract all
information bottom up, and rebuild all layers with sanitized
values (where required) from the top protocol down. For that a
protocol parser/dissector needs to be written, and a protocol assembly
counterpart needs to be coded as well. This is exactly what I'm doing
in TraceWrangler.

> Is there any tool which sanitizes information carried on "3gpp"
> protocols (ranap, bssap, gsm_a dtap, gsm_map, sgsap...) or, at least,
> on some of them?

Not that I know of - mostly because few care about real sanitization
(most tools are "patching" tools), and nobody so far touches
applications on L5 and higher in a useful way (meaning, not simply
zeroing or randomizing everything). Well, TraceWrangler does, for
DHCPv4 and RTPS (both mostly because UDP is single packet stuff most
of the time), but that's it. DNS is still missing because it's hard to
do right, since it has that pesky pointer FQDN assembly mechanism
(sort of a compression algorithm) that is complicating things when
rebuilding the protocol layer.

The main point for me to implement protocols on top of L4 is if I can
get sample PCAPs and documentation on how to parse and rebuild them.
With those telecommunication protocols it seems to be one of the
classic deadlock situations: I need a PCAP to see how to sanitize it,
but nobody can share it without some sanitization first - and no, just
coding stuff based on protocol specs isn't working (probably because I'm
not a coder. I'm a network analyst that can write some sort of strange
code) :-)

> I am not looking for something particularly advanced: zeroing mcc
> and mnc (both in imsi and in cell/location information) should be
> enough, even without checksum updating.

Let me tell you, it may not sound advanced, but it is ;-)

Anyway, if you can get me PCAPs and Specs for the stuff on top of
TCP/UDP I can see what I can do. That's basically what happened for
RTPS (I thought it was simple, because it's on top of UDP... and then
IP reassembly was like 16 tons coming down on me just when I thought I
was done) :-)

> The goal is to easily share some pcaps without changing them with a hex editor by hand

That's the main reason why I started writing TraceWrangler ;-)

Cheers,
Jasper

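The mail above argues that real sanitization means dissecting a packet bottom-up into values and rebuilding the layer top-down, and names DNS label compression as the case that makes a patch-in-place approach fail. The following Python is an added example (not TraceWrangler's code and not from the original thread) that does exactly that for the DNS layer: it parses a constructed response whose answers use RFC 1035 compression pointers, replaces every label with a keyed pseudonym, and re-emits the message with pointers and rdlength recomputed. The function names, the key and the sample packet are all assumptions made for this example; the sample message is constructed inline so the code runs offline. Only the names are pseudonymized here; addresses in A records would be handled when the IP layer is rebuilt and are passed through unchanged.

```python
"""Added example: dissect, pseudonymize and rebuild a DNS message.

Shows why zeroing bytes at an offset is not enough once label lengths
change: every compression pointer and rdlength must be recomputed.
"""
import hashlib
import struct

NAME_RDATA_TYPES = {2, 5, 12}  # NS, CNAME, PTR carry a (compressible) name in rdata


def read_name(msg, off):
    """Decode a possibly compressed name at msg[off:]; return (labels, end_offset)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # two-byte compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = ((ln & 0x3F) << 8) | msg[off + 1]
            if ptr >= off:                        # RFC 1035: must point to a prior occurrence
                raise ValueError("forward or self pointer")
            hops += 1
            if hops > 32:                         # guard against pointer cycles
                raise ValueError("pointer loop")
            if end is None:
                end = off + 2                     # caller resumes after the first pointer
            off = ptr
            continue
        if ln & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        if ln == 0:
            return labels, (end if end is not None else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_message(msg):
    """Bottom-up dissection into plain values that carry no offsets at all."""
    hdr = struct.unpack("!6H", msg[:12])          # id, flags, qd, an, ns, ar
    off, questions, rrs = 12, [], []
    for _ in range(hdr[2]):
        labels, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((labels, qtype, qclass))
        off += 4
    for _ in range(hdr[3] + hdr[4] + hdr[5]):
        labels, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype in NAME_RDATA_TYPES:             # rdata may itself point backwards
            rdata, rd_end = read_name(msg, off)
            if rd_end != off + rdlen:
                raise ValueError("rdata name does not fill rdlength")
        off += rdlen
        rrs.append((labels, rtype, rclass, ttl, rdata))
    return {"header": hdr, "questions": questions, "rrs": rrs}


def pseudonymize(labels, key):
    """Keyed, consistent label replacement: same label in, same token out."""
    return [hashlib.blake2b(l.lower().encode(), key=key, digest_size=4).hexdigest()
            for l in labels]


def sanitize(parsed, key):
    """Sanitize the dissected values; nothing here knows about byte offsets."""
    qs = [(pseudonymize(n, key), t, c) for n, t, c in parsed["questions"]]
    rrs = [(pseudonymize(n, key), t, c, ttl,
            pseudonymize(rd, key) if t in NAME_RDATA_TYPES else rd)
           for n, t, c, ttl, rd in parsed["rrs"]]
    return {"header": parsed["header"], "questions": qs, "rrs": rrs}


def write_name(out, labels, table):
    """Append a name, emitting a pointer for any suffix already written."""
    for i in range(len(labels)):
        suffix = tuple(labels[i:])
        if suffix in table:
            out += struct.pack("!H", 0xC000 | table[suffix])
            return
        if len(out) < 0x4000:                     # pointers address only 14 bits
            table[suffix] = len(out)
        lbl = labels[i].encode("ascii")
        out += bytes([len(lbl)]) + lbl
    out += b"\x00"


def build_message(parsed):
    """Top-down reassembly: pointers and rdlength are recomputed, never copied."""
    out, table = bytearray(struct.pack("!6H", *parsed["header"])), {}
    for labels, qtype, qclass in parsed["questions"]:
        write_name(out, labels, table)
        out += struct.pack("!HH", qtype, qclass)
    for labels, rtype, rclass, ttl, rdata in parsed["rrs"]:
        write_name(out, labels, table)
        out += struct.pack("!HHI", rtype, rclass, ttl)
        len_pos = len(out)
        out += b"\x00\x00"                        # rdlength placeholder
        if rtype in NAME_RDATA_TYPES:
            write_name(out, rdata, table)
        else:
            out += rdata
        struct.pack_into("!H", out, len_pos, len(out) - len_pos - 2)
    return bytes(out)


def sanitize_message(msg, key):
    return build_message(sanitize(parse_message(msg), key))


# Constructed sample: answer for www.example.com with a CNAME to web.example.com.
# Both RR names and the CNAME rdata use compression pointers (0xC0xx).
SAMPLE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"     # header, 1 question, 2 answers
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"        # question name at offset 12
    b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x06"     # CNAME RR, name -> offset 12
    b"\x03web\xc0\x10"                                       # rdata at 45: "web" + ptr -> 16
    b"\xc0\x2d\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"     # A RR, name -> offset 45
    b"\xc0\x00\x02\x0a"                                      # 192.0.2.10
)

if __name__ == "__main__":
    print(sanitize_message(SAMPLE, b"example-key").hex())
```

Because the builder derives pointers from the values it has just written, the sanitized output is longer than the input (8-character tokens replace 3- and 7-character labels) yet still parses, and the question name, CNAME owner and the A record's owner keep their relationship to each other. Patching the original bytes at fixed offsets could not produce this result.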