Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] Tools to anonymize pcaps with cellular/3gpp traffic

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Dario Lombardo <dario.lombardo.ml@xxxxxxxxx>
Date: Thu, 8 Jun 2017 15:09:25 +0200
Hi Ivan
I went through a similar topic some time ago. The answer is: generally speaking, no. The tools you mentione target specific protocols, which are a few (ip/tcp/udp ecc), but the cover the majority of traffic. To go to upper layers you should know the semantic of the protocols you want to anonymize. Moreover, not all fields are straightforward to change. A 4 bytes integer can be, a string, whatever its format is, is not straightforward (you could go to a change in packet len, then lengths have to be changed, etc.). And that's not all: the fields you're changing could require changes in other fields. A stupid example: a protocol with an IP + a flag that indicates whether the IP is from net 10. would require to change both.
If you want to target a specific procol, you should write a software that knows that protocol and that does the dirty work for you.
Tracewrangler is the most advanced I know, but falls in the aforementioned category.
Bye.
Dario.

On Wed, Jun 7, 2017 at 8:54 PM, Ivan Nardi <nardi.ivan@xxxxxxxxx> wrote:
Hi
There are a few public available tools that anonymize pcap files, but they usually target L2-L4 layers and "standard" protocols (i.e. dns, icmp,...)
Is there any tool which sanitizes information carried on "3gpp" protocols (ranap, bssap, gsm_a dtap, gsm_map, sgsap...) or, at least, on some of them?

I am not looking for something particularly advanced: zeroing mcc and mnc (both in imsi and in cell/location information) should be enough, even without checksum updating.

The goal is to easily share some pcaps without changing them with an hex-editor by hand

I know that I am asking for a very specific tool, but it's worth giving it a try...

Thanks in advance
Ivan

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe

Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube