
Wireshark-users: [Wireshark-users] Need to be able to scrub sensitive data out of trace files

From: "Jeff Golden" <jgolden@xxxxxxxxxx>
Date: Fri, 18 Jun 2010 12:07:32 -0600
Hi all,

I've got a situation where I'm being required to pull traces and send them to our backline support and to development. Straightforward enough, yes. The situation that gives rise to the complication is that they are running a "black" (i.e. 100% isolated) network for security reasons, and obviously the traces cannot be taken offsite. The only way they've allowed remnants of the traces to be removed is if I export the trace file to text (including the binary data) so as to allow the client to "scrub" what they deem to be sensitive data out of each packet (IP addresses, server name, eDirectory naming conventions, etc.). This occurs not only in the header packet, but in the data as well. Problem is (as you can imagine) trying to track through 200 or more packets in text format is quite tedious, especially when it does not allow one to apply any sort of filters.

I'm trying to find a tool / utility / methodology / etc that would either take the raw pcap file, allow the relative data to be "scrubbed" and saved back into a format usable by wireshark for analysis, or a tool that will take the text-exported files, and bring them back into a pcap format without loss of data.

I have explored the functionality of text2pcap; unfortunately, I lose ~50% of the packets. A quick test I just ran was to take a fresh 25000-packet trace (~5 MB in size) on my workstation, export it to text, and immediately run text2pcap against it without making any modifications in the text file. It only imports 14000 of the packets, most of which read as "malformed" (the resulting file is only 504k).

I've investigated netdude and scrub-tcpdump as possible tools to accomplish this task, but unfortunately, netdude comes back with a "This file does not seem to be a tcpdump tracefile" error, and scrub-tcpdump comes back with a "pcap_open_live failed: unknown file format" error.

I haven't been able to locate any other tool that might perform either of these types of tasks. Hence this email to this list.

Any thoughts or tool recommendation you might have would be most appreciated.

Thanks

Jeff
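The approach the post is asking for (take the raw pcap, scrub addresses and payload strings, write a file Wireshark can still open) can be done directly on the libpcap file format without any round trip through text. The script below is an added example written for this page; it is not from the original post, the Wireshark project or any of the tools named above. It assumes a classic libpcap file (the d4c3b2a1 / a1b2c3d4 magic, not pcapng and not the nanosecond-resolution variant), Ethernet link type 1 and IPv4 frames; it consistently pseudonymizes every IPv4 address into an assumed pool (10.0.0.0/8), masks caller-supplied byte strings in the payload with same-length replacements, and recomputes the IPv4 and TCP/UDP checksums so the result does not show up as "malformed" in Wireshark. The host name edir01.corp.example, the tree name CORP_TREE and the two-packet capture built by build_sample_pcap() are constructed sample data, not anything from the poster's network.

```python
import struct
import ipaddress

GLOBAL_HDR, RECORD_HDR = 24, 16  # libpcap file header and per-packet record header sizes
ETHERTYPE_IPV4 = b"\x08\x00"     # frames are assumed to be Ethernet (pcap link type 1)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def iter_records(data: bytes):
    """Yield (record_header, frame) from a classic libpcap file in either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    endian, pos = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic), GLOBAL_HDR
    if endian is None:
        raise ValueError("not a classic libpcap file (magic %08x)" % magic)
    while pos + RECORD_HDR <= len(data):
        hdr = data[pos:pos + RECORD_HDR]
        incl_len = struct.unpack(endian + "I", hdr[8:12])[0]
        yield hdr, data[pos + RECORD_HDR:pos + RECORD_HDR + incl_len]
        pos += RECORD_HDR + incl_len

def transport_pseudo(ip: bytes, segment: bytes) -> bytes:
    """TCP/UDP pseudo-header (src, dst, zero, protocol, length) used in the checksum."""
    return bytes(ip[12:20]) + struct.pack("!BBH", 0, ip[9], len(segment))

class PcapScrubber:
    """Pseudonymize IPv4 addresses consistently and mask payload strings in place (same length)."""
    def __init__(self, replacements: dict, pool: str = "10.0.0.0/8"):
        if any(len(old) != len(new) for old, new in replacements.items()):
            raise ValueError("replacements must preserve length so IP/UDP/TCP lengths stay valid")
        self.replacements, self._pool = replacements, ipaddress.ip_network(pool).hosts()
        self.ip_map = {}  # original packed IPv4 -> pseudonym packed IPv4 (stable across packets)
    def map_ip(self, raw: bytes) -> bytes:
        if raw not in self.ip_map:
            self.ip_map[raw] = next(self._pool).packed
        return self.ip_map[raw]
    def mask(self, data: bytes) -> bytes:
        for old, new in self.replacements.items():
            data = data.replace(old, new)
        return data
    def scrub_frame(self, frame: bytes) -> bytes:
        """Rewrite one Ethernet frame; non-IPv4 frames get string masking only."""
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            return self.mask(frame)
        eth, ip = frame[:14], bytearray(frame[14:])
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        ip[12:16], ip[16:20] = self.map_ip(bytes(ip[12:16])), self.map_ip(bytes(ip[16:20]))
        proto, segment = ip[9], bytearray(ip[ihl:total])
        if proto == 6 and len(segment) >= 20:    # TCP: header length from data offset
            hdr_len, csum_off = (segment[12] >> 4) * 4, 16
        elif proto == 17 and len(segment) >= 8:  # UDP: fixed 8-byte header
            hdr_len, csum_off = 8, 6
        else:                                     # other or truncated: mask the whole segment
            hdr_len, csum_off = 0, None
        segment[hdr_len:] = self.mask(bytes(segment[hdr_len:]))
        if csum_off is not None:                  # addresses and payload changed: recompute
            segment[csum_off:csum_off + 2] = b"\x00\x00"
            csum = inet_checksum(transport_pseudo(ip, segment) + bytes(segment))
            segment[csum_off:csum_off + 2] = struct.pack("!H", csum or (0xFFFF if proto == 17 else 0))
        ip[ihl:total], ip[10:12] = segment, b"\x00\x00"
        ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip[:ihl])))
        return eth + bytes(ip)
    def scrub_pcap(self, data: bytes) -> bytes:
        out = bytearray(data[:GLOBAL_HDR])       # file header (snaplen, link type) is kept as-is
        for hdr, frame in iter_records(data):
            out += hdr + self.scrub_frame(frame)  # lengths are unchanged, so record headers stay valid
        return bytes(out)

def build_sample_pcap() -> bytes:
    """Constructed two-frame capture (not a real trace): UDP request and reply between documentation IPs."""
    def udp_frame(src: str, dst: str, payload: bytes) -> bytes:
        s, d = ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed
        udp = bytearray(struct.pack("!HHHH", 40000, 524, 8 + len(payload), 0) + payload)
        ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, s, d))
        udp[6:8] = struct.pack("!H", inet_checksum(transport_pseudo(ip, udp) + bytes(udp)) or 0xFFFF)
        ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
        return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + ETHERTYPE_IPV4 + bytes(ip) + bytes(udp)
    frames = [udp_frame("192.0.2.10", "198.51.100.20", b"tree=CORP_TREE host=edir01.corp.example"),
              udp_frame("198.51.100.20", "192.0.2.10", b"ok host=edir01.corp.example")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, link type 1
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1276880000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    import sys
    scrubber = PcapScrubber({b"edir01.corp.example": b"hostXX.xxxx.example", b"CORP_TREE": b"XXXX_XXXX"})
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    with open("scrubbed.pcap", "wb") as fh:
        fh.write(scrubber.scrub_pcap(data))
    for raw, fake in scrubber.ip_map.items():
        print(ipaddress.ip_address(raw), "->", ipaddress.ip_address(fake))
```

Run it with a pcap path to scrub a real file, or with no arguments to scrub the constructed sample; it writes scrubbed.pcap and prints the address mapping, which is the one artifact that must stay on the isolated network (it is the key to reversing the pseudonyms). Because replacements are length-preserving, IP, UDP and TCP length fields and the pcap record lengths do not need to be touched; the checksums do, since the addresses feed into them, and Wireshark flags stale checksums unless validation is turned off. Things this deliberately does not cover: IPv6, ARP and other non-IPv4 frames (only string masking is applied to them), names that span two TCP segments, names inside compressed or encrypted payloads, and any field-level knowledge of the protocols being scrubbed, so a review of the output in Wireshark before it leaves the site is still needed.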