I published the following diary on isc.sans.org: “Truncating Payloads and Anonymizing PCAP files“:
Sometimes, you may need to provide PCAP files to third-party organizations like a vendor support team to investigate a problem with your network. I was looking for a small tool to anonymize network traffic but also to restrict data to packet headers (and drop the payload). Google pointed me to a tool called ‘TCPurify’… [Read more]
Sure but TCPurify drops the payload… Only headers are stored in the destination PCAP.
Interesting, and furthermore… the IP address is buried often within other packets such as HTTP headers. This won’t do the job to properly anonymize packets and retain overall pcap integrity (if required on the level on a large scale). Custom protocol parsers are needed.
But thanks though! An extra tool is always welcome.
Thanks for sharing!
“It has the capability of randomizing some or all IP addresses…” I strongly suggest masking the ALL over the SOME. If you still have a valid checksum, you can reliably recover up to 2 octets. If you correlate with geoIP data and some intel, even more.
This tool will automate that for you:
https://github.com/XlogicX/tcpunmask
Here’s the talk that PoC’s the tool:
https://www.youtube.com/watch?v=X5t1wVyof2I
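The two points raised above, keeping only headers and masking every address rather than some (because a checksum left intact still leaks part of the original), worked through as an added example that is not code from the diary, from TCPurify or from tcpunmask. It goes one step further by also zeroing the TCP checksum, which covers the real addresses through the pseudo-header; the key, the 10.0.0.0/8 mapping and the sample HTTP frame are constructed for illustration.

```python
import hashlib, hmac, struct

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; pass the header with its checksum field zeroed."""
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def pseudonymize(ip: bytes, key: bytes) -> bytes:
    # Constructed scheme: keyed HMAC mapped into 10.0.0.0/8; flows stay correlatable, real address not recoverable.
    return b"\x0a" + hmac.new(key, ip, hashlib.sha256).digest()[:3]

def sanitize_frame(frame: bytes, key: bytes) -> bytes:
    """Keep Ethernet+IPv4+TCP headers only, replace BOTH addresses, fix the checksums."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return frame[:14]                           # not IPv4: keep the Ethernet header only
    ip_end, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
    tcp_len = (frame[ip_end + 12] >> 4) * 4 if proto == 6 and len(frame) >= ip_end + 20 else 0
    out = bytearray(frame[:ip_end + tcp_len])       # other protocols: drop everything after IP
    out[26:30], out[30:34] = pseudonymize(frame[26:30], key), pseudonymize(frame[30:34], key)
    out[24:26] = b"\x00\x00"
    out[24:26] = struct.pack("!H", ip_checksum(bytes(out[14:ip_end])))
    # The TCP checksum covers the original addresses through the pseudo-header and cannot be
    # recomputed without the dropped payload, so zero it instead of leaving that leak in place.
    if tcp_len:
        out[ip_end + 16:ip_end + 18] = b"\x00\x00"
    return bytes(out)

def sanitize_pcap(pcap: bytes, key: bytes) -> bytes:
    """Rewrite each record of a little-endian pcap; orig_len stays, incl_len shrinks."""
    out, pos = bytearray(pcap[:24]), 24
    while pos + 16 <= len(pcap):
        sec, usec, incl, orig = struct.unpack("<IIII", pcap[pos:pos + 16])
        frame = sanitize_frame(pcap[pos + 16:pos + 16 + incl], key)
        out += struct.pack("<IIII", sec, usec, len(frame), orig) + frame
        pos += 16 + incl
    return bytes(out)

def build_sample_pcap() -> bytes:
    """Constructed input: one TCP/HTTP frame 192.0.2.10 -> 198.51.100.20 (documentation ranges)."""
    payload = b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                               64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + bytes(ip) + tcp + payload
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    return ghdr + struct.pack("<IIII", 1, 0, len(frame), len(frame)) + frame
```

Write `sanitize_pcap(open("in.pcap", "rb").read(), key)` to a file and open it in Wireshark: the HTTP payload and the real addresses are gone, the IP checksum validates, and the TCP checksum shows as zero rather than as a stale value computed over the original addresses.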