Wireshark-dev: [Wireshark-dev] Capture Sanitisation

From: Ivan <wireshark@xxxxxxxxxxx>
Date: Tue, 23 Mar 2010 22:44:28 +1300
Hi,

Just joined the mailing list, so to start off I would like to congratulate all involved on contributing to a superb product.

I have been a long-time user but recently more so than normal. I have found very often that functionality to sanitise captured data would be extremely helpful. Understandably, many prefer that captures provided to 3rd parties don't contain excessive or confidential data or network information.

Searches of the mailing lists and general Internet have not shown me any existing functionality within Wireshark.

If such a feature is not implemented I would like to add to the wishlist (http://wiki.wireshark.org/WishList) but as per instructions am posting here first.

In order of preference I would like the ability to

1) Remove TCP or UDP payload retaining the header (truncate captured packets at the end of the TCP or UDP header). Obviously this could be done for other protocols too but TCP and UDP would be a good start.

2) As a later and advanced step, if protocol definitions indicated headers and payload, allow removal of payload within more protocols. For example the HTTP headers could be retained while removing the actual HTTP data.

3) Be able to randomly substitute IP addresses within the captures consistently, so that analysis is still valid but actual addresses are kept private. Header checksums should be recalculated.

I am not sure if this functionality would belong in one of the command line tools, Wireshark or both.

Some non-Wireshark solutions that may be worth referencing:
Sanitize - http://ita.ee.lbl.gov/html/contrib/sanitize.html
Bit-Twist - http://bittwist.sourceforge.net/

Thanks

Ivan
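The two sanitisation steps requested above (cut each packet at the end of the TCP or UDP header, and substitute IPv4 addresses consistently while recalculating the IP header checksum), worked through as an added example. This is not part of the original post and not Wireshark's or editcap's code; it assumes Ethernet-framed IPv4 and classic pcap output, and the keyed-HMAC pseudonym scheme, the `AddressMapper`/`sanitise_frame`/`pcap_file` names and the sample frame are all constructed here for illustration.

```python
import hashlib
import hmac
import struct

ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header (caller zeroes the checksum field).
    Run over a header that still contains its checksum, it returns 0 when the checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class AddressMapper:
    """Consistent pseudonymisation: the same real IPv4 address always yields the same fake one.
    Hypothetical scheme: pseudonym = 10.x.y.z taken from an HMAC of the address under a secret key,
    so the mapping is stable across files sanitised with the same key but not reversible without it.
    Forcing 10.0.0.0/8 keeps every substitute inside RFC 1918 private space."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # real -> pseudonym, useful for a mapping report kept by the capture owner

    def pseudonym(self, addr: bytes) -> bytes:
        if addr not in self.seen:
            digest = hmac.new(self.key, addr, hashlib.sha256).digest()
            self.seen[addr] = b"\x0a" + digest[:3]
        return self.seen[addr]


def sanitise_frame(frame: bytes, mapper: AddressMapper) -> bytes:
    """Pseudonymise both IPv4 addresses, refresh the IP header checksum and drop the TCP/UDP payload.
    Returns the bytes to store as the captured frame; the IP total-length field and the pcap
    original-length field are left untouched, so the result looks like a snaplen-truncated capture."""
    if len(frame) < ETH_HLEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return frame  # only IPv4 over Ethernet is handled in this example
    ip_off = ETH_HLEN
    ihl = (frame[ip_off] & 0x0F) * 4
    if ihl < 20 or len(frame) < ip_off + ihl:
        return frame
    ip = bytearray(frame[ip_off:ip_off + ihl])
    ip[12:16] = mapper.pseudonym(bytes(ip[12:16]))  # source address
    ip[16:20] = mapper.pseudonym(bytes(ip[16:20]))  # destination address
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))  # recalculated after substitution

    t_off = ip_off + ihl
    proto = ip[9]
    if proto == IPPROTO_TCP and len(frame) >= t_off + 20:
        thl = (frame[t_off + 12] >> 4) * 4  # TCP data offset, so options are retained too
    elif proto == IPPROTO_UDP and len(frame) >= t_off + 8:
        thl = 8
    else:
        thl = len(frame) - t_off  # other transport protocols: keep the packet as captured
    end = min(t_off + thl, len(frame))
    return frame[:ip_off] + bytes(ip) + frame[t_off:end]


def pcap_file(records) -> bytes:
    """Serialise (ts_sec, ts_usec, original_frame, sanitised_frame) tuples as a classic pcap,
    link type 1 (Ethernet), with incl_len = sanitised length and orig_len = original length."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts_sec, ts_usec, original, sanitised in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(sanitised), len(original)))
        out.append(sanitised)
    return b"".join(out)


def build_tcp_frame(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame as sample input (constructed data, not a real capture)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0x4000, 64, IPPROTO_TCP, 0, src, dst))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return eth + bytes(ip) + tcp + payload


if __name__ == "__main__":
    mapper = AddressMapper(key=b"demo-only-secret")
    frame = build_tcp_frame(bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]),
                            b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    clean = sanitise_frame(frame, mapper)
    print(len(frame), "bytes captured ->", len(clean), "bytes kept")
    with open("sanitised.pcap", "wb") as fh:
        fh.write(pcap_file([(0, 0, frame, clean)]))
```

Because the payload is cut while the IP total length and the pcap original length are preserved, Wireshark displays each packet as truncated exactly as it would for a capture taken with a small snaplen. The IP header checksum is valid again after the address substitution; TCP and UDP checksums are not recomputed, since both the addresses in the pseudo-header and the payload they covered are gone, so they are expected to show as unverifiable. The `seen` table is the only place the real addresses survive and should be treated as a secret by whoever performs the sanitisation.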