Hi,
I learned that there is a tool that is supposed to be supporting lots
and lots of protocols (including Cellular stuff apparently), called
"SafePCAP". It's not free though, and I haven't tried it, so I have no
idea what it can or cannot do correctly.
https://omnipacket.com/safepcap.html
Cheers,
Jasper
Thursday, June 8, 2017, 3:09:25 PM, you wrote:
> Hi Ivan
> I went through a similar topic some time ago. The answer is:
> generally speaking, no. The tools you mentioned target specific
> protocols, which are a few (ip/tcp/udp etc.), but they cover the
> majority of traffic. To go to upper layers you should know the
> semantics of the protocols you want to anonymize. Moreover, not all
> fields are straightforward to change. A 4 bytes integer can be, a
> string, whatever its format is, is not straightforward (you could go
> to a change in packet len, then lengths have to be changed, etc.).
> And that's not all: the fields you're changing could require changes
> in other fields. A stupid example: a protocol with an IP + a flag
> that indicates whether the IP is from net 10. would require changing both.
> If you want to target a specific protocol, you should write a
> software that knows that protocol and that does the dirty work for you.
> Tracewrangler is the most advanced I know, but falls in the aforementioned category.
> Bye.
> Dario.
> On Wed, Jun 7, 2017 at 8:54 PM, Ivan Nardi <nardi.ivan@xxxxxxxxx> wrote:
> Hi
> There are a few publicly available tools that anonymize pcap files,
> but they usually target L2-L4 layers and "standard" protocols (i.e. dns, icmp,...)
> Is there any tool which sanitizes information carried on "3gpp"
> protocols (ranap, bssap, gsm_a dtap, gsm_map, sgsap...) or, at least, on some of them?
> I am not looking for something particularly advanced: zeroing mcc
> and mnc (both in imsi and in cell/location information) should be
> enough, even without checksum updating.
> The goal is to easily share some pcaps without changing them with a hex editor by hand
> I know that I am asking for a very specific tool, but it's worth giving it a try...
> Thanks in advance
> Ivan
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: https://www.wireshark.org/lists/wireshark-dev
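The field-level operation asked for in the original post (zeroing MCC and MNC in an IMSI and in location information), as an added example that is not part of the thread and is not code from any tool named in it. It assumes the 3GPP TS 24.008 layouts for the Mobile Identity and Location Area Identification values, and that the IE value bytes have already been located inside the upper-layer message, which is the protocol-aware work described in the quoted reply; function names and sample bytes are constructed. The MNC length cannot be read from an IMSI alone, so it is a parameter here.

```python
# Added example (not from the thread). Layouts per 3GPP TS 24.008:
# Mobile Identity (10.5.1.4) and Location Area Identification (10.5.1.3).
IMSI_TYPE = 0b001  # "type of identity" code for IMSI

# Constructed samples: IMSI 999991234567890; LAI with MCC 999, MNC 99, LAC 0x1234.
SAMPLE_IMSI_IE = bytes.fromhex("9999992143658709")
SAMPLE_LAI = bytes.fromhex("99f9991234")


def decode_imsi(value: bytes) -> str:
    """Decode the value part of a Mobile Identity IE that carries an IMSI."""
    if not value or value[0] & 0x07 != IMSI_TYPE:
        raise ValueError("not an IMSI mobile identity")
    nibbles = [value[0] >> 4]                 # digit 1 shares octet 1 with the type
    for octet in value[1:]:
        nibbles += [octet & 0x0F, octet >> 4]  # low nibble holds the earlier digit
    if not value[0] & 0x08:                   # even digit count: last nibble is 0xF filler
        nibbles.pop()
    return "".join(str(n) for n in nibbles)


def zero_imsi_plmn(value: bytes, mnc_len: int = 2) -> bytes:
    """Zero MCC (3 digits) and MNC (mnc_len digits); length and MSIN unchanged."""
    if mnc_len not in (2, 3):
        raise ValueError("MNC has 2 or 3 digits")
    if len(decode_imsi(value)) < 3 + mnc_len:
        raise ValueError("IMSI shorter than MCC + MNC")
    out = bytearray(value)
    for digit in range(3 + mnc_len):          # digit 0 is the first MCC digit
        octet = (digit + 1) // 2
        out[octet] &= 0x0F if digit % 2 == 0 else 0xF0  # clear only that nibble
    return bytes(out)


def zero_lai_plmn(lai: bytes) -> bytes:
    """Zero MCC/MNC in a 5-octet LAI value; the 2-octet LAC is left as is."""
    if len(lai) != 5:
        raise ValueError("LAI value is 5 octets")
    # High nibble of octet 2 is MNC digit 3, or the 0xF filler for a 2-digit MNC.
    # Keeping the filler keeps the MNC length a dissector will report.
    octet2 = 0xF0 if lai[1] >> 4 == 0xF else 0x00
    return bytes([0x00, octet2, 0x00]) + lai[3:]


if __name__ == "__main__":
    print(decode_imsi(SAMPLE_IMSI_IE), "->", decode_imsi(zero_imsi_plmn(SAMPLE_IMSI_IE)))
    print(SAMPLE_LAI.hex(), "->", zero_lai_plmn(SAMPLE_LAI).hex())
```

Both functions overwrite nibbles in place, so no enclosing length field changes; the MSIN and LAC are left intact and may still identify a subscriber or site.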