Wireshark-users: Re: [Wireshark-users] Whitewashing Packet Traces?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 27 Jul 2007 11:42:36 -0700
J. Andrew Kitkowski wrote:

> In this case, the trace was taken between a W2K3
> server and a Netapp filer (just between two
> interfaces/IPs), and we're looking for a way we can
> basically whitewash the trace.  That is, basically
> replace the IPs within the trace with other IPs
> (change "10.100.100.1" to "192.168.1.1") and the same
> for MACs.
> However, unfortunately when opening traces with vi and
> the like, the IPs are not listed in plaintext.

I presume by "traces" you mean the output of tcpdump/TShark *without* the "-w" flag, or the result of exporting a capture as text from Wireshark. Opening the output of tcpdump/TShark *with* "-w", or the result of saving a capture from Wireshark, with "vi" isn't going to be a lot of fun, as those files are binary, not text (by intent and design).

> I checked all available docs, and did some google
> hunts. Is there a way to do this, basically take a
> Wireshark trace file, then edit it to "swap out" data
> like IPs and MACs?

Wireshark binary capture files are in libpcap format, which is the same format as tcpdump; tcpdpriv:

	http://ita.ee.lbl.gov/html/software.html

*might* do the job, although I don't see anything about whether it censors MAC addresses as well as IP addresses, so it might not censor MAC addresses. (It probably also doesn't handle arbitrary tunnelling of IP inside something running atop IP, if that's an issue.)

Note also that if they *really* want to whitewash the trace, they'd probably want to censor file names and contents as well; I don't know of any tools that do that.
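As an added example that is not part of this thread (and not tcpdpriv, Wireshark or any of the tools named above), the script below does the address swap the original poster asked for directly on a classic libpcap file: it walks the record headers, rewrites the Ethernet MACs and IPv4 source/destination of each frame from two lookup tables, and repairs the checksums so Wireshark will not flag every packet afterwards. It assumes an Ethernet link type, handles only the classic libpcap format (not pcapng), and leaves non-IPv4 frames with only their MACs rewritten. The address maps, the sample one-packet capture and its timestamp are constructed for the example; in a real run you would fill the maps from the addresses in your own trace.

```python
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
L4_CSUM_OFFSET = {6: 16, 17: 6}      # TCP, UDP: byte offset of the checksum in the L4 header

# Hypothetical address maps, constructed for this example (not from the thread).
MAC_MAP = {bytes.fromhex("001122334455"): bytes.fromhex("020000000001"),
           bytes.fromhex("66778899aabb"): bytes.fromhex("020000000002")}
IP_MAP = {bytes([10, 100, 100, 1]): bytes([192, 168, 1, 1]),
          bytes([10, 100, 100, 2]): bytes([192, 168, 1, 2])}

def _finish(s):
    """Fold the carries and complement: the last step of the Internet checksum."""
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def inet_checksum(data):
    """Ones-complement checksum over data; 0 means data (checksum field included) verifies."""
    if len(data) % 2:
        data += b"\x00"
    return _finish(sum(struct.unpack("!%dH" % (len(data) // 2), data)))

def checksum_update(old, old_words, new_words):
    """RFC 1624 incremental update: replace old_words by new_words under checksum old."""
    s = ((~old) & 0xFFFF) + sum((~w) & 0xFFFF for w in old_words) + sum(new_words)
    return _finish(s)

def rewrite_frame(frame, mac_map, ip_map):
    """Rewrite Ethernet MACs and IPv4 src/dst of one frame, keeping the checksums valid."""
    buf, ip = bytearray(frame), 14
    if len(buf) < ip:
        return frame
    for off in (0, 6):                                   # destination MAC, source MAC
        buf[off:off + 6] = mac_map.get(bytes(buf[off:off + 6]), bytes(buf[off:off + 6]))
    ihl = (buf[ip] & 0x0F) * 4 if len(buf) > ip else 0
    if (struct.unpack("!H", buf[12:14])[0] != ETHERTYPE_IPV4 or len(buf) < ip + 20
            or buf[ip] >> 4 != 4 or ihl < 20 or len(buf) < ip + ihl):
        return bytes(buf)                                # ARP, IPv6, runt frame: MACs only
    old_addrs = bytes(buf[ip + 12:ip + 20])
    new_addrs = ip_map.get(old_addrs[:4], old_addrs[:4]) + ip_map.get(old_addrs[4:], old_addrs[4:])
    buf[ip + 12:ip + 20] = new_addrs
    buf[ip + 10:ip + 12] = b"\x00\x00"                   # zero, then recompute IP header checksum
    buf[ip + 10:ip + 12] = struct.pack("!H", inet_checksum(bytes(buf[ip:ip + ihl])))
    # TCP/UDP checksums cover the IP pseudo-header, so patch them incrementally; that also
    # works when snaplen truncated the payload and a full recompute would be impossible.
    proto, l4 = buf[ip + 9], ip + ihl
    off = L4_CSUM_OFFSET.get(proto)
    if off is not None and len(buf) >= l4 + off + 2:
        old = struct.unpack("!H", buf[l4 + off:l4 + off + 2])[0]
        if not (proto == 17 and old == 0):               # UDP checksum 0 means "not computed"
            new = checksum_update(old, struct.unpack("!4H", old_addrs), struct.unpack("!4H", new_addrs))
            buf[l4 + off:l4 + off + 2] = struct.pack("!H", new or (0xFFFF if proto == 17 else 0))
    return bytes(buf)

def anonymize_pcap(pcap, mac_map, ip_map):
    """Apply rewrite_frame to every record of a classic libpcap file (pcapng is not handled)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):                # little-endian file, usec or nsec stamps
        e = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):              # big-endian file
        e = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(e + "IHHiIII", pcap[:24])[6] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    out, pos = bytearray(pcap[:24]), 24
    while pos + 16 <= len(pcap):                         # record header: ts_sec, ts_usec, caplen, len
        caplen = struct.unpack(e + "IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + caplen]
        if len(frame) != caplen:
            raise ValueError("truncated record at offset %d" % pos)
        out += pcap[pos:pos + 16] + rewrite_frame(frame, mac_map, ip_map)
        pos += 16 + caplen
    return bytes(out)

def checksums_ok(frame):
    """True if the IPv4 header and TCP/UDP checksums of an Ethernet/IPv4 frame verify."""
    ip, ihl, proto = 14, (frame[14] & 0x0F) * 4, frame[23]
    seg = frame[ip + ihl:ip + struct.unpack("!H", frame[ip + 2:ip + 4])[0]]
    pseudo = frame[ip + 12:ip + 20] + struct.pack("!BBH", 0, proto, len(seg))
    l4_ok = proto not in L4_CSUM_OFFSET or inet_checksum(pseudo + seg) == 0
    return inet_checksum(frame[ip:ip + ihl]) == 0 and l4_ok

def build_sample_pcap():
    """Constructed one-record capture: a TCP SYN from 10.100.100.1 to 10.100.100.2:445."""
    src_ip, dst_ip = bytes([10, 100, 100, 1]), bytes([10, 100, 100, 2])
    tcp = struct.pack("!HHIIBBHHH", 49152, 445, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    tcp_csum = inet_checksum(src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    frame = bytes.fromhex("66778899aabb001122334455") + b"\x08\x00" + ip + tcp
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return ghdr + struct.pack("<IIII", 1185561756, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    with open("whitewashed.pcap", "wb") as f:             # writes the rewritten sample capture
        f.write(anonymize_pcap(build_sample_pcap(), MAC_MAP, IP_MAP))
```

Two caveats match the points made in the reply above. The script only touches the Ethernet and IP headers: anything above that (SMB and NFS file names and contents, IP addresses carried inside ARP bodies or tunnelled IP) is left exactly as captured, so a trace cleaned this way is still not safe to hand out if those are sensitive. And the transport checksums are patched rather than recomputed from the payload, which is why the swap still works on captures taken with a small snaplen.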