Wireshark-users: Re: [Wireshark-users] Saving without payload

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sat, 28 Nov 2009 10:16:43 +0100
On Fri, Nov 27, 2009 at 10:25:06AM -0800, Guy Harris wrote:
> 
> On Nov 27, 2009, at 4:22 AM, WATT DAVE wrote:
> > Can Wireshark do any of this?
> >
> No.
> 
> You'd have to write your own application to do that.

Or make use of tools that others have written. Have a look at bittwist
(http://bittwist.sourceforge.net/). In this suite, the program bittwiste
is capable of editing libpcap files. One of the options is:

-L layer
  Copy up to the specified layer and discard the remaining data.
  Value for layer must be either 2, 3 or 4 where 2 for Ethernet, 3
  for ARP or IP, and 4 for ICMP, TCP or UDP.

You can do a few other runs to change IP addresses with '-T ip'
and:

-s sip or oip,nip
  Source IP address. Example: -s 192.168.0.1
  If oip and nip are specified instead, all occurrences of
  oip in the source IP address field will be replaced with
  nip.

-d dip or oip,nip
  Destination IP address. Example: -d 192.168.0.2
  If oip and nip are specified instead, all occurrences of
  oip in the destination IP address field will be replaced
  with nip.

However, bittwiste does not like vlan-tags, so you should make traces
without 802.1q headers.

You can also have a look at tcpreplay (http://tcpreplay.synfin.net/trac/) 
although I (shamefully) have to admit I have not used it yet myself.


Apart from that, there has been quite an extensive discussion about
packet scrubbing at Sharkfest'09. Bottom line of the discussion was that
it's very difficult to do right 100% and it's even worse than no
scrubbing at all if people rely on it and it's not done right. So the
idea of implementing scrubbing is kind of 'parked' at the moment...

Hope this helps,
Cheers,


Sake
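For readers who want to see what the two bittwiste operations quoted above actually do to a capture file, here is an added example that is not part of the original post and not code from the bittwist project: a standard-library Python re-implementation of 'bittwiste -L <layer>' (truncate every packet after layer 2, 3 or 4) and 'bittwiste -T ip -s oip,nip -d oip,nip' (rewrite IPv4 source/destination addresses and fix the IP header checksum that covers them). It assumes a classic little-endian libpcap file with Ethernet link type, and, going beyond what the post says bittwiste supports, it skips 802.1Q tags. The sample capture is constructed in the code; the helper names (strip_to_layer, rewrite_ipv4, layer_ends) are this example's own.

```python
import struct
import ipaddress

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
ETH_HDR, ETYPE_VLAN, ETYPE_IPV4, ETYPE_ARP = 14, 0x8100, 0x0800, 0x0806


def ipv4_checksum(hdr):
    """RFC 1071 ones-complement sum over an IPv4 header (checksum field included).
    Returns 0 for a header whose checksum field is already correct."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def parse_pcap(data):
    """Split a little-endian Ethernet pcap into (global_header, [(ts_sec, ts_usec, orig_len, pkt)])."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    pkts, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        pkts.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return data[:24], pkts


def build_pcap(global_hdr, pkts):
    out = bytearray(global_hdr)
    for ts_sec, ts_usec, orig_len, pkt in pkts:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), orig_len) + pkt
    return bytes(out)


def layer_ends(pkt):
    """Byte offsets where layers 2, 3 and 4 end inside pkt; None where a layer is absent."""
    off = ETH_HDR
    if len(pkt) < off:
        return None, None, None
    etype = struct.unpack_from("!H", pkt, 12)[0]
    while etype == ETYPE_VLAN and len(pkt) >= off + 4:   # skip 802.1Q tag(s)
        etype = struct.unpack_from("!H", pkt, off + 2)[0]
        off += 4
    l2 = off
    if etype == ETYPE_ARP:                               # ARP over Ethernet/IPv4: 28 bytes, no layer 4
        return l2, min(len(pkt), l2 + 28), None
    if etype != ETYPE_IPV4 or len(pkt) < l2 + 20:
        return l2, None, None
    l3 = l2 + (pkt[l2] & 0x0F) * 4
    proto = pkt[l2 + 9]
    if proto == 6 and len(pkt) >= l3 + 13:               # TCP: header length from the data offset field
        l4 = l3 + (pkt[l3 + 12] >> 4) * 4
    elif proto in (1, 17):                               # ICMP and UDP: fixed 8-byte header
        l4 = l3 + 8
    else:
        l4 = None
    return l2, l3, None if l4 is None else min(len(pkt), l4)


def strip_to_layer(pcap, layer):
    """Like 'bittwiste -L layer': keep headers up to layer 2, 3 or 4 and drop the rest.
    orig_len is kept so the original frame size stays visible in Wireshark. Packets that
    lack the requested layer are cut at the deepest header they do have (this example's
    choice; bittwist's behaviour for that case is not described in the post). Note that
    TCP/UDP checksums still cover the removed bytes, so they will no longer verify."""
    if layer not in (2, 3, 4):
        raise ValueError("layer must be 2, 3 or 4")
    ghdr, pkts = parse_pcap(pcap)
    out = []
    for ts_sec, ts_usec, orig_len, pkt in pkts:
        ends = layer_ends(pkt)[:layer - 1]
        cut = next((e for e in reversed(ends) if e is not None), 0)   # runt frames become empty
        out.append((ts_sec, ts_usec, orig_len, pkt[:cut]))
    return build_pcap(ghdr, out)


def rewrite_ipv4(pcap, old, new):
    """Like 'bittwiste -T ip -s old,new -d old,new': replace old with new in the IPv4
    source and destination fields and recompute the header checksum. Only the IP header
    is touched; the same address inside ARP, ICMP error quotes or application payload
    is left alone, which is one reason full scrubbing is hard to get right."""
    old_b, new_b = ipaddress.IPv4Address(old).packed, ipaddress.IPv4Address(new).packed
    ghdr, pkts = parse_pcap(pcap)
    out = []
    for ts_sec, ts_usec, orig_len, pkt in pkts:
        l2, l3, _ = layer_ends(pkt)
        if l3 is not None and struct.unpack_from("!H", pkt, l2 - 2)[0] == ETYPE_IPV4:
            p, changed = bytearray(pkt), False
            for field in (l2 + 12, l2 + 16):             # source, destination
                if bytes(p[field:field + 4]) == old_b:
                    p[field:field + 4], changed = new_b, True
            if changed:
                p[l2 + 10:l2 + 12] = b"\x00\x00"
                p[l2 + 10:l2 + 12] = struct.pack("!H", ipv4_checksum(bytes(p[l2:l3])))
                pkt = bytes(p)
        out.append((ts_sec, ts_usec, orig_len, pkt))
    return build_pcap(ghdr, out)


# --- constructed sample capture (not a real trace) -----------------------------------
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _frame(ts, pkt):
    return (ts, 0, len(pkt), pkt)

MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE_PCAP = build_pcap(
    struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET),
    [_frame(1259400000, MAC_B + MAC_A + struct.pack("!H", ETYPE_IPV4)
            + _ipv4("10.0.0.1", "10.0.0.2", 6, _tcp(40000, 80, b"GET /secret HTTP/1.0\r\n\r\n"))),
     _frame(1259400001, MAC_A + MAC_B + struct.pack("!HHH", ETYPE_VLAN, 100, ETYPE_IPV4)
            + _ipv4("10.0.0.2", "10.0.0.1", 17, _udp(53, 40001, b"\x00" * 32)))])

if __name__ == "__main__":
    scrubbed = rewrite_ipv4(strip_to_layer(SAMPLE_PCAP, 4), "10.0.0.1", "192.0.2.1")
    with open("scrubbed.pcap", "wb") as f:
        f.write(scrubbed)
```

Running the module writes scrubbed.pcap, which Wireshark opens like any other trace: each record's captured length is the header-only size while the original length still shows the frame as it was on the wire. Because only the IP header is rewritten, anything that carries the address elsewhere (ARP, embedded headers in ICMP errors, payload that survives a shallower -L) is exactly the kind of leak the Sharkfest discussion above was worried about.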