Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC: Truncating Payloads and Anonymizing PCAP files SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Truncating Payloads and Anonymizing PCAP files

Sometimes, you may need to provide PCAP files to third-party organizations like a vendor support team to investigate a problem with your network. I was looking for a small tool to anonymize network traffic but also to restrict data to packet headers (and drop the payload). Google pointed me to a tool called ‘TCPurify’. 

It’s an old tool (last updated in 2008) but it still makes the job! The original website is offline but it is possible to find it using the Internet Archive[1]. They are two main features that are interesting with TCPurify:

  • It truncates almost all packets immediately after the last recognized header (IP or Ethernet), removing all data payload before storing the packet.
  • It has the capability of randomizing some or all IP addresses (based on the network portion of the address) to mask exactly where packets are where or to while still retaining some general idea. 

The latest source code is available also through the Intenet Archive. I did not find any package ready for latest Linux distributions so, let's install it the old-way: compilation! The installation is straightforward on a standard UNIX system. The only requirement is the libpcap and C header files:

# apt-get install libpcap-dev
# wget https://web.archive.org/web/20130701155216/http://irg.cs.ohiou.edu/~eblanton/tcpurify/tcpurify-0.11.2.tar.gz
# tar xvf tcpurify-0.11.2.tar.gz
# cd tcpurify-0.11.2
# ./configure
# make install

Now, you have a single executable available in /usr/local/bin. There are different ways to use TCPurify: it can listen to packets from an interface:

# tcpurify -i eth1 -o /tmp/capture.pcap

Or from another PCAP file:

# tcpurify -r /tmp/source.pcap -o /tmp/destination.pcap

What about the anonymization of the packets? There are different modes offered: “none” (does nothing, default), “nullify” (replace all IP addresses with 0.0.0.0) or ‘table’. This one is the most interesting. It allows defining which subnets will be anonymized using filters. Those filters are save in a map file to be able to reconstruct the original PCAL if required later.

Filters are defined like this:

subnet/netmask/xformmask

Example:

192.168.0.0/0xffff0000/0xffff

This will randomize IP addresses from 192.168.0.0/16 except the network & broadcast addresses (example: '192.168.1.2' will be anonymized to '192.168.123.43')

The ‘table’ mode requires an extra argument, 'mapfile' which will point to the filename that will contain the mappings.

Here is an example of usage:

# tcpurify -i eth1 -o /tmp/test.pcap table 192.168.0.0/0xffff0000/0xffff mapfile=/tmp/test.map
^C

The tool looks a very light tcpdump clone and does not allow to fine-tune the capture session. The most important missing option is the non-support for BPF filters. This means that you can’t restrict the traffic when reading from an interface. But you could collect traffic via a regular tcpdump and then anonymize it:

# tcpdump -i eth1 -w /tmp/test.pcap port 80
# tcpurify -r /tmp/test.cap -o /tmp/test_anonymized.pcap table 192.168.0.0/0xffff0000/0xffff mapfile=/tmp/test.map

The tool is not perfect and does not follow modern standards. For example, it does not allow reading PCAP data from stdin and writing to stdout but it can be helpful in many cases. It deserve to be added to your toolbox.

[1] https://web.archive.org/web/20140203210616/irg.cs.ohiou.edu/~eblanton/tcpurify/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Xme

488 Posts
ISC Handler
Thanks X!
Express26

1 Posts
you may also want to check this tool: https://github.com/heia-fr/sirano
It allows to (reversibly) tokenize IP addresses, domain names, and phone numbers in pcap traces or log files. It was originally developed for VoIP traffic, but it can be used to a less extent on other type of traffic as well.
Steph

5 Posts

Sign Up for Free or Log In to start participating in the conversation!