Scrub Sensitive IP Addresses From Packet Captures (PCAP FIle)

Nazmul Rajib · ‎07-11-2014

Warning: In order to scrub sensitive data from a PCAP, you will need to use an open source application (tcprewrite) that is not included on Sourcefire Appliances. Sourcefire does not officially support this software and cannot provide assistance beyond the content of this article.

Scrub IP Addresses from PCAP Files

Removing sensitive data from PCAP files is a simple process using the tcprewrite tool, which is a part of the tcpdump suite of *nix tools for manipulating libpcap files. Tcprewrite can modify and rewrite packets stored in pcap(3) file format and supports both IPv4 and IPv6.

How is the tcprewrite utility used

You can obfuscate the IP addresses with tcprewrite with the following command:

tcprewrite --pnat=10.0.0.0/8:192.168.1.1/24 -i infile.pcap -o outfile.pcap

The above command would turn any 10.x.x.x addresses into 192.168.1.x addresses.

Before running tcprewrite:

After running tcprewrite:

To randomize the IP address obfuscation in a PCAP file

tcprewrite --seed=423 --infile=input.pcap --outfile=output.pcap

When IP addresses are randomized, it is done in a deterministic manner, based on the seed value you provide, so that sessions between two hosts are maintained. Using different seed values results in different values for the IP addresses for the same input pcap. If you have multiple PCAPs to submit, you should use the same "--seed=" value for each PCAP so that the IP addresses are consistent across PCAPs.

The original file 'input.pcap' remains unchanged, while the output file 'output.pcap' is a copy of the original PCAP with random IP addresses substituted. Output.pcap is the file you should submit to technical support for analysis.