Trace File Sanitization Pt. 1 – TraceWrangler
This post is part 1 in a series of posts on trace file anonymization/sanitization. In this series, I will be focusing on three individual tools that each accomplish capture file anonymization. The general use of capture anonymization is to allow capture file owners to obfuscate potentially sensitive data within the files to prepare them for consumption in a non-secured environment. The most likely scenario is preparing a trace to send to a vendor or consultant. There are differing levels of sanitization within a trace file, ranging from removal of .pcap metadata (comments within .pcapng files) all the way to the removal of all payload data after layer 4 and total randomization of any other potentially identifiable information within the frame.
The three tools I’ll be focusing on in this series are:
TraceWrangler is a GUI-based trace obfuscation tool built exclusively for Windows. It supports the .pcapng file format as well as .pcap and .cap. At the time of writing, the last development release was in Sept. 2013.
In this exercise, I will work through a basic process of ingesting a trace file, anonymizing the IPv4, IPv6, and MAC addresses within the capture, then exporting it to a sanitized version of the file. In this case, we are required to keep the payload data of an HTTP request. These steps will not remove any potentially sensitive data within the payload; however, TraceWrangler has the capability to do that. I would encourage you to check out the documentation to understand that process.
Let’s start with our initial capture file. In the screenshot below, you can see that my original IP addresses, as well as MAC addresses, are visible.
My host: IP – 192.168.0.10 MAC – 24:77:03:0c:ca:9c
Remote host: IP – 220.127.116.11 MAC – 40:8b:07:ab:38:80
Now let’s fire up TraceWrangler. Once you have dragged the trace file you would like to work with into the TraceWrangler screen, select Add under the Taskname section at the bottom left. That will bring up the Select Task dialog. You will choose Anonymize under the Available Tasks drop-down and enter a name for the Task. Once you have done that, you will be brought to the Task Details window.
The default action within TraceWrangler is to strip as much information out as possible. In this case, we’re not going to do that. We actually only want to modify the L2 and L3 information in the file. The remainder of the information should stay intact so our analysis tool can do its job based on the actual information captured.
The next step is to navigate to each of the sections within the left-hand navigation of the Task Details screen and modify the configurations to those listed below:
- General – Uncheck Remove all unknown layers
- PCAPng – Change the Action to Passthrough
- VLAN – Change to Passthrough
- Tunnel – Change to Passthrough
- ICMPv4 – Change to Passthrough
- ICMPv6 – Change to Passthrough
- DHCPv4 – Change to Passthrough
Once you’ve changed these settings, you can navigate back to Ethernet, IPv4, and IPv6 to provide a list of addresses to replace, or keep the default action of randomization.
After all configurations have been changed, click on the Execute button. This will modify the capture according to the settings we’ve created above and generate a new file in the directory where the original file is located. This new file will be named filename_anon.extension.
In this case, you can see that the IP addresses and MAC addresses have been changed while maintaining the integrity of all data from layer 4 up.
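To show what the L2/L3-only rewrite above actually does to the bytes, here is an added Python example (not TraceWrangler’s code): it substitutes MACs and IPv4 addresses in a classic pcap using a keyed-hash mapping, so one real address always becomes the same fake address across the whole capture, and it recomputes the IPv4 and TCP checksums (the TCP pseudo-header covers both addresses) so the result still dissects cleanly, while every byte after the TCP header stays exactly as captured. It assumes a little-endian classic .pcap (not .pcapng) with untagged, untruncated Ethernet II frames; IPv6 and UDP are not handled here. The key, the sample frame and its HTTP payload are constructed for the example, reusing the addresses quoted in the post.

```python
import hashlib
import hmac
import struct

def replacement(key, raw):
    # Keyed hash: one real address -> one fake address under a given key, so flows stay correlatable.
    return hmac.new(key, raw, hashlib.sha256).digest()[:len(raw)]

def checksum(data):
    # RFC 1071 ones'-complement sum (odd length zero-padded); returns 0 over data whose checksum field is valid.
    total = sum(struct.unpack("!%dH" % ((len(data) + 1) // 2), data + b"\x00" * (len(data) % 2)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def fix_checksums(frame):
    # New addresses invalidate the IPv4 header checksum and the TCP checksum; payload bytes are not touched.
    l4, end, proto = 14 + (frame[14] & 0x0F) * 4, 14 + struct.unpack("!H", frame[16:18])[0], frame[23]
    frame[24:26] = struct.pack("!H", checksum(bytes(frame[14:24]) + b"\x00\x00" + bytes(frame[26:l4])))
    if proto == 6:
        pseudo = bytes(frame[26:34]) + b"\x00\x06" + struct.pack("!H", end - l4)
        seg = bytes(frame[l4:l4 + 16]) + b"\x00\x00" + bytes(frame[l4 + 18:end])
        frame[l4 + 16:l4 + 18] = struct.pack("!H", checksum(pseudo + seg))
    return frame

def anonymize_frame(frame, key):
    frame = bytearray(frame)
    for off in (0, 6):                                   # destination, source MAC
        frame[off:off + 6] = replacement(key, bytes(frame[off:off + 6]))
        frame[off] = (frame[off] | 0x02) & 0xFE          # keep it a locally administered unicast MAC
    if frame[12:14] == b"\x08\x00":                      # untagged Ethernet II carrying IPv4
        for off in (26, 30):                             # source, destination IPv4 address
            frame[off:off + 4] = replacement(key, bytes(frame[off:off + 4]))
        fix_checksums(frame)
    return bytes(frame)

def anonymize_pcap(data, key):
    # Classic little-endian pcap: 24-byte file header, then 16-byte record headers each followed by a frame.
    out, pos = bytearray(data[:24]), 24
    while pos < len(data):
        n = struct.unpack("<IIII", data[pos:pos + 16])[2]             # incl_len
        out += data[pos:pos + 16] + anonymize_frame(data[pos + 16:pos + 16 + n], key)
        pos += 16 + n
    return bytes(out)

def sample_frame():
    # Constructed frame with the post's addresses: Ethernet II, IPv4, TCP to port 80, HTTP GET payload.
    raw = bytes.fromhex("408b07ab3880 2477030cca9c 0800 4500004e 00014000 40060000 c0a8000a dc7f740b"
                        "c7380050 00000001 00000001 5018ffff 00000000")   # checksum fields zeroed, filled below
    return bytes(fix_checksums(bytearray(raw + b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")))
```

On a real capture this is anonymize_pcap(open(path, "rb").read(), key) written back out as a new file. Generate the key fresh per capture and keep it out of the recipient’s hands, since anyone holding it can confirm guesses about which real address a fake one stands for.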