Tuesday, September 25, 2012

Cool Tool - Anonymizing Network Captures with Bit-Twist

I spend a great deal of my professional time working with network data captures (in other words, grabbing network packets off the wire and looking at them), and my tool of choice is Wireshark, the open-source network analyzer.  I've been encountering a particular problem recently, however, and Wireshark just can't do the job.  Tonight, I found an answer.

Obviously, network data is chock-full of sensitive data, so I'm rarely able to share my work with folks outside my company.  Even the IP addresses of particular systems would be useful information to crackers, cyberbullies or other nefarious types.  So, then, how to "anonymize" network data captures so that I might share them more openly, use them in presentations, etc.?

Bit-Twist does the job.  It's a general-purpose Ethernet packet generator built on the same libpcap library that Wireshark, tcpdump and most other capture/analysis packages use.  Its intended use is to "replay" capture files back onto the network in order to drive testing...BUT it also ships an editor, bittwiste, that can rewrite the IP addresses in a capture file.  This makes total sense from a testing standpoint, in that one might wish to direct the same network stream(s) against multiple test systems, but it also means that the addresses in one's capture files can be anonymized.  Two caveats: only the IP header fields are rewritten (MAC addresses need a separate -T eth pass), and addresses or hostnames carried inside payloads, such as DNS answers or HTTP Host headers, are left untouched, so look the result over in Wireshark before sharing it.  It's a two-step process that, given an original file named weirdstuff.cap, looks like this:

bittwiste -I weirdstuff.cap -O tmp.cap -T ip -s ip1,new-ip1 -d ip1,new-ip1 
bittwiste -I tmp.cap -O anonymized-weirdstuff.cap -T ip -s ip2,new-ip2 -d ip2,new-ip2

Yes, it takes two passes: each bittwiste run accepts one old,new pair for the source field (-s) and one for the destination field (-d), so a single pass replaces one address wherever it appears as source or destination, and a conversation between two hosts needs one pass per address, the second pass reading the output of the first.  That's a win!
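For readers who want to see what the two bittwiste passes actually do to the file, here is an added example (my own code, not Bit-Twist's) that performs the same rewrite in one pass over a classic pcap file: it walks the records, replaces the IPv4 source and destination addresses per a mapping, and recomputes the IP header checksum and the TCP/UDP checksum, which also depends on the addresses through its pseudo-header.  The mapping, the frame builders and the three-packet sample capture are constructed for the example; the function and constant names are mine.  It handles only untagged Ethernet/IPv4 records in a classic (non-pcapng) file, and it leaves the address embedded in the first packet's payload alone, which is exactly the caveat about payload contents above.

```python
import socket
import struct
# Constructed mapping; stands in for the post's ip1->new-ip1 and ip2->new-ip2.
ADDRESS_MAP = {"10.1.2.3": "192.0.2.10", "10.1.2.4": "192.0.2.20"}
L4_CHECKSUM_OFFSET = {6: 16, 17: 6}  # byte offset of the checksum field in TCP, UDP
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # magic -> byte order

def _sum16(data):
    """One's-complement sum of 16-bit big-endian words, folded to 16 bits."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _pseudo_header(ip, proto, seg_len):
    return bytes(ip[12:20]) + struct.pack("!BBH", 0, proto, seg_len)

def rewrite_ipv4(ip, mapping):
    """Replace src/dst per mapping, then redo the IP and TCP/UDP checksums."""
    ihl, proto, total_len = (ip[0] & 0x0F) * 4, ip[9], struct.unpack("!H", ip[2:4])[0]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    pkt = bytearray(ip)
    pkt[12:16] = socket.inet_aton(mapping.get(src, src))
    pkt[16:20] = socket.inet_aton(mapping.get(dst, dst))
    pkt[10:12] = b"\x00\x00"
    pkt[10:12] = struct.pack("!H", 0xFFFF - _sum16(pkt[:ihl]))
    off, seg_len = L4_CHECKSUM_OFFSET.get(proto), total_len - ihl
    if off is not None and len(pkt) >= total_len and seg_len >= off + 2:
        seg = pkt[ihl:total_len]
        if not (proto == 17 and seg[off:off + 2] == b"\x00\x00"):  # UDP: 0 = no checksum
            seg[off:off + 2] = b"\x00\x00"
            csum = 0xFFFF - _sum16(_pseudo_header(pkt, proto, seg_len) + bytes(seg))
            csum = csum or (0xFFFF if proto == 17 else 0)  # UDP sends a zero result as 0xFFFF
            pkt[ihl + off:ihl + off + 2] = struct.pack("!H", csum)
    return bytes(pkt)

def _records(data):
    """Yield (record header, frame) for each record of a classic pcap file image."""
    order = PCAP_MAGIC.get(data[:4])
    if order is None or struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with LINKTYPE_ETHERNET (pcapng not handled)")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[pos + 8:pos + 12])[0]
        yield data[pos:pos + 16], data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def anonymize_pcap(data, mapping):
    """Rewrite every untagged Ethernet/IPv4 record in one pass; others pass through."""
    out = bytearray(data[:24])
    for rec, frame in _records(data):
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            frame = frame[:14] + rewrite_ipv4(frame[14:], mapping)
        out += rec + frame
    return bytes(out)

def ipv4_addresses(data):
    return [(socket.inet_ntoa(f[26:30]), socket.inet_ntoa(f[30:34]))
            for _, f in _records(data) if f[12:14] == b"\x08\x00"]

def checksums_ok(data):
    """True when every IPv4 header and TCP/UDP checksum in the file verifies."""
    for _, f in _records(data):
        if f[12:14] != b"\x08\x00":
            continue
        ip, ihl, proto = f[14:], (f[14] & 0x0F) * 4, f[23]
        seg = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        if _sum16(ip[:ihl]) != 0xFFFF or (proto in L4_CHECKSUM_OFFSET and
                                          _sum16(_pseudo_header(ip, proto, len(seg)) + seg) != 0xFFFF):
            return False
    return True

def build_udp_frame(src, dst, sport, dport, payload):
    """Constructed sample frame: Ethernet/IPv4/UDP with valid checksums."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp_csum = (0xFFFF - _sum16(_pseudo_header(ip, 17, len(udp)) + udp)) or 0xFFFF
    udp = udp[:6] + struct.pack("!H", udp_csum) + udp[8:]
    ip = ip[:10] + struct.pack("!H", 0xFFFF - _sum16(ip)) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + udp

def build_pcap(frames):
    """Constructed sample file: little-endian classic pcap, LINKTYPE_ETHERNET."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):  # constructed timestamps, 2012-09-25 UTC
        out += struct.pack("<IIII", 1348531200 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed capture: a two-host exchange plus an unmapped third host; the first
# payload embeds an address that no IP-header rewrite (this one or bittwiste's) touches.
SAMPLE_PCAP = build_pcap([
    build_udp_frame("10.1.2.3", "10.1.2.4", 40000, 514, b"<13>hello from 10.1.2.3"),
    build_udp_frame("10.1.2.4", "10.1.2.3", 514, 40000, b"ack"),
    build_udp_frame("10.9.9.9", "10.1.2.3", 5555, 514, b"<13>unmapped host"),
])
```

To use it on a real file, read weirdstuff.cap as bytes, pass it to anonymize_pcap with your own mapping, and write the result out.  Whatever tool does the rewriting, open the output in Wireshark with checksum validation turned on in the IPv4 and TCP/UDP protocol preferences: stale checksums are the quickest giveaway that a capture has been edited, and a payload search for the original addresses will show what the header rewrite could not reach.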

Bit-Twist is free, open-source, and available for Mac, Linux and Windows from Sourceforge.  Grab it!

Bit-Twist: Libpcap-based Ethernet packet generator


2 comments:

Unknown said...

Hey, thanks for the post; I don't get why you're doing it twice though. The first command is meant to replace ip1 with new-ip1 in both source and destination fields right? Then why do a second pass? Also, in the second pass, what does ip2 refer to? Thanks!

Unknown said...

maybe there are two different streams....