Sanitizing PCAPs: Fun and games until someone uses IPv6 or TCP

Presented at 32C3 (2015), Dec. 28, 2015, 11 p.m. (60 minutes)

Sanitizing and anonymizing PCAP or PCAPng files is often necessary in order to share information about attack vectors, security problems or incidents in general. While replacing IP addresses or ports may seem simple, there are quite a number of network packet details that are hard to replace. This technical talk sheds light on where those troublemakers are encountered and how to get around them.

When sanitizing/anonymizing PCAPs (or the newer, better, but also much more complex PCAPng network capture file format) there are a ton of problems to run into: replacements need to be consistent across the whole capture, checksums need to be recalculated sometimes but not always (a packet captured with an offloaded, i.e. wrong, checksum should stay wrong), and IPv6 has dependencies on MAC addresses that need to be considered as well, because EUI-64 link-local and SLAAC addresses embed the interface's MAC. Additionally, protocols may be stacked on top of each other, tunneling IPv4 over IPv4 or IPv6 over IPv4, adding complexity to the replacement process. And finally, sanitizing TCP payloads is a certifiable nightmare because you never quite know what you're looking at, and the data segments may require reassembly/unpacking before you can do anything. It's easy to break sequence numbers, unless every replacement is exactly the same size as the original value. This talk takes a closer look at some of the typical problems that come up when sanitizing/anonymizing network packet captures, and at tools that can help with getting reasonable results.
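The four problems the abstract lists (consistent replacement, checksum recalculation, MAC-derived IPv6 addresses and size-preserving payload edits) as an added example in pure-stdlib Python; this is not code from the talk or from any tool it covers. The sample packet is constructed inline, the 10.0.0.x replacement pool and all function names are assumptions made for the example, and only IPv4/TCP without options and the EUI-64 link-local case are handled.

```python
"""Consistent, checksum-correct PCAP sanitization primitives (added example,
pure stdlib). Works on IPv4/TCP packets without IP or TCP options."""
import struct
import socket
import ipaddress


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_checksums(pkt: bytes) -> bytes:
    """Recompute the IPv4 header checksum and the TCP checksum (pseudo-header included)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip = bytearray(pkt[:ihl])
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    tcp = bytearray(pkt[ihl:])
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", ones_complement_sum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)


def checksums_ok(pkt: bytes) -> bool:
    """A correct checksum, summed together with its own field, yields zero."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(ip) == 0 and ones_complement_sum(pseudo + tcp) == 0


def build_ipv4_tcp(src, dst, sport, dport, seq, payload: bytes) -> bytes:
    """Constructed sample: IPv4/TCP packet (no Ethernet header), PSH|ACK, no options."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return fix_checksums(ip + tcp)


def sanitize_ipv4_tcp(pkt: bytes, ip_map: dict) -> bytes:
    """Replace both IPv4 addresses consistently: the same original address always
    gets the same replacement. ip_map persists across packets so every packet
    of a flow (and every flow sharing a host) stays consistent. Unknown addresses
    are assigned 10.0.0.N (assumed replacement pool for this example)."""
    out = bytearray(pkt)
    for off in (12, 16):
        old = socket.inet_ntoa(bytes(out[off:off + 4]))
        if old not in ip_map:
            ip_map[old] = "10.0.0.%d" % (len(ip_map) + 1)
        out[off:off + 4] = socket.inet_aton(ip_map[old])
    return fix_checksums(bytes(out))


def replace_payload(pkt: bytes, old: bytes, new: bytes) -> bytes:
    """Replace a value inside the TCP payload. Size-changing replacements are
    refused: they would desynchronise the sequence/ack numbers of every later
    segment in the stream and invalidate the IP total length of this one."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the segment length")
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    hdr, payload = pkt[:ihl + doff], pkt[ihl + doff:]
    return fix_checksums(hdr + payload.replace(old, new))


def eui64_link_local(mac: str) -> str:
    """fe80::/64 address SLAAC derives from a MAC: flip the U/L bit, insert ff:fe."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def sanitize_ipv6_for_mac(ip6: str, old_mac: str, new_mac: str) -> str:
    """If ip6 is the link-local address derived from old_mac it leaks the original
    MAC, so it must follow the MAC replacement; other addresses are left alone."""
    if ipaddress.IPv6Address(ip6) == ipaddress.IPv6Address(eui64_link_local(old_mac)):
        return eui64_link_local(new_mac)
    return ip6


if __name__ == "__main__":
    pkt = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, 1000,
                         b"GET /secret HTTP/1.1\r\nHost: victim.example\r\n\r\n")
    mapping = {}
    clean = replace_payload(sanitize_ipv4_tcp(pkt, mapping), b"victim.example", b"redact.example")
    print(mapping, checksums_ok(clean))
    print(sanitize_ipv6_for_mac("fe80::2aa:bbff:fecc:ddee", "00:aa:bb:cc:dd:ee", "02:00:00:00:00:01"))
```

A real sanitizer would read the PCAP/PCAPng record headers and the Ethernet layer first, decide per packet whether the original checksum was valid before deciding to recompute it, and walk encapsulations (IP-in-IP, 6in4) so that inner headers get the same mapping as outer ones; the functions above are the per-header building blocks such a loop calls.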


Presenters:

  • Jasper Bongertz
    Jasper Bongertz is a Senior Technical Consultant and started working freelance in 1992 while he began studying computer science at the Technical University of Aachen. In 2013, he joined Airbus Defence and Space CyberSecurity, focusing on IT security, Incident Response and Network Forensics. He is also the author of a large training portfolio with a special focus on Wireshark, now owned by Fast Lane GmbH. Jasper holds the Sniffer Certified Professional (SCP) and VMware Certified Professional (VCP3/4/5) certifications and was a VMware Certified Instructor (VCI) until January 2014.