Sanitizing and anonymizing PCAP or PCAPng files is often necessary to be able to share information about attack vectors, security problems or incidents in general. While it may seem simple to replace IP addresses or ports, there are still quite a number of network packet details that are hard to replace. This technical talk will shed light on where those troublemakers are encountered and how to get around them.
When sanitizing/anonymizing PCAPs (or the newer, better, but also much more complex PCAPng network capture file format) there are a ton of problems to run into: replacements need to be consistent, checksums need to be recalculated sometimes but not always, and IPv6 has dependencies on MAC addresses that need to be considered as well. Additionally, protocols may be stacked on top of each other, tunneling IPv4 over IPv4 or IPv6 over IPv4, adding complexity to the replacement process. And finally, sanitizing TCP payloads is a certifiable nightmare because you never quite know what you're looking at, and the data segments may require reassembly/unpacking before you can do anything. It's easy to break sequence numbers, unless every replacement is exactly the same size as the original value. This talk will take a closer look at some of the typical problems that come up when sanitizing/anonymizing network packet captures, and at tools that can help with getting reasonable results.
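As an added illustration (not code from the talk or its author), a stdlib-only Python sketch of two of the problems above: keeping address replacements consistent across packets, and recomputing both the IPv4 header checksum and the TCP checksum, whose pseudo-header also covers the addresses. It assumes untagged Ethernet II frames carrying option-less IPv4 with TCP; the 10.0.0.0/24 replacement range and the sample frames are constructed for the example.

```python
import struct
from socket import inet_aton, inet_ntoa

ETH_LEN, IP_LEN = 14, 20  # untagged Ethernet II; IPv4 header without options

def csum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words (0 when data verifies)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src, dst, sport, dport, payload):
    """Constructed sample: Ethernet II / IPv4 / TCP frame with valid checksums."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + 20 + len(payload), 0x1234,
                     0x4000, 64, 6, 0, inet_aton(src), inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = inet_aton(src) + inet_aton(dst) + struct.pack("!BBH", 0, 6, 20 + len(payload))
    tcp = tcp[:16] + struct.pack("!H", csum(pseudo + tcp + payload)) + tcp[18:]
    return eth + ip + tcp + payload

def checksums_valid(frame):
    """True when both the IPv4 header checksum and the TCP checksum verify."""
    ip = frame[ETH_LEN:ETH_LEN + IP_LEN]
    total_len = struct.unpack("!H", ip[2:4])[0]
    seg = frame[ETH_LEN + IP_LEN:ETH_LEN + total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(seg))
    return csum(ip) == 0 and csum(pseudo + seg) == 0

class Anonymizer:
    """Consistent remapping: one original address always gets the same replacement."""
    def __init__(self):
        self.mapping = {}  # survives across packets, so both directions of a flow line up

    def replace(self, addr):
        if addr not in self.mapping:
            self.mapping[addr] = "10.0.0.%d" % (len(self.mapping) + 1)  # constructed range
        return self.mapping[addr]

    def sanitize(self, frame):
        ip = bytearray(frame[ETH_LEN:ETH_LEN + IP_LEN])
        if ip[0] != 0x45 or ip[9] != 6:
            raise ValueError("example handles only option-less IPv4 carrying TCP")
        ip[12:16] = inet_aton(self.replace(inet_ntoa(bytes(ip[12:16]))))
        ip[16:20] = inet_aton(self.replace(inet_ntoa(bytes(ip[16:20]))))
        ip[10:12] = b"\x00\x00"
        ip[10:12] = struct.pack("!H", csum(ip))  # header checksum covers the new addresses
        total_len = struct.unpack("!H", ip[2:4])[0]
        seg = bytearray(frame[ETH_LEN + IP_LEN:ETH_LEN + total_len])
        seg[16:18] = b"\x00\x00"
        pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(seg))  # pseudo-header too
        seg[16:18] = struct.pack("!H", csum(pseudo + seg))
        return frame[:ETH_LEN] + bytes(ip) + bytes(seg) + frame[ETH_LEN + total_len:]
```

Because the replacement is the same size as the original, sequence numbers and payload offsets are untouched; a full tool would also have to handle the MAC address and IPv6 cases the abstract mentions.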