On Mar 6, 2007, at 4:00 PM, Shehjar Tikoo wrote:
Here's the first version of the NFS anonymizer as a tshark tap.
http://www.gelato.unsw.edu.au/~shehjart/patches/nfs_anonymizer_tap.diff
...
+static int
+anonymize_nfsdata(tvbuff_t *tvb, int offset)
+{
+ guint8 *tvb_ptr = NULL;
+ guint length = tvb_length(tvb) - offset - 4;
+
+ tvb_ptr = tvb_get_ptr(tvb, offset + 4, length);
+ if(tvb_ptr)
+ bzero(tvb_ptr, length);
+
+ return offset + length + 4;
+}
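Review bot: `length = tvb_length(tvb) - offset - 4` is unsigned and underflows to a huge value when fewer than 4 bytes follow `offset`, and it ignores the 4-byte length prefix that the `offset + 4` arithmetic implies, so the function zeroes everything up to the end of the tvbuff instead of just the string. Read the declared length with `tvb_get_ntohl(tvb, offset)`, check it against `tvb_length_remaining(tvb, offset + 4)`, and advance by the 4-byte-padded size. The `if(tvb_ptr)` test is also ineffective: `tvb_get_ptr()` throws a bounds exception rather than returning NULL, and it returns a pointer to const data, so `bzero()` through it writes into a buffer Wireshark treats as read-only; copy the bytes out and clear the copy (with `memset`, which is standard) instead.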
Wireshark doesn't support overwriting the contents of a tvbuff; it's
read-only, and there are parts of Wireshark that expect it not to be
modified. You *might* be able to get away with it in TShark.
Furthermore, even if you do cheat by converting the "const char *"
that "tvb_get_ptr()" returns into a "char *", and then overwrite what
the "char *" points to, all you're doing is overwriting an in-memory
buffer - that would "anonymize" in the sense of not displaying the
actual value of the field, but if you try to save the file, the
resulting file won't be anonymized. If all you're doing is taking a
capture and dissecting it with TShark, and just want the dissection to
be anonymized, that might be sufficient.
Also:
1) I don't know what type of benchmarking you're doing, but if it
involves knowing what's being done to specific files, a fancier
anonymizer could build a table mapping "real" file names to
"anonymized" file names, so that all references to a file name "foo"
would be mapped to the same anonymized name;
2) nothing about this code restricts it to pcap files - nothing in
Wireshark/TShark above the wiretap level knows or cares what the file
format is, they just see the packet data;
3) if you are trying to capture NFS-over-TCP traffic and want to
eliminate ACK-only traffic, you can do that with a capture filter as
long as you know the TCP port on the server (2049, except in rare
cases) by filtering out packets with no TCP payload - see, for example:
http://www.tcpdump.org/lists/workers/2005/11/msg00027.html
(replace "tcp" with "tcp port 2049" in that example).
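As an added illustration of points 1 and 2 above (not code from Shehjar's patch or from Wireshark), here is a small Python anonymizer that keeps a table mapping real file names to stable pseudonyms of the same length and rewrites an XDR string without touching the input buffer. It assumes the usual XDR framing for NFS names (4-byte big-endian length, the bytes, then zero padding to a multiple of 4), which is the same framing the patch's `offset + 4` arithmetic reflects; the key, class and function names, and the sample names are constructed for the example.

```python
import hashlib
import hmac
import struct

# Alphabet for pseudonyms: keeps anonymized names valid as file names.
ALPHABET = b"abcdefghijklmnopqrstuvwxyz0123456789"


class NfsNameAnonymizer:
    """Maps real NFS file names to stable pseudonyms of the same length.

    The mapping table makes every reference to the same real name come out
    as the same pseudonym, so per-file access patterns survive anonymization
    while the names themselves do not.
    """

    def __init__(self, key):
        self.key = key      # secret key: same key => same pseudonyms across runs
        self.table = {}     # real name (bytes) -> pseudonym (bytes)

    def pseudonym(self, name):
        if name in self.table:
            return self.table[name]
        # Derive a keyed digest stream and expand it to cover the name's length.
        stream = b""
        counter = 0
        while len(stream) < len(name):
            msg = name + struct.pack(">I", counter)
            stream += hmac.new(self.key, msg, hashlib.sha256).digest()
            counter += 1
        pseudo = bytes(ALPHABET[b % len(ALPHABET)] for b in stream[: len(name)])
        self.table[name] = pseudo
        return pseudo

    def anonymize_xdr_string(self, buf, offset):
        """Return (new_buf, next_offset) with the XDR string at buf[offset:] replaced.

        Assumed XDR framing: 4-byte big-endian length, the bytes, then zero
        padding up to a multiple of 4. The input is never modified in place;
        a new buffer is built and has to be written out to a new capture file.
        """
        if len(buf) < offset + 4:
            raise ValueError("truncated XDR length field")
        (length,) = struct.unpack_from(">I", buf, offset)
        padded = (length + 3) & ~3
        end = offset + 4 + padded
        if len(buf) < end:
            raise ValueError("XDR string runs past end of buffer")
        data = buf[offset + 4 : offset + 4 + length]
        pseudo = self.pseudonym(data)
        # Keep the length prefix and the original padding bytes; swap only the name.
        new_buf = buf[: offset + 4] + pseudo + buf[offset + 4 + length : end] + buf[end:]
        return new_buf, end


def encode_xdr_string(s):
    """Build constructed sample input: XDR-encode a byte string."""
    padded = (len(s) + 3) & ~3
    return struct.pack(">I", len(s)) + s + b"\x00" * (padded - len(s))


if __name__ == "__main__":
    anon = NfsNameAnonymizer(b"constructed-demo-key")
    # Constructed sample: two LOOKUP-style name arguments back to back.
    sample = encode_xdr_string(b"foo") + encode_xdr_string(b"passwd")
    out, off = anon.anonymize_xdr_string(sample, 0)
    out, off = anon.anonymize_xdr_string(out, off)
    print(out, anon.table)
```

Because the pseudonym has the same length as the original, the XDR length field and padding are unchanged and the packet stays parseable; because the rewrite returns a fresh buffer, the result only persists if it is written to a new capture file, which is the reply's point about overwriting a tvbuff in memory.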