Wireshark-dev: Re: [Wireshark-dev] Feature Request
From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Thu, 23 Jul 2009 15:28:33 +0200
Kevin,
 
Yes, this is definitely worthy of a feature request. In fact, the developers have discussed this option at Sharkfest in great depth. Please feel comfortable to add it to the list.
 
In general, there are many caveats in implementing anonymization. It should be handled per protocol, taking into account that certain data can be segmented across multiple frames. It can be compressed or encapsulated. Certain lower layer data can be present in higher layer protocols. So in the end, if it is implemented, it should be used with great caution. A false sense of security is worse than having no security at all (which of course can be disputed ;-)).
 
As for masking IP addresses: of course it is easy to alter the src and dst IP addresses of packets, but what to do with the ICMP unreachable messages? And the PORT command of an FTP session? Or the X-Forwarded-For header in HTTP? And should IP addresses be changed the same way on all protocol levels?
 
We really need this feature IMHO, but it is pretty complex to implement it properly unfortunately.
 
Cheers,
 
 
Sake
 
PS   Have a look at the bittwist "suite", it contains bittwiste which could alter MAC addresses, IP addresses, ports etc. of packets, so that might suit your needs, but be aware of the higher layers that might still contain the things you were trying to mask (http://bittwist.sourceforge.net/).
 
----- Original Message -----
Sent: Thursday, July 23, 2009 2:22 PM
Subject: [Wireshark-dev] Feature Request

I'd like to add a feature request to the list in the wiki. As per the rules listed there, I'd like to know from the devs if this idea is something worthy of a feature request.

A lot of times, Wireshark captures get uploaded to the internet for others to view/compare/analyze. However, there are many times when a log of IP addresses and MAC addresses could be detrimental. Therefore, I'm suggesting an easy way (one click perhaps?) to anonymize the data. Unique IPs and MACs would have to be replaced with something such as 1.1.1.1 and 1.1.1.2, etc... and maintained throughout the results.

Granted, this would not be useful for every occasion or user but I think that it would be a welcome addition that would benefit a great number of users.

Thanks,
Kevin

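To make Kevin's request and Sake's caveats concrete, here is an added example (my own code, not Wireshark's, not bittwist's, and not from anyone in this thread): a small Python pseudonymizer that rewrites MAC and IPv4 addresses in a classic pcap with a consistent first-seen mapping, recomputes the IP header checksum, and then scans what is left of each packet for address material the header rewrite never touched. The three-frame capture, the addresses (192.168.1.10, 203.0.113.x, 172.16.5.77) and the MACs are constructed inline for the example; the replacement ranges 10.0.0.0/8 and 02:00:00:xx:xx:xx are my choice, not something proposed on the list.

```python
# Added example: a consistent pcap pseudonymizer plus a leak check for the higher layers.
# Not Wireshark or bittwist code; the pcap, addresses and MACs below are constructed.
import ipaddress
import re
import struct

DOTTED = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")      # ASCII IPv4 literal, e.g. X-Forwarded-For
FTP_PORT = re.compile(rb"\bPORT (?:\d{1,3},){5}\d{1,3}")  # FTP active-mode PORT h1,h2,h3,h4,p1,p2

def ip_checksum(hdr):
    """RFC 1071 ones'-complement sum over an IPv4 header; returns 0 for a header that verifies."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

class Pseudonymizer:
    """First seen, first assigned: every occurrence of an address maps to the same fake value."""
    def __init__(self, ip_base="10.0.0.0", mac_prefix=b"\x02\x00\x00"):  # locally administered MACs
        self.ip_map, self.mac_map = {}, {}
        self.ip_base, self.mac_prefix = int(ipaddress.IPv4Address(ip_base)), mac_prefix

    def ip(self, raw):   # setdefault stores the fresh value only the first time raw is seen
        return self.ip_map.setdefault(raw, ipaddress.IPv4Address(self.ip_base + len(self.ip_map) + 1).packed)

    def mac(self, raw):
        return self.mac_map.setdefault(raw, self.mac_prefix + (len(self.mac_map) + 1).to_bytes(3, "big"))

    def rewrite_frame(self, frame):
        """Rewrite the Ethernet and IPv4 addresses of one untagged frame; return (frame, L4 payload)."""
        b = bytearray(frame)
        b[0:6], b[6:12] = self.mac(bytes(b[0:6])), self.mac(bytes(b[6:12]))
        if b[12:14] != b"\x08\x00" or len(b) < 34:
            return bytes(b), b""            # ARP, IPv6, VLAN-tagged frames pass through UNMASKED
        ihl = (b[14] & 0x0F) * 4
        b[26:30], b[30:34] = self.ip(bytes(b[26:30])), self.ip(bytes(b[30:34]))
        b[24:26] = b"\0\0"                  # zero, then recompute the header checksum
        b[24:26] = struct.pack("!H", ip_checksum(bytes(b[14:14 + ihl])))
        return bytes(b), bytes(b[14 + ihl:])

    def find_leaks(self, payload):
        """Report address material the rewrite never touched: ASCII literals, FTP PORT arguments,
        and raw copies of mapped addresses (e.g. the IP header quoted inside an ICMP error)."""
        leaks = [m.group(0).decode() for m in DOTTED.finditer(payload)]
        leaks += [m.group(0).decode() for m in FTP_PORT.finditer(payload)]
        return leaks + ["raw " + str(ipaddress.IPv4Address(r)) for r in self.ip_map if r in payload]

def pcap_records(data):
    """Yield (record_header, frame) from a classic pcap whose link type is Ethernet."""
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if e is None or struct.unpack(e + "I", data[20:24])[0] != 1:
        raise ValueError("expected an Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(e + "IIII", data[off:off + 16])[2]
        yield data[off:off + 16], data[off + 16:off + 16 + incl]
        off += 16 + incl

def anonymize_pcap(data, anon=None):
    """Return (rewritten pcap, {packet index: leaks still present in its payload}, mapping used)."""
    anon, out, leaks = anon or Pseudonymizer(), [data[:24]], {}
    for idx, (rec, frame) in enumerate(pcap_records(data)):
        new_frame, payload = anon.rewrite_frame(frame)
        found = anon.find_leaks(payload)
        if found:
            leaks[idx] = found
        out += [rec, new_frame]
    return b"".join(out), leaks, anon

# Constructed sample capture covering the three cases Sake names: XFF header, FTP PORT, ICMP error.
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def _tcp(sport, dport, payload):  # minimal TCP header; its checksum is left 0 in this sample
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload

def _pcap(*frames):               # little-endian pcap global header + one record per frame
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out += [struct.pack("<IIII", 1248345600 + i, 0, len(f), len(f)), f]
    return b"".join(out)

CLIENT, SERVER, ROUTER = "192.168.1.10", "203.0.113.5", "203.0.113.1"
MAC_A, MAC_B = bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455")
_http = _tcp(40000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 172.16.5.77\r\n\r\n")
_ftp = _tcp(40001, 21, b"PORT 192,168,1,10,156,64\r\n")
_quoted = _ipv4(CLIENT, SERVER, 17, b"\x9c\x40\x00\x35\x00\x08\x00\x00")  # datagram the ICMP error quotes
_icmp = struct.pack("!BBHI", 3, 3, 0, 0) + _quoted[:28]                   # type 3 code 3: port unreachable
SAMPLE_PCAP = _pcap(
    MAC_B + MAC_A + b"\x08\x00" + _ipv4(CLIENT, SERVER, 6, _http),   # dst MAC, src MAC, ethertype
    MAC_B + MAC_A + b"\x08\x00" + _ipv4(CLIENT, SERVER, 6, _ftp),
    MAC_A + MAC_B + b"\x08\x00" + _ipv4(ROUTER, CLIENT, 1, _icmp),
)
```

Run against the sample, `anonymize_pcap(SAMPLE_PCAP)` maps 192.168.1.10 to 10.0.0.1, 203.0.113.5 to 10.0.0.2 and 203.0.113.1 to 10.0.0.3 in every IP header, with valid header checksums, yet reports that packet 0 still carries 172.16.5.77 in its X-Forwarded-For header, packet 1 still carries `PORT 192,168,1,10,156,64`, and packet 2 (the ICMP unreachable) still quotes the original 192.168.1.10 and 203.0.113.5 in the copied IP header. That is Sake's point in code: the one-click rewrite is the easy part. Note what this deliberately does not do: it leaves ARP, IPv6 and VLAN-tagged frames unmasked, does not fix TCP/UDP checksums that the pseudo-header change invalidates, and its leak scan is heuristic (it cannot see addresses inside compressed or reassembled payloads), so treat its report as a hint list, not a proof of anonymity.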

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe