On Fri, Nov 27, 2009 at 10:25:06AM -0800, Guy Harris wrote:
>
> On Nov 27, 2009, at 4:22 AM, WATT DAVE wrote:
> > Can Wireshark do any of this?
> >
> No.
>
> You'd have to write your own application to do that.

Or make use of tools that others have written. Have a look at bittwist
(http://bittwist.sourceforge.net/). In this suite, the program bittwiste
is capable of editing libpcap files. One of the options is:

    -L layer
        Copy up to the specified layer and discard the remaining data.
        Value for layer must be either 2, 3 or 4 where 2 for Ethernet, 3
        for ARP or IP, and 4 for ICMP, TCP or UDP.

You can do a few other runs to change IP addresses with '-T ip'
and:

    -s sip or oip,nip
        Source IP address. Example: -s 192.168.0.1
        If oip and nip are specified instead, all occurences of
        oip in the source IP address field will be replaced with
        nip.

    -d dip or oip,nip
        Destination IP address. Example: -d 192.168.0.2
        If oip and nip are specified instead, all occurences of
        oip in the destination IP address field will be replaced
        with nip.

However, bittwiste does not like vlan-tags, so you should make traces
without 802.1q headers.

You can also have a look at tcpreplay (http://tcpreplay.synfin.net/trac/)
although I (shamefully) have to admit I have not used it yet myself.

Apart from that, there has been quite an extensive discussion about
packet scrubbing at Sharkfest'09. Bottom line of the discussion was that
it's very difficult to do right 100% and it's even worse than no
scrubbing at all if people rely on it and it's not done right. So the
idea of implementing scrubbing is kind of 'parked' at the moment...

Hope this helps,
Cheers,
Sake
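
Added example (not part of the original message, and not bittwiste's own code): the idea behind '-L 4', cutting each record of a classic pcap file at the end of the ICMP/TCP/UDP header, in standard-library Python. The function names, the constructed sample capture and the choice to drop frames it cannot parse (802.1Q-tagged ones included) are assumptions of this example.

```python
import struct

def l4_header_end(frame):
    """Offset just past the ICMP/TCP/UDP header, or None when the frame is not
    plain Ethernet II + IPv4 (an 802.1Q tag, ethertype 0x8100, ends up here)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    l4, proto = 14 + ihl, frame[23]
    if ihl < 20:
        return None
    if proto == 6 and len(frame) >= l4 + 13:   # TCP: data offset, high nibble
        end = l4 + (frame[l4 + 12] >> 4) * 4
    elif proto in (1, 17):                     # ICMP, UDP: 8-byte header
        end = l4 + 8
    else:
        return None
    return end if end <= len(frame) else None

def strip_payloads(pcap):
    """Return (new_pcap, dropped). Unparseable frames are dropped (an assumption
    of this example), never copied through with their payload intact."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    out, pos, dropped = bytearray(pcap[:24]), 24, 0
    while pos + 16 <= len(pcap):
        sec, usec, incl, orig = struct.unpack(order + "4I", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        end = l4_header_end(frame)
        if end is None:
            dropped += 1
            continue
        out += struct.pack(order + "4I", sec, usec, end, orig) + frame[:end]
    return bytes(out), dropped

def build_sample():
    # Constructed capture: one TCP segment with payload, plus a VLAN-tagged copy.
    ip = bytes([0x45, 0, 0, 46]) + bytes(5) + b"\x06" + bytes(2) \
         + bytes([192, 168, 0, 1, 192, 168, 0, 2])
    rest = ip + bytes(12) + b"\x50" + bytes(7) + b"secret"
    frames = [bytes(12) + b"\x08\x00" + rest,
              bytes(12) + b"\x81\x00\x00\x64\x08\x00" + rest]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<4I", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    print("dropped frames:", strip_payloads(build_sample())[1])
```

The addresses 192.168.0.1 and 192.168.0.2 are still present in the output after the cut, which is why the message pairs -L with the -s and -d rewrites.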