tcpdump/argus anonymizer

Carter Bullard carter at qosient.com
Wed Sep 20 08:04:42 EDT 2000


Hey Peter,
Looks like it fails on a partial fragment that contains only
1 packet.  Maybe that will be enough.

I did start on a tcpdump anonymizer and got pretty far along,
at least I can read them, and write them back out
with no problems, and I can change the times in all
the packets.  This is going to be a major effort, but I
think I'll have something early next week.

So I'm going to give someone the opportunity to change all
the MAC and IP addresses, change the times and zero out
user data above the transport headers for the protocols
that tcpdump supports.

So I'll read in every packet to get the MAC and IP address
inventory, and then formulate a conversion table.  The
conversion will try to preserve the address hierarchy, so
relationships between hosts can be preserved.  So broadcast
and multicast addresses will be preserved, but the actual
addresses will be different.  For MAC addresses, I'll keep
the vendor ID, and the multicast addresses intact.

Do we want to change ports?

Rather than try to be clever modifying IP addresses in
things like DNS requests and answers, I'll just limit the
first pass to anonymize after the transport headers.

I'll recalculate cksums so that the new packets are all valid
packets.  I'll write specified strings into user data areas.
I'll try to truncate the packets, but if I can't I'll just
write in a repeating string when I need to write over user
data.

The same logic will apply to argus records, so this is not
wasted time.

Can you think of anything else?

Carter
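
A sketch of the plan above in Python, added here as an illustration and not code from Carter or the argus project: the IP mapping preserves the address hierarchy and leaves multicast/broadcast alone, the MAC mapping keeps the vendor OUI and group addresses intact, the user data above the UDP header is overwritten with a repeating string, and the IP and UDP checksums are recomputed so the packet stays valid. It assumes a single Ethernet/IPv4/UDP frame (constructed inline, not captured traffic), a constructed demo key, HMAC-SHA256 as the keyed mapping function, and leaves ports unchanged.

```python
import struct, hmac, hashlib

KEY = b"constructed-demo-key"  # constructed; use a fresh random key for every data set released

def anon_ip(ip: bytes) -> bytes:
    """Hierarchy-preserving: each new octet depends only on KEY and the ORIGINAL octets before it."""
    if ip[0] >= 224 or ip == b"\0\0\0\0":   # multicast, broadcast, unspecified: keep as-is
        return bytes(ip)
    out = bytearray()
    for i, o in enumerate(ip):
        k = hmac.new(KEY, b"ip" + ip[:i], hashlib.sha256).digest()[0]
        # first octet is rotated inside 1..223 so no unicast host turns into multicast/reserved
        out.append(((o - 1 + k) % 223) + 1 if i == 0 else o ^ k)
    return bytes(out)

def anon_mac(mac: bytes) -> bytes:
    """Keep the vendor OUI and every group (multicast/broadcast) address; rekey the NIC part."""
    return bytes(mac) if mac[0] & 1 else mac[:3] + hmac.new(KEY, b"mac" + mac, hashlib.sha256).digest()[:3]

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over data whose checksum field is already valid."""
    data += b"\0" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def anon_frame(frame: bytes, fill: bytes = b"X") -> bytes:
    """Rewrite MACs/IPs, overwrite the UDP payload with a repeating string, fix both checksums."""
    f = bytearray(frame)
    f[0:6], f[6:12] = anon_mac(f[0:6]), anon_mac(f[6:12])
    if f[12:14] != b"\x08\x00":
        return bytes(f)                      # non-IPv4: MAC rewrite only
    ihl = (f[14] & 0x0F) * 4
    f[26:30], f[30:34] = anon_ip(f[26:30]), anon_ip(f[30:34])
    f[24:26] = struct.pack("!H", inet_checksum(f[14:24] + b"\0\0" + f[26:14 + ihl]))
    if f[23] != 17:
        return bytes(f)                      # only UDP payloads are scrubbed in this example
    u = 14 + ihl                             # start of the UDP header
    ulen = struct.unpack("!H", f[u + 4:u + 6])[0]
    f[u + 8:u + ulen] = (fill * ulen)[:ulen - 8]
    pseudo = f[26:34] + b"\0\x11" + f[u + 4:u + 6]   # src, dst, zero, proto, UDP length
    f[u + 6:u + 8] = struct.pack("!H", inet_checksum(
        pseudo + f[u:u + 6] + b"\0\0" + f[u + 8:u + ulen]) or 0xFFFF)
    return bytes(f)

def sample_frame() -> bytes:  # constructed frame, not captured traffic: 10.1.2.3:1603 -> 10.1.9.9:1755/udp
    udp = struct.pack("!HHHH", 1603, 1755, 8 + 24, 0) + b"user data to be scrubbed"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, bytes([10, 1, 2, 3]), bytes([10, 1, 9, 9]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return bytes.fromhex("00501e112233000c29aabbcc0800") + ip + udp
```

Running the same frame through twice gives the same result, so relationships between hosts survive across a whole trace while the real addresses do not.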



-----Original Message-----
From: Peter Van Epp [mailto:vanepp at sfu.ca]
Sent: Wednesday, September 20, 2000 12:07 AM
To: Carter Bullard
Subject: Re: argus-2.0.0g


Yep, looks like there is a problem.  This is my funny frags file and
1.8 is really the latest 1.8.1 and 2.0 is a just-fetched copy of 2.0.0g:

test1# 1.8/argus_bpf -r tcpdump.test -w - | 1.8/ra -c -n >1.8.out

1325 packets recv'd by filter
0 packets dropped by kernel

test1# 2.0/argus_bpf -r tcpdump.test -w - | 2.0/ra -c -n >2.0.out
argus_bpf[14039]: 969379853.314618 : ArgusError ArgusUpdateFRAGState (0x81c8b04, 1) no extension buffer

test1# ls -l
total 2887
-rw-r--r--   1 root    wheel     1368 Sep 19 20:58 1.8.out
-rw-r--r--   1 root    wheel      961 Sep 19 20:58 2.0.out

test1# cat 1.8.out
Tue 09/19 09:10:44      man         0.0.0.0                   0.0.0.0     0     0       0         0        INT
Tue 09/19 09:10:39 frag  ip   216.33.41.160        ->  142.58.140.138 56000 pk 3  ex 7049  ob 5569  max 1480 TIM
Tue 09/19 09:10:44 frag  ip   216.33.41.160        ->  142.58.140.138 14531 pk 3  ex 7121  ob 5641  max 1480 TIM
Tue 09/19 09:10:45 frag  ip   216.33.41.160        ->  142.58.140.138 60867 pk 3  ex 7049  ob 5569  max 1480 TIM
Tue 09/19 09:10:47 frag  ip   216.33.41.160        ->  142.58.140.138 43716 pk 3  ex 7059  ob 5579  max 1480 TIM
Tue 09/19 09:10:53 frag  ip   216.33.41.160        ->  142.58.140.138 40134 pk 4  ex 7058  ob 5578  max 1480 TIM
Tue 09/19 09:11:14 frag  ip   216.33.41.160        ->  142.58.140.138 33231 pk 1  ex    0  ob 2960  max 1480 TIM
Tue 09/19 09:11:16 frag  ip   216.33.41.160        ->  142.58.140.138 27344 pk 3  ex 7058  ob 5578  max 1480 TIM
Tue 09/19 09:10:27      tcp  142.58.140.138.1601   o>   216.33.41.160.1755   17    11      2424      664      TIM
Tue 09/19 09:10:39      udp  142.58.140.138.1603   ->   216.33.41.160.1755   27    0       648       0        TIM
Tue 09/19 09:10:28  F   udp   216.33.41.160.2640   ->  142.58.140.138.1604   1250  0       3193993   0        TIM
Tue 09/19 20:58:18      man  pkts     1325  drops     0   flows active     0  closed    259                 CLO
test1#

test1# cat 2.0.out
19 Sep 00 09:10:39  udp   216.33.41.160.0      ->  142.58.140.138.0     4     0         5569         0           TIM
19 Sep 00 09:10:44  udp   216.33.41.160.0      ->  142.58.140.138.0     4     0         5641         0           TIM
19 Sep 00 09:10:45  udp   216.33.41.160.0      ->  142.58.140.138.0     4     0         5569         0           TIM
19 Sep 00 09:10:47  udp   216.33.41.160.0      ->  142.58.140.138.0     4     0         5579         0           TIM
19 Sep 00 09:10:27  tcp  142.58.140.138.1601  <->   216.33.41.160.1755  13    9         1108         800         EST
19 Sep 00 09:10:28  udp   216.33.41.160.2640   ->  142.58.140.138.1604  497   0         703044       0           INT
19 Sep 00 09:10:39  udp  142.58.140.138.1603   ->   216.33.41.160.1755  5     0         120          0           INT
19 Sep 00 09:10:53  man  pkts    537  bytes        0  drops 739662                                    STP
test1#

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada