convert argus logs to pcap files
Peter Van Epp
vanepp at sfu.ca
Sat Oct 9 18:17:44 EDT 2010
On Fri, Oct 08, 2010 at 03:54:13PM -0400, George Jones wrote:
> I was looking for a way to do anonymization of some pcap data. ranonymize
> seemed
> to do a pretty good job with argus data, but I wanted to anonymize pcap data
> for use
> across multiple tools with the same set of anonymized address....yes, this
> is somewhat
> bass ackwards. I've since stumbled acdross:
>
> http://scrub-tcpdump.sourceforge.net/docs.php
>
> which works pretty well for tcp and udp....but does not clean up arp and
> friends.
>
> ---George
>
Ah anonymization :-). Hard problem. Vern Paxton has a policy driven
anonymization tool (available from the CAIDA site I think). There are also
a variety of comments on how to break the anonymization in one of the journals
(communications I think). The primary problem is that this is essentially an
encryption problem and potentially the attacker has access to chosen plaintext
with which to break the enryption. I used to be the security officer for the
local gigapop and we tried for quite a while to figure a safe way to anonymize
and publish traffic traces from the gigapop (probably from argus) for research
purposes. We never came up with a scheme that I couldn't see a way to break and
thus never did it and had to resort to NDAs with the specific researcher to
protect the data. Caida used to publish (many years ago) anonymized trace data
from a NAP but when I looked a few years ago they had stopped (I assume because
of the issues around anonymization raised against Vern Paxton's tool although
I don't know).
In your case if you have a controlled group that you can essentially
NDA, the anonymization tool may work just fine.
Peter Van Epp
More information about the argus
mailing list