convert argus logs to pcap files

Peter Van Epp vanepp at sfu.ca
Sat Oct 9 18:17:44 EDT 2010


On Fri, Oct 08, 2010 at 03:54:13PM -0400, George Jones wrote:
> I was looking for a way to do anonymization of some pcap data.  ranonymize
> seemed to do a pretty good job with argus data, but I wanted to anonymize
> pcap data for use across multiple tools with the same set of anonymized
> address....yes, this is somewhat bass ackwards.   I've since stumbled across:
> 
> http://scrub-tcpdump.sourceforge.net/docs.php
> 
> which works pretty well for tcp and udp....but does not clean up arp and
> friends.
> 
> ---George
> 

	Ah anonymization :-). Hard problem. Vern Paxson has a policy driven 
anonymization tool (available from the CAIDA site I think). There are also 
a variety of comments on how to break the anonymization in one of the journals
(Communications I think). The primary problem is that this is essentially an 
encryption problem and potentially the attacker has access to chosen plaintext
with which to break the encryption. I used to be the security officer for the 
local gigapop and we tried for quite a while to figure a safe way to anonymize
and publish traffic traces from the gigapop (probably from argus) for research 
purposes. We never came up with a scheme that I couldn't see a way to break and 
thus never did it and had to resort to NDAs with the specific researcher to 
protect the data. CAIDA used to publish (many years ago) anonymized trace data 
from a NAP but when I looked a few years ago they had stopped (I assume because
of the issues around anonymization raised against Vern Paxson's tool although 
I don't know). 
	In your case if you have a controlled group that you can essentially 
NDA, the anonymization tool may work just fine. 

Peter Van Epp
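A keyed, prefix-preserving pseudonymizer for the IPv4 addresses in a trace, added here as an illustration and not a tool from this thread: with one shared key every tool emits the same pseudonyms (the consistency George asks for), and the keyed PRF at its core is why Peter calls this an encryption problem. The last function checks the property such schemes keep on purpose, shared prefixes, which is exactly the structure an adversary holding known or chosen address pairs can reason from. EXAMPLE_KEY and the sample addresses are constructed for the example.

```python
import hashlib
import hmac
import ipaddress

# Constructed key for the example only; a real deployment uses a random secret
# shared solely among the tools that must agree on the pseudonyms.
EXAMPLE_KEY = b"example-key-not-for-real-use"


def _prf_bit(key: bytes, prefix_bits: str) -> int:
    """Keyed pseudo-random bit for a given bit prefix (LSB of HMAC-SHA256)."""
    digest = hmac.new(key, prefix_bits.encode(), hashlib.sha256).digest()
    return digest[-1] & 1


def anonymize_ipv4(addr: str, key: bytes = EXAMPLE_KEY) -> str:
    """Prefix-preserving pseudonymization in the Crypto-PAn style.

    Output bit i = input bit i XOR PRF(key, first i input bits). Addresses that
    agree on their first n bits therefore map to pseudonyms that agree on their
    first n bits, and the same key yields the same mapping in every tool.
    """
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    out = [str(int(b) ^ _prf_bit(key, bits[:i])) for i, b in enumerate(bits)]
    return str(ipaddress.IPv4Address(int("".join(out), 2)))


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses have in common (0..32)."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


def prefix_structure_preserved(a: str, b: str, key: bytes = EXAMPLE_KEY) -> bool:
    """True when the pseudonyms share exactly as many leading bits as the originals.

    This is what keeps subnet-level analysis meaningful after anonymization and
    also what the scheme leaks: one known (real, pseudonym) pair fixes the
    mapping of every address in the prefixes it shares with others.
    """
    return shared_prefix_len(a, b) == shared_prefix_len(
        anonymize_ipv4(a, key), anonymize_ipv4(b, key)
    )


if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.129", "198.51.100.9"):
        print(ip, "->", anonymize_ipv4(ip))
```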


