convert argus logs to pcap files

Rafael Barbosa rrbarbosa at gmail.com
Mon Oct 11 04:15:18 EDT 2010


Here at the University of Twente we maintain a repository with network
traffic data: http://traces.simpleweb.org/
The older traces were anonymized with "tcpdpriv", and the newer ones with
"anontool", a more advanced tool that anonymizes some data from both pcap
and netflow (v5 and v9 if I am not mistaken):
http://www.ics.forth.gr/dcs/Activities/Projects/anontool.html

Rafael Barbosa
http://www.vf.utwente.nl/~barbosarr/



On Sun, Oct 10, 2010 at 12:17 AM, Peter Van Epp <vanepp at sfu.ca> wrote:

> On Fri, Oct 08, 2010 at 03:54:13PM -0400, George Jones wrote:
> > I was looking for a way to do anonymization of some pcap data.
> > ranonymize seemed to do a pretty good job with argus data, but I wanted
> > to anonymize pcap data for use across multiple tools with the same set
> > of anonymized addresses... yes, this is somewhat bass ackwards.  I've
> > since stumbled across:
> >
> > http://scrub-tcpdump.sourceforge.net/docs.php
> >
> > which works pretty well for tcp and udp....but does not clean up arp and
> > friends.
> >
> > ---George
> >
>
>         Ah anonymization :-). Hard problem. Vern Paxson has a policy-driven
> anonymization tool (available from the CAIDA site I think). There are also
> a variety of comments on how to break the anonymization in one of the
> journals (communications I think). The primary problem is that this is
> essentially an encryption problem and potentially the attacker has access
> to chosen plaintext with which to break the encryption. I used to be the
> security officer for the local gigapop and we tried for quite a while to
> figure a safe way to anonymize and publish traffic traces from the gigapop
> (probably from argus) for research purposes. We never came up with a scheme
> that I couldn't see a way to break and thus never did it and had to resort
> to NDAs with the specific researcher to protect the data. CAIDA used to
> publish (many years ago) anonymized trace data from a NAP but when I looked
> a few years ago they had stopped (I assume because of the issues around
> anonymization raised against Vern Paxson's tool although I don't know).
>        In your case if you have a controlled group that you can essentially
> NDA, the anonymization tool may work just fine.
>
> Peter Van Epp
>