Scrub Sensitive IP Addresses From Packet Captures (PCAP File)
Warning: In order to scrub sensitive data from a PCAP, you will need to use an open source application (tcprewrite) that is not included on Sourcefire Appliances. Sourcefire does not officially support this software and cannot provide assistance beyond the content of this article.
Scrub IP Addresses from PCAP Files
Removing sensitive data from PCAP files is a simple process using the tcprewrite tool, which is a part of the tcpdump suite of *nix tools for manipulating libpcap files. Tcprewrite can modify and rewrite packets stored in pcap(3) file format and supports both IPv4 and IPv6.
How is the tcprewrite utility used
You can obfuscate the IP addresses with tcprewrite with the following command:
When IP addresses are randomized, it is done in a deterministic manner, based on the seed value you provide, so that sessions between two hosts are maintained. Using different seed values results in different values for the IP addresses for the same input pcap. If you have multiple PCAPs to submit, you should use the same "--seed=" value for each PCAP so that the IP addresses are consistent across PCAPs.
The original file 'input.pcap' remains unchanged, while the output file 'output.pcap' is a copy of the original PCAP with random IP addresses substituted. The file 'output.pcap' is the one you should submit to technical support for analysis.
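The shared-seed advice above, applied to a batch of captures. This is an added example, not part of the original article: the function name `scrub_pcaps`, the `scrubbed-` output prefix, the seed 423 and the file names are assumptions, and `--infile` / `--outfile` are tcprewrite's standard input and output options.

```sh
# Added example (not from the original article).
# Assumptions: tcprewrite is on PATH; seed 423 and all file names are constructed.
# Usage: scrub_pcaps 423 scrubbed first.pcap second.pcap

scrub_pcaps() {
    if [ "$#" -lt 3 ]; then
        echo "usage: scrub_pcaps SEED OUTDIR FILE..." >&2
        return 2
    fi
    sp_seed=$1
    sp_outdir=$2
    shift 2

    # One numeric seed for the whole batch keeps a given host mapped to the
    # same substitute address in every output file.
    case $sp_seed in
        ''|*[!0-9]*) echo "seed must be an integer: $sp_seed" >&2; return 2 ;;
    esac

    command -v tcprewrite >/dev/null 2>&1 || {
        echo "tcprewrite not found" >&2
        return 127
    }
    mkdir -p "$sp_outdir" || return 1

    for sp_in in "$@"; do
        [ -r "$sp_in" ] || { echo "cannot read $sp_in" >&2; return 1; }
        sp_out=$sp_outdir/scrubbed-$(basename "$sp_in")

        # Refuse to overwrite anything, so originals and earlier runs survive.
        [ ! -e "$sp_out" ] || { echo "refusing to overwrite $sp_out" >&2; return 1; }

        tcprewrite --seed="$sp_seed" --infile="$sp_in" --outfile="$sp_out" || return 1

        # Fail if no output was written.
        [ -s "$sp_out" ] || { echo "no output for $sp_in" >&2; return 1; }
        echo "$sp_out"
    done
}
```

The function prints the path of each scrubbed file, so its output can be used directly as the list of files to submit.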