traceanon is a libtrace tool that anonymises the IP addresses found in the IP and ICMP headers of packets within a trace. It will also updates the checksums of packets inside the TCP and UDP headers.

Usage

traceanon [ -s | --encrypt-source ] [ -d | --encrypt-dest ] [ -p prefix | --prefix=prefix ] [ -c key | --cryptopan=key ] sourceuri desturi

Options

-s, --encrypt-source

Encrypt source IP addresses.

-d, --encrypt-dest

Encrypt destination IP addresses.

-p, --prefix

Substitute the high bits of the IP addresses with the provided prefix

-c, --cryptopan

Anonymise IPs using the cryptopan method using the provided key

Applications

Anonymising traces using cryptopan

traceanon -sd -c "I like bears" erf:unanonymised.erf.gz erf:anonymised.erf.gz

Anonymising traces using prefix substitution

traceanon -sd -p 192.168.0.0/16 erf:unanonymised.erf.gz erf:anonymised.erf.gz

Details

Prefix substitution

Prefix substitution is the simpler of the two anonymisation schemes. It works by replacing the prefix of the IP addresses in the trace with the prefix provided on the command line. Obviously, this can result in multiple different IP addresses in the original trace becoming the same IP address in the anonymised trace. As a result, prefix substitution is only useful in certain circumstances and using cryptopan encryption is recommended for regular anonymisation.

Cryptopan encryption

Cryptopan is a prefix preserving encryption scheme based on AES. Under cryptopan, every IP address will map to a unique new IP address and IP addresses within the same subnet will share the same encrypted prefix. Generally, cryptopan is the anonymisation scheme that should be used with traceanon. Cryptopan encryption requires an encryption key that may be up to 32 bytes long and will be padded with NULLs. The same encryption key will produce the same mappings of real IPs to encrypted IPs.

Checksum Update

In addition to IP anonymisation, traceanon also updates the checksums within the TCP and UDP headers to be correct once the IP addresses have been replaced with their anonymised counterparts.

Notes

• The output trace format does not have to match the input formats, e.g.

  traceanon pcapfile:unanonymised.pcap.gz erf:anon.erf.gz
  

  will work. There is also no requirement for the input traces to all be of the same format either. These properties hold true for all libtrace applications, although format header information can be lost converting from one format to another, e.g. pcap headers have no space to store the ERF rxerror variable.
• IP addresses within ARP packets are currently not anonymised - this may be added in a future version of libtrace.
• Currently, we do not support anonymising IP addresses based on packet direction - this may be added in a future version of libtrace.