Version 1 (modified by spa1, 14 years ago)
traceanon is a libtrace tool that anonymises the IP addresses found in the IP and ICMP headers of packets within a trace. It also updates the TCP and UDP checksums of those packets so that they remain correct after the addresses have been replaced.
Usage
traceanon [ -s | --encrypt-source ] [ -d | --encrypt-dest ] [ -p prefix | --prefix=prefix ] [ -c key | --cryptopan=key ] sourceuri desturi
Options
- -s, --encrypt-source: Encrypt source IP addresses.
- -d, --encrypt-dest: Encrypt destination IP addresses.
- -p prefix, --prefix=prefix: Substitute the high bits of each IP address with the provided prefix.
- -c key, --cryptopan=key: Anonymise IP addresses using the cryptopan method with the provided key.
Applications
Anonymising traces using cryptopan
traceanon -sd -c "I like bears" erf:unanonymised.erf.gz erf:anonymised.erf.gz
Anonymising traces using prefix substitution
traceanon -sd -p 192.168.0.0/16 erf:unanonymised.erf.gz erf:anonymised.erf.gz
Details
Prefix substitution
Prefix substitution is the simpler of the two anonymisation schemes. It works by replacing the prefix of the IP addresses in the trace with the prefix provided on the command line. Obviously, this can result in multiple different IP addresses in the original trace becoming the same IP address in the anonymised trace. As a result, prefix substitution is only useful in certain circumstances and using cryptopan encryption is recommended for regular anonymisation.
Cryptopan encryption
Cryptopan is a prefix-preserving encryption scheme based on AES. Under cryptopan, every IP address maps to a unique new IP address, and IP addresses within the same subnet share the same encrypted prefix. Generally, cryptopan is the anonymisation scheme that should be used with traceanon. Cryptopan encryption requires an encryption key of up to 32 bytes; shorter keys are padded with NUL bytes. The same encryption key always produces the same mapping of real IPs to encrypted IPs.
Checksum Update
In addition to IP anonymisation, traceanon also updates the checksums within the TCP and UDP headers to be correct once the IP addresses have been replaced with their anonymised counterparts.
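The following added example (not part of libtrace or traceanon) shows the two properties described above in code: prefix substitution on IPv4 addresses, including the collision it can cause, and why the UDP checksum must be recomputed afterwards, because the transport checksum covers a pseudo-header containing the IP addresses. The sample datagram, addresses and prefix are constructed for the demonstration.

```python
import ipaddress
import struct

def substitute_prefix(addr: str, prefix: str) -> str:
    """Prefix substitution: keep addr's host bits, replace the high bits with prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    anon = int(net.network_address) | (int(ipaddress.ip_address(addr)) & int(net.hostmask))
    return str(ipaddress.ip_address(anon))

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header: the addresses here are why anonymisation breaks the transport checksum."""
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!BBH", 0, proto, length))

def checksum_ok(src: str, dst: str, proto: int, segment: bytes) -> bool:
    """A correct checksum makes the sum over pseudo-header plus segment fold to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src, dst, proto, len(segment)) + segment) == 0xFFFF

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample datagram whose checksum is correct for the original src/dst."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = (~ones_complement_sum(pseudo_header(src, dst, 17, length) + header + payload)) & 0xFFFF
    return header[:6] + struct.pack("!H", csum or 0xFFFF) + payload  # 0 means "no checksum" in UDP

def anonymise_udp(src: str, dst: str, udp: bytes, prefix: str):
    """Substitute both addresses, then refresh the UDP checksum (bytes 6-7 of the header)."""
    new_src, new_dst = substitute_prefix(src, prefix), substitute_prefix(dst, prefix)
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    csum = (~ones_complement_sum(pseudo_header(new_src, new_dst, 17, len(udp)) + zeroed)) & 0xFFFF
    return new_src, new_dst, udp[:6] + struct.pack("!H", csum or 0xFFFF) + udp[8:]

if __name__ == "__main__":
    udp = build_udp("10.1.2.3", "172.16.2.3", 1234, 53, b"hello")
    s, d, anon = anonymise_udp("10.1.2.3", "172.16.2.3", udp, "192.168.0.0/16")
    print(s, d, checksum_ok(s, d, 17, udp), checksum_ok(s, d, 17, anon))
```

Note that both constructed addresses collapse to 192.168.2.3 under a /16 prefix, which is the collision the text warns about; the old checksum fails against the new addresses while the refreshed one verifies.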
Notes
- The output trace format does not have to match the input format, e.g.
traceanon pcapfile:unanonymised.pcap.gz erf:anon.erf.gz
will work. There is also no requirement for the input traces to all be of the same format. These properties hold true for all libtrace applications, although format header information can be lost when converting from one format to another, e.g. pcap headers have no space to store the ERF rxerror variable.
- IP addresses within ARP packets are currently not anonymised - this may be added in a future version of libtrace.
- Currently, we do not support anonymising IP addresses based on packet direction - this may be added in a future version of libtrace.