Version 5 (modified by salcock, 11 years ago)
traceanon is a libtrace tool that anonymises the IP addresses found in the IP and ICMP headers of packets within a trace. It also updates the TCP and UDP checksums of those packets so that they remain correct after the addresses have been replaced.
Usage
{{{
traceanon [ -s | --encrypt-source ] [ -d | --encrypt-dest ] [ -p prefix | --prefix=prefix ] [ -c key | --cryptopan=key ] [ -Z method | --compress-type=method ] [ -z level | --compress-level=level ] sourceuri desturi
}}}
Options
- -s, --encrypt-source: Encrypt source IP addresses.
- -d, --encrypt-dest: Encrypt destination IP addresses.
- -p, --prefix: Substitute the high bits of the IP addresses with the provided prefix.
- -c, --cryptopan: Anonymise IP addresses with the cryptopan method, keyed with the provided key.
- -z, --compress-level: Compress the output trace using the given compression level. Compression level can range from 0 (no compression) through to 9. Higher compression levels require more CPU to compress data. Default is no compression.
- -Z, --compress-type: Compress the output trace using the given compression algorithm. Options are "gzip", "bzip2", "lzo" or "none". Default is "none".
Applications
Anonymising traces using cryptopan
traceanon -Z gzip -z 1 -sd -c "I like bears" erf:unanonymised.erf.gz erf:anonymised.erf.gz
Anonymising traces using prefix substitution
traceanon -Z gzip -z 1 -sd -p 192.168.0.0/16 erf:unanonymised.erf.gz erf:anonymised.erf.gz
Details
Prefix substitution
Prefix substitution is the simpler of the two anonymisation schemes. It works by replacing the high bits of each IP address in the trace with the prefix provided on the command line, leaving the remaining host bits unchanged. Obviously, this means that two original addresses that differ only in the replaced high bits become the same address in the anonymised trace, so the mapping is neither unique nor reversible. As a result, prefix substitution is only useful in certain circumstances and cryptopan encryption is recommended for regular anonymisation.
Cryptopan encryption
Cryptopan (Crypto-PAn) is a prefix-preserving encryption scheme based on AES. Under cryptopan every IP address maps to a unique new IP address, and two addresses that share the first n bits of their original form share the first n bits of their encrypted form, so addresses within the same subnet share the same encrypted prefix and the subnet structure of the trace survives anonymisation. Generally, cryptopan is the anonymisation scheme that should be used with traceanon. Cryptopan encryption requires an encryption key of up to 32 bytes; shorter keys are padded with NULLs. The same encryption key always produces the same mapping of real IPs to encrypted IPs, which is what makes traces anonymised at different times comparable, but it also means that anyone who obtains the key can reverse the mapping. Treat the key as a secret, and bear in mind that a key given with -c on the command line is visible in process listings and shell history.
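The two schemes side by side, as an added example in Go (not libtrace's own code, which is C): prefixSubstitute keeps the host bits and overwrites the high bits, so 10.1.2.3 and 172.16.2.3 collide under a /16 prefix; CryptoPAn implements the published Crypto-PAn construction with the standard library's AES and shows that the mapping is fixed by the key, never merges two addresses, and preserves exactly the number of leading bits two addresses share. The key layout assumed here (first 16 bytes of the NUL-padded 32-byte key as the AES-128 key, the remaining 16 bytes encrypted once to form the pad) is the reference scheme's rather than something this page states, and the sample addresses are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"math/bits"
	"net"
)

// Constructed sample addresses for the demonstration (not taken from any real trace).
var sampleAddrs = []string{"10.1.2.3", "10.1.2.4", "10.1.9.200", "172.16.2.3"}

// ipToU32 parses a dotted-quad IPv4 address into a host-order uint32.
func ipToU32(s string) uint32 {
	ip := net.ParseIP(s).To4()
	if ip == nil {
		panic("not an IPv4 address: " + s)
	}
	return binary.BigEndian.Uint32(ip)
}

// u32ToIP formats a host-order uint32 as a dotted quad.
func u32ToIP(v uint32) string {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], v)
	return net.IP(b[:]).String()
}

// commonPrefixLen returns how many leading bits a and b agree on (0..32).
func commonPrefixLen(a, b uint32) int { return bits.LeadingZeros32(a ^ b) }

// prefixSubstitute overwrites the top plen bits of addr with those of prefix and keeps the
// low 32-plen host bits, so two addresses that differ only in the replaced bits collide.
func prefixSubstitute(addr, prefix uint32, plen int) uint32 {
	mask := uint32(0xffffffff) << uint(32-plen) // plen 0 shifts by 32, which yields 0 in Go
	return (prefix & mask) | (addr &^ mask)
}

// CryptoPAn holds the AES-128 block cipher and the 16-byte pad derived from the key.
type CryptoPAn struct {
	block cipher.Block
	pad   [16]byte
}

// NewCryptoPAn accepts a key of up to 32 bytes and NUL-pads it to 32, as traceanon does.
// Key layout assumed here (the reference Crypto-PAn scheme): bytes 0..15 are the AES key,
// bytes 16..31 are encrypted once under that key to produce the pad.
func NewCryptoPAn(key []byte) (*CryptoPAn, error) {
	if len(key) > 32 {
		return nil, fmt.Errorf("cryptopan key is %d bytes, maximum is 32", len(key))
	}
	var full [32]byte
	copy(full[:], key)
	block, err := aes.NewCipher(full[:16])
	if err != nil {
		return nil, err
	}
	c := &CryptoPAn{block: block}
	block.Encrypt(c.pad[:], full[16:])
	return c, nil
}

// Anonymise is the Crypto-PAn prefix-preserving permutation. Output bit i is input bit i
// XORed with the top bit of AES(pad with its first i bits replaced by the address's first
// i bits), so the flip for bit i depends only on the preceding bits: addresses that agree
// on their first n bits map to addresses that agree on their first n bits.
func (c *CryptoPAn) Anonymise(addr uint32) uint32 {
	padWord := binary.BigEndian.Uint32(c.pad[:4])
	var in, out [16]byte
	copy(in[:], c.pad[:]) // bytes 4..15 of the block input are always the pad
	var flips uint32
	for i := 0; i < 32; i++ {
		mask := uint32(0xffffffff) << uint(32-i) // the top i bits; all zero when i == 0
		binary.BigEndian.PutUint32(in[:4], (addr&mask)|(padWord&^mask))
		c.block.Encrypt(out[:], in[:])
		flips |= uint32(out[0]>>7) << uint(31-i) // MSB of the ciphertext decides bit i
	}
	return addr ^ flips
}

func main() {
	prefix := ipToU32("192.168.0.0")
	c, err := NewCryptoPAn([]byte("I like bears")) // the key used in the example commands above
	if err != nil {
		panic(err)
	}
	fmt.Printf("%-12s %-14s %s\n", "original", "prefix /16", "cryptopan")
	for _, s := range sampleAddrs {
		a := ipToU32(s)
		fmt.Printf("%-12s %-14s %s\n", s, u32ToIP(prefixSubstitute(a, prefix, 16)), u32ToIP(c.Anonymise(a)))
	}
	a, b := ipToU32(sampleAddrs[0]), ipToU32(sampleAddrs[1])
	fmt.Printf("bits shared by %s and %s: %d before, %d after cryptopan\n",
		sampleAddrs[0], sampleAddrs[1], commonPrefixLen(a, b), commonPrefixLen(c.Anonymise(a), c.Anonymise(b)))
}
```

Running it with `go run` prints a table in which the first and last sample addresses collapse to 192.168.2.3 under prefix substitution while every cryptopan output is distinct, and reports that 10.1.2.3 and 10.1.2.4 share 29 leading bits both before and after encryption. Whether this reproduces traceanon's output bit for bit for a given key is not established by this page; the construction is the published one.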
Checksum Update
In addition to IP anonymisation, traceanon also updates the checksums within the TCP and UDP headers so that they are correct once the IP addresses have been replaced with their anonymised counterparts. This is necessary because the TCP and UDP checksums are computed over a pseudo-header that includes the source and destination IP addresses, so any change to the addresses invalidates them even though the transport header and payload are untouched.
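Why the update is needed, and how it can be done without re-reading the payload, as an added example in Go (not libtrace's code): buildPacket assembles a constructed IPv4/UDP packet with valid checksums, rewriteAddresses substitutes constructed replacement addresses, and with fixChecksums set it patches the IPv4 header checksum and the UDP checksum incrementally using the RFC 1624 formula for a changed 32-bit field, which produces the same bytes as recomputing from scratch; without the fix, neither checksum verifies. TCP is handled identically (its pseudo-header differs only in the protocol number), the IPv4 header checksum is included because it covers the address fields too, and the packet layout assumed is a 20-byte IPv4 header with no options.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// inetChecksum is the RFC 1071 Internet checksum; a region verifies if this yields 0 with its checksum in place.
func inetChecksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// udpChecksum covers the pseudo-header (src, dst, zero, protocol 17, UDP length) plus the UDP header
// and payload; the addresses are inside it, which is why rewriting them invalidates the checksum.
func udpChecksum(src, dst [4]byte, udp []byte) uint16 {
	region := make([]byte, 12, 12+len(udp))
	copy(region[0:4], src[:])
	copy(region[4:8], dst[:])
	region[9] = 17
	binary.BigEndian.PutUint16(region[10:], uint16(len(udp)))
	region = append(region, udp...)
	region[18], region[19] = 0, 0 // the checksum field itself is taken as zero while summing
	if c := inetChecksum(region); c != 0 {
		return c
	}
	return 0xffff // a computed 0 is sent as 0xffff because 0 means "no checksum" in UDP
}

// buildPacket assembles an IPv4 (20-byte header, no options) + UDP packet with correct checksums.
func buildPacket(src, dst [4]byte, payload []byte) []byte {
	pkt := make([]byte, 28+len(payload))
	pkt[0], pkt[8], pkt[9] = 0x45, 64, 17 // version 4 / IHL 5, TTL, protocol UDP
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	copy(pkt[12:16], src[:])
	copy(pkt[16:20], dst[:])
	binary.BigEndian.PutUint16(pkt[10:], inetChecksum(pkt[:20])) // checksum field is still zero here
	udp := pkt[20:]
	copy(udp[0:4], []byte{0x30, 0x39, 0, 53}) // ports 12345 -> 53
	binary.BigEndian.PutUint16(udp[4:], uint16(len(udp)))
	copy(udp[8:], payload)
	binary.BigEndian.PutUint16(udp[6:], udpChecksum(src, dst, udp))
	return pkt
}

// ipHeaderValid and udpValid check the checksums the way a receiving host would.
func ipHeaderValid(pkt []byte) bool { return inetChecksum(pkt[:20]) == 0 }
func udpValid(pkt []byte) bool {
	var src, dst [4]byte
	copy(src[:], pkt[12:16])
	copy(dst[:], pkt[16:20])
	return binary.BigEndian.Uint16(pkt[26:]) == udpChecksum(src, dst, pkt[20:])
}

// incrementalUpdate adjusts hc for a 32-bit field changing from oldVal to newVal without re-reading the
// packet: RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), applied to each 16-bit half of the field.
func incrementalUpdate(hc uint16, oldVal, newVal uint32) uint16 {
	sum := uint32(^hc)
	sum += uint32(^uint16(oldVal>>16)) + uint32(^uint16(oldVal&0xffff))
	sum += uint32(uint16(newVal>>16)) + uint32(uint16(newVal&0xffff))
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// rewriteAddresses returns a copy of pkt with both addresses replaced. fixChecksums=false is the naive
// rewrite that leaves both checksums wrong; true patches the IP header and UDP checksums incrementally.
func rewriteAddresses(pkt []byte, newSrc, newDst [4]byte, fixChecksums bool) []byte {
	out := append([]byte(nil), pkt...)
	oldSrc, oldDst := binary.BigEndian.Uint32(out[12:]), binary.BigEndian.Uint32(out[16:])
	copy(out[12:16], newSrc[:])
	copy(out[16:20], newDst[:])
	if !fixChecksums {
		return out
	}
	ns, nd := binary.BigEndian.Uint32(newSrc[:]), binary.BigEndian.Uint32(newDst[:])
	ip := binary.BigEndian.Uint16(out[10:])
	binary.BigEndian.PutUint16(out[10:], incrementalUpdate(incrementalUpdate(ip, oldSrc, ns), oldDst, nd))
	if udp := binary.BigEndian.Uint16(out[26:]); udp != 0 { // 0 means the sender computed no UDP checksum
		if udp = incrementalUpdate(incrementalUpdate(udp, oldSrc, ns), oldDst, nd); udp == 0 {
			udp = 0xffff
		}
		binary.BigEndian.PutUint16(out[26:], udp)
	}
	return out
}

func main() {
	// Constructed sample packet and replacement addresses, not taken from any real trace.
	pkt := buildPacket([4]byte{10, 1, 2, 3}, [4]byte{10, 1, 9, 200}, []byte("constructed sample payload"))
	for _, fix := range []bool{false, true} {
		out := rewriteAddresses(pkt, [4]byte{192, 168, 2, 3}, [4]byte{192, 168, 9, 200}, fix)
		fmt.Printf("fixed=%v: ip header valid %v, udp valid %v\n", fix, ipHeaderValid(out), udpValid(out))
	}
}
```

The incremental form matters for a trace tool because it touches only the header fields that changed, so packets whose payload was truncated at capture time (a common snaplen setting) can still have their checksums corrected; a full recompute would need the whole datagram. The zero special case is the one place where UDP and TCP differ: a UDP checksum of 0 means none was sent and must be left alone, while TCP has no such value.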
Notes
- The output trace format does not have to match the input format, e.g.
traceanon pcapfile:unanonymised.pcap.gz erf:anon.erf.gz
will work. This property holds true for all libtrace applications, although format header information can be lost converting from one format to another, e.g. pcap headers have no space to store the ERF rxerror variable.
- IP addresses within ARP packets are currently not anonymised - this may be added in a future version of libtrace.
- Currently, we do not support anonymising IP addresses based on packet direction - this may be added in a future version of libtrace.