What the PCAP? – Episode 1
So I’ve been trying to get down to pcaps lately and watch more of what actually goes on. It’s in this spirit that L1pht.com is launching and sharing “What the PCAP”. Similar challenges were given in the past by The Honeynet Project in their “Scan of the Month”. The idea is that we will post a .pcap file that contains something semi-interesting for you to analyze, though ours will likely not be the result of an “in the wild” capture. More than likely it’ll be a very tight and short capture that won’t take you more than a few minutes to analyze. There are no prizes. Just free tasty .pcaps for you to munch on.
Anonymizing Packet Captures With tcprewrite
Care and consideration should be taken when posting captures to the internet, to projects, or even to our vendors (I know, if we can’t trust the vendors, who CAN we trust?). If there isn’t a need to share internal addressing schemes or hints as to device types, let’s not. This is something that can be easily accomplished with the tcpreplay suite of tools.
tcprewrite is a utility whose sole purpose in life is to rewrite our packets. It takes in a packet capture, processes each packet according to a set of options, and writes the altered packets out the other end to a new file. Here’s an example:
tcprewrite --enet-dmac=00:DE:AD:FA:CE:01 --enet-smac=00:FE:ED:BE:EF:09 --pnat=10.16.99.0/24:192.168.69.0/24 -b --infile=/home/poopsmith/Desktop/freshlyCaptured.pcap --outfile=/home/poopsmith/Desktop/freshlyRewritten.pcap
Breaking the line down, we have rewritten the destination MAC address (--enet-dmac=) and the source MAC address (--enet-smac=) to clearly fake ones (00:DE:AD:FA:CE:01 and 00:FE:ED:BE:EF:09). One item of note here is that if you’ve captured ARP requests/replies, the data of those packets will not have been rewritten, so inspect the ARP payloads in the output before sharing it.
Next we have chosen to rewrite all addresses in the 10.16.99.0/24 range with their 192.168.69.0/24 equivalents using the pseudo-NAT option (--pnat). The -b (--skipbroadcast) option leaves broadcast and multicast IP addresses alone rather than mapping them, and finally we have the input and output options. As with the MAC addresses, packet payloads aren’t altered by the above command line: tcprewrite edits headers, not application data, so an HTTP Host: header (or any hostname or internal address embedded in the payload) will still reveal some info. Anyone have a fix/tip for this?
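A check worth running on the rewritten file before you post it, as an added example that is not part of the original post or of the tcpreplay suite: a small stdlib-only Python script that walks a classic libpcap file and flags what a header-only rewrite leaves behind (the real MAC or an internal IP inside an ARP payload, internal dotted quads inside application data, and HTTP Host: headers). The sample frames, the “real” MAC 00:66:77:88:99:aa, the hostname wiki.corp.internal and the function names are all constructed here to mimic the output of the command line above; tcprewrite itself is not run.

```python
"""Leak check for a pcap that has been through a header-only rewrite (constructed example)."""
import ipaddress
import re
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0800, 0x0806, 0x8100
DOTTED_QUAD = re.compile(rb"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")
HOST_HEADER = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.M | re.I)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def iter_frames(pcap):
    """Yield each frame of a classic (non-pcapng) capture, either byte order, usec or nsec magic."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def find_leaks(pcap, internal_net, real_macs):
    """Return (frame_no, kind, detail) for every leftover that still identifies the real network."""
    net = ipaddress.IPv4Network(internal_net)
    macs = {m.lower() for m in real_macs}
    leaks = []
    for no, frame in enumerate(iter_frames(pcap), start=1):
        if len(frame) < 14:
            continue
        ethertype, body = struct.unpack("!H", frame[12:14])[0], frame[14:]
        if ethertype == ETHERTYPE_VLAN and len(body) >= 4:      # 802.1Q: skip the tag, re-read the type
            ethertype, body = struct.unpack("!H", body[2:4])[0], body[4:]
        leaks += [(no, "eth-mac", m) for m in (mac_text(frame[:6]), mac_text(frame[6:12])) if m in macs]
        if ethertype == ETHERTYPE_ARP and len(body) >= 28:
            # ARP body: hw/proto types and lengths (8 bytes), then SHA, SPA, THA, TPA
            leaks += [(no, "arp-mac", m) for m in (mac_text(body[8:14]), mac_text(body[18:24])) if m in macs]
            leaks += [(no, "arp-ip", str(ip)) for ip in map(ipaddress.IPv4Address, (body[14:18], body[24:28])) if ip in net]
        elif ethertype == ETHERTYPE_IPV4 and len(body) >= 20:
            leaks += [(no, "ip-header", str(ip)) for ip in map(ipaddress.IPv4Address, (body[12:16], body[16:20])) if ip in net]
            payload = body[(body[0] & 0x0F) * 4:]                # strip the IPv4 header (IHL)
            if body[9] == 6 and len(payload) >= 20:               # TCP: strip by data offset
                payload = payload[(payload[12] >> 4) * 4:]
            elif body[9] == 17 and len(payload) >= 8:             # UDP: fixed 8-byte header
                payload = payload[8:]
            for m in DOTTED_QUAD.finditer(payload):
                try:
                    ip = ipaddress.IPv4Address(m.group(1).decode())
                except ValueError:                                # e.g. 999.1.1.1 is not an address
                    continue
                if ip in net:
                    leaks.append((no, "payload-ip", str(ip)))
            leaks += [(no, "http-host", m.group(1).decode(errors="replace")) for m in HOST_HEADER.finditer(payload)]
    return leaks


# --- constructed sample frames, mimicking what the post's command line would emit ---
FAKE_DMAC, FAKE_SMAC = "00:de:ad:fa:ce:01", "00:fe:ed:be:ef:09"
REAL_SMAC = "00:66:77:88:99:aa"        # assumed original NIC address (constructed, not from the post)


def ethernet(dst, src, ethertype, payload):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def arp_request(sender_mac, sender_ip, target_ip):
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + mac_bytes(sender_mac)
            + ipaddress.IPv4Address(sender_ip).packed + bytes(6) + ipaddress.IPv4Address(target_ip).packed)


def ipv4_tcp(src_ip, dst_ip, sport, dport, payload):
    # checksums left at zero: irrelevant to a leak check (tcprewrite -C would recompute them)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return ip + tcp


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def demo_pcap():
    """Headers already rewritten (MACs faked, 10.16.99.x -> 192.168.69.x); payloads untouched."""
    return build_pcap([
        ethernet("ff:ff:ff:ff:ff:ff", FAKE_SMAC, ETHERTYPE_ARP, arp_request(REAL_SMAC, "10.16.99.7", "10.16.99.1")),
        ethernet(FAKE_DMAC, FAKE_SMAC, ETHERTYPE_IPV4, ipv4_tcp("192.168.69.7", "192.168.69.20", 49152, 80,
                 b"GET /status?peer=10.16.99.9 HTTP/1.1\r\nHost: wiki.corp.internal\r\n\r\n")),
        ethernet(FAKE_SMAC, FAKE_DMAC, ETHERTYPE_IPV4, ipv4_tcp("192.168.69.20", "192.168.69.7", 80, 49152,
                 b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")),
    ])


def demo_leaks():
    return find_leaks(demo_pcap(), "10.16.99.0/24", [REAL_SMAC])


if __name__ == "__main__":
    for no, kind, detail in demo_leaks():
        print(f"frame {no}: {kind} {detail}")
```

Point find_leaks() at the real output file (open(path, "rb").read()) with the original internal range and the real MACs from the unrewritten capture; an empty list means the headers, ARP bodies and payloads are clean of those identifiers. The payload scan is deliberately dumb (dotted quads and Host: lines only), so hostnames in DNS, TLS SNI or other application data still need a look in Wireshark.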
If any of these things are a concern for you, consider taking the time to anonymize your traffic. tcprewrite has several other options, including randomizing IP addresses (--seed) and rewriting VLAN tags (--enet-vlan). Many examples are available on their wiki.
With all of that out of the way, here’s your first pcap: wtp_001.pcap [9.6kb].

