Packet captures can contain sensitive data. When you are describing a network problem, you may need to collect them. How do you send a capture to a 3rd party when it contains PII or business secrets?
When in doubt about a legal matter, consult a lawyer.
With the advent of GDPR, data security has become more important. Laws differ between countries (and US states), but generally speaking, network traffic becomes personal data when it can “uniquely identify an individual”. For example, if you own website that uses the client’s public IP address as a data point to identify them, then the IP address becomes personal data. Above all, when it comes to sensitive pcaps you should aim to:
Scenario: You want to scrub IP and MAC addresses. While in the normal course of scrubbing, you would probably want to sanitize more fields, we’re keeping it simple for this comparison.
It is possible to manually edit the hex; however, there are a couple reasons you may want to use a program instead:
TraceWrangler is a utility written for Windows that can anonymize various fields. It can also be installed under Macos and Linux using wine.
tcpreplay is old and only supports pcap files.
This is part of the tcpreplay suite of tools. Use your package manager to install it.
# Ubuntu / Ubuntu WSL on Windows apt install tcpreplay # Macos brew install tcpreplay
Given a pcap-type capture, this will rewrite IPs and MACs randomly and recompute checksums. There is a consistent mapping to between old IP and MAC addresses and new random ones.
tcprewrite -i example.pcap -o example.pcap --seed=42 --enet-mac-seed=42 --fixcsum
--seed=42: Randomly change all IP addresses with seed 42
--enet-mac-seed=42: Randomly change all MAC addresses with seed 42
--fixcsum: Fix any checksums
In my testing, adding a VLAN creates a file that Wireshark can only read up to layer 3.
Tracewrangler is more fully featured while tcprewrite is faster to get and use. Bittwiste is good for data removal if you have the exact type of capture it works with.
Sometimes the simplest solution is best. Filter the capture for only the traffic that the 3rd party needs to see. If this removes the sensitive data at the same time, you just hit two birds with one stone.