C3Subtitles: 32c3: Sanitizing PCAPs
back

Sanitizing PCAPs

Fun and games until someone uses IPv6 or TCP

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:43:09
Language
English
Abstract
Sanitizing and anonymizing PCAP or PCAPng files is often necessary to be able to share information about attack vectors, security problems or incidents in general. While it may seem simple to replace IP addresses or ports there are still quite a number of network packet details that are hard to replace. This technical talk will shed a light on where those troublemakers are encountered and how to get around them.

When sanitizing/anonymizing PCAPs (or the newer, better, but also much more complex PCAPng network capture file format) there are a ton of problems to run into: Replacement need to be consistent, Checksums need to be recalculated sometimes but now always, and IPv6 has dependencies to MAC addresses that need to be considered as well. Additionally, protocols may be stacked on top of each other, tunneling IPv4 over IPv4 or IPv6 over IPv4, adding complexity to the replacement process. And finally, sanitizing TCP payloads is a certifiable nightmare because you never quite know what you're looking at, and the data segments may require reassembly/unpacking before you can do anything. It's easy to break sequence numbers, unless every replacement is exactly the same size as the original value. This talk will take a closer look at some of the typical problems that come up when sanitizing/anonymizing network packet captures, and at tools that can help with getting reasonable results.

Talk ID
7294
Event:
32c3
Day
2
Room
Hall 6
Start
11 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
Jasper Bongertz