Scripts for "sanitizing" tcpdump traces
---------------------------------------

This package includes five (simple) scripts for reducing tcpdump traces
in order to address security and privacy concerns, by renumbering hosts
and stripping out packet contents.  Each script takes as input a tcpdump
trace file and generates to stdout a reduced, ASCII file in fixed-column
format:

sanitize-tcp
	Reduces TCP traffic.  Output is six columns:

	- timestamp of packet arrival.  For the first packet in the
	  trace, this is the raw tcpdump timestamp.  For the remaining
	  packets, this is the offset from the integer part of that
	  first timestamp.  For example, if the first timestamp is
	  187.2, the second is 188.9, and the third is 191.3, then the
	  first three timestamps in the ASCII file will be 187.2,
	  1.9 (= 188.9-187), and 4.3 (= 191.3-187).

	  Note that sanitize-syn-fin uses as its base time the arrival
	  of the first TCP packet in the file, not the first TCP
	  SYN/FIN/RST packet (this helps when comparing sanitize-syn-fin
	  times with those produced by sanitize-tcp).

	- (renumbered) source host
	- (renumbered) destination host

	  Note that the renumbering process loses any IP network
	  information.

	- source TCP port
	- destination TCP port
	- number of data bytes in the packet, or 0 if none (this can
	  happen for packets that only ack data sent by the other side)

sanitize-syn-fin
	Reduces TCP SYN/FIN/RST traffic.  Output is eight columns.  The
	first five correspond to the same columns as for sanitize-tcp,
	using the same host renumbering.  The remaining three columns are:

	- TCP flags (e.g., "FP" for a packet with FIN and PSH set)
	- sequence number
	- acknowledgement sequence number.  For the initial SYN sent to
	  set up a connection, this will be zero.

	Experience has shown not to trust the sequence numbers used in
	RST packets.

sanitize-udp
	Reduces UDP traffic.  Output is five columns, corresponding to
	the first five columns for sanitize-tcp.  (That is, packet size
	is not reported.)

sanitize-encap
	Reduces encapsulated IP packets (these usually are MBone
	packets).  Output is a single column, giving the arrival
	timestamps.

sanitize-other
	All non-TCP, non-UDP, non-encapsulated traffic.  Only a
	timestamp is reported.
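The following is an added Python model of the sanitize-tcp and sanitize-syn-fin reductions described above, written to illustrate the timestamp convention and the shared host renumbering; it is not one of the package's own scripts (those process tcpdump text output). It assumes hosts are numbered in order of first appearance, which the README does not specify, and uses constructed packets rather than a real trace.

```python
from __future__ import annotations
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class TcpPacket:
    ts: float          # tcpdump timestamp in seconds
    src: str           # captured source IP (discarded by the reduction)
    dst: str           # captured destination IP (discarded by the reduction)
    sport: int
    dport: int
    datalen: int       # TCP payload bytes; 0 for packets that only ack
    flags: str = ""    # tcpdump flag letters, e.g. "S", "FP", "R"
    seq: int = 0
    ack: int = 0       # 0 for the initial SYN of a connection


class HostRenumberer:
    """Maps captured IPs to small integers so no network information survives.
    Assumption: numbers are handed out in order of first appearance."""
    def __init__(self) -> None:
        self._ids: dict[str, int] = {}

    def __call__(self, ip: str) -> int:
        return self._ids.setdefault(ip, len(self._ids) + 1)


def relative_times(packets: list[TcpPacket]) -> list[float]:
    """First packet keeps its raw timestamp; later ones are offsets from the
    integer part of that first timestamp (187.2, 1.9, 4.3 in the README)."""
    if not packets:
        return []
    base = math.floor(packets[0].ts)
    return [packets[0].ts] + [p.ts - base for p in packets[1:]]


def sanitize_tcp(packets, renumber=None):
    """Six-column rows: time, src host, dst host, sport, dport, data bytes."""
    renumber = renumber or HostRenumberer()
    return [(t, renumber(p.src), renumber(p.dst), p.sport, p.dport, p.datalen)
            for t, p in zip(relative_times(packets), packets)]


def sanitize_syn_fin(packets, renumber=None):
    """Eight-column rows for SYN/FIN/RST packets only.  Every packet is fed
    through the renumberer and the time base is the first TCP packet, so the
    rows line up with sanitize_tcp output for the same trace."""
    renumber = renumber or HostRenumberer()
    rows = []
    for t, p in zip(relative_times(packets), packets):
        s, d = renumber(p.src), renumber(p.dst)
        if set(p.flags) & set("SFR"):
            rows.append((t, s, d, p.sport, p.dport, p.flags, p.seq, p.ack))
    return rows


# Constructed three-packet trace reproducing the README's timestamp example.
SAMPLE = [
    TcpPacket(187.2, "10.0.0.1", "10.0.0.2", 1234, 80, 0, "S", 100, 0),
    TcpPacket(188.9, "10.0.0.2", "10.0.0.1", 80, 1234, 0, "S", 5000, 101),
    TcpPacket(191.3, "10.0.0.1", "10.0.0.2", 1234, 80, 512, "P", 101, 5001),
]
```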