TCPDPRIV(1) UNIX Reference Manual TCPDPRIV(1) NAME tcpdpriv - remove private information from a tcpdump -w file SYNOPSIS tcpdpriv [-a [[hh:]mm:]ss] [-A {0|1|2|50|99}] [-c count] [-C ------------ ------------- ----- {0|1|2|3|4|...|32|99}] [-F file] [-i interface] [-M --------------------- ---- --------- {0|10|20|70|80|90|99}] [-O] [-p] [-P {0|1|99}] [-q] [-r --------------------- -------- inputfile] [-s snaplen] [-T {0|1|99}] [-U {0|1|99}] [-w --------- ------- -------- -------- outputfile] [expression] ---------- ---------- tcpdpriv [-C 4] [-M 20] [-P 99] [-w outputfile] [-r inputfile] - -- -- ---------- --------- DESCRIPTION Tcpdpriv removes sensitive information from a packet trace, replacing it with contrived information from which the sensitive information cannot be reconstructed. By removing the sensitive information, the output of tcpdpriv may be shared with others (for debugging or network analysis, say). In general, data which is not otherwise processed by tcpdpriv is deleted. For example, the data portion of a datagram is not included in the output file. IP and/or TCP options that are not otherwise specifically enabled are re- placed with NOPs (0x01, in both cases). When a header is changed, the checksum for that header is also updated to reflect the change in header data values. The various options provide different levels of privacy/security for dif- ferent portions of IP datagrams. The numbers refer to the different lev- els of security -- in general, smaller numbers are more secure. The number zero (0) is the default for each of the options. This pro- vides the most secure output file, but may delete information helpful to those interested in using the output. The number ninety-nine (99) generally means "release the information as is". This level is available for IP unicast and multicast addresses, classness and TCP and UDP port numbers. The payload inside an IP protocol type 4 ("ipip" or "ip-encaps") datagram is assumed to be an encapsulated IP datagram and is transformed in the same manner as the outer (encapsulating) IP datagram. The second form is an example that protects IP address information, but releases TCP and UDP port numbers as well as retaining information about which packets were (IP-level) multicast packets. This is a safe manner in which to run tcpdpriv. -a Exit after [[hh:]mm:]ss time has expired. ------------ -A How IP addresses should be treated. Level 0 maps different addresses to integers (counting from 1). Level 1 maps the upper and lower 16 bits, separately, to integers (counting from 1); the upper and lower maps are independent (so, the address 128.130.128.130 may be mapped to something like 0.3.0.28, eg, with the upper and lower 16 bits having differ- ent values). Level 2 maps each byte of the address separate- ly (again, counting from 1); each byte map is independent. Level 50 is more complicated (though more useful in certain situations). With level 50, if two of the original addresses were equal in the most significant N bits, then these two ad- dresses will map to private addresses that are similarly equal in the most significant N bits. (This feature can be useful for using trace datasets to study the dynamics of var- ious data structures for forwarding tables, for example.) NOTE: level 50 reveals more information about a site's local network topology than the other levels. This could be of concern to some sites (but is probably not a concern for most sites). (The document 'Thoughts on How to Mount an Attack on tcpdpriv's "-A50" Option...', included with the tcpdpriv source distribution, discusses some of the issues related to level 50.) Level 99 passes IP addresses through unchanged. -c Exit after receiving count packets. ----- -C How the "classness" of input and output IP addresses should be related. (In "classic IP", there was a notion of "class- ness" associated with IP addresses; an IP address was class A, class B, class C, or class D depending on the first most significant bits of the IP header.) Level 0 implies that no class information is carried through. Level 1 implies that class A addresses are mapped into class A addresses; Level 2 implies that in addition, class B addresses are mapped into class B addresses; Level 3 implies that in addition, class C addresses are mapped into class C addresses; Level 4 implies that in addition, class D addresses (multicast) are mapped into class D addresses. (In fact, the -C flag actually preserves leading one (1) --- --- bits; thus, level 32, for example, will map class A, B, C, and D (respectively) addresses in to class A, B, C, and D (respectively) addresses and will also map the all-ones IP broadcast address into in an all-ones IP addresss. Level 99 is a synonym for level 32.) -F Use file as input for the filter expression. An additional ---- expression given on the command line is ignored. -i Listen on interface. If unspecified, tcpdpriv searches the --------- system interface list for the lowest numbered, configured up interface (excluding loopback). -M How multicast addresses are mapped: level 0 implies map us- ing the -A and -C option values; level 99 passes multicast addresses through unchanged. The rest of the levels relate to the scoping of multicast datagrams: level 10 passes multi- cast addresses in globally-scoped datagrams through un- changed; level 20 passes multicast addresses in continent- local datagrams through unchanged; level 70 passes multicast addresses in site-local datagrams through unchanged; level 80 passes multicast addresses in link-local datagrams through unchanged; level 90 passes multicast addresses in node-local datagrams through unchanged. (Note that in IPv4, "scoping" is determined by TTL values.) -O Do not run the packet-matching code optimizer. This is use- ful only if you suspect a bug in the optimizer. -p Do not put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {localhost} or broadcast'. -P Set the mapping for both TCP and UDP port numbers. Level 0 maps the 16-bit port numbers to a single integer (see the -A option above). Level 1 maps each 8-bit byte in the port num- ber to a single integer. -q Normally, tcpdpriv logs its command-line parameters and a summary at the end of execution to standard error. The -q flag suppresses these messages. -r Read packets from inputfile (which was created with the -w --------- option of tcpdump(1)). Standard input is used if inputfile --------- is ``-''. -s Snarf snaplen bytes of data from each packet rather than the ------- default of 88 (with NIT, the minimum is actually 96). See the tcpdump(1) man page for more information. -T Set the mapping for just the TCP port numbers. See the -P option for details. -U Set the mapping for just the UDP port numbers. See the -P option for details. -w outputfile ---------- Specifies the output file, which will look as if it had been generated by the tcpdump(1) command, using its -w option. If this argument is not provided, the output will be written to standard output (which is not allowed to be a terminal de- vice). expression selects which packets will be processed (packets not matching ---------- expression will be deleted). See the tcpdump(1) man page for ---------- details on the format of expression. ---------- SEE ALSO netstat(1), tcpdump(1), tcpslice(1), pcap(3), mount(8). 'Thoughts on How to Mount an Attack on tcpdpriv's "-A50" Option...' (included with the tcpdpriv source distribution). HISTORY The tcpdpriv command was written at Ipsilon Networks in 1996. Many thanks to Vern Paxson for his help/suggestions during tcpdpriv's development. Thanks also to K. Claffy and Tatu Ylonen for contributions and clarifications to the securi- ty aspects of tcpdpriv. Notwithstanding the help from these people, all bugs remain the responsibility of the author (but, see the disclaimer be- low). Portions of tcpdpriv (and this man page) are extracted from tcpdump(1) (available from ftp://ftp.ee.lbl.gov/tcpdump.tar.Z). DIAGNOSTICS Various, including complaining if "netstat -in" or "mount" are not acces- sible (these are used in seeding the random number generator). DISCLAIMER THIS SOFTWARE IS PROVIDED BY IPSILON NETWORKS, INC., ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL IPSILON NETWORKS, INC., BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAM- AGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEV- ER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LI- ABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. BUGS Link-level headers are passed through unchanged. Tcpdpriv should probably preserve the all-zeroes and all-ones addresses. It would be nice if tcpdpriv could retain subnet broadcast information. Tcpdpriv supports only SLIP, PPP, Ethernet, FDDI, and the NULL data links. FDDI is only supported on systems that have the include file . - There should be some way to allow the various pre-defined multicast ad- dresses (such as "all-nodes", etc.) to be passed through unchanged. There is a bug in tcpdump(1) which makes it unable to filter a 0.x.y.z address. Tcpdpriv attempts to avoid generating addresses in this format. However, with "-A50", it is possible that tcpdpriv will, in fact, gener- -------- ate such an address. 4.3 Berkeley Distribution July 4, 1996 4