
traceanon

Shane Alcock edited this page Oct 1, 2015 · 5 revisions

traceanon is a libtrace tool that anonymises the IP addresses found in the IP and ICMP headers of packets within a trace. It also updates the checksums inside the TCP and UDP headers so that they remain correct for the rewritten addresses.

Usage

    traceanon
            [ -s | --encrypt-source ]
            [ -d | --encrypt-dest ]
            [ -p prefix | --prefix=prefix ]
            [ -c key | --cryptopan=key ]
            [ -Z method | --compress-type=method ]
            [ -z level | --compress-level=level ]
            [ -t threadcount | --threads=threadcount ]
            sourceuri desturi

Options

-s, --encrypt-source Encrypt source IP addresses.

-d, --encrypt-dest Encrypt destination IP addresses.

-p, --prefix Substitute the high bits of the IP addresses with the provided prefix.

-c, --cryptopan Anonymise IPs using the cryptopan method using the provided key.

-z, --compress-level Compress the output trace using the given compression level. Compression level can range from 0 (no compression) through to 9. Higher compression levels require more CPU to compress data. Default is no compression.

-Z, --compress-type Compress the output trace using the given compression algorithm. Options are "gzip", "bzip2", "lzo", "xz" or "none". Default is "none".

-t, --threads Use threadcount processing threads. Defaults to 4 processing threads. Bear in mind that setting this number too high will decrease performance if there is not enough work to keep all the threads occupied.

Applications

Anonymising traces using cryptopan:

    traceanon -Z gzip -z 1 -sd -c "I like bears" erf:unanonymised.erf.gz erf:anonymised.erf.gz

Anonymising traces using prefix substitution:

    traceanon -Z gzip -z 1 -sd -p 192.168.0.0/16 erf:unanonymised.erf.gz erf:anonymised.erf.gz

Details

Prefix substitution

Prefix substitution is the simpler of the two anonymisation schemes. It works by replacing the prefix of the IP addresses in the trace with the prefix provided on the command line. Obviously, this can result in multiple different IP addresses in the original trace becoming the same IP address in the anonymised trace. As a result, prefix substitution is only useful in certain circumstances and using cryptopan encryption is recommended for regular anonymisation.

Cryptopan encryption

Cryptopan is a prefix preserving encryption scheme based on AES. Under cryptopan, every IP address will map to a unique new IP address and IP addresses within the same subnet will share the same encrypted prefix. Generally, cryptopan is the anonymisation scheme that should be used with traceanon. Cryptopan encryption requires an encryption key that may be up to 32 bytes long and will be padded with NULLs. The same encryption key will produce the same mappings of real IPs to encrypted IPs.
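The following is an added example, not part of the libtrace wiki or of traceanon's own source, that shows the two anonymisation schemes described above side by side. The prefix substitution function behaves as the -p option does (high bits replaced, host bits kept), and the prefix-preserving function follows the Crypto-PAn construction: each output bit is the input bit XORed with a keyed pseudo-random bit that depends only on the preceding input bits, which is what makes the mapping both unique (invertible with the key) and prefix preserving. The real Crypto-PAn derives that bit from AES on a padded block; here HMAC-SHA256 from the standard library stands in for the PRF (an assumption made so the example runs offline), so the mappings differ from traceanon's, but the structural properties are identical. Key padding to 32 bytes with NULLs mirrors the behaviour stated above.

```python
import hashlib
import hmac
import ipaddress

KEY_LEN = 32  # traceanon pads the cryptopan key with NULLs to 32 bytes


def pad_key(key: bytes) -> bytes:
    """Pad a key of up to 32 bytes with NUL bytes, as the page describes."""
    if len(key) > KEY_LEN:
        raise ValueError("key may be at most %d bytes" % KEY_LEN)
    return key.ljust(KEY_LEN, b"\x00")


def substitute_prefix(addr: str, prefix: str) -> str:
    """Prefix substitution (-p): replace the network bits, keep the host bits."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    host_mask = (1 << (32 - net.prefixlen)) - 1
    host_bits = int(ipaddress.IPv4Address(addr)) & host_mask
    return str(ipaddress.IPv4Address(int(net.network_address) | host_bits))


def _prf_bit(key: bytes, prefix_value: int, prefix_len: int) -> int:
    # One pseudo-random bit derived from the i-bit prefix seen so far.
    # Stand-in PRF (assumption): HMAC-SHA256 instead of Crypto-PAn's AES.
    msg = prefix_len.to_bytes(1, "big") + prefix_value.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def anonymise_prefix_preserving(addr: str, key: bytes) -> str:
    """Crypto-PAn style: output bit i = input bit i XOR PRF(first i input bits)."""
    key = pad_key(key)
    a = int(ipaddress.IPv4Address(addr))
    out = 0
    for i in range(32):
        prefix = a >> (32 - i)          # the i most significant original bits
        bit = (a >> (31 - i)) & 1
        out = (out << 1) | (bit ^ _prf_bit(key, prefix, i))
    return str(ipaddress.IPv4Address(out))


def deanonymise_prefix_preserving(addr: str, key: bytes) -> str:
    """Invert the mapping: the key holder can recover original addresses."""
    key = pad_key(key)
    c = int(ipaddress.IPv4Address(addr))
    a = 0                                # holds the i original bits recovered so far
    for i in range(32):
        cbit = (c >> (31 - i)) & 1
        a = (a << 1) | (cbit ^ _prf_bit(key, a, i))
    return str(ipaddress.IPv4Address(a))


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses have in common."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


if __name__ == "__main__":
    key = b"I like bears"  # the key used in the Applications section above
    hosts = ["10.1.2.3", "10.1.2.7", "10.1.9.1", "172.16.2.3"]
    print("prefix substitution with 192.168.0.0/16 (note the collision):")
    for h in hosts:
        print("  %-12s -> %s" % (h, substitute_prefix(h, "192.168.0.0/16")))
    print("prefix-preserving (shared prefix length is kept):")
    for h in hosts:
        enc = anonymise_prefix_preserving(h, key)
        print("  %-12s -> %-15s shared bits with 10.1.2.3: %d -> %d" % (
            h, enc, shared_prefix_len("10.1.2.3", h),
            shared_prefix_len(anonymise_prefix_preserving("10.1.2.3", key), enc)))
```

Running the block shows why the page recommends cryptopan for regular use: under substitution, 10.1.2.3 and 172.16.2.3 both become 192.168.2.3 and can no longer be told apart, while the prefix-preserving mapping keeps every address distinct and keeps 10.1.2.3 and 10.1.2.7 in the same /29 after anonymisation. The inverse function is included to make the uniqueness claim concrete and to underline that the key must be protected like any other secret, since anyone holding it can reverse the mapping.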

Checksum Update

In addition to IP anonymisation, traceanon also updates the checksums within the TCP and UDP headers to be correct once the IP addresses have been replaced with their anonymised counterparts.
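Why the checksums need touching at all is worth seeing on real bytes: the UDP and TCP checksums cover a pseudo-header that contains the source and destination IP addresses, so swapping the addresses without recomputing leaves a packet that every checksum verifier will flag. The following added example (not traceanon's code; it constructs its own IPv4/UDP packet inline) builds a packet, rewrites the addresses naively, shows both the IP header checksum and the UDP checksum fail, then performs the rewrite the way this section describes, recomputing both. TCP uses the same pseudo-header and the same one's-complement arithmetic, so the same recomputation applies.

```python
import ipaddress
import struct

PROTO_UDP = 17


def _ones_complement_sum(data: bytes) -> int:
    """Fold a byte string into a 16-bit one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _checksum(data: bytes) -> int:
    return (~_ones_complement_sum(data)) & 0xFFFF


def _pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    # The pseudo-header is why address rewriting invalidates the UDP/TCP checksum.
    return src + dst + struct.pack("!BBH", 0, PROTO_UDP, udp_len)


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample packet with correct IP and UDP checksums."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = _checksum(_pseudo_header(src_b, dst_b, udp_len) + udp) or 0xFFFF  # RFC 768: 0 -> 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64,
                     PROTO_UDP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + udp


def ip_header_valid(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return _ones_complement_sum(pkt[:ihl]) == 0xFFFF


def udp_checksum_valid(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    udp = pkt[ihl:]
    if udp[6:8] == b"\x00\x00":       # checksum disabled by the sender (IPv4 UDP)
        return True
    return _ones_complement_sum(_pseudo_header(pkt[12:16], pkt[16:20], len(udp)) + udp) == 0xFFFF


def rewrite_addresses(pkt: bytes, new_src: str, new_dst: str, fix_checksums: bool = True) -> bytes:
    """Replace the IPv4 addresses; with fix_checksums, recompute IP and UDP checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    src_b = ipaddress.IPv4Address(new_src).packed
    dst_b = ipaddress.IPv4Address(new_dst).packed
    ip = pkt[:12] + src_b + dst_b + pkt[20:ihl]     # IP options, if any, are kept
    udp = pkt[ihl:]
    if not fix_checksums:
        return ip + udp                              # stale checksums, as a naive tool would leave them
    ip = ip[:10] + b"\x00\x00" + ip[12:]
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    if udp[6:8] != b"\x00\x00":                      # only recompute if a checksum was present
        udp = udp[:6] + b"\x00\x00" + udp[8:]
        csum = _checksum(_pseudo_header(src_b, dst_b, len(udp)) + udp) or 0xFFFF
        udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    return ip + udp


if __name__ == "__main__":
    pkt = build_ipv4_udp("10.0.0.1", "10.0.0.2", 1234, 53, b"hello")
    naive = rewrite_addresses(pkt, "192.168.0.1", "192.168.0.2", fix_checksums=False)
    fixed = rewrite_addresses(pkt, "192.168.0.1", "192.168.0.2")
    for name, p in (("original", pkt), ("naive rewrite", naive), ("fixed rewrite", fixed)):
        print("%-14s ip checksum ok=%-5s udp checksum ok=%s" % (
            name, ip_header_valid(p), udp_checksum_valid(p)))
```

A practical check after running traceanon is exactly the verification the two `*_valid` functions perform: feed a sample of the anonymised trace to a checksum-aware reader and confirm nothing is reported as corrupt. Note that the example only re-validates what traceanon itself promises (IP, TCP and UDP); anything that carries addresses elsewhere, such as the ARP payloads mentioned in the notes below, is outside the rewrite and keeps its original values.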

Notes

  • The output trace format does not have to match the input format, e.g.

         traceanon pcapfile:unanonymised.pcap.gz erf:anon.erf.gz

    will work. This property holds true for all libtrace applications, although format header information can be lost when converting from one format to another, e.g. pcap headers have no space to store the ERF rxerror field.

  • IP addresses within ARP packets are currently not anonymised - this may be added in a future version of libtrace.

  • Currently, we do not support anonymising IP addresses based on packet direction - this may be added in a future version of libtrace.
