Anonymizing Capture Files and More with Tracewrangler

One of the things that we have to do when capturing packets is save the packet captures to a file, so we can study them, send them to someone else who can help us understand what is happening, or send them to the manufacturers as evidence of what went wrong with an application or a protocol.  The problem with this is that these capture files (or trace files) may contain private information from a user or system that we really don’t want to share or accidentally leak to someone who may be a bad actor.

One of the principles we have always taught in our Wireshark classes is to presume that all your personal information (driver’s license, passport, birth certificate, bank accounts, usernames and passwords) is in the packet capture.  Consider how you would handle that information.

One of the nice things about TCPdump in the early days was that it basically captured only packet header information, and did not save the packet contents.  Today’s capture tools, like Wireshark, capture everything.  Granted, most of the data is encrypted, and without the keys to decrypt it, the user data is likely protected, but can we 100% guarantee that?

So, Tracewrangler is a tool that can anonymize packet captures by modifying some of the content, without modifying the sequence of events in a packet capture.  It can also perform other tasks like carving larger packet captures to isolate certain communications for examination.  Unfortunately, it is only available for Windows environments (it works in Linux using WINE).
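To make the idea concrete, here is an added example (my own illustration, not Tracewrangler’s code) of the core anonymization step: every IPv4 address in a pcap is replaced by a consistent pseudonym (the constructed `10.0.0.` prefix is an assumption), the IP header checksum is recomputed, and record headers, timestamps, packet order and payloads are left exactly as they were, so the sequence of events is preserved.  The two-packet capture it runs on is built inline and is not real traffic.

```python
import struct
from typing import Dict, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum over an IPv4 header; returns 0 if the header is already valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def anonymize_pcap(data: bytes, prefix: str = "10.0.0.") -> Tuple[bytes, Dict[str, str]]:
    """Copy a pcap, replacing each IPv4 address with a consistent pseudonym (first seen ->
    prefix+'1', next -> prefix+'2', ...). Record headers, order and lengths are untouched."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    assert linktype == LINKTYPE_ETHERNET, "example handles Ethernet captures only"
    out, mapping, off = bytearray(data[:24]), {}, 24
    while off < len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        out += data[off:off + 16]                      # per-packet header kept verbatim
        frame = bytearray(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
        # 14-byte Ethernet header; EtherType 0x0800 means an IPv4 packet follows.
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[14] >> 4 == 4:
            ihl = (frame[14] & 0x0F) * 4
            for pos in (26, 30):                        # source, then destination address
                real = ".".join(str(b) for b in frame[pos:pos + 4])
                fake = mapping.setdefault(real, prefix + str(len(mapping) + 1))
                frame[pos:pos + 4] = bytes(int(x) for x in fake.split("."))
            frame[24:26] = b"\x00\x00"                  # zero, then recompute the header checksum
            frame[24:26] = struct.pack("!H", ip_checksum(bytes(frame[14:14 + ihl])))
            # TCP/UDP checksums cover a pseudo-header with these addresses; a real tool fixes those too.
        out += frame
    return bytes(out), mapping

def build_sample_pcap() -> bytes:
    """Constructed two-packet UDP exchange (A->B, then B->A); not a real capture."""
    def frame(src: str, dst: str, payload: bytes) -> bytes:
        ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 1, 0, 64, 17, 0,
                                   bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split("."))))
        ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
        udp = struct.pack("!HHHH", 5353, 5353, 8 + len(payload), 0) + payload  # UDP checksum 0 = absent
        return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + bytes(ip) + udp
    frames = [frame("192.168.1.10", "203.0.113.5", b"hello"), frame("203.0.113.5", "192.168.1.10", b"reply")]
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
```

Keep the returned mapping to yourself: it is the key that turns the pseudonyms back into the real addresses.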

Let’s take a brief look at Tracewrangler:

I just want to publicly thank Jasper Bongertz for a great tool.  You can download Tracewrangler here.

Have you used Tracewrangler?  If so, tell us how, and share your experience in the comments below.

