Tag Archives: network traces

A Jolly Trick

Sometimes in the course of my job it is necessary to sanitise evidence before passing it on to other parties for comment. The recent upgrade of wireshark, and change of file format, has made this a little tricky (basically i can’t get traceWrangler or BitTwiste to work with pcapng files), so I’ve had to go back to the old ways. a hex editor. Sigh.

EDIT: tracewrangler does work. i am, apparently, an idiot. Soz, bois.

So… how to sanitise a packet trace with a hex editor – take it away!

First – get yourself a hex editor – I’m using HxD

Make a note of the ip addresses you need to change – mostly i don’t need to lose the whole address, just the first few octets, which is nice.

Open your pcapng file in HxD

image

Open calc also, unless you can do dec to hex conversion in your head. i know a guy who can, but no-one talks to him much.

Use calc to convert the octets you need to bowdlerize:  172.16.1.8 becomes ac.10.1.8. write this down. Hopefully, you’ll not have too many subnets in your trace, eh?

Open search and replace in the hex editor:

image

Type in the octets you need to replace as character pairs, with spaces between – e.g. AC 10 01 08. Put in something obvious, like 65 65 65 01. Set the type to Hex-values – text won’t work – and hit replace. Oh wow. Look how lovely that is:

image

 

Truly, a thing of beauty. The other truly beautiful thing is that this method edits ALL references, not just the headers.

image