SCRUB-tcpdump Patch

SCRUB-tcpdump is a set of functions, maintained by CAIDA, for anonymizing packet traces in libpcap (tcpdump) format so that the traces can be shared with collaborators or released publicly without exposing the network they were captured on. SCRUB-tcpdump lets the user choose from a range of anonymization options for fields such as ports, IP addresses, timestamps, transport protocols, flags and options. More details about SCRUB-tcpdump can be found in the following paper:

Yurcik, William; Woolam, Clay; Hellings, Greg; Khan, Latifur; Thuraisingham, Bhavani, "SCRUB-tcpdump: A multi-level packet anonymizer demonstrating privacy/analysis tradeoffs," in Proc. of the International Conference on Security and Privacy in Communication Networks (SecureComm'07), pp. 49-56, 17-21 Sept. 2007.

We patched SCRUB-tcpdump to extend its handling of the transport-layer payload, so as to improve the protection of user privacy. In particular, we implemented an encryption function that takes two integers as keys for hashing the payload. One key is generated randomly; the other is chosen by the user at run time. Because the payload of every packet in the trace is encrypted, the risk of exposing personal data carried in the payload is greatly reduced. Note that a trace anonymized this way no longer contains recoverable payload, so analyses that depend on payload contents must be run before anonymization.

scrub-tcpdump is a utility that reads an input pcap file (as generated by tcpdump), anonymizes it, and writes the result to an output pcap file:


./scrub-tcpdump -r [input_file] -w [output_file] -k [user_key] -o "srcip rp dscip rp payload [h1|h2]"

where [user_key] is the integer key chosen by the user; the same key is also used when randomizing IP addresses. The payload option takes one of two hashing modes:

h1: one-to-one (distinct payloads map to distinct outputs, so equality between payloads is preserved)
h2: many-to-one (distinct payloads may map to the same output)
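The following is an added example, written for this page and not code from the SCRUB-tcpdump patch itself, that shows what the two-key payload scrubbing described above looks like end to end: a minimal pcap reader/writer in pure Python, a key derived from a random key and a user key, and the two payload modes. The interpretation of the modes is an assumption: h1 is implemented as a length-preserving keyed keystream XOR (a bijection, hence one-to-one), and h2 as a keyed HMAC digest truncated or repeated to the payload length (collisions possible, hence many-to-one). The key derivation (SHA-256 over both integers) and the helper names are likewise this example's own, and the sample pcap is constructed inline.

```python
import hashlib
import hmac
import secrets
import struct

PCAP_MAGIC = 0xA1B2C3D4  # standard microsecond-resolution pcap magic


def make_random_key() -> int:
    """The run-time random key (the patch's first key); 64 random bits here."""
    return secrets.randbits(64)


def derive_key(random_key: int, user_key: int) -> bytes:
    """Combine the random key and the user-chosen key into one 32-byte HMAC key.
    Assumption of this example: SHA-256 over both integers packed big-endian."""
    return hashlib.sha256(struct.pack(">QQ", random_key, user_key)).digest()


def scrub_payload(payload: bytes, key: bytes, mode: str) -> bytes:
    """Anonymize one transport payload without changing its length."""
    if not payload:
        return payload
    if mode == "h1":
        # One-to-one: XOR with a keystream that depends only on the key.
        # Equal payloads give equal outputs; distinct payloads stay distinct.
        stream = b""
        counter = 0
        while len(stream) < len(payload):
            stream += hmac.new(key, struct.pack(">I", counter), hashlib.sha256).digest()
            counter += 1
        return bytes(p ^ s for p, s in zip(payload, stream))
    if mode == "h2":
        # Many-to-one: replace the payload with its keyed digest, repeated or
        # truncated to the original length, so distinct payloads may collide.
        digest = hmac.new(key, payload, hashlib.sha256).digest()
        reps = -(-len(payload) // len(digest))  # ceiling division
        return (digest * reps)[: len(payload)]
    raise ValueError("mode must be 'h1' or 'h2'")


def payload_span(frame: bytes):
    """Locate the TCP/UDP payload in an Ethernet/IPv4 frame as (offset, length)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4 over Ethernet
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack(">H", frame[16:18])[0]
    proto = frame[23]
    l4 = 14 + ihl
    if proto == 6:  # TCP: data offset is the high nibble of byte 12
        data_off = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:  # UDP: fixed 8-byte header
        data_off = 8
    else:
        return None
    start = l4 + data_off
    end = min(14 + total_len, len(frame))
    return (start, end - start) if end > start else None


def _records(data: bytes):
    """Yield (record_header, frame) pairs from a pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("unsupported pcap magic")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8 : pos + 12])[0]
        yield data[pos : pos + 16], data[pos + 16 : pos + 16 + incl_len]
        pos += 16 + incl_len


def scrub_pcap(data: bytes, key: bytes, mode: str) -> bytes:
    """Rewrite every TCP/UDP payload in the pcap; headers are copied unchanged.
    Note: TCP/UDP checksums are not recomputed, so checksum-verifying tools will
    flag the scrubbed packets; a production tool should fix them up."""
    out = bytearray(data[:24])
    for rec_hdr, frame in _records(data):
        frame = bytearray(frame)
        span = payload_span(frame)
        if span:
            s, n = span
            frame[s : s + n] = scrub_payload(bytes(frame[s : s + n]), key, mode)
        out += rec_hdr + frame
    return bytes(out)


def extract_payloads(data: bytes) -> list:
    """Collect the TCP/UDP payloads of a pcap (used to inspect the result)."""
    found = []
    for _, frame in _records(data):
        span = payload_span(frame)
        if span:
            found.append(bytes(frame[span[0] : span[0] + span[1]]))
    return found


def build_sample_pcap(payload: bytes) -> bytes:
    """Constructed sample: one Ethernet/IPv4/TCP frame in a little-endian pcap."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack(">HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1]))
    frame = eth + ip + tcp + payload
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


if __name__ == "__main__":
    key = derive_key(make_random_key(), 42)  # 42 stands in for the -k user key
    sample = build_sample_pcap(b"GET / HTTP/1.1\r\n")
    for mode in ("h1", "h2"):
        print(mode, extract_payloads(scrub_pcap(sample, key, mode))[0].hex())
```

The one-to-one mode is where the privacy/analysis tradeoff in the paper's title bites: because the same keystream is applied to every packet, two payloads that differ in one byte still differ in exactly that byte, and XORing any two scrubbed payloads yields the XOR of the originals. That is what preserves equality for analysis, and also what leaks structure; h2 gives up the equality-at-each-offset property in exchange for that leak going away.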