Guy Harris wrote:
> On Mar 6, 2007, at 4:00 PM, Shehjar Tikoo wrote:
>> Here's the first version of the NFS anonymizer as a tshark tap.
>> http://www.gelato.unsw.edu.au/~shehjart/patches/nfs_anonymizer_tap.diff
>
> Wireshark doesn't support overwriting the contents of a tvbuff; it's
> read-only, and there are parts of Wireshark that expect it not to be
> modified. You *might* be able to get away with it in TShark.

TShark is what I need.

> Furthermore, even if you do cheat by converting the "const char *"
> that "tvb_get_ptr()" returns into a "char *", and then overwrite what
> the "char *" points to, all you're doing is overwriting an in-memory
> buffer - that would "anonymize" in the sense of not displaying the
> actual value of the field, but if you try to save the file, the
> resulting file won't be anonymized. If all you're doing is taking a
> capture and dissecting it with TShark, and just want the dissection to
> be anonymized, that might be sufficient.

I haven't tested it with Wireshark since I do not need a GUI
anonymizer, so yes, it might not work if I save the file from Wireshark.
It does work in TShark, but only when the output is being dumped to a file
using the -w option. The display on stdout is not the anonymized data, but
I'd like to determine if I can do something to fix that later.

> 1) I don't know what type of benchmarking you're doing, but if it
> involves knowing what's being done to specific files, a fancier
> anonymizer could build a table mapping "real" file names to
> "anonymized" file names, so that all references to a file name "foo"
> would be mapped to the same anonymized name;

Yes, that's being done already. For reference, see the use of:

/* Filename to Anonymized filename map */
static GHashTable *fname2afname_map = NULL;
/* File handle to anonymized file handle map */
static GHashTable *fh2afh_map = NULL;

> 2) nothing about this code restricts it to pcap files - nothing in
> Wireshark/TShark above the wiretap level knows or cares what the file
> format is, they just see the packet data;

Didn't know that. Will keep in mind.

Thanks
Shehjar
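The consistent mapping the thread discusses (the same real file name or file handle always getting the same pseudonym, kept in separate tables for names and handles), as an added illustration that is not code from Shehjar's patch: plain C standing in for the GHashTables the tap uses, with the table type, function name, prefixes and sample records all constructed here.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 256
#define KEY_LEN     128     /* longest NFS name / file handle we map */
#define ANON_LEN    32

struct anon_entry {
    unsigned char key[KEY_LEN];
    size_t        keylen;
    char          anon[ANON_LEN];
};

/* One table per namespace, mirroring fname2afname_map and fh2afh_map,
 * so a file name and a file handle can never share a pseudonym. */
struct anon_table {
    struct anon_entry e[MAX_ENTRIES];
    size_t            n;
};

/* Return the pseudonym for `key` (`keylen` raw bytes, so binary file
 * handles work as well as names), creating a sequential one on first
 * sight. Returns NULL when the key is too long or the table is full;
 * the caller must then drop the record rather than emit the real value.
 * The input is never modified: the anonymized value is written out
 * separately, which is what the tvbuff discussion above requires. */
const char *anon_lookup(struct anon_table *t, const void *key, size_t keylen,
                        const char *prefix)
{
    if (keylen > KEY_LEN)
        return NULL;
    for (size_t i = 0; i < t->n; i++)
        if (t->e[i].keylen == keylen && memcmp(t->e[i].key, key, keylen) == 0)
            return t->e[i].anon;            /* seen before: same pseudonym */
    if (t->n == MAX_ENTRIES)
        return NULL;
    struct anon_entry *ne = &t->e[t->n++];
    memcpy(ne->key, key, keylen);
    ne->keylen = keylen;
    snprintf(ne->anon, ANON_LEN, "%s_%04zu", prefix, t->n);
    return ne->anon;
}

int main(void)
{
    struct anon_table names = { .n = 0 }, handles = { .n = 0 };
    /* Constructed sample: three LOOKUP names (one repeated) and one
     * 16-byte file handle referenced twice. */
    const char *lookups[] = { "passwd", "notes.txt", "passwd" };
    const unsigned char fh[16] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                   9, 10, 11, 12, 13, 14, 15, 16 };
    for (int i = 0; i < 3; i++)
        printf("LOOKUP %-10s -> %s\n", lookups[i],
               anon_lookup(&names, lookups[i], strlen(lookups[i]), "file"));
    printf("FH x2 -> %s, %s\n", anon_lookup(&handles, fh, sizeof fh, "fh"),
           anon_lookup(&handles, fh, sizeof fh, "fh"));
    return 0;
}
```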