SafePcap is a GDPR and NISTIR 8053 solution for Pcap files
GDPR and NISTIR 8053 Compliance for your Pcap files

Pcap files often contain personal data of network users, information about the internal structure of networks, and other sensitive data. GDPR and NISTIR 8053 privacy rules make it impossible to share Pcap files with suppliers, customers, and even internally.

SafePcap allows automated scrambling of Pcap data in situ for any network stack at any stack layer while fully preserving the binary integrity of the data. Data modifications are done in a break-proof manner with the lengths, checksums, offsets and all other service fields recalculated on-the-fly for all affected packets and protocol layers.

Key Features
All Protocols, All Stacks

Many network protocols and stacks are supported. Support for any new network protocol can be added quickly.

Guaranteed Data Integrity

A file processed with SafePcap allows for effective forensic analysis with commonly used Pcap analysis tools like Wireshark™.

Anonymization Algorithms

Pre-programmed anonymization algorithms. Auto scrambling of IP addresses at all layers, phone and IMSI numbers, texts, email addresses, etc.

NISTIR 8053 Pseudonymization

NISTIR 8053 specified reversible anonymization algorithms are supported.

Easy Customization

Flexible and mature architecture allows easy customization per individual customer requirements.

Frequently Asked Questions
What is SafePcap?

SafePcap is a scriptable L2-L7 Pcap anonymizer, sanitizer, scrambler, and a GDPR/NISTIR 8053 Compliance Solution. A file sanitized with SafePcap allows for effective forensic analysis with commonly used Pcap analysis tools like Wireshark™. Automation is fully supported via SafePcap CLI and an API.

What GDPR and NISTIR 8053 related issue is SafePcap addressing?

A Packet Capture (Pcap) file holds "bits on the wire" networking data, a time-stamped collection of captured packet binaries. While sharing of Pcap files is essential for development, monitoring, and troubleshooting of computer networks, the proprietary data often found in the files makes sharing "as is" problematic. The files have to be sanitized first.

Selectively scrambling captured network traffic while fully preserving the binary integrity of the data is a complex task due to the variety of protocols involved and the intricacy of packets' intra- and inter-dependencies. Historically the Pcap sharing problem has been addressed by having NDAs between the parties involved. Without an NDA in place the most popular approach is to dump the decoded Pcap file into text, obfuscate the sensitive parts there, and share the resulting text file with 3rd parties. Another approach is to zero out the packet data above TCP/UDP. The big downside of both approaches is loss of information about the binary structure of the captured traffic. This loss makes effective analysis of networking issues much harder and often impossible.

The arrival of GDPR and NISTIR 8053 has made sharing of Pcap files even more problematic. Users' personal data can no longer be easily sent outside the EU and having an NDA is no longer enough. SafePcap is built to address this problem.

Can SafePcap wipe out a packet field no matter what the content is?

Yes. This is similar to wiping out a patient name from a medical record, no matter what the name is. We can target any packet field for anonymization at any stack layer by its name only (which includes the field position in the decode tree). The field will be overwritten by dummy data or pseudonymized according to user preferences. The integrity of the packet and the Pcap file as a whole remains intact after the operation, so you can still analyze it with Wireshark™.
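Why overwriting a field forces dependent fields to be recalculated, shown for one simple case (an added example, not SafePcap code): replacing the IPv4 addresses in a raw IPv4/UDP packet invalidates the IP header checksum and the UDP checksum, whose pseudo-header covers the addresses. The function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (padded to 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _udp_span(pkt):
    """Return (IPv4 header length, UDP length, UDP pseudo-header bytes)."""
    ihl = (pkt[0] & 0x0F) * 4
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    return ihl, udp_len, bytes(pkt[12:20]) + struct.pack("!BBH", 0, 17, udp_len)

def rewrite_ipv4_udp(pkt: bytes, new_src: str, new_dst: str) -> bytes:
    """Overwrite both addresses of a raw IPv4/UDP packet and fix its checksums."""
    p = bytearray(pkt)
    p[12:16] = ipaddress.IPv4Address(new_src).packed
    p[16:20] = ipaddress.IPv4Address(new_dst).packed
    ihl, udp_len, pseudo = _udp_span(p)
    p[10:12] = b"\x00\x00"                      # clear header checksum field
    p[10:12] = struct.pack("!H", csum(bytes(p[:ihl])))
    if p[ihl + 6:ihl + 8] != b"\x00\x00":       # zero means "no UDP checksum"
        p[ihl + 6:ihl + 8] = b"\x00\x00"
        c = csum(pseudo + bytes(p[ihl:ihl + udp_len]))
        p[ihl + 6:ihl + 8] = struct.pack("!H", c or 0xFFFF)
    return bytes(p)

def checksums_valid(pkt: bytes) -> bool:
    """True if the IPv4 header and UDP checksums both verify (sum to zero)."""
    ihl, udp_len, pseudo = _udp_span(pkt)
    return csum(pkt[:ihl]) == 0 and csum(pseudo + pkt[ihl:ihl + udp_len]) == 0

def sample_packet() -> bytes:
    """Constructed IPv4/UDP packet with documentation-range addresses."""
    payload = b"REGISTER sip:example.invalid"
    # 0xFFFF is a placeholder UDP checksum; the rewrite call computes the real one.
    udp = struct.pack("!HHHH", 5060, 5060, 8 + len(payload), 0xFFFF) + payload
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0)
    return rewrite_ipv4_udp(ip + bytes(8) + udp, "192.0.2.10", "198.51.100.7")

if __name__ == "__main__":
    original = sample_packet()
    naive = original[:12] + bytes([10, 0, 0, 1]) + original[16:]
    fixed = rewrite_ipv4_udp(original, "10.0.0.1", "10.0.0.2")
    print(checksums_valid(original), checksums_valid(naive), checksums_valid(fixed))
```

The naive overwrite leaves a packet that an analyzer with checksum validation enabled flags as corrupt; the recalculated one verifies and keeps the same length and payload.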

Can SafePcap support anonymization of any networking stack?

Yes. All stacks, all layers, any encoding, binary and text based. All the layers dissected by Wireshark™ before the anonymization are guaranteed to be dissected after. Having specs helps.

Does SafePcap support pseudonymization according to NISTIR 8053?

Yes. We support format preserving encryption of sensitive data at all stack layers. A customer holds a secret key which makes the pseudonymization reversible.
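What keyed, reversible, format-preserving pseudonymization of a digit field such as an IMSI looks like, as an added example that is not SafePcap's algorithm and not NIST FF1/FF3-1: an alternating Feistel network over decimal digits with HMAC-SHA256 as the round function. The `tweak` parameter, the 6-digit minimum, the demo key and the sample IMSI are assumptions made for illustration.

```python
import hashlib
import hmac

MIN_DIGITS = 6  # assumption: refuse tiny domains that could simply be enumerated

def _prf(key: bytes, rnd: int, half: str, width: int, tweak: str) -> int:
    """Keyed round function: HMAC-SHA256 reduced to `width` decimal digits."""
    msg = f"{rnd}|{width}|{tweak}|{half}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % 10 ** width

def _feistel(key: bytes, digits: str, tweak: str, decrypt: bool, rounds: int = 10) -> str:
    """Permute a decimal string of fixed length under `key`; invertible."""
    if not (digits.isascii() and digits.isdigit()) or len(digits) < MIN_DIGITS:
        raise ValueError(f"need at least {MIN_DIGITS} decimal digits")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    order = range(rounds - 1, -1, -1) if decrypt else range(rounds)
    for i in order:
        m = u if i % 2 == 0 else v          # width of the half being replaced
        if decrypt:
            c, b = b, a
            a = str((int(c) - _prf(key, i, b, m, tweak)) % 10 ** m).zfill(m)
        else:
            c = (int(a) + _prf(key, i, b, m, tweak)) % 10 ** m
            a, b = b, str(c).zfill(m)
    return a + b

def pseudonymize(key: bytes, digits: str, tweak: str = "") -> str:
    """Map a digit string to a same-length digit string under the secret key."""
    return _feistel(key, digits, tweak, decrypt=False)

def restore(key: bytes, pseudonym: str, tweak: str = "") -> str:
    """Invert pseudonymize(); requires the same key and tweak."""
    return _feistel(key, pseudonym, tweak, decrypt=True)

if __name__ == "__main__":
    key = bytes(range(32))            # constructed demo key, not a real secret
    imsi = "001010123456789"          # constructed test-network IMSI
    p = pseudonymize(key, imsi, "imsi")
    print(imsi, "->", p, "->", restore(key, p, "imsi"))
```

The mapping is deterministic, so the same subscriber gets the same pseudonym across packets and files, which preserves correlation for troubleshooting but also means the key holder, and only the key holder, can reverse it.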

Does SafePcap use Wireshark™ dissectors code?

No.

Does SafePcap support 3GPP Mobile Core Protocols?

Full support for all 4G/LTE 3GPP Mobile Core protocols and interfaces including SS7, RANAP, DIAMETER, and VoLTE.

What data is considered sensitive in Pcap files?

IP addresses, port numbers, phone numbers, IMSI numbers, email addresses, passwords, texts, HTTP headers, etc. In fact, data at any stack layer could be considered sensitive in some use cases. SafePcap allows anonymizing data of any type at any stack layer of the captured network traffic while fully preserving the packets' binary integrity. Specific values in specifically named data fields at a specific network stack layer could be targeted for bulk anonymization.

What is the difference between SafePcap and other Pcap anonymizers?

Other tools can't anonymize binary encoded stack layers above UDP/TCP. Instead, they take a simplistic approach of zeroing them out. This approach is far from ideal in many use cases. For example, it makes an effective analysis of anonymized 3GPP Mobile Core Pcap files impossible.

A popular opinion on the subject is expressed here. Our response is here. SafePcap by design allows obfuscation of any field at any stack layer above TCP/UDP without breaking packets' binary integrity.

What language is SafePcap written in?

Optimized C++. One needs every CPU cycle one can get to process large Pcap files.

Do you support anonymization of ASN.1 based protocol layers?

Yes.

What protocols are supported by SafePcap today?

New protocols are added all the time. Here is the partial list:

IP, Ethernet II, IEEE 802.1Q, IPv4, IPv6, UDP, TCP, SCTP, GRE, TLS, TPKT, VXLAN, NetBIOS, SMB, HTTP, HTTP2, FTP, IMAP, POP3, DNS, NTP, OpenFlow, MODBUS, FIXT, ICMPv4, ICMPv6, IGMP Ver 1, IGMP Ver 2, IGMP Ver 3, TELNET, SSH, DHCP, DHCPv6, ARP, RARP, LLDP, XMPP, LDAP, SNMPv1, SNMPv2c, SNMPv2u, SNMPv3, RSVP, BGP, OSPF, CAPWAP, DTLS, SoupBinTCP, NASDAQ OUCH 4.2, CPE-WAN over SOAP, HNCP, Radiotap, IEEE 802.11, L2TPv2, L2TPv3, 802.3/LLC, Cisco AN, Cisco AN, ESP, ISAKMP, CESoPSN, PPPoE, PPPoE, PPP, PPP LCP, PPP IPCP, PPP PAP, SIP, RTP, RTCP, RFC 2833, CISCO Skinny, MSRP, DIAMETER, H.248.1 v1 Text, H.248.1 v1 BER, H.248.1 v2 Text, H.248.1 v2 BER, H.248.1 v3 Text, H.248.1 v3 BER, Q.931/H.225, MGCP, H.323, H.245, RADIUS, SDP, IMS XML App part, T.38, SCSI, iSCSI, SCSI, MODBUS, Bluetooth, HCI, L2CAP, DNP3, MPEG2 TS, DOCSIS, MTP3b ITU, MTP3 ITU, MTP T&M ITU, BICC ITU, ISUP ITU, SCCP ITU, SCMG ITU, TCAP/INAP-CS1, TCAP/INAP-CS2, TCAP/INCS1-PLUS-C, TUP ITU, TCAP/INAP-CS2-ETSI, TCAP/SINAP6i, TCAP/SINAP7M, MTP2 ANSI, MTP3b ANSI, MTP3 ANSI, MTP T&M ANSI, ISUP ANSI, SCCP ANSI, SCMG ANSI, ISUP China, TUP China, ISDN, QSIG, DPNSS, IUA, M2UA, M3UA, SUA, M2PA, DUA, IUP UK, ISUP UK, ISUP Rus, ISUP Israel, ISUP France, T-ISUP, TCAP/T-INAP, GSM Abis L3, GSM Abis O&M, GSM TRAU 16k, GSM TRAU 8k, GSM TFO, GSM BSSAP, GSM DTAP, GSM BSSMAP, SGsAP, GSM BSSAP-LE, GSM DTAP-LE, GSM BSSMAP-LE, GSM Radio L3, GSM Radio SS, GSM Radio GMM/SM, GSM Radio LCS, GSM RRLP, GSM Radio SM-CP, GSM SM-RP, BSSAP PLUS, GSM LLP, GSM BSSLAP, TCAP/MAP Ph1, TCAP/MAP Ph2, TCAP/MAP R96, TCAP/MAP R97, TCAP/MAP R98, TCAP/MAP R4, TCAP/MAP R7, TCAP/MAP R9, TCAP/CAP1, TCAP/CAP2, TCAP/CAP3, TCAP/CAP4, GSM SM-TP, SMPP, UCP, CIMD, GPRS, GSM Gb NS, GSM BSSGP, GSM Gb LLC, TOM, SNDCP, GTPv1, GTPv0, GTP PRIME, GTPv2-C, RANAP, NBAP, LTE S1AP, LTE NAS, LTE EMM, LTE ESM, LTE X2AP, IuUP, IS-41, TCAP/IS-41-D, TCAP/IS-41-E, CDMA PDS IS-801, CDMA PDS IS-801, CDMA SMS IS-637, SMS EIA-136-710, SMS EIA-136-710, CDMA, CDMA A11, CDMA A1 BSAP, CDMA A1 BSMAP, CDMA A1 DTAP, CDMA A9.