Make your Pcap files GDPR and NISTIR 8053 compliant today!

GDPR and NISTIR 8053 solution for Pcap files
GDPR and NISTIR 8053 Compliance for your Pcap files

Pcap files often contain personal data of network users, information about networks' internal structure, and other sensitive data. GDPR and NISTIR 8053 privacy rules make it difficult to share Pcap files with suppliers, customers, and even internally.

SafePcap allows automated scrambling of Pcap data in situ for any network stack at any stack layer while fully preserving the binary integrity of the data. Data modifications are done in a break-proof manner with the lengths, checksums, offsets and all other service fields recalculated on-the-fly for all affected packets and protocol layers.

Key Features
All Protocols, All Layers

Many network protocols/stacks are supported. Support for any new network protocol could be added quickly.

Guaranteed Data Integrity

A file processed with SafePcap allows for effective forensic analysis with commonly used Pcap analysis tools such as Wireshark™.

Anonymization Algorithms

Pre-programmed anonymization algorithms. Auto scrambling of IP addresses at all layers, phone and IMSI numbers, texts, email addresses, etc.


Reversible anonymization algorithms specified by NISTIR 8053 are supported.

Easy Customization

Flexible and mature architecture allows easy customization per individual customer requirements.

Frequently Asked Questions
What is SafePcap?

SafePcap is a scriptable L2-L7 Pcap anonymizer, sanitizer, scrambler, and a GDPR/NISTIR 8053 Compliance Solution. A file sanitized with SafePcap allows for effective forensic analysis with commonly used Pcap analysis tools like Wireshark™. Automation is fully supported via SafePcap CLI and an API.

Can SafePcap anonymize any packet field at any stack layer? Even for mobile core protocols?!

Yes and yes.

What GDPR and NISTIR 8053 related issue is SafePcap addressing?

A Packet Capture (Pcap) file holds "bits on the wire" networking data, a time-stamped collection of captured network packet binaries. While sharing of Pcap files is essential for development, monitoring, and troubleshooting of computer networks, the sensitive/proprietary info often found there makes sharing Pcap files "as is" problematic. The files have to be sanitized first.

Selectively scrambling captured network traffic while fully preserving the binary integrity of the data is a complex task due to the variety of protocols involved and the intricacy of packets' intra- and inter-dependencies. Historically the Pcap sharing problem has been addressed by having NDAs between the parties involved. Without an NDA in place, the most popular approach is to dump the decoded frames into text format, obfuscate the sensitive data there, then share the resulting text file with 3rd parties. Yet another approach is to zero out the packet data above TCP/UDP. The big downside of the described technical approaches is loss of information about the binary structure of the captured traffic. This loss makes effective analysis of many networking issues much harder and often impossible.

GDPR and NISTIR 8053 make sharing of Pcap files even more problematic. Users' personal data can no longer be sent outside the EU area, and having an NDA in place is no longer enough. SafePcap was built from the ground up to address this problem.

What protocols are supported by SafePcap today?

Any protocol one can decode/dissect with WireEdit today can be anonymized with SafePcap today.

What Linux versions are supported by SafePcap?

Ubuntu 16.04/18.04/20.04, RHEL 7/8, CentOS 7/8.

Can SafePcap wipe out a packet field no matter what the field content is?

Yes. This is similar to wiping out a patient name from a medical record, no matter what the name is. We can target for anonymization any packet field at any stack layer by the field name only. The field value will be replaced by dummy data or pseudonymized according to user preferences. The integrity of the anonymized packets and the anonymized Pcap file as a whole remains intact. The file can be analyzed with Wireshark™ as usual.

What if SafePcap doesn't anonymize properly but I'm unable to share the pcap file?

If SafePcap doesn't support the protocol involved, or the issue is in a specific field of a supported protocol, just telling us may be enough. As a last resort we may ask for a Pcap example file with at least one packet. You can anonymize the packet manually with WireEdit and share the anonymized copy.

Can SafePcap anonymize data such as MSISDN numbers broken into multiple TCP segments?

Yes. Suppose one wants to anonymize the phone number 14085121212. The trouble with a direct approach is that there is no single packet with the whole sequence. Instead, one TCP segment carries 140851 and another carries 21212. SafePcap detects this, edits the segments, and recalculates TCP SEQ/ACK values accordingly.
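The split-number case above, as an added Python example (not SafePcap code): the value is located in the reassembled byte stream, replaced, and the segments' sequence numbers and the peer's acknowledgement numbers are remapped. The segment dictionaries, `remap` and `anonymize_stream` are hypothetical names, and the sketch assumes contiguous, non-retransmitted segments with no sequence wraparound.

```python
# Constructed sample: one direction of a TCP stream carrying an MSISDN split
# across two segments, plus the ACK numbers the peer sent back.
ISN = 1000  # sequence number of the first payload byte (constructed)
SEGMENTS = [
    {"seq": 1000, "payload": b"msisdn=140851"},
    {"seq": 1013, "payload": b"21212;imsi=x"},
]
PEER_ACKS = [1013, 1025]


def remap(offset, start, end, new_len):
    """Map a byte offset in the original stream to the edited stream."""
    if offset <= start:
        return offset
    if offset >= end:
        return offset + new_len - (end - start)
    return start + min(offset - start, new_len)  # boundary falls inside the match


def anonymize_stream(segments, peer_acks, target, replacement, isn):
    """Replace the first occurrence of target, even if it spans segments.

    Returns new segments and new peer ACK numbers. Length fields and
    checksums of real packets would also need recalculating; that part
    is outside this sketch.
    """
    segments = sorted(segments, key=lambda s: s["seq"])
    stream = b"".join(s["payload"] for s in segments)
    start = stream.find(target)
    if start < 0:
        return segments, list(peer_acks)
    end, n = start + len(target), len(replacement)
    edited = stream[:start] + replacement + stream[end:]
    out = []
    for s in segments:
        lo = remap(s["seq"] - isn, start, end, n)
        hi = remap(s["seq"] - isn + len(s["payload"]), start, end, n)
        out.append({"seq": isn + lo, "payload": edited[lo:hi]})
    acks = [isn + remap(a - isn, start, end, n) for a in peer_acks]
    return out, acks
```

With a same-length replacement the sequence space is unchanged; a shorter or longer one shifts every later SEQ and ACK by the length difference.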

Can SafePcap support anonymization of any networking stack?

Yes. All stacks, all layers, any encoding, binary and text based. If a layer is encrypted, we can support it provided the decryption keys can be extracted from the captured traffic and the algorithm allows the anonymized data to be encrypted back. All the stack layers dissected by Wireshark™ before the anonymization are dissected after it without errors. Packets' binary integrity is fully preserved. Support for a new network stack can be added quickly. Having specs helps.

Does SafePcap support pseudonymization according to NISTIR 8053?

Yes. We support format preserving encryption of sensitive data at all stack layers. A customer holds a secret key which makes the pseudonymization reversible.
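To illustrate what reversible, format-preserving pseudonymization of a digit field means, here is an added Python example (not SafePcap's algorithm, and not the NIST FF1/FF3-1 modes): a simplified keyed Feistel construction over decimal strings. The function names, the key and the round count are assumptions made for the illustration.

```python
import hashlib
import hmac


def _round_value(key: bytes, rnd: int, other_half: str, width: int) -> int:
    """Keyed pseudo-random number below 10**width, derived from the other half."""
    mac = hmac.new(key, bytes([rnd]) + other_half.encode(), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % 10**width


def fpe_digits(key: bytes, digits: str, decrypt: bool = False, rounds: int = 8) -> str:
    """Encrypt or decrypt a decimal string, keeping its length and alphabet."""
    if len(digits) < 2 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("need a string of at least two decimal digits")
    mid = len(digits) // 2
    halves = [digits[:mid], digits[mid:]]
    # Decryption walks the same rounds backwards and subtracts instead of adds.
    order = range(rounds - 1, -1, -1) if decrypt else range(rounds)
    for rnd in order:
        tgt = rnd % 2  # even rounds update the left half, odd rounds the right
        width = len(halves[tgt])
        delta = _round_value(key, rnd, halves[1 - tgt], width)
        if decrypt:
            delta = -delta
        halves[tgt] = str((int(halves[tgt]) + delta) % 10**width).zfill(width)
    return halves[0] + halves[1]


KEY = b"constructed-demo-key"  # constructed; a real key stays with the data owner
MSISDN = "14085121212"         # the phone number used in the FAQ above


def demo():
    """Return (pseudonym, recovered original) for the sample MSISDN."""
    pseudonym = fpe_digits(KEY, MSISDN)
    return pseudonym, fpe_digits(KEY, pseudonym, decrypt=True)
```

The pseudonym is still an 11-digit string, so it fits the same packet field without changing lengths, and only the key holder can map it back.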

Does SafePcap use Wireshark™ dissectors code?


Does SafePcap support 3GPP Mobile Core Protocols?

Full support for all 5G/4G/LTE 3GPP Mobile Core protocols and interfaces including SS7, RANAP, DIAMETER, and VoLTE.

What data is considered sensitive in Pcap files?

IP Addresses, port numbers, IMSI and MSISDN numbers, texts, email addresses, passwords, domain names, etc. In fact, data at any stack layer could be considered sensitive in some use case. SafePcap allows targeted anonymization of captured network traffic at any stack layer while fully preserving the packets' binary integrity. Specific values in specific data fields at specific network layers could be easily targeted for bulk anonymization.

What is the difference between SafePcap and other Pcap anonymizers?

Other tools can't anonymize binary encoded stack layers above UDP/TCP. Instead, they take a simplistic approach of zeroing them out. This approach is far from ideal in many use cases. For example, it makes effective analysis of anonymized 3GPP Mobile Core Pcap files impossible.

A good analysis of the difficulty involved is expressed here. Our response is here. SafePcap by design allows obfuscation of any field at any stack layer above TCP/UDP without breaking packets' binary integrity.

What language is SafePcap written in?

Optimized C++.

Do you support anonymization of ASN.1 based protocol layers?