SafePcap

Make your Pcap files GDPR and NISTIR 8053 compliant today!

GDPR and NISTIR 8053 solution for Pcap files
GDPR and NISTIR 8053 Compliance for your Pcap files

Pcap files often contain personal data of network users, information about the network's internal structure, and other sensitive data. GDPR and NISTIR 8053 privacy rules make it difficult to share Pcap files with suppliers, customers, and even internally.

SafePcap allows automated scrambling of Pcap data in situ for any network stack at any stack layer while fully preserving the binary integrity of the data. Data modifications are done in a break-proof manner with the lengths, checksums, offsets and all other service fields recalculated on-the-fly for all affected packets and protocol layers.
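The checksum recalculation described above, reduced to one case as an added example (not SafePcap code): both IPv4 addresses of a TCP packet are replaced in place, then the IPv4 header checksum and the TCP checksum are recomputed. The function names, the HMAC-based mapping and the constructed sample packet are assumptions made for illustration.

```python
import hashlib, hmac, ipaddress, struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_csum(ip_pkt: bytes, ihl: int) -> int:
    """TCP checksum: pseudo-header (src, dst, 0, proto 6, TCP length) + segment."""
    seg = ip_pkt[ihl:]
    return csum(ip_pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg)) + seg)

def pseudonym(addr: bytes, key: bytes) -> bytes:
    # Assumption: keyed one-way HMAC mapping (not reversible FPE).
    return hmac.new(key, addr, hashlib.sha256).digest()[:4]

def scrub(ip_pkt: bytes, key: bytes) -> bytes:
    """Replace both IPv4 addresses, then recompute the checksums they feed."""
    b = bytearray(ip_pkt)
    ihl = (b[0] & 0x0F) * 4
    b[12:16] = pseudonym(bytes(b[12:16]), key)
    b[16:20] = pseudonym(bytes(b[16:20]), key)
    b[10:12] = b"\x00\x00"                      # IPv4 header checksum
    b[10:12] = struct.pack("!H", csum(bytes(b[:ihl])))
    if b[9] == 6:                               # TCP covers the addresses too
        b[ihl + 16:ihl + 18] = b"\x00\x00"
        b[ihl + 16:ihl + 18] = struct.pack("!H", tcp_csum(bytes(b), ihl))
    return bytes(b)

def checksums_ok(ip_pkt: bytes) -> bool:
    """A correct checksum makes the sum over the covered bytes verify as 0."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    return csum(ip_pkt[:ihl]) == 0 and tcp_csum(ip_pkt, ihl) == 0

def sample_packet() -> bytes:
    """Constructed IPv4/TCP packet (documentation addresses), valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, 0x18,
                      65535, 0, 0) + b"GET / HTTP/1.1\r\n\r\n"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("198.51.100.20").packed)
    b = bytearray(ip + tcp)
    b[10:12] = struct.pack("!H", csum(bytes(b[:20])))
    b[36:38] = struct.pack("!H", tcp_csum(bytes(b), 20))
    return bytes(b)
```

Overwriting the address bytes without the two recomputation steps leaves a packet that analysis tools flag as corrupt, which is what `checksums_ok` detects.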

Key Features
All Protocols, All Stacks

Many network protocols/stacks are supported. Support for any new network protocol could be added quickly.

Guaranteed Data Integrity

A file processed with SafePcap allows for effective forensic analysis with commonly used Pcap analysis tools such as Wireshark™.

Anonymization Algorithms

Pre-programmed anonymization algorithms. Auto scrambling of IP addresses at all layers, phone and IMSI numbers, texts, email addresses, etc.

Pseudonymization

NISTIR 8053-specified reversible anonymization algorithms are supported.

Easy Customization

Flexible and mature architecture allows easy customization per individual customer requirements.

Frequently Asked Questions
What is SafePcap?

SafePcap is a scriptable L2-L7 Pcap anonymizer, sanitizer, scrambler, and a GDPR/NISTIR 8053 Compliance Solution. A file sanitized with SafePcap allows for effective forensic analysis with commonly used Pcap analysis tools like Wireshark™. Automation is fully supported via SafePcap CLI and an API.

What GDPR and NISTIR 8053 related issue is SafePcap addressing?

A Packet Capture (Pcap) file holds "bits on the wire" networking data, a time-stamped collection of captured network packet binaries. While sharing of Pcap files is essential for development, monitoring, and troubleshooting of computer networks, the proprietary data often found there makes sharing "as is" problematic. The files have to be sanitized first.

Selectively scrambling captured network traffic while fully preserving the binary integrity of the data is a complex task due to the variety of protocols involved and the intricacy of packets' intra- and inter-dependencies. Historically the Pcap sharing problem has been addressed by having NDAs between the parties involved. Without an NDA in place, the most popular approach is to dump the decoded frames into text format, obfuscate the sensitive data there, then share the resulting text file with 3rd parties. Yet another approach is to zero out the packet data above TCP/UDP. The big downside of the described technical approaches is the loss of information about the binary structure of the captured traffic. This loss makes effective analysis of networking issues much harder and often impossible.

GDPR and NISTIR 8053 make sharing of Pcap files even more problematic. Users' personal data can no longer be sent outside the EU area, and having an NDA in place is no longer enough. SafePcap was built to address this problem.

What protocols are supported by SafePcap today?

Any protocol you can decode/dissect with WireEdit today can be anonymized with SafePcap today.

What Linux versions are supported by SafePcap?

Ubuntu 16.04/18.04/20.04, RHEL 7/8, CentOS 7/8.

Can SafePcap wipe out a packet field no matter what the content is?

Yes. This is similar to wiping out a patient name from a medical record, no matter what the name is. We can target for anonymization any packet field at any stack layer by the field name only. The field value will be replaced by dummy data or pseudonymized according to user preferences. The integrity of the anonymized packets and the anonymized Pcap file as a whole remains intact. The file can be analyzed with Wireshark™ as usual.

Can SafePcap anonymize data such as MSISDN numbers broken into multiple TCP segments?

Yes. Suppose one wants to anonymize a phone number 14085121212. The trouble with a direct approach: there is no single packet with the whole sequence. Instead one TCP segment carries 140851 and another 21212. SafePcap will detect it, edit the segments and recalculate TCP SEQ/ACK values accordingly.
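The segment-spanning case above, as an added example (not SafePcap code): one TCP direction is reassembled, the value is replaced across the segment boundary, and the payloads are split back with sequence numbers and peer ACKs remapped when the replacement has a different length. It goes beyond the page's case by handling several matches and 32-bit sequence wrap-around; all names and the sample segments are constructed for illustration.

```python
def find_hits(stream: bytes, old: bytes) -> list:
    """Offsets of non-overlapping matches, same order bytes.replace() uses."""
    hits, i = [], stream.find(old)
    while i != -1:
        hits.append(i)
        i = stream.find(old, i + len(old))
    return hits

def map_offset(off: int, hits: list, old_len: int, new_len: int) -> int:
    """Translate a byte offset in the original stream to the rewritten one."""
    shift = 0
    for h in hits:
        if off >= h + old_len:          # value lies wholly before this offset
            shift += new_len - old_len
        elif off > h:                   # offset falls inside the value
            return h + shift + min(off - h, new_len)
        else:
            break
    return off + shift

def rewrite(segments: list, old: bytes, new: bytes):
    """segments: in-order, gap-free (seq, payload) pairs of one TCP direction.
    Returns the rewritten segments and a function that remaps any SEQ of this
    direction, or any ACK the peer sent for it, into the new numbering."""
    base = segments[0][0]
    stream = b"".join(p for _, p in segments)
    hits = find_hits(stream, old)
    new_stream = stream.replace(old, new)

    def remap(n: int) -> int:
        o = map_offset((n - base) & 0xFFFFFFFF, hits, len(old), len(new))
        return (base + o) & 0xFFFFFFFF

    out, off = [], 0
    for seq, payload in segments:
        start = map_offset(off, hits, len(old), len(new))
        end = map_offset(off + len(payload), hits, len(old), len(new))
        out.append((remap(seq), new_stream[start:end]))
        off += len(payload)
    return out, remap

# Constructed input: the page's number split 140851 | 21212 across two segments.
SEGMENTS = [(1000, b"msisdn=140851"), (1013, b"21212;next")]
```

A same-length replacement leaves every SEQ/ACK unchanged; a shorter or longer one shifts all later numbers, and the changed payload lengths also require new IPv4 total-length fields and checksums.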

Can SafePcap support anonymization of any networking stack?

Yes. All stacks, all layers, any encoding, binary and text based. All the layers dissected by Wireshark™ before the anonymization are guaranteed to be dissected after. Having specs helps.

Does SafePcap support pseudonymization according to NISTIR 8053?

Yes. We support format preserving encryption of sensitive data at all stack layers. A customer holds a secret key which makes the pseudonymization reversible.

Does SafePcap use Wireshark™ dissectors code?

No.

Does SafePcap support 3GPP Mobile Core Protocols?

Full support for all 4G/LTE 3GPP Mobile Core protocols and interfaces including SS7, RANAP, DIAMETER, and VoLTE.

What data is considered sensitive in Pcap files?

IP addresses, port numbers, IMSI and MSISDN numbers, texts, email addresses, passwords, HTTP headers, etc. In fact, data at any stack layer could be considered sensitive in some use case. SafePcap allows anonymizing data of any type at any stack layer of the captured network traffic while fully preserving the packets' binary integrity. Specific values in specifically named data fields at a specific network stack layer could be targeted for bulk anonymization.

What is the difference between SafePcap and other Pcap anonymizers?

Other tools can't anonymize binary encoded stack layers above UDP/TCP. Instead, they take a simplistic approach of zeroing them out. This approach is far from ideal in many use cases. For example, it makes an effective analysis of anonymized 3GPP Mobile Core Pcap files impossible.

A popular opinion on the subject is expressed here. Our response is here. SafePcap by design allows obfuscation of any field at any stack layer above TCP/UDP without breaking packets' binary integrity.

What language is SafePcap written in?

Optimized C++.

Do you support anonymization of ASN.1-based protocol layers?

Yes.