Guy Harris wrote:
> On Mar 6, 2007, at 4:00 PM, Shehjar Tikoo wrote:
>> Here's the first version of the NFS anonymizer as a tshark tap.
>>
>> http://www.gelato.unsw.edu.au/~shehjart/patches/nfs_anonymizer_tap.diff
> Wireshark doesn't support overwriting the contents of a tvbuff; it's
> read-only, and there are parts of Wireshark that expect it not to be
> modified. You *might* be able to get away with it in TShark.

TShark is what I need.

> Furthermore, even if you do cheat by converting the "const char *"
> that "tvb_get_ptr()" returns into a "char *", and then overwrite what
> the "char *" points to, all you're doing is overwriting an in-memory
> buffer - that would "anonymize" in the sense of not displaying the
> actual value of the field, but if you try to save the file, the
> resulting file won't be anonymized. If all you're doing is taking a
> capture and dissecting it with TShark, and just want the dissection to
> be anonymized, that might be sufficient.

I haven't tested it with Wireshark since I do not need a GUI
anonymizer, so yes, it might not work if I save the file from Wireshark.
It does work in TShark but only when the output is being dumped to file
using the -w option. The display on stdout is not the anonymized data but
I'd like to determine if I can do something to fix that later.

> 1) I don't know what type of benchmarking you're doing, but if it
> involves knowing what's being done to specific files, a fancier
> anonymizer could build a table mapping "real" file names to
> "anonymized" file names, so that all references to a file name "foo"
> would be mapped to the same anonymized name;

Yes, that's being done already. For reference, see the use of:

    /* Filename to Anonymized filename map */
    static GHashTable *fname2afname_map = NULL;
    /* File handle to anonymized file handle map */
    static GHashTable *fh2afh_map = NULL;

> 2) nothing about this code restricts it to pcap files - nothing in
> Wireshark/TShark above the wiretap level knows or cares what the file
> format is, they just see the packet data;

Didn't know that. Will keep in mind.

Thanks
Shehjar
_______________________________________________
Wireshark-dev mailing list
http://www.wireshark.org/mailman/listinfo/wireshark-dev
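
The consistent name mapping and in-memory overwrite discussed in this message, as an added example that is not code from the patch or from Wireshark. It uses a small fixed array instead of GHashTable so it builds without GLib; all names (anon_name, anonymize_field, SLOTS, NAME_CAP) are hypothetical, the packet bytes are constructed, and keeping the pseudonym the same length as the original name is an assumption of this sketch so that surrounding length fields stay valid.

```c
#include <stdio.h>
#include <string.h>

#define SLOTS 64        /* hypothetical fixed table size for the sample */
#define NAME_CAP 32     /* longest name handled, including the NUL */

struct entry { int used; char real[NAME_CAP]; char anon[NAME_CAP]; };
static struct entry table[SLOTS];
static unsigned next_id;  /* pseudonyms are numbered in first-seen order */

/* Return the pseudonym for `real`, creating one on first sight. The pseudonym
 * has the same length as the original so it can replace it in place. */
const char *anon_name(const char *real) {
    size_t len = strlen(real);
    unsigned h = 2166136261u;                      /* FNV-1a hash of the name */
    if (len == 0 || len >= NAME_CAP) return NULL;
    for (size_t k = 0; k < len; k++) h = (h ^ (unsigned char)real[k]) * 16777619u;
    for (unsigned n = 0, i = h % SLOTS; n < SLOTS; n++, i = (i + 1) % SLOTS) {
        struct entry *e = &table[i];
        if (e->used && strcmp(e->real, real) == 0) return e->anon;  /* seen before */
        if (e->used) continue;                     /* other name: keep probing */
        unsigned id = next_id;                     /* counter as base-26 letters */
        for (size_t k = len; k-- > 0; id /= 26) e->anon[k] = (char)('a' + id % 26);
        if (id != 0) return NULL;                  /* counter does not fit in len letters */
        e->anon[len] = '\0';
        memcpy(e->real, real, len + 1);
        e->used = 1; next_id++;
        return e->anon;
    }
    return NULL;                                   /* table full */
}

/* Overwrite the len-byte name at buf[off] in a writable copy of the packet. */
int anonymize_field(unsigned char *buf, size_t buflen, size_t off, size_t len) {
    char real[NAME_CAP];
    const char *anon;
    if (len >= NAME_CAP || off > buflen || len > buflen - off) return -1;
    if (memchr(buf + off, '\0', len)) return -1;   /* embedded NUL: not a C string */
    memcpy(real, buf + off, len); real[len] = '\0';
    if ((anon = anon_name(real)) == NULL) return -1;
    memcpy(buf + off, anon, len);
    return 0;
}

int main(void) {
    unsigned char pkt[] = "LOOKUP secret.txt";     /* constructed sample, not real NFS */
    if (anonymize_field(pkt, sizeof pkt - 1, 7, 10) == 0) printf("%s\n", pkt);
    return 0;
}
```

The pseudonym still reveals the length of the original name and the order in which names were first seen.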