ANT Packet Processing

dag scrubber

Dag Scrubber is our tool for scrubbing packets of user data and optionally doing IP address anonymization. It supports both pcap and ERF format ("dag", giving the legacy name).

dag_scrubber-0.5.tar.gz [SRPM] (2023-03-28); current release
- Added --no-scramble option for leaving some IP blocks unscrambled
- Enabled transparent recognition and processing of raw IP captures (DLT_RAW)
dag_scrubber-0.4.tar.gz [SRPM] (2020-07-01)
- Added --pnat option for ip address translation
- Made PCAP default input/output format, so -P option is obsolete
- Added --erf option for ERF/DAG input/output format
- Cleanups and packaging changes
- Latest version of cryptopANT is compiled in
dag_scrubber-0.3.tar.gz (2016-01-25)
dag_scrubber-0.2.tgz (2005-09-20)
dag_scrubber-0.1.tgz (2005-10-11)

About Dag_scrubber

DAG scrubber anonymizes network packet traces.

Input formats are pcap and ERF (“dag”) format.

It can do the following kinds of scrubbing:

remove payloads, leaving only network and transport headers
anonymize all or part of IP addresses (v4 and v6) using cryptopan (prefix-preserving)
anonymize VLAN tags and MAC addresses

All are optional.

Sample Use Cases

To use it, first we generate a random key (used for any anonymization):

./dag_scrubber -m -s test.keyfile

Then to process pcaps of DNS traffic (only), anonymization IP addresses and preserving payloads, do:

./dag_scrubber -P -m -s ./test.keyfile -n 'port 53' --pass4=24 --pass6=64

Where the options are to specify pcap input (-P), scramble MAC addresses (-m), use the keyfile we just generated (-s ./test.keyfile), filter traffic for just dns (-n 'port 53'), and anonymize only the low 8 bits of IPv4 and low 64 bits of IPv6 (--pass4=24 --pass6=64).

Network address translation:

dag_scrubber -n "" --pnat '1.1.1.1-2.2.2.2,1::-2::' input.pcap output.pcap

Will rewrite network addresses in input.pcap replacing all ips 1.1.1.1 with 2.2.2.2 and all ipv6 1:: with 2:: (Warning: ipv6 transport checksums (udp, tcp) may be wrong).