TCPurify is a packet sniffer/capture program similar to tcpdump, but
with much reduced functionality. What sets TCPurify apart from other,
similar programs is its focus on privacy. TCPurify is designed from
the ground up to protect the privacy of users on the sniffed network
as much as possible.
In order to accomplish this goal, TCPurify truncates almost all
packets immediately after the last recognized header (IP or Ethernet),
removing all data payload before storing the packet. (There are some
notable exceptions, such as ICMP packets, chargen, daytime, etc. Some
of these protocols are left in because they are useful for security
auditing (ICMP) and others merely because they should be
uninteresting) Furthermore, it has the capability of randomizing some
or all IP addresses (based on the network portion of the address) to
mask exactly where packets are where or to while still retaining some
general idea. This randomization is reversible with the help of a
one-shot generated file which is created at capture time.
TCPurify is intended to be a security auditing and intrusion detection
tool, and as such makes a poor general-purpose packet sniffer. If you
need a general-purpose TCP packet sniffer, check out the excellent
Please remember that privacy and security are two
completely different things; TCPurify is designed to protect the
privacy of users on the sniffed network, not to securely sniff the
network. TCPurify does require root privileges to operate and should
be treated with caution. It is not setuid safe and
is not intended to be executed by non-root users.
TCPurify requires libpcap-0.4 or newer, which can currently be
retrieved from the tcpdump web site.
Also required for tcpurify-0.9.4 or older is the fabulous
version 1.1 or greater.
tcpurify 0.11.2, 01/25/2008
The maximum number of networks for encode_table had a bug
restricting it to NETWORKS - 1 instead of NETWORKS; fixed.
(Thanks to Mathieu Davy.)
The creation of temporary files has been changed to use mkstemp
instead of the process pid. Named temporary files have been
changed to ensure a tighter permissions mask.
'nullify' encoding added, which simply changes all IP addresses
Bug fix in TCP sanitization code. TCP packets which were
truncated in the middle of their TCP options would be 'extended'
to cover their (probably invalid) missing options. (Thanks to
NOTE: tcpurify 0.9.4 and older are affected by a
serious privacy-related bug. They should NOT be used if you
really wish to have "sanitized" dumps.
tcpurify 0.11.1, 05/13/2004
tcpurify 0.11.0, 09/16/2002
-r has been renamed to -R, so that -r and -w may take on the
same meanings as tcpdump. -f and -o will likely be removed
in a future release so that they may be recycled if logical.
The newly added -V option encodes some information about the
original packet's checksum for later analysis.
tcpurify 0.9.6, 04/24/2002
Major restructuring. The minor changes are too numerous to
list, but the basic thrust of things is that the method of
obfuscating IP addresses is now selectable. The old method is
known as "table". All those "minor" changes add up to a
completely different approach, and I think I like this one a lot
better. Adding new encoding methods is as simple as filling in
a structure in an array to bind the encoding functions to a
name, and then implementing three functions.
I'm not sure encode_table reverse mappings have ever worked
right... Apparently I was convinced they did at some time, but
they sure don't look like they did to me. Fixed.
Drop short or malformed packets out of hand, rather than passing
them on. This may be undesirable for IDS work, I don't know...
May have to revisit this later.
tcpurify 0.9.5, 02/28/2001
Moved to autoconf/automake ... This greatly improves the
portability (well, not yet but it will) and simplifies setup for
platforms dissimilar to my everyday devel platform. Note that
at this point, basically the only thing it affects is -lnsl and
-lsocket... Plus it'll bomb out if you don't have pcap and it
will let you specify where pcap lives.
Checksum calculation on SPARC (maybe other) systems was *not*,
in fact, correct... These systems require a cast to short for a
bitwise NOT of a short value, or they seem to return a long
value with the upper two bytes stuffed with 1's. Hmm.
Checksum recalculating is in general cleaner and better.
ICMP packets are now truncated after the IP header, as their
payload likely contains the first N (where N is likely to be 64)
bytes of an unsanitized IP packet; eventually I guess I should
truncate after the ICMP header, but I'll need to look into which
options may need further cleaning.
Increased packet capture default length to 144 bytes; 64 will
not get all of the TCP options on a TCP header.
Removed a reference to zlib.h from tcpurify.h
Added ETHERTYPE_REVARP in the case where the host operating
system does not define it; this should probably be in the
configure script, but for now it goes in capture.c.
zlib support has been removed. Now that pcap is under active
development again, it does not seem prudent to be tied to a
particular version of the library. Since dump files created
with versions of pcap newer than 0.4 are binary incompatible
with pcap 0.4 on Linux and zlib requires binary compatibility,
The ability to sanitize files repeatedly with the same mapping
has been added. This necessitated a change to the meaning of
-r and the addition of -m ... Read the docs.
Checksum recalculation is now implemented and correct; The
sanitized packets' checksums (IP, TCP, and UDP) should all
check out correctly if the original dumpfile did.
The Makefile is generally more friendly than the old
one. Nothing big here.
Apparently one of those "Other stuff" things that I forgot in
0.9.4 involved completely breaking the program to the
point that it was completely useless for anything but reversing
previous dumps, and I'm not even really confident it did that
right. Fortunately no one seemed to be using it, as I got no
bug reports until a few days ago.
There is a serious sanitization bug in ALL previous releases
of tcpurify which has been fixed. ARP/RARP packets were being
left in the dumps, which means that a patient hacker (or
one with the skills to write a reasonably trivial packet
parsing program) could have neatly reversed any IP mappings
from the network immediately local to the capture point.
This guy makes tcpurify 0.9.5 compile on systems which do not have
inet_pton (), by using inet_addr () instead.
tcpurify 0.9.4, 01/31/2001
tcpurify 0.9.3, 05/15/2000
- Changed header includes to be sane for non-Linux systesm
- Changed address handling to use inet_pton
- Other stuff, I forget
tcpurify 0.9.2, 04/24/2000
- Fixed stdout dumping bug
- Fixed version info
- Various cleanups
- Added realtime packet delay ceiling via the -T option
tcpurify 0.9, 04/17/2000
- Fixes to timed output calculation code
- Added a fflush() (or gzflush()) into timed output
- Fixed some typos