TCPurify

Overview

TCPurify is a packet sniffer/capture program similar to tcpdump, but with much reduced functionality. What sets TCPurify apart from other, similar programs is its focus on privacy. TCPurify is designed from the ground up to protect the privacy of users on the sniffed network as much as possible.

In order to accomplish this goal, TCPurify truncates almost all packets immediately after the last recognized header (IP or Ethernet), removing all data payload before storing the packet. (There are some notable exceptions, such as ICMP packets, chargen, daytime, etc. Some of these protocols are left in because they are useful for security auditing (ICMP) and others merely because they should be uninteresting.) Furthermore, it has the capability of randomizing some or all IP addresses (based on the network portion of the address) to mask exactly where packets are coming from or going to, while still retaining some general idea. This randomization is reversible with the help of a one-shot generated mapping file which is created at capture time.

TCPurify is intended to be a security auditing and intrusion detection tool, and as such makes a poor general-purpose packet sniffer. If you need a general-purpose TCP packet sniffer, check out the excellent tcpdump package.

Please remember that privacy and security are two completely different things; TCPurify is designed to protect the privacy of users on the sniffed network, not to securely sniff the network. TCPurify does require root privileges to operate and should be treated with caution. It is not setuid safe and is not intended to be executed by non-root users.
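The two operations the overview describes, truncation after the last recognized header and network-preserving, reversible address rewriting, as an added example in C. This is not TCPurify's own code: the frame bytes, the mapping table (`demo_table`), the XOR-based host-bit encoding and every function name here are constructed for the illustration. Checksum recalculation, which the release notes below discuss, is deliberately left to a separate step.

```c
/* Added example (not TCPurify's own code): truncate an Ethernet/IPv4 frame
 * after its transport header and rewrite IP addresses with a reversible,
 * network-preserving table.  All packet bytes and the table are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14
#define ETHERTYPE_IP 0x0800
#define PROTO_TCP 6
#define PROTO_UDP 17

/* One mapping entry: every address inside net/mask keeps its network bits and
 * has its host bits XORed with `key`.  XOR is its own inverse, so the same
 * table decodes a sanitized dump; a real tool would draw `key` from a CSPRNG at
 * capture time and write it to the side file the overview mentions. */
struct netmap { uint32_t net; uint32_t mask; uint32_t key; };

const struct netmap demo_table[] = {           /* constructed values */
    { 0x0A000000, 0xFF000000, 0x00ABCDEF },    /* 10.0.0.0/8 */
    { 0xC0A80000, 0xFFFF0000, 0x0000FFFF },    /* 192.168.0.0/16 */
};
#define DEMO_TABLE_LEN (sizeof demo_table / sizeof demo_table[0])

static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Map one address; addresses outside every configured network pass through. */
uint32_t map_addr(uint32_t a, const struct netmap *t, size_t n) {
    for (size_t i = 0; i < n; i++)
        if ((a & t[i].mask) == t[i].net)
            return a ^ (t[i].key & ~t[i].mask);    /* host bits only */
    return a;
}

/* Sanitize an Ethernet frame of `caplen` bytes in place and return how many
 * bytes to keep, or 0 to drop it.  Non-IPv4 frames (ARP included) and frames
 * too short for their headers are dropped rather than passed on.  Only the
 * captured length shrinks, as with a pcap snaplen; the IP total-length field
 * and the checksums are left for a separate recalculation step. */
size_t sanitize(uint8_t *pkt, size_t caplen, const struct netmap *t, size_t n) {
    if (caplen < ETH_HLEN + 20) return 0;
    if ((pkt[12] << 8 | pkt[13]) != ETHERTYPE_IP) return 0;
    uint8_t *ip = pkt + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ETH_HLEN + ihl > caplen) return 0;

    put32(ip + 12, map_addr(get32(ip + 12), t, n));   /* source */
    put32(ip + 16, map_addr(get32(ip + 16), t, n));   /* destination */

    size_t keep = ETH_HLEN + ihl;   /* default: cut after the IP header (ICMP and anything unrecognised) */
    const uint8_t *l4 = ip + ihl;
    if (ip[9] == PROTO_TCP && keep + 20 <= caplen) {
        size_t thl = (size_t)(l4[12] >> 4) * 4;        /* data offset, options included */
        keep += thl < 20 ? 20 : thl;
    } else if (ip[9] == PROTO_UDP) {
        keep += 8;
    }
    if (keep > caplen) keep = caplen;   /* options cut mid-way: never "extend" the packet */
    return keep;
}

/* Constructed sample: Ethernet + IPv4 (no options) + TCP header of
 * tcp_words*4 bytes + `payload` bytes of data.  Returns the frame length. */
size_t make_tcp_frame(uint8_t *buf, unsigned tcp_words, size_t payload) {
    size_t len = ETH_HLEN + 20 + tcp_words * 4 + payload;
    memset(buf, 0, len);
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                                   /* version 4, IHL 5 */
    ip[9] = PROTO_TCP;
    put32(ip + 12, 0x0A010203);                     /* 10.1.2.3 */
    put32(ip + 16, 0xC0A80506);                     /* 192.168.5.6 */
    uint8_t *tcp = ip + 20;
    tcp[12] = (uint8_t)(tcp_words << 4);            /* data offset */
    memset(tcp + tcp_words * 4, 'A', payload);      /* payload that must not survive */
    return len;
}

int main(void) {
    uint8_t buf[128];
    size_t len = make_tcp_frame(buf, 6, 10);        /* 24-byte TCP header + 10 data bytes */
    size_t keep = sanitize(buf, len, demo_table, DEMO_TABLE_LEN);
    uint32_t src = get32(buf + ETH_HLEN + 12);
    printf("captured %zu bytes, kept %zu; source 10.1.2.3 -> %u.%u.%u.%u\n", len, keep,
           src >> 24, (src >> 16) & 0xff, (src >> 8) & 0xff, src & 0xff);
    printf("reversed with the same table: 0x%08x\n", map_addr(src, demo_table, DEMO_TABLE_LEN));
    return 0;
}
```

The frame is cut after the TCP header including its options, so the 10 payload bytes never reach the dump; a capture that stopped partway through the options is clamped to what was captured instead of being extended. Applying `map_addr` to a sanitized address with the same table yields the original, which is what makes the side file sufficient to reverse a dump.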

Requirements

  • TCPurify requires libpcap-0.4 or newer, which can currently be retrieved from the tcpdump web site.
  • Also required for tcpurify-0.9.4 or older is the fabulous zlib library, version 1.1 or greater.

Latest Release:

tcpurify 0.11.2, 01/25/2008 (signature)
Changes:
  • The maximum number of networks for encode_table had a bug restricting it to NETWORKS - 1 instead of NETWORKS; fixed. (Thanks to Mathieu Davy.)
  • The creation of temporary files has been changed to use mkstemp instead of the process pid. Named temporary files have been changed to ensure a tighter permissions mask.
  • 'nullify' encoding added, which simply changes all IP addresses to 0.0.0.0.
  • Bug fix in TCP sanitization code. TCP packets which were truncated in the middle of their TCP options would be 'extended' to cover their (probably invalid) missing options. (Thanks to Shawn Ostermann.)

Previous Releases:

NOTE: tcpurify 0.9.4 and older are affected by a serious privacy-related bug. They should NOT be used if you really wish to have "sanitized" dumps.

tcpurify 0.11.1, 05/13/2004 (signature)
Changes:
  • -r has been renamed to -R, so that -r and -w may take on the same meanings as tcpdump. -f and -o will likely be removed in a future release so that they may be recycled if logical.
  • The newly added -V option encodes some information about the original packet's checksum for later analysis.
tcpurify 0.11.0, 09/16/2002 (signature)
Changes:
  • Major restructuring. The minor changes are too numerous to list, but the basic thrust of things is that the method of obfuscating IP addresses is now selectable. The old method is known as "table". All those "minor" changes add up to a completely different approach, and I think I like this one a lot better. Adding new encoding methods is as simple as filling in a structure in an array to bind the encoding functions to a name, and then implementing three functions.
  • I'm not sure encode_table reverse mappings have ever worked right... Apparently I was convinced they did at some time, but they sure don't look like they did to me. Fixed.
  • Drop short or malformed packets out of hand, rather than passing them on. This may be undesirable for IDS work, I don't know... May have to revisit this later.
tcpurify 0.9.6, 04/24/2002 (signature)
Changes:
  • Moved to autoconf/automake ... This greatly improves the portability (well, not yet but it will) and simplifies setup for platforms dissimilar to my everyday devel platform. Note that at this point, basically the only thing it affects is -lnsl and -lsocket... Plus it'll bomb out if you don't have pcap and it will let you specify where pcap lives.
  • Checksum calculation on SPARC (maybe other) systems was *not*, in fact, correct... These systems require a cast to short for a bitwise NOT of a short value, or they seem to return a long value with the upper two bytes stuffed with 1's. Hmm.
  • Checksum recalculating is in general cleaner and better.
  • ICMP packets are now truncated after the IP header, as their payload likely contains the first N (where N is likely to be 64) bytes of an unsanitized IP packet; eventually I guess I should truncate after the ICMP header, but I'll need to look into which options may need further cleaning.
  • Increased packet capture default length to 144 bytes; 64 will not get all of the TCP options on a TCP header.
  • Removed a reference to zlib.h from tcpurify.h
  • Added ETHERTYPE_REVARP in the case where the host operating system does not define it; this should probably be in the configure script, but for now it goes in capture.c.
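The checksum points in the 0.9.6 notes above (the cast needed before the bitwise NOT, and recalculation in general), as an added example in C. This is not TCPurify's own code; the 20-byte sample header and the function names are constructed for the illustration.

```c
/* Added example (not TCPurify's own code): IPv4 header checksum recomputation
 * after address rewriting, and the integer-promotion pitfall behind the
 * "cast to short" note.  The header bytes are a constructed sample. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 one's-complement sum of `len` bytes, folded to 16 bits but NOT
 * inverted; how the caller inverts it is the whole point below. */
uint16_t ones_complement_sum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    while (len > 1) { sum += (uint32_t)(p[0] << 8 | p[1]); p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;                 /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* The pitfall: `~s` promotes the 16-bit value to int before inverting, so the
 * upper bits come back set.  Stored in a long or compared against one, this is
 * not the checksum (it is a negative number on every common ABI). */
long fold_unsafe(uint16_t s) { return ~s; }

/* The fix: cast back to 16 bits after the NOT. */
uint16_t fold_safe(uint16_t s) { return (uint16_t)~s; }

/* Recompute the header checksum in place; `ihl` is the header length in bytes. */
uint16_t ip_set_checksum(uint8_t *ip, size_t ihl) {
    ip[10] = ip[11] = 0;                                 /* field is zero while summing */
    uint16_t c = fold_safe(ones_complement_sum(ip, ihl));
    ip[10] = (uint8_t)(c >> 8); ip[11] = (uint8_t)c;
    return c;
}

/* A header verifies if the sum over it, checksum field included, folds to 0xffff. */
int ip_checksum_ok(const uint8_t *ip, size_t ihl) {
    return ones_complement_sum(ip, ihl) == 0xffff;
}

/* Constructed sample header: 172.16.10.99 -> 172.16.10.12, TCP, checksum field zeroed. */
uint8_t sample_ip[20] = { 0x45,0x00,0x00,0x3c,0x1c,0x46,0x40,0x00,0x40,0x06,0x00,0x00,
                          0xac,0x10,0x0a,0x63,0xac,0x10,0x0a,0x0c };

int main(void) {
    uint8_t h[20];
    memcpy(h, sample_ip, sizeof h);
    uint16_t sum = ones_complement_sum(h, sizeof h);
    printf("folded sum 0x%04x, ~sum unsafe %ld, ~sum safe 0x%04x\n",
           sum, fold_unsafe(sum), fold_safe(sum));
    printf("checksum written: 0x%04x, verifies: %d\n",
           ip_set_checksum(h, sizeof h), ip_checksum_ok(h, sizeof h));
    h[15] = 0x64;                                        /* rewrite the source address */
    printf("after address rewrite, verifies: %d; recomputed: 0x%04x, verifies: %d\n",
           ip_checksum_ok(h, sizeof h), ip_set_checksum(h, sizeof h), ip_checksum_ok(h, sizeof h));
    return 0;
}
```

The same one's-complement routine serves both jobs: with the checksum field zeroed it produces the value to write, and with the field in place it should fold to 0xffff, which is the check a sanitizer can run on its own output. Any address rewrite invalidates the stored checksum until it is recomputed, as the second half of `main` shows.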
tcpurify 0.9.5, 02/28/2001 (signature)
Changes:
  • zlib support has been removed. Now that pcap is under active development again, it does not seem prudent to be tied to a particular version of the library. Since dump files created with versions of pcap newer than 0.4 are binary incompatible with pcap 0.4 on Linux and zlib requires binary compatibility, zlib goes.
  • The ability to sanitize files repeatedly with the same mapping has been added. This necessitated a change to the meaning of -r and the addition of -m ... Read the docs.
  • Checksum recalculation is now implemented and correct; the sanitized packets' checksums (IP, TCP, and UDP) should all check out correctly if the original dumpfile did.
  • The Makefile is generally more friendly than the old one. Nothing big here.
  • Apparently one of those "Other stuff" things that I forgot in 0.9.4 involved completely breaking the program to the point that it was completely useless for anything but reversing previous dumps, and I'm not even really confident it did that right. Fortunately no one seemed to be using it, as I got no bug reports until a few days ago.
  • There is a serious sanitization bug in ALL previous releases of tcpurify which has been fixed. ARP/RARP packets were being left in the dumps, which means that a patient hacker (or one with the skills to write a reasonably trivial packet parsing program) could have neatly reversed any IP mappings from the network immediately local to the capture point.
Patch: inet_addr.diff, 02/28/2001
Description: This guy makes tcpurify 0.9.5 compile on systems which do not have inet_pton (), by using inet_addr () instead.

tcpurify 0.9.4, 01/31/2001
Changes:
  • Changed header includes to be sane for non-Linux systems
  • Changed address handling to use inet_pton
  • Other stuff, I forget
tcpurify 0.9.3, 05/15/2000
Changes:
  • Fixed stdout dumping bug
  • Fixed version info
  • Various cleanups
tcpurify 0.9.2, 04/24/2000
Changes:
  • Added realtime packet delay ceiling via the -T option
tcpurify-0.9.1, 04/17/2000
Changes:
  • Fixes to timed output calculation code
  • Added a fflush() (or gzflush()) into timed output
  • Fixed some typos
tcpurify 0.9, 04/17/2000