[pcap-ng-format] "Hardware, OS, User application" - separate options for "what did the capture?" and "what's processed the file"?

Guy Harris guy at alum.mit.edu
Thu Jun 2 04:50:23 UTC 2016


On Jun 1, 2016, at 9:33 PM, Anders Broman <anders.broman at ericsson.com> wrote:

> At some point someone raised concerns about privacy issues with the pcap-ng options present and the ability to track a file back to the machine creating it. If not something for the specification at least something to think about when creating a program using pcap-ng. E.g., add ability to turn off writing some options.

You might also want to turn off writing of the IP addresses in IPv4 and IPv6 headers. :-)

I.e., that could perhaps be handled by anonymization; a capture anonymizer should, at minimum, anonymize the addresses and names in IDBs and NRBs, and should perhaps just remove NRBs entirely.  It should probably also offer an option to strip the shb_ options giving descriptions, and perhaps to strip interface names (I don't know what algorithm Windows uses to generate UUIDs for interfaces, but if it's one that uses a MAC address, the machine might be identifiable from the UUIDs of interfaces on it).

The "PCAPng settings" page in Jasper's documentation for TraceWrangler:

	https://www.tracewrangler.com/documentation/TraceWrangler.html?PCAPngSettings.html

mentions those, and also mentions removing the capture filter option (as it might contain IP addresses, host names, port numbers, etc.).

Whether the capturing application needs to include the ability not to write those options, or whether an anonymizer is sufficient, is another question.
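
Added example, not part of the original message and not TraceWrangler's code: a Python pass over pcapng blocks that drops NRBs and strips the SHB and IDB options discussed above. Block and option codes follow the pcapng specification; the helper names, the choice to strip rather than rewrite IDB addresses, and the constructed SAMPLE are assumptions of this example, and packet payloads are left untouched.

```python
import struct

SHB, IDB, NRB = 0x0A0D0D0A, 0x00000001, 0x00000004
STRIP = {SHB: {2, 3, 4},                   # shb_hardware, shb_os, shb_userappl
         IDB: {2, 3, 4, 5, 6, 7, 11, 12}}  # if_name, if_description, addresses, if_filter, if_os
FIXED = {SHB: 16, IDB: 8}                  # fixed-field bytes before the options

def opt(code, value, e="<"):               # one option, value padded to 32 bits
    return struct.pack(e + "HH", code, len(value)) + value + b"\0" * (-len(value) % 4)

def block(btype, body, e="<"):             # type + leading/trailing total length
    size = struct.pack(e + "I", len(body) + 12)
    return struct.pack(e + "I", btype) + size + body + size

def filter_options(opts, drop, e):         # re-emit options minus codes in `drop`
    out, pos = b"", 0
    while pos + 4 <= len(opts):
        code, length = struct.unpack_from(e + "HH", opts, pos)
        if code == 0:                      # opt_endofopt
            break
        if code not in drop:
            out += opt(code, opts[pos + 4:pos + 4 + length], e)
        pos += 4 + length + (-length % 4)
    return out + opt(0, b"", e) if out else b""

def scrub(data):
    """Return pcapng bytes with NRBs dropped and identifying options stripped."""
    out, pos, e = b"", 0, "<"
    while pos + 12 <= len(data):
        btype = struct.unpack_from(e + "I", data, pos)[0]
        if btype == SHB:                   # byte-order magic fixes endianness
            e = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        total = struct.unpack_from(e + "I", data, pos + 4)[0]
        if total < 12 or total % 4 or pos + total > len(data):
            raise ValueError("malformed block at offset %d" % pos)
        body = data[pos + 8:pos + total - 4]
        pos += total
        if btype in STRIP:
            body = body[:FIXED[btype]] + filter_options(body[FIXED[btype]:], STRIP[btype], e)
        if btype == SHB:                   # section length is stale now: mark unspecified
            body = body[:8] + b"\xff" * 8 + body[16:]
        if btype != NRB:                   # NRBs are removed entirely
            out += block(btype, body, e)
    return out

# Constructed sample: SHB with shb_os, IDB with if_name and if_tsresol, one NRB.
SAMPLE = (block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + opt(3, b"Linux lab-host") + opt(0, b""))
          + block(IDB, struct.pack("<HHI", 1, 0, 65535) + opt(2, b"eth0") + opt(9, b"\x06") + opt(0, b""))
          + block(NRB, struct.pack("<HH4s", 1, 13, bytes([10, 0, 0, 5])) + b"lab-host\0" + b"\0" * 7))
```

if_tsresol is kept because readers need it to interpret packet timestamps; every other block type is copied through unchanged.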

