PCAP Anonymizer

Remove sensitive data from network captures before sharing

LogScrub's PCAP anonymizer helps you sanitize Wireshark captures, tcpdump output, and other packet capture files. Remove IP addresses, MAC addresses, hostnames, and protocol-specific data while maintaining the capture's usefulness for debugging.

What Gets Anonymized

Before & After Examples

IP Address Anonymization

All IP addresses are consistently replaced. The same original IP always maps to the same anonymized IP, preserving traffic patterns.

IPv4 Address Mapping
Before
192.168.1.100 → 8.8.8.8
192.168.1.100 → 1.1.1.1
10.0.0.50 → 8.8.8.8
After
10.0.0.1 → 10.0.0.2
10.0.0.1 → 10.0.0.3
10.0.0.4 → 10.0.0.2

DNS Query Anonymization

Domain names in DNS queries and responses are replaced with anonymous placeholders while maintaining consistency.

DNS Query/Response
Before
Query: api.mycompany.com
Query: secret-internal.corp.net
Response: api.mycompany.com → 52.1.2.3
After
Query: anon00001.example.com
Query: anon00002.example.com
Response: anon00001.example.com → 10.0.0.5

HTTP Header Scrubbing

Sensitive HTTP headers are redacted to remove cookies, authentication tokens, and identifying information.

HTTP Request Headers
Before
Host: api.example.com
Cookie: session=abc123xyz
Authorization: Bearer eyJhbGc...
Referer: https://internal.corp/
After
Host: [REDACTED]
Cookie: [REDACTED]
Authorization: [REDACTED]
Referer: [REDACTED]

TLS SNI Anonymization

The Server Name Indication (SNI) field in TLS ClientHello messages reveals which domains are being accessed, even when the rest of the traffic is encrypted. SNI values are replaced with anonymous placeholders.

TLS ClientHello SNI
Before
SNI: login.internal-app.com
SNI: api.secret-service.net
After
SNI: anon00003.example.com
SNI: anon00004.example.com

Advanced Features

Packet Filtering

Remove entire packets matching specific criteria before anonymization. Uses Wireshark-style display filter syntax.

| Filter | Description |
|---|---|
| tcp.port == 22 | Remove all SSH traffic |
| ip.addr == 192.168.1.0/24 | Remove traffic to/from a subnet |
| http | Remove all HTTP traffic |
| tcp.port == 443 and ip.addr == 10.0.0.50 | Remove HTTPS to specific host |

Mapping Consistency

Export the address mapping as JSON to apply the same anonymization to related PCAP files. This ensures that 192.168.1.100 always becomes 10.0.0.1 across all your captures.
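
The following is an added example, not LogScrub's own code, showing how a consistent mapping can be built, exported as JSON, and reused on a second capture. It assumes pseudonyms are handed out sequentially from 10.0.0.0/8 in first-seen order (which reproduces the IPv4 example above); the class name, the JSON layout and the second capture are hypothetical.

```python
import ipaddress
import json


class IPv4Mapper:
    """Hypothetical helper: consistent original -> pseudonym IPv4 mapping."""

    def __init__(self, pool="10.0.0.0/8", mapping=None):
        self.pool = ipaddress.ip_network(pool)
        self.mapping = dict(mapping or {})
        # Reject a loaded mapping that would merge two hosts into one pseudonym.
        if len(set(self.mapping.values())) != len(self.mapping):
            raise ValueError("mapping is not one-to-one")
        for pseudo in self.mapping.values():
            if ipaddress.IPv4Address(pseudo) not in self.pool:
                raise ValueError(f"{pseudo} is outside {self.pool}")
        # Continue allocating one past the highest pseudonym already issued.
        base = int(self.pool.network_address)
        used = [int(ipaddress.IPv4Address(p)) - base for p in self.mapping.values()]
        self._next = max(used, default=0) + 1

    def anonymize(self, original):
        key = str(ipaddress.IPv4Address(original))  # validates the input
        if key not in self.mapping:
            if self._next >= self.pool.num_addresses - 1:
                raise RuntimeError("pseudonym pool exhausted")
            self.mapping[key] = str(self.pool.network_address + self._next)
            self._next += 1
        return self.mapping[key]

    def export_json(self):
        # Assumed layout: the pool plus the original -> pseudonym table.
        return json.dumps({"pool": str(self.pool), "ipv4": self.mapping}, indent=2)

    @classmethod
    def import_json(cls, text):
        data = json.loads(text)
        return cls(pool=data["pool"], mapping=data["ipv4"])


def anonymize_flows(mapper, flows):
    return [(mapper.anonymize(src), mapper.anonymize(dst)) for src, dst in flows]


# Constructed sample: the three flows from the IPv4 example on this page.
CAPTURE_A = [("192.168.1.100", "8.8.8.8"), ("192.168.1.100", "1.1.1.1"), ("10.0.0.50", "8.8.8.8")]
# Constructed second capture: one host already mapped, one new host.
CAPTURE_B = [("10.0.0.50", "172.16.5.9")]
```

The exported JSON maps every pseudonym back to its original address, so keep it with the original captures and out of anything you share.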

Payload Truncation

Optionally truncate packet payloads to a maximum size (e.g., keep only the first 64 bytes). This removes application-layer data while preserving headers for protocol analysis.

Timestamp Shifting

Shift all packet timestamps by a fixed offset to obscure when the capture was taken.

Protocol-Specific Scrubbing

| Protocol | Data Removed |
|---|---|
| DNS | Query names, response records, hostnames |
| DHCP | Hostname options, client identifiers |
| HTTP | Host, Cookie, Authorization, Referer headers |
| TLS | Server Name Indication (SNI) |
| NetBIOS/SMB | Computer names, usernames, share names |
| ARP | IP-to-MAC mappings (consistent with IP/MAC anonymization) |

Output Options

Ready to anonymize your network captures?

Drop your PCAP/PCAPNG file into LogScrub to get started.