IPv6 is still a pretty uncommon protocol (unfortunately), but TraceWrangler can sanitize it already, if not completely. Part of IPv6 are the so called "Extension Headers" which allow extending the way the protocol works while using a fixed size IPv6 base header. Right now, TraceWrangler can sanitize the base header as well as the Fragmentation Header, but none of the others (yet). Since the IP ID field that is part of the IPv4 header is only present in the Fragmentation Header which is only included when it is really needed, there is no IP ID sanitization setting for IPv6. It is just not necessary.



Replace IP addresses by list: Any IP found in the original trace that is listed in the Original IP column will be replaced by the IP in the Replacement IP column. You can use the pop up menu to import and export comma separated lists of IP addresses in case you want to store and retrieve them for later reuse. There is also a pop up menu to help with adding address replacement pairs, which can be accessed by right-clicking the list:



    • it is possible to import and export comma separated lists from and to files, in case you want to keep and re-import a list of addresses at a later time. It is also helpful if you want to create replacement pairs in an text editor of your choice and import them.
    • the Conversation Store is available only if the capture files have been scanned for conversation details before adding/editing the anonymization task. Otherwise the menu option will be grayed out. When selected, another dialog will open to allow selecting and editing replacement IP addresses.


Replace IP addresses by subnet: Any IP that is part of the subnet lists in the original columns will be put into the network that is listed in the according replacement column. When you add networks you need to use the same mask bit count for the replacement network as for the original network. Right now, there is no setting to randomize the host bits or keep the host part, because TraceWrangler will always keep the host part from the original. This may change at a later time.


Randomize IP addresses: If the sanitized IP address was not yet determined through the address or subnet lists, this setting will randomize the IP address if checked. There are three options for the randomization mode:


    1. Randomize Prefix and keep Interface IDs intact: this setting keeps the interface ID intact and only randomizes the prefix. The new replacement prefix will be stored to the database and all further addresses with the same prefix will get the same replacement prefix. This setting should only be used if the interface IDs are random and do not expose any kind of attack vector by keeping them.
    2. Randomize both and synchronize prefixes: in this mode both prefix and interface ID are randomized, if there is no existing replacement for the prefix or both. If a replacement for the prefix exists only the interface ID will be randomized. The prefix replacement is stored to the database, keeping all IPs of the same original network in the same replacement network automatically.
    3. Randomize both in stateless mode: both prefix and interface ID will be randomized for each address. This means that most likely all IP addresses will end up in their own network since the prefix is not stored and synchronized. This usually only makes sense if used in combination with the prefix replacement list.



Randomization will generally do a couple of things automatically:


    • It will make sure that original public addresses from the range of 2000://3 will end up with a replacement address in the same address block. This means that the random result will have a first 16 bit block with a value between 0x2000 and 0x3fff.
    • Any address in the range of fc00::/8 will end up with a new random address, but in the same range. Same goes for addresses in the range of fd00://8
    • Link local addresses will stay link local addresses, so they will have a prefix of fe80::/64. Only the host 64 bits will be randomized, since it would absolutely make no sense to randomize it into any other subnet.
    • If the original IP address was based on a MAC address (EUI64), TraceWrangler will create a new address with the host part being EUI64 formatted as well. At the same time, a MAC replacement is created to match, unless the original base MAC was already replaced (in which case the new EUI64 address is based on that existing replacement automatically).
    • Multicast addresses will not be changed by randomization. If you need to sanitize Multicast addresses use the address replacement list to specify the exact substitution address.


If you check the box for Documentation Addresses any address with a prefix of 2001:db8::/32 will stay in the same range, since it is the official range for documentation purposes and thus sanitized already by design.