Anonymization Tools Taxonomy
co-sponsored by:
Cisco Systems
This section gives more detailed information about specific anonymization tools.

This listing has not been actively maintained since 2004. These pages are made available for historical purposes.


Subcategory: Anonymization

Anonymization tools and methods have become particularly important as they provide critical infrastructure for pursuing solutions to some of the top problems of the Internet.

AAPI and AnonTool

Contact: mfukar at and antonat at

AnonTool provides an open-source implementation of the Anonymization API developed by the Distributed Computing Systems Laboratory at the Institute of Computer Science (ICS) of the Foundation for Research and Technology -- Hellas (FORTH). Developed and tested on Debian Linux, the package provides command-line tools for accomplishing prefix-preserving anonymization of TCP and UDP packets as well as Netflow traces from Cisco routers in tcpdump format.


Contact: Katherine Luo, Yifan Li, Bill Yurcik, or Adam J Slagell

CANINE addresses the issue of anonymization of multiple incompatible NetFlow formats. It acts as a converter among various NetFlow formats as well as an anonymizer of the embedded data.



CoralReef is a comprehensive software suite developed by CAIDA to collect and analyze data from passive Internet traffic monitors, in real time or from trace files. Real-time monitoring support includes system network interfaces (via libpcap), FreeBSD drivers for Apptel POINT (OC12 and OC3 ATM) and FORE ATM (OC3 ATM) cards, and support for Linux and FreeBSD drivers for Endace DAG (POS and ATM) cards. The package also includes programming APIs for C and Perl, and applications for capture, analysis, and web report generation.


Contact: Jinliang Fan

Crypto-PAn is a cryptography-based sanitization library that contains panonymizer.cpp, the C++ implementation of the prefix-preserving IP anonymizer using the Rijndael cipher (now AES) as its pseudorandom function. Crypto-PAn maintains one-to-one mappings of original to anonymized IP addresses, and maintains consistency across multiple traces through the use of secret cryptographic keys.

Lucent's extensions to Crypto-PAn


This version claims several improvements over the original Crypto-PAn:

  • improved randomness
  • improved performance, using OpenSSL
  • three levels of anonymization can be stored compactly, with access controlled through keys: with no keys, only the random permutation is available; with one key, the prefix-preserving permutation is also available; with two keys, the original address can be recovered.


Contact: Adam Slagell
Overview: FLAIM is a general framework, created to support the anonymization of heterogeneous logs to multiple levels. Its main contributions are to provide (1) the anonymization engine containing a broad set of anonymization algorithms for various datatypes, (2) the XML based policy engine which validates and parses users' XML policies against a variety of schemas (we incorporate Relax NG, Schematron, XML and XSLT technologies here), and (3) a simple yet strict API governing how parsing modules (loaded dynamically at run-time) can pass records back and forth with FLAIM's anonymization engine.


Contact: John Kristoff

IP::Anonymous is a Perl module port of Crypto-PAn, which was originally designed and implemented in C++ by Jinliang Fan. The package accomplishes one-to-one mapping from original IP addresses to anonymized IP addresses, preserves prefixes, provides consistency across traces, and uses cryptographic methods to preserve secrecy. The module requires the Crypt::Rijndael Perl package, an XS-based implementation of the Advanced Encryption Standard (AES) algorithm Rijndael by Joan Daemen and Vincent Rijmen.


Contact: Eddie Kohler

The ipsumdump program summarizes TCP/IP dump files into a self-describing ASCII format easily readable by humans and programs. Ipsumdump can read packets from network interfaces, from tcpdump files, and from existing ipsumdump files. It will transparently uncompress tcpdump or ipsumdump files when necessary. It can randomly sample traffic, filter traffic based on its contents, anonymize IP addresses, and sort packets from multiple dumps by timestamp. Also, it can optionally create a tcpdump file containing actual packet data.


Contact: Peter Haag

NFDUMP provides a suite of tools that support netflow v5, v7, and v9 including: nfcapd - netflow capture daemon, nfdump - netflow dump, nfprofile - netflow profiler, nfreplay - netflow replay, - cleanup old data, and ft2nfdump - Read and convert flow-tools data.

The goal of the design is to be able to analyze netflow data from the past as well as to track interesting traffic patterns continuously. The amount of time back in the past is limited only by the disk space available for all the netflow data. The tools are optimized for speed for efficient filtering. The filter rule syntax resembles that of tcpdump (pcap-like).


Overview: SCRUB-tcpdump is a set of functions that are used to anonymize a packet flow trace in libpcap or tcpdump format so that it can be shared with collaborators or released without jeopardizing the anonymity of the network represented by the capture flow. SCRUB-tcpdump allows the user to select from a variety of options for anonymizing fields like the ports, IP addresses, time-stamps, transport protocols, flags, options, etc. For more information on how to download and use SCRUB-tcpdump see our Download page. If you would like to see the results of studies about SCRUB-tcpdump and its impacts and uses in security analysis, please see Papers and read about it there.


Contact: Francesco Gringoli
Overview: tcpanon is a TCP trace anonymizer written in Python. Referring to the TCP/IP stack, what's new is the capability to work at level 7: the TCP stream of each flow in a traffic trace is first interpreted and reassembled at the application layer. Then, sensitive information, according to the rules set in a configuration file, is either erased or camouflaged. The current version works with some of the most common "clear text" protocols: HTTP, SMTP, POP3, IMAP4, FTP, FTP-data, but it can be easily extended to other protocols.


Contact: Greg Minshall
Overview: Tcpdpriv is a program for eliminating confidential information from packets collected on a network interface (or from trace files created using the -w argument to tcpdump).


Contact: Vern Paxson
Overview: tcpmkpub is a tool for anonymizing packet headers in trace files. It requires a site-specific anonymization policy that gets compiled into the program.


Contact: Ethan Blanton

TCPurify is a packet sniffer/capture program similar to tcpdump, but with much reduced functionality. What sets TCPurify apart from other, similar programs is its focus on privacy. TCPurify is designed from the ground up to protect the privacy of users on the sniffed network as much as possible.

In order to accomplish this goal, TCPurify truncates almost all packets immediately after the last recognized header (IP or Ethernet), removing all data payload before storing the packet. (There are some notable exceptions, such as ICMP packets, chargen, daytime, etc. Some of these protocols are left in because they are useful for security auditing (ICMP) and others merely because they should be uninteresting.) Furthermore, it has the capability of randomizing some or all IP addresses (based on the network portion of the address) to mask exactly where packets are coming from or going to while still retaining some general idea. This randomization is reversible with the help of a one-shot generated file which is created at capture time.

  Last Modified: Tue Oct-13-2020 22:21:59 UTC