This work addresses the gap between privacy guarantees and actual risks in synthetic network traffic generators (SynNetGens). We introduce the first packet-trajectory–level privacy evaluation framework and reveal that existing SynNetGens leak user identities at an average rate of 59%. To quantify this risk, we propose TraceBleed, a novel membership inference attack that combines contrastive learning with temporal block modeling to extract fine-grained behavioral fingerprints from packet trajectories. We further design TracePatch, a general-purpose defense that jointly employs adversarial training and Satisfiability Modulo Theories (SMT) constraints to suppress leakage while preserving traffic fidelity. Experiments show TraceBleed improves attack accuracy by 172% over baselines, and TracePatch effectively mitigates privacy risk without degrading generation quality. This is the first systematic study to expose user-level privacy vulnerabilities in trajectory-level synthetic network data and to provide a verifiable, deployable framework for privacy assessment and protection.

Current synthetic traffic generators (SynNetGens) promise privacy but lack comprehensive guarantees or empirical validation, even as their fidelity steadily improves. We introduce the first attack-grounded benchmark for assessing the privacy of SynNetGens directly from the traffic they produce. We frame privacy as membership inference at the traffic-source level--a realistic and actionable threat for data holders. To this end, we present TraceBleed, the first attack that exploits behavioral fingerprints across flows using contrastive learning and temporal chunking, outperforming prior membership inference baselines by 172%. Our large-scale study across GAN-, diffusion-, and GPT-based SynNetGens uncovers critical insights: (i) SynNetGens leak user-level information; (ii) differential privacy either fails to stop these attacks or severely degrades fidelity; and (iii) sharing more synthetic data amplifies leakage by 59% on average. Finally, we introduce TracePatch, the first SynNetGen-agnostic defense that combines adversarial ML with SMT constraints to mitigate leakage while preserving fidelity.