Wireshark mailing list archives
Re: Embed SSL keylog file in pcap-ng
From: Ben Higgins <ben () extrahop com>
Date: Fri, 18 May 2018 20:07:53 -0700
On Fri, May 18, 2018 at 7:49 PM, Jim Young <jim.young.ws () gmail com> wrote:
> Hello Ben,
>
> Similar to the way that IDBs must be preceded by any EPBs that reference it, Apple's tcpdump can augment pcapng files with proprietary process information blocks. EPBs are augmented with proprietary options that can reference any preceding process information blocks.
>
> Unfortunately Apple in their infinite wisdom opted not to register reserved values for their packet information blocktype number nor for the various process information related EPB option numbers. Instead Apple opted to go the lazy route and simply used "local use" values.
>
> Please do not repeat Apple's mistake of using "local use" values in pcapng capture files that will be publicly available.
>
> Late last year I submitted a hacky and currently stalled WIP attempt to process these proprietary Apple blocks and options in change 24641. Given the fact that Apple used "local use" values (and chose specific "local use" values that arguably are more likely to be used by others), it is not likely my patch or anything better will be merged unless parsing and processing of the Apple proprietary block and options pcapng are optional and disabled by default.
>
> I'll be looking forward to seeing how you implement the SSL keylog info into pcapng.

Thanks for the background, Jim. I don't think it makes sense for there to be anything proprietary in this block. The contents of this block will be what Wireshark already supports for key log files, described here:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format

The big win is that a single pcapng file can contain everything needed for Wireshark to decrypt its contents. Today, the user has to jump through some hoops (either clicking through dialog boxes or knowing the (perhaps undocumented?) command-line option) to select a keylog file. We want to improve on that experience.

Ben

> Good luck and best regards,
>
> Jim Y.
>
> On Fri, May 18, 2018 at 10:05 PM, Ben Higgins <ben () extrahop com> wrote:
>> On Friday, May 18, 2018, Guy Harris <guy () alum mit edu> wrote:
>>> On May 18, 2018, at 6:08 PM, Ben Higgins <ben () extrahop com> wrote:
>>>> Sounds like it'd still be fine for there to be multiple keylog blocks,
>>> Yes.
>>>> but, as you say, they must occur before any packets that require the secrets contained therein. Is that correct?
>>> Yes.
>> Great, thanks. I plan to have us implement this feature accordingly. Should we file a new ticket along these lines or will the existing ticket suffice?
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
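The ordering rule agreed in this thread (keylog blocks must come before any packets that need their secrets), as an added Python example that is not part of the original messages or of Wireshark's code. It walks a little-endian, single-section pcapng byte string, collects `CLIENT_RANDOM` lines from keylog blocks, and reports packets that precede the first keylog block; it does not match individual secrets to TLS sessions. Assumptions: the keylog block's type number (`KEYLOG_BLOCK`) is a placeholder, its body is taken to be the raw key log text, and only `CLIENT_RANDOM` lines are validated.

```python
import re
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
# Placeholder "local use" block type for this constructed test only; the
# thread does not give the keylog block's number.
KEYLOG_BLOCK = 0x80000001
KEYLOG_LINE = re.compile(r"^CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96}$")

def block(btype, body):
    """Serialize one little-endian pcapng block, padding the body to 32 bits."""
    body += b"\x00" * (-len(body) % 4)
    total = struct.pack("<I", len(body) + 12)
    return struct.pack("<I", btype) + total + body + total

def walk(data):
    """Yield (type, body) per block, rejecting inconsistent block lengths."""
    off = 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated block header")
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length at offset {off}")
        if struct.unpack_from("<I", data, off + total - 4)[0] != total:
            raise ValueError(f"length fields disagree at offset {off}")
        yield btype, data[off + 8 : off + total - 4]
        off += total

def check_order(data):
    """Return (valid_keylog_lines, indexes of packets seen before any keys)."""
    lines, early, have_keys, pkt = [], [], False, 0
    for btype, body in walk(data):
        if btype == KEYLOG_BLOCK:
            text = body.rstrip(b"\x00").decode("ascii", "replace")
            lines += [l for l in text.splitlines() if KEYLOG_LINE.match(l)]
            have_keys = True
        elif btype == EPB:
            if not have_keys:
                early.append(pkt)
            pkt += 1
    return lines, early

# Constructed sample: all-zero random and secret, 4-byte dummy packets.
SECRET = ("CLIENT_RANDOM " + "00" * 32 + " " + "00" * 48 + "\n").encode()
HEAD = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)) \
     + block(IDB, struct.pack("<HHI", 1, 0, 65535))
PKT = block(EPB, struct.pack("<IIIII", 0, 0, 0, 4, 4) + b"\x00" * 4)
GOOD = HEAD + block(KEYLOG_BLOCK, SECRET) + PKT + PKT
BAD = HEAD + PKT + block(KEYLOG_BLOCK, SECRET) + PKT
```

`check_order(BAD)` reports packet 0 as early because a single-pass reader would reach it before any secrets were available.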