Wireshark mailing list archives
Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block
From: ronnie sahlberg <ronniesahlberg () gmail com>
Date: Sat, 6 Oct 2018 19:37:43 +1000
What Guy said.

On Fri, Oct 5, 2018 at 4:11 PM Guy Harris <guy () alum mit edu> wrote:

> On Sep 30, 2018, at 10:47 AM, Peter Wu <peter () lekensteyn nl> wrote:
>
>> Requirements for block placement:
>> - No requirement. Producers are allowed to write the block anywhere. Disadvantages for consumers: requires a two-pass scan to collect secrets before they are used.
>> - Place secrets before the packet blocks that require them. Consumers can read and decrypt in one pass. Disadvantage: producers cannot always guarantee availability of secrets while writing the capture.
>> - Place a single secret block before the first packet block. Consumers can read and decrypt in one pass. Disadvantage: requires producers to post-process (rewrite) the capture file to insert secrets.
>
> The third of those appears to be a special case of the second of those. I don't see any need to require the secrets to be before the *first* packet block if the first packet block doesn't require the secret; presumably "before the packet blocks that require them" just means "*somewhere* before the packet blocks that require them", which is *allowed* to be "before all packet blocks in the file" but not *required* to be "before all packet blocks in the file".
>
> If the secret isn't available by the time the first packet requiring the secret for decryption is ready to be written to the capture, *somebody* will have to do some form of two-pass processing.
>
> The first option says the consumer must do so; that's inconvenient for a consumer doing one-pass processing (tcpdump, TShark without the -2 option), and isn't even really good for at least some consumers doing two-pass processing (Wireshark, TShark with the -2 option), because dissection is done on the first pass.
>
> The second and third option require either the producer, or some post-processor, to write a new version of the file putting the secrets before the packets that require them. The producer isn't necessarily responsible for doing so; one might have tcpdump, or dumpcap (or some program using dumpcap, such as TShark or Wireshark) write out a capture with no secrets, and then have another program (a utility, or Wireshark after having read in the file and then given the secret in question) write out a new file with the secrets early enough in the file ("before all the packet blocks" is probably the simplest implementation).
>
> A producer that *does* happen to have the secret available before seeing any packets that require the secret *could* write it directly.
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
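The post-processing step discussed in the message above, as an added example that is not part of the original thread or of Wireshark's code: it walks the blocks of a single-section pcapng file and writes a copy with every secrets block moved directly before the first packet block. The secrets block type 0x0000000A is an assumption taken from the later published pcapng specification, and the helper names, the secrets type 0 and the sample capture are constructed for illustration.

```python
import struct

# Block types from the pcapng spec. DSB (0x0000000A) is the value the published
# spec later assigned to the Decryption Secrets Block; the thread does not give it.
SHB, IDB, PB, SPB, EPB, DSB = 0x0A0D0D0A, 0x1, 0x2, 0x3, 0x6, 0xA
PACKET_BLOCKS = {PB, SPB, EPB}

def make_block(btype, body):
    """Build a little-endian block: type, total length, padded body, total length."""
    body += b"\x00" * (-len(body) % 4)
    total = struct.pack("<I", len(body) + 12)
    return struct.pack("<I", btype) + total + body + total

def iter_blocks(data):
    """Yield (type, raw bytes) per block of a single-section file, validating lengths."""
    magic = data[8:12]
    if data[:4] != b"\x0a\x0d\x0d\x0a" or magic not in (b"\x4d\x3c\x2b\x1a", b"\x1a\x2b\x3c\x4d"):
        raise ValueError("does not start with a Section Header Block")
    endian = "<" if magic == b"\x4d\x3c\x2b\x1a" else ">"
    off = 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block header at offset {off}")
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length at offset {off}")
        if data[off + 4:off + 8] != data[off + blen - 4:off + blen] or (off and btype == SHB):
            raise ValueError(f"length trailer mismatch or second section at offset {off}")
        yield btype, data[off:off + blen]
        off += blen

def hoist_secrets(data):
    """Return a copy with all secrets blocks moved just before the first packet block."""
    blocks = list(iter_blocks(data))
    secrets = [raw for t, raw in blocks if t == DSB]
    rest = [(t, raw) for t, raw in blocks if t != DSB]
    first = next((i for i, (t, _) in enumerate(rest) if t in PACKET_BLOCKS), len(rest))
    return b"".join([r for _, r in rest[:first]] + secrets + [r for _, r in rest[first:]])

def sample_capture():
    """Constructed input: SHB, IDB, packet, late secrets block, packet."""
    shb = make_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = make_block(IDB, struct.pack("<HHI", 1, 0, 65535))
    pkt = lambda p: make_block(EPB, struct.pack("<5I", 0, 0, 0, len(p), len(p)) + p)
    key = b"constructed placeholder, not a real key\n"
    dsb = make_block(DSB, struct.pack("<II", 0, len(key)) + key)  # secrets type 0: placeholder
    return shb + idb + pkt(b"\x16\x03\x01") + dsb + pkt(b"\x17\x03\x03")
```

A rewritten file carries key material in the clear, so it needs the same handling as any other key file.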