Wireshark mailing list archives
Re: re-load IKEv2 / ESP UAT during wireshark gui runtime
From: Martin Mathieson via Wireshark-dev <wireshark-dev () wireshark org>
Date: Thu, 19 Aug 2021 18:43:13 +0100
I have nothing against a text keylog file approach, but FWIW with ESP UAT (or the run-time function I mentioned), you can configure the key in hex prefixed with 0x. Martin On Thu, Aug 19, 2021 at 6:37 PM Nicolás Alvarez <nicolas.alvarez () gmail com> wrote:
El jue, 19 de ago. de 2021 a la(s) 08:30, Harald Welte (laforge () gnumonks org) escribió:Sorry if this has been covered before, but I could only find several locations online where the question has been asked, but no responseanywhere:Is there already a mechanism by which a running wireshark can betriggered tore-load UAT tables at runtime, in my specific use case those for IKEv2and ESP SA?I tried to grep for uat_load in the source but couldn't find any specific externally-triggered place other than doing a manual change and thenpressingthe cancel button, which will do a uat_load(). I guess it should be relatively simple to add at least something like aSIGHUPor SIGUSR1 handler which would trigger the reload of the tables? Theproper/fancyapproach on Linux would of course be to use inotify/dnotfiy to get anotificationfrom the kernel whenever some external program has updated those tables. The use case, in case it's not obvious, is to use an IPsecimplementation thathas been instrumented to update those tables automatically "inreal-time" as newIKE handshakes or SAs are established. This is alerady possible e.g.from strongswanwith a related plugin. Saving a pcap and opening it later on is of course always possible, butit seemsrather clumsy to me, if there's no good reason against the good old"signal to re-readconfig files" approach.The TLS dissector uses a text file with the keys, and I never had to worry about manually reloading it. Apparently the way it works is that every time a TLS packet is dissected, it checks again if there's new lines in the file since the previous read. I'm not sure if it works if a packet with decryptable data is captured before the corresponding key appears in the text file though. Isn't a main advantage of UATs that you get a GUI to edit it? How common is it to use IPsec with pre-shared keys? If nowadays "everyone" uses ephemeral randomly-generated keys, maybe using the GUI to configure IKE/ESP keys is too cumbersome anyway, and the IPsec dissector could use a text keylog file like the TLS and SSH dissectors do instead of a UAT. If there is a good reason to use UATs for this kind of encryption keys, I'd wonder why the TLS and SSH dissectors don't use them ;) (By the way, last time I tried this stuff, the ESP UAT expected me to enter the raw key, not encoded in hex or anything, which doesn't work if the key doesn't use printable ASCII characters, because it was randomly generated and negotiated with IKE :/ ) -- Nicolás ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org ?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- re-load IKEv2 / ESP UAT during wireshark gui runtime Harald Welte (Aug 19)
- Re: re-load IKEv2 / ESP UAT during wireshark gui runtime Martin Mathieson via Wireshark-dev (Aug 19)
- Re: re-load IKEv2 / ESP UAT during wireshark gui runtime Nicolás Alvarez (Aug 19)
- Re: re-load IKEv2 / ESP UAT during wireshark gui runtime Martin Mathieson via Wireshark-dev (Aug 19)
- Re: re-load IKEv2 / ESP UAT during wireshark gui runtime Dr. Matthias St. Pierre (Aug 20)
- Re: re-load IKEv2 / ESP UAT during wireshark gui runtime Martin Mathieson via Wireshark-dev (Aug 19)