[pcap-ng-format] reserving blocks for decryption?

Anders Broman anders.broman at ericsson.com
Mon Feb 10 11:44:26 UTC 2014


Hi,
> Question is - is this urgent or can we call another round table for PCAPng at Sharkfest, discussing procedures for the adding of new block types and block options?
It's not urgent at the moment but that might change...

It would be good if we could have some initial discussions here before Sharkfest to be more prepared. I feel we haven't made much progress since the original draft unfortunately.

I'm not too fond of the proposed fragmentation of the "Block IDs". I'm also wondering if we should have vendor blocks and vendor options so that, say, Wireshark can make its own block or option without having to update the "standard". A Wireshark block or option could contain conversation information, IP port to protocol mapping, RTP payload mapping etc.

Best regards
Anders 


-----Original Message-----
From: pcap-ng-format-bounces at winpcap.org [mailto:pcap-ng-format-bounces at winpcap.org] On Behalf Of Jasper Bongertz
Sent: 10 February 2014 11:54
To: Pcap-ng file format
Subject: Re: [pcap-ng-format] reserving blocks for decryption?

Hi Anders,

I agree, having SSL decryption info stored as a comment is a workaround, but not a smart solution. Having a decryption block is certainly an interesting idea, especially since it would allow stripping it if necessary, or even doing some sort of password protection for the block. I would call such a block a PROTOCOL DECRYPTION block (or something similar), because we might have a file-level encryption block at some point, too.

A protocol decryption block could be designed to be universal for WLAN encryption, IPSec, OpenVPN, SSL etc. with different sub options, as you proposed.

Question is - is this urgent or can we call another round table for PCAPng at Sharkfest, discussing procedures for the adding of new block types and block options?

Cheers,
Jasper

Monday, February 10, 2014, 10:02:09 AM, you wrote:

> Hi,
> On the topic of new blocks, how about "decryption blocks"? The bug
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9616 uses the 
> comments to store SSL decryption details.
> I feel it would be better in a pcap-ng block. I'm also looking into 
> IPsec ESP where it could be useful to have a decryption block. I 
> haven't really thought about the format of such blocks.
> Perhaps a generic decryption block with sub options per encryption protocol?

> Regards
> Anders
