[pcap-ng-format] [Wireshark-dev] Proposal for storing decryption secrets in a pcapng block
Jasper Bongertz
jasper at packet-foo.com
Mon Oct 1 15:37:24 UTC 2018
Michael Richardson wrote:
> Peter Wu <peter at lekensteyn.nl> wrote:
> > Requirements for block placement:
> > - No requirement. Producers are allowed to write the block anywhere.
> > Disadvantages for consumers: requires a two-pass scan to collect
> > secrets before they are used.
> I prefer this, but I would support having a flag in the block that says that no other blocks exist in the file until at least X-bytes.
> So, a producer (or something downstream of it), could scan for the blocks, move them to the front, and indicate how far into the file it covers. Naturally, if X >= file size, then the work is done.
I agree that this would be nice but I see technical difficulties with this. When
writing a block you have to assume that you don't know what's going to be
written next, so you don't know how far it is to the next block. pcap-ng files
are usually written by the producer as a stream of blocks, so you can't go back
to update a previous block when you write the next one.
Also, moving blocks around while writing a live capture is not an option when
it comes to heavy loads. Or did I misunderstand your idea?
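
Added example, not part of the original thread: a minimal first-pass scanner showing why free block placement forces consumers to read the file twice. It assumes a single little-endian section and uses block type 0x0000000A, the value the pcapng specification later assigned to the Decryption Secrets Block; the helper names and the sample capture are constructed for illustration.

```python
import struct

SHB, IDB, EPB, DSB = 0x0A0D0D0A, 0x00000001, 0x00000006, 0x0000000A

def block(btype, body):
    """Frame a body as a pcapng block (little-endian, padded to 32 bits)."""
    body += b"\x00" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def walk(buf):
    """Yield (offset, type, body) for each block; assumes little-endian."""
    off = 0
    while off < len(buf):
        if off + 12 > len(buf):
            raise ValueError(f"truncated block header at offset {off}")
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from("<I", buf, off + total - 4)[0] != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        yield off, btype, buf[off + 8 : off + total - 4]
        off += total

def late_secrets(buf):
    """Offsets of secrets blocks that appear after the first packet block.

    A non-empty result means a single-pass reader would reach packets
    before the secrets needed to decrypt them.
    """
    first_packet, late = None, []
    for off, btype, _ in walk(buf):
        if btype == EPB and first_packet is None:
            first_packet = off
        elif btype == DSB and first_packet is not None:
            late.append(off)
    return late

# Constructed sample blocks (not taken from a real capture).
shb = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
idb = block(IDB, struct.pack("<HHI", 1, 0, 65535))
epb = block(EPB, struct.pack("<IIIII", 0, 0, 0, 4, 4) + b"\x16\x03\x03\x00")
secret = b"CLIENT_RANDOM 00 11\n"  # placeholder text, not a usable key log line
dsb = block(DSB, struct.pack("<II", 0x544C534B, len(secret)) + secret)  # "TLSK"

STREAMED = shb + idb + epb + dsb   # order a live, append-only writer may produce
REORDERED = shb + idb + dsb + epb  # order after an offline rewrite moves secrets up
```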