[pcap-ng-format] Proposal for storing decryption secrets in a pcapng block
Michael Richardson
mcr at sandelman.ca
Fri Oct 5 13:47:43 UTC 2018
Guy Harris <guy at alum.mit.edu> wrote:
> The second and third option require either the producer, or some
> post-processor, to write a new version of the file putting the secrets
> before the packets that require them. The producer isn't necessarily
> responsible for doing so; one might have tcpdump, or dumpcap (or some
> program using dumpcap, such as TShark or Wireshark) write out a capture
> with no secrets, and then have another program (a utility, or Wireshark
> after having read in the file and then given the secret in question)
> write out a new file with the secrets early enough in the file ("before
> all the packet blocks" is probably the simplest implementation).
I'm in favour of this option, and providing a signal early in the file that
indicates if that process has occurred yet.
> A producer that *does* happen to have the secret available before
> seeing any packets that require the secret *could* write it directly.
Agreed.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
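
The post-processing rewrite discussed in this thread, as an added example that is not part of the original messages or of any tool named in them. The secrets block type 0x0000000A and the "TLSK" secrets type are taken from the later pcapng specification rather than from this thread; the function names, the restriction to a single little-endian section and the sample bytes are assumptions made for the example.

```python
import struct

SHB, IDB, EPB, SPB, OLD_PB = 0x0A0D0D0A, 1, 6, 3, 2
DSB = 0x0000000A         # assumption: secrets block type from the later pcapng spec
TLS_KEYLOG = 0x544C534B  # assumption: "TLSK" secrets type from the same spec
PACKET_TYPES = {EPB, SPB, OLD_PB}

def iter_blocks(data):
    """Yield (block_type, raw_block) from little-endian pcapng bytes."""
    off = 0
    while off < len(data):
        length = data[off + 4:off + 8]
        total = int.from_bytes(length, "little")
        end = off + total
        if total < 12 or total % 4 or end > len(data) or data[end - 4:end] != length:
            raise ValueError(f"malformed or truncated block at offset {off}")
        yield int.from_bytes(data[off:off + 4], "little"), data[off:end]
        off = end

def make_block(btype, body):
    body += b"\0" * (-len(body) % 4)  # pad the body to a 32-bit boundary
    total = len(body) + 12            # type + two length fields + body
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def make_dsb(keylog):
    return make_block(DSB, struct.pack("<II", TLS_KEYLOG, len(keylog)) + keylog)

def secrets_precede_packets(data):
    """True when no secrets block appears at or after the first packet block."""
    types = [t for t, _ in iter_blocks(data)]
    first_packet = next((i for i, t in enumerate(types) if t in PACKET_TYPES), len(types))
    return DSB not in types[first_packet:]

def hoist_secrets(data, keylog=None):
    """Rewrite a single-section capture with all secrets right after the SHB."""
    blocks = list(iter_blocks(data))
    if [t for t, _ in blocks].count(SHB) != 1 or blocks[0][0] != SHB:
        raise ValueError("expected exactly one section, starting with an SHB")
    secrets = [raw for t, raw in blocks if t == DSB]
    secrets += [make_dsb(keylog)] if keylog else []
    rest = [raw for t, raw in blocks[1:] if t != DSB]
    return blocks[0][1] + b"".join(secrets + rest)

def sample_capture():
    """Constructed capture: SHB, IDB, one EPB, then a secrets block written late."""
    shb = make_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = make_block(IDB, struct.pack("<HHI", 1, 0, 65535))
    epb = make_block(EPB, struct.pack("<5I", 0, 0, 0, 4, 4) + b"\xde\xad\xbe\xef")
    return shb + idb + epb + make_dsb(b"CLIENT_RANDOM 00 11\n")
```

A reader can call `secrets_precede_packets()` on a file to decide whether the rewrite is still needed; it is a stand-in for the early signal suggested above, which the thread does not define.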