[pcap-ng-format] [Wireshark-dev] Proposal for storing decryption secrets in a pcapng block
ronnie sahlberg
ronniesahlberg at gmail.com
Sat Oct 6 09:37:43 UTC 2018
What Guy said.
On Fri, Oct 5, 2018 at 4:11 PM Guy Harris <guy at alum.mit.edu> wrote:
>
> On Sep 30, 2018, at 10:47 AM, Peter Wu <peter at lekensteyn.nl> wrote:
>
> > Requirements for block placement:
> > - No requirement. Producers are allowed to write the block anywhere.
> > Disadvantages for consumers: requires a two-pass scan to collect
> > secrets before they are used.
> > - Place secrets before the packet blocks that require them. Consumers
> > can read and decrypt in one pass. Disadvantage: producers cannot
> > always guarantee availability of secrets while writing the capture.
> > - Place a single secret block before the first packet block. Consumers
> > can read and decrypt in one pass. Disadvantage: requires producers to
> > post-process (rewrite) the capture file to insert secrets.
>
> The third of those appears to be a special case of the second of those. I don't see any need to require the secrets to be before the *first* packet block if the first packet block doesn't require the secret; presumably "before the packet blocks that require them" just means "*somewhere* before the packet blocks that require them", which is *allowed* to be "before all packet blocks in the file" but not *required* to be "before all packet blocks in the file".
>
> If the secret isn't available by the time the first packet requiring the secret for decryption is ready to be written to the capture, *somebody* will have to do some form of two-pass processing.
>
> The first option says the consumer must do so; that's inconvenient for a consumer doing one-pass processing (tcpdump, TShark without the -2 option), and isn't even really good for at least some consumers doing two-pass processing (Wireshark, TShark with the -2 option), because dissection is done on the first pass.
>
> The second and third option require either the producer, or some post-processor, to write a new version of the file putting the secrets before the packets that require them. The producer isn't necessarily responsible for doing so; one might have tcpdump, or dumpcap (or some program using dumpcap, such as TShark or Wireshark) write out a capture with no secrets, and then have another program (a utility, or Wireshark after having read in the file and then given the secret in question) write out a new file with the secrets early enough in the file ("before all the packet blocks" is probably the simplest implementation).
>
> A producer that *does* happen to have the secret available before seeing any packets that require the secret *could* write it directly.
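To make the one-pass versus two-pass consumer trade-off from the thread concrete, here is an added Python example (not code from Wireshark or from any of the posters). It builds two constructed in-memory pcapng files, one with the secrets block written after the first packet that needs it and one with it written early, and shows which packets a streaming consumer versus a two-pass consumer could decrypt. It assumes the block type code 0x0000000A and the 'TLKS' secrets type later given to the Decryption Secrets Block in the pcapng specification; the key-log bytes are a constructed placeholder.

```python
import struct

# pcapng block type codes from the pcapng specification; 0x0000000A is the
# code later assigned to the Decryption Secrets Block (DSB) and 'TLKS' is
# the secrets type for a TLS key log (both assumed here, not on the page).
SHB, IDB, EPB, DSB = 0x0A0D0D0A, 0x00000001, 0x00000006, 0x0000000A
TLS_KEYLOG = 0x544C4B53

def block(btype, body):
    """Wrap a body in the generic pcapng block framing (little-endian)."""
    body += b"\0" * (-len(body) % 4)          # pad body to a 32-bit boundary
    total = 12 + len(body)                     # type + length + body + length
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def epb(payload):
    """Enhanced Packet Block on interface 0 with a zero timestamp."""
    hdr = struct.pack("<IIIII", 0, 0, 0, len(payload), len(payload))
    return block(EPB, hdr + payload)

def dsb(secret_type, data):
    """Decryption Secrets Block carrying one blob of secrets."""
    return block(DSB, struct.pack("<II", secret_type, len(data)) + data)

def blocks(buf):
    """Yield (type, body) for each block of an in-memory pcapng file."""
    off = 0
    while off < len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        yield btype, buf[off + 8 : off + total - 4]
        off += total

def one_pass(buf):
    """Streaming consumer: a packet can only use secrets seen before it."""
    secrets, ready = [], []
    for btype, body in blocks(buf):
        if btype == DSB:
            secrets.append(body[8:8 + struct.unpack_from("<I", body, 4)[0]])
        elif btype == EPB:
            ready.append(bool(secrets))
    return ready

def two_pass(buf):
    """Two-pass consumer: collect every DSB first, then walk the packets."""
    secrets = [b for t, b in blocks(buf) if t == DSB]
    return [bool(secrets) for t, _ in blocks(buf) if t == EPB]

# Constructed sample files: section header, one interface, two packets, and a
# placeholder TLS key-log secret placed either after the first packet or early.
HEADER = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)) \
       + block(IDB, struct.pack("<HHI", 1, 0, 65535))
KEYLOG = b"CLIENT_RANDOM 00 00\n"  # constructed placeholder, not a real secret
LATE_SECRET = HEADER + epb(b"\x16\x03\x03") + dsb(TLS_KEYLOG, KEYLOG) + epb(b"\x17\x03\x03")
EARLY_SECRET = HEADER + dsb(TLS_KEYLOG, KEYLOG) + epb(b"\x16\x03\x03") + epb(b"\x17\x03\x03")
```

With the late placement, `one_pass` reports the first packet as undecryptable while `two_pass` handles both; with the early placement both consumers succeed, which is why the thread favours having the producer or a post-processor write the secrets before the packets that need them.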