[pcap-ng-format] Proposal for storing decryption secrets in a pcapng block

Guy Harris guy at alum.mit.edu
Sat Oct 6 18:37:16 UTC 2018


On Oct 5, 2018, at 6:47 AM, Michael Richardson <mcr at sandelman.ca> wrote:

> Guy Harris <guy at alum.mit.edu> wrote:
>> The second and third option require either the producer, or some
>> post-processor, to write a new version of the file putting the secrets
>> before the packets that require them.  The producer isn't necessarily
>> responsible for doing so; one might have tcpdump, or dumpcap (or some
>> program using dumpcap, such as TShark or Wireshark) write out a capture
>> with no secrets, and then have another program (a utility, or Wireshark
>> after having read in the file and then given the secret in question)
>> write out a new file with the secrets early enough in the file ("before
>> all the packet blocks" is probably the simplest implementation).
> 
> I'm in favour of this option, and providing a signal early in the file that
> indicates if that process has occurred yet.

"That process" being the process of adding all relevant secrets to the file?

For what would that indication be used?
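
The ordering property discussed in this thread (secrets placed before the packet blocks that need them) can be checked by walking a file's blocks. This is an added example, not part of the original post or of any project's code. It assumes the block type codes assigned in the pcapng specification, which this thread does not state. `late_secrets` and `block` are hypothetical helper names, and the sample captures are constructed.

```python
import struct

# Block types as assigned in the pcapng specification (assumption: not stated in this thread).
SHB, DSB = 0x0A0D0D0A, 0x0000000A                    # section header, decryption secrets
PACKET_TYPES = {0x00000006, 0x00000003, 0x00000002}  # EPB, SPB, obsolete Packet Block
ORDER = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}  # byte-order magic as stored

def iter_block_types(data):
    """Yield the type of every block in a pcapng byte string, validating lengths."""
    off, endian = 0, "<"
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block at offset {off}")
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            # SHB: the byte-order magic after the length field sets the endianness.
            endian = ORDER.get(data[off + 8:off + 12])
            if endian is None:
                raise ValueError(f"bad byte-order magic at offset {off}")
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if (blen < 12 or blen % 4 or off + blen > len(data)
                or struct.unpack_from(endian + "I", data, off + blen - 4)[0] != blen):
            raise ValueError(f"bad block length {blen} at offset {off}")
        yield btype
        off += blen

def late_secrets(data):
    """Return (total secrets blocks, secrets blocks found after a packet block)."""
    seen_packet, total, late = False, 0, 0
    for btype in iter_block_types(data):
        if btype == SHB:
            seen_packet = False      # assumption: each section is judged on its own
        elif btype in PACKET_TYPES:
            seen_packet = True
        elif btype == DSB:
            total += 1
            late += seen_packet      # a one-pass reader would already be past packets
    return total, late

def block(btype, body):
    # Little-endian block: type, total length, body (already 4-byte aligned), total length.
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

# Constructed sample captures (placeholder bodies, no real packets or keys).
_SHB = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
_IDB = block(0x00000001, struct.pack("<HHI", 1, 0, 0))
_EPB = block(0x00000006, b"\x00" * 20)
_DSB = block(DSB, struct.pack("<II", 0x544C534B, 0))  # TLS key log type, empty secrets
AS_CAPTURED = _SHB + _IDB + _EPB + _EPB + _DSB        # secrets appended after packets
REWRITTEN = _SHB + _IDB + _DSB + _EPB + _EPB          # secrets before all packet blocks
```

A result whose second value is non-zero means a one-pass reader would reach packets before the secrets that may apply to them.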

