[pcap-ng-format] [Wireshark-dev] Proposal for storing decryption secrets in a pcapng block

Jasper Bongertz jasper at packet-foo.com
Mon Oct 1 15:37:24 UTC 2018


Michael Richardson wrote:
> Peter Wu <peter at lekensteyn.nl> wrote:
>     > Requirements for block placement:
>     > - No requirement. Producers are allowed to write the block anywhere.
>     > Disadvantages for consumers: requires a two-pass scan to collect
>     > secrets before they are used.

> I prefer this, but I would support having a flag in the block that says that no other blocks exist in the file until at least X-bytes.
> So, a producer (or something downstream of it), could scan for the blocks, move them to the front, and indicate how far into the file it covers. Naturally, if X >= file size, then the work is done.

I agree that this would be nice but I see technical difficulties with this. When
writing a block you have to assume that you don't know what's going to be
written next, so you don't know how far it is to the next block. pcap-ng files
are usually written by the producer as a stream of blocks, so you can't go back
to update a previous block when you write the next one.

Also, moving blocks around while writing a live capture is not an option when
it comes to heavy loads. Or did I misunderstand your idea?
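
The consumer-side cost discussed in this thread, as an added example that is not part of the original messages: a reader that handles secrets blocks written anywhere in the stream by scanning twice. It assumes a single little-endian section and uses the block type 0x0000000A and the TLS key log secrets type 0x544c534b from the later pcapng specification, not from this thread; the capture bytes and the key log placeholder are constructed.

```python
import struct

# Block type codes; DSB and TLS_KEYLOG come from the later pcapng spec (assumption).
SHB, IDB, EPB, DSB = 0x0A0D0D0A, 0x00000001, 0x00000006, 0x0000000A
TLS_KEYLOG = 0x544C534B

def make_block(btype, body):
    """Serialize one block the way a streaming producer appends it."""
    body += b"\x00" * (-len(body) % 4)            # pad body to 32 bits
    total = 12 + len(body)                        # type + length + body + length
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def iter_blocks(buf):
    """Yield (type, body) per block, rejecting truncated or inconsistent lengths."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 12:
            raise ValueError(f"truncated block header at offset {off}")
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError(f"bad block length at offset {off}")
        if struct.unpack_from("<I", buf, off + total - 4)[0] != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        yield btype, buf[off + 8:off + total - 4]
        off += total

def parse_dsb(body):
    """Return (secrets_type, secrets_data) with padding stripped."""
    stype, slen = struct.unpack_from("<II", body, 0)
    if 8 + slen > len(body):
        raise ValueError("secrets length exceeds block body")
    return stype, body[8:8 + slen]

def packets_before_first_secret(buf):
    """Packets a one-pass reader meets before any secrets block has arrived."""
    early = 0
    for btype, _ in iter_blocks(buf):
        if btype == DSB:
            break
        early += btype == EPB
    return early

def two_pass(buf):
    """Pass 1 collects every secrets block; pass 2 walks the packets."""
    secrets = [parse_dsb(b) for t, b in iter_blocks(buf) if t == DSB]
    packets = sum(1 for t, _ in iter_blocks(buf) if t == EPB)
    return secrets, packets

# Constructed capture: the secrets block lands after two packets it applies to.
KEYLOG = b"# constructed key log placeholder\n"
epb = lambda p: make_block(EPB, struct.pack("<5I", 0, 0, 0, len(p), len(p)) + p)
SAMPLE = (make_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
          + make_block(IDB, struct.pack("<HHI", 1, 0, 65535))
          + epb(b"pkt1") + epb(b"pkt2")
          + make_block(DSB, struct.pack("<II", TLS_KEYLOG, len(KEYLOG)) + KEYLOG)
          + epb(b"pkt3"))
```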
