Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block

[Jasper Bongertz <jasper () packet-foo com>]

Michael Richardson wrote:
> Peter Wu <peter () lekensteyn nl> wrote:
>     > Requirements for block placement:
>     > - No requirement. Producers are allowed to write the block anywhere.
>     > Disadvantages for consumers: requires a two-pass scan to collect
>     > secrets before they are used.

> I prefer this, but I would support having a flag in the block that says that no other blocks exist in the file until 
> at least X-bytes.
> So, a producer (or something downstream of it), could scan for the blocks, move them to the front, and indicate how 
> far into the file it cover. Naturally, if X >= file size, then the work is done.

I agree that this would be nice but I see technical difficulties with this. When
writing a block you have to assume that you don't know what's going to be
written next, so you don't know how far it is to the next block. pcap-ng files
are usually written by the producer as a stream of blocks, so you can't go back
to update a previous block when you write the next one.

Also, moving blocks around while writing a live capture is not an option when
it comes to heavy loads. Or did I misunderstand your idea?




___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe