Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block

[Guy Harris <guy () alum mit edu>]

On Oct 5, 2018, at 6:47 AM, Michael Richardson <mcr () sandelman ca> wrote:

> Guy Harris <guy () alum mit edu> wrote:
> > The second and third option require either the producer, or some
> > post-processor, to write a new version of the file putting the secrets
> > before the packets that require them.  The producer isn't necessarily
> > responsible for doing so; one might have tcpdump, or dumpcap (or some
> > program using dumpcap, such as TShark or Wireshark) write out a capture
> > with no secrets, and then have another program (a utility, or Wireshark
> > after having read in the file and then given the secret in question)
> > write out a new file with the secrets early enough in the file ("before
> > all the packet blocks" is probably the simplest implementation).
>
> I'm in favour of this option, and providing a signal early in the file that
> the indicates if that process has occured yet.

"That process" being the process of adding all relevant secrets to the file?

For what would that indication be used?
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe