Wireshark · Wireshark-dev: Re: [Wireshark-dev] Embed SSL keylog file in pcap-ng

[Ben Higgins <ben@xxxxxxxxxxxx>]

Hey folks,

Here's what I'm thinking at this point: a new block type for SSL/TLS keylogs and another block type for DTLS keylogs. The contents of each will be the format as described here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format

Any number of these blocks can be included. For each block encountered, ssl_load_keyfile will be called, with the correct per-protocol master key map included. Some code refactoring to ssl_load_keyfile will likely be required since we're dealing with an array of bytes instead of a FILE.

One thing I'm unclear on is how to trigger a reparse of previously processed packets when a keylog block is encountered at e.g. the end of the file. Is that possible?

Thanks,

Ben

On Sat, May 5, 2018 at 2:19 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On May 5, 2018, at 2:07 AM, Ahmad Fatoum <ahmad@xxxxxx> wrote:

>> On 5May 2018, at 10:47, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>>
>> That doesn't require "some authority that allocates protocol identifiers", because it doesn't require protocol identifiers; all that needs to be done is to allocate pcapng block types to those protocols that require some additional information to decrypt its traffic.
>
> I like the idea of a "universal"  key pcapng block more than requiring each interested protocol to request its own block.

Each protocol's key format has to be documented, to allow arbitrary programs to use the block, so they'll have to request it *anyway*, supplying the key format as part of the request.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe