
Wireshark-dev: Re: [Wireshark-dev] Embed SSL keylog file in pcap-ng

From: Jim Young <jim.young.ws@xxxxxxxxx>
Date: Fri, 18 May 2018 22:49:16 -0400
Hello Ben,

Similar to the way that IDBs must be preceded by any EPBs that reference them, Apple's tcpdump can augment pcapng files with proprietary process information blocks.  EPBs are augmented with proprietary options that can reference any preceding process information blocks.

Unfortunately Apple in their infinite wisdom opted not to register reserved values for their packet information block type number nor for the various process information related EPB option numbers.  Instead Apple opted to go the lazy route and simply used "local use" values.

Please do not repeat Apple's mistake of using "local use" values in pcapng capture files that will be publicly available.

Late last year I submitted a hacky and currently stalled WIP attempt to process these proprietary Apple blocks and options in change 24641. Given that Apple used "local use" values (and chose specific "local use" values that arguably are more likely to be used by others), it is not likely my patch or anything better will be merged unless parsing and processing of the Apple proprietary pcapng block and options are optional and disabled by default.

I'll be looking forward to seeing how you implement the SSL keylog info into pcapng.

Good luck and best regards,

Jim Y.

On Fri, May 18, 2018 at 10:05 PM, Ben Higgins <ben@xxxxxxxxxxxx> wrote:


On Friday, May 18, 2018, Guy Harris <guy@xxxxxxxxxxxx> wrote:
On May 18, 2018, at 6:08 PM, Ben Higgins <ben@xxxxxxxxxxxx> wrote:

> Sounds like it'd still be fine for there to be multiple keylog blocks,

Yes.

> but, as you say, they must occur before any packets that require the secrets contained therein. Is that correct?

Yes.

Great, thanks. I plan to have us implement this feature accordingly. Should we file a new ticket along these lines or will the existing ticket suffice?

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe

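The two constraints raised in this thread, that a block an EPB depends on must precede that EPB and that public capture files must not use "local use" block types or option codes, can both be checked mechanically. The following linter is an added example written for this page; it is not code from the thread, from Apple's tcpdump, or from Wireshark. It builds two small constructed pcapng streams and walks them block by block. The registered Decryption Secrets Block (type 0x0000000A, secrets type 0x544C4B4C for a TLS key log) is the form this proposal later took in the pcapng specification and is used for the well-formed capture; the block type 0x80000042 and EPB option code 0x8001 are hypothetical local-use values chosen only to show what the linter flags, and the parser assumes a little-endian section (a real reader would honour the byte-order magic).

```python
"""Lint a pcapng byte stream for block ordering and local-use values (added example)."""
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
DSB = 0x0000000A            # Decryption Secrets Block, registered in the pcapng spec
LOCAL_KEYLOG = 0x80000042   # hypothetical local-use type for the same data (the anti-pattern)
SECRETS_BLOCKS = {DSB, LOCAL_KEYLOG}
TLS_KEYLOG = 0x544C4B4C     # DSB secrets_type for an SSLKEYLOGFILE-style payload
OPT_ENDOFOPT = 0
LOCAL_BLOCK_BIT, LOCAL_OPTION_BIT = 0x80000000, 0x8000   # MSB set means "local use"


def _pad4(b):
    return b + b"\x00" * (-len(b) % 4)


def options(*opts):
    """Encode (code, value) pairs as pcapng options, terminated by opt_endofopt."""
    body = b"".join(struct.pack("<HH", code, len(val)) + _pad4(val) for code, val in opts)
    return body + struct.pack("<HH", OPT_ENDOFOPT, 0)


def block(btype, body):
    """Frame a block body with the type/length header and the trailing length."""
    body = _pad4(body)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def shb():
    # byte-order magic, version 1.0, section length unspecified (-1)
    return block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + options())


def idb(linktype=1, snaplen=65535):
    return block(IDB, struct.pack("<HHI", linktype, 0, snaplen) + options())


def epb(iface, pkt, opts=None):
    hdr = struct.pack("<IIIII", iface, 0, 0, len(pkt), len(pkt))
    return block(EPB, hdr + _pad4(pkt) + (options() if opts is None else opts))


def secrets(btype, keylog):
    return block(btype, struct.pack("<II", TLS_KEYLOG, len(keylog)) + _pad4(keylog))


KEYLOG = b"CLIENT_RANDOM 00 00\n"                                  # constructed, not a real secret
PKT = bytes.fromhex("ffffffffffff0011223344550800") + b"\x00" * 30  # constructed filler frame


def build_good_capture():
    """IDB and secrets precede the packet that needs them; only registered types."""
    return shb() + idb() + secrets(DSB, KEYLOG) + epb(0, PKT)


def build_bad_capture():
    """EPB before its IDB and before the secrets, with a local-use type and option."""
    return (shb()
            + epb(0, PKT, options((0x8001, struct.pack("<I", 0))))   # hypothetical local option
            + idb()
            + secrets(LOCAL_KEYLOG, KEYLOG))


def iter_blocks(buf):
    """Yield (offset, type, body) for each block, checking both length fields."""
    off = 0
    while off < len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError(f"bad block length {total} at offset {off}")
        (trailer,) = struct.unpack_from("<I", buf, off + total - 4)
        if trailer != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        yield off, btype, buf[off + 8 : off + total - 4]
        off += total


def option_codes(body):
    codes, off = [], 0
    while off + 4 <= len(body):
        code, length = struct.unpack_from("<HH", body, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        codes.append(code)
        off += length + (-length % 4)
    return codes


def lint(buf):
    findings, n_idb, n_epb = [], 0, 0
    for off, btype, body in iter_blocks(buf):
        if btype & LOCAL_BLOCK_BIT:
            findings.append(f"{off}: block type 0x{btype:08X} is a local-use value")
        if btype == SHB:
            n_idb = n_epb = 0                      # interface numbering restarts per section
        elif btype == IDB:
            n_idb += 1
        elif btype in SECRETS_BLOCKS:
            if n_epb:                              # packets already written cannot use these secrets
                findings.append(f"{off}: secrets block follows {n_epb} EPB(s) that cannot use it")
        elif btype == EPB:
            n_epb += 1
            (iface,) = struct.unpack_from("<I", body, 0)
            if iface >= n_idb:                     # forward reference to an IDB not yet seen
                findings.append(f"{off}: EPB references interface {iface} but only {n_idb} IDB(s) precede it")
            (caplen,) = struct.unpack_from("<I", body, 12)
            for code in option_codes(body[20 + caplen + (-caplen % 4):]):
                if code & LOCAL_OPTION_BIT:
                    findings.append(f"{off}: EPB option code 0x{code:04X} is a local-use value")
    return findings


if __name__ == "__main__":
    for name, cap in (("good", build_good_capture()), ("bad", build_bad_capture())):
        print(name, lint(cap) or "clean")
```

The same walk can be pointed at a real file (`lint(open(path, "rb").read())`) once the byte-order magic in the SHB is honoured; the block-type and option-code checks are exactly the test a public capture should pass before it is shared, and the ordering check is the one a reader can rely on because the specification forbids forward references.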