Wireshark-dev: Re: [Wireshark-dev] [pcap-ng-format] Proposal for storing decryption secrets in
From: Guy Harris <[email protected]>
Date: Sat, 6 Oct 2018 11:37:16 -0700
On Oct 5, 2018, at 6:47 AM, Michael Richardson <[email protected]> wrote:

> Guy Harris <[email protected]> wrote:
>> The second and third option require either the producer, or some
>> post-processor, to write a new version of the file putting the secrets
>> before the packets that require them.  The producer isn't necessarily
>> responsible for doing so; one might have tcpdump, or dumpcap (or some
>> program using dumpcap, such as TShark or Wireshark) write out a capture
>> with no secrets, and then have another program (a utility, or Wireshark
>> after having read in the file and then given the secret in question)
>> write out a new file with the secrets early enough in the file ("before
>> all the packet blocks" is probably the simplest implementation).
> I'm in favour of this option, and providing a signal early in the file that
> the indicates if that process has occured yet.

"That process" being the process of adding all relevant secrets to the file?

For what would that indication be used?