You know what I'd like to see? (WHAT? I'm sure you're all saying)
The ability to decrypt some of the encrypted protocols if you know the
keys.
I've been thinking of how this should be done sort of "generically"
inside of ethereal, and here are my thoughts:
1) Encrypted hex is printed to the various buffers as a new "type".
This type would be shown in, um, red. Callbacks would be
registered to "decrypt" this if keys were passed to it. Callbacks
would be registered that could accept keys in a dialog box, or
strings (for str->key conversions), etc.
2) (right-?) Clicking on the portion would prompt for key information
and call the appropriate callback. Assuming a true response, it
would then call the decrypt-handler callback to finish parsing (and
updating the window with) the rest of the message.
3) If a key was already present, it could try to decrypt it using the
known keys for that protocol?
For many of the encrypted protocols this shouldn't be too hard
(snmpv3, ...). For some protocols you could even try to pull the keys
from the local disk if the target was to/from them (krb5, snmpv3, isakmp?,
...). For public/private key protocols you're more out of luck unless
you have the private key. However, you might be able to decrypt one
half of the traffic at least.
Now, who has the time to implement it? (he says chuckling)
--
"Ninjas aren't dangerous. They're more afraid of you than you are of them."
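As an added illustration of the callback scheme sketched in items 1-3 (this is example code written for this note, not Ethereal's code or anything the poster wrote), the following C program keeps a per-protocol registry of two callbacks: one that turns a string typed into a dialog into a key, and one that attempts decryption and reports whether the result looks valid. A payload with no working key stays "undecrypted"; once a key has been entered it is remembered and retried on later messages of that protocol. The protocol name "toyproto", its repeating-XOR "cipher", the "TP" header check and the sample ciphertext are all constructed stand-ins so the example runs offline; a real dissector would plug in the protocol's actual cipher and integrity check.

```c
/* Added example: a minimal decrypt-callback registry modelled on the post's proposal. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PROTOS  8
#define MAX_KEYS    4
#define MAX_KEY_LEN 32
#define MAX_MSG     64

typedef struct { uint8_t bytes[MAX_KEY_LEN]; size_t len; } proto_key_t;

/* Item 1: a callback that turns what the user typed into a protocol key. */
typedef int (*str_to_key_fn)(const char *str, proto_key_t *out);
/* Item 2: the decrypt handler; writes plaintext to out, returns 1 only if it looks valid. */
typedef int (*decrypt_fn)(const proto_key_t *key, const uint8_t *in, size_t len, uint8_t *out);

typedef struct {
    const char   *name;
    str_to_key_fn str_to_key;
    decrypt_fn    decrypt;
    proto_key_t   known[MAX_KEYS];   /* keys the user has already supplied */
    size_t        n_known;
} proto_entry_t;

static proto_entry_t registry[MAX_PROTOS];
static size_t n_protos = 0;

static proto_entry_t *find_proto(const char *name) {
    for (size_t i = 0; i < n_protos; i++)
        if (strcmp(registry[i].name, name) == 0) return &registry[i];
    return NULL;
}

/* A dissector registers its two callbacks once; returns 0 on success, -1 if full or duplicate. */
int register_decryptor(const char *name, str_to_key_fn s2k, decrypt_fn dec) {
    if (n_protos >= MAX_PROTOS || find_proto(name)) return -1;
    proto_entry_t *e = &registry[n_protos++];
    memset(e, 0, sizeof *e);
    e->name = name; e->str_to_key = s2k; e->decrypt = dec;
    return 0;
}

/* Item 2: the user entered a key string in the dialog; convert it and remember it. Returns 1 on success. */
int add_key_from_string(const char *proto, const char *str) {
    proto_entry_t *e = find_proto(proto);
    proto_key_t k;
    if (!e || e->n_known >= MAX_KEYS || !e->str_to_key(str, &k)) return 0;
    for (size_t i = 0; i < e->n_known; i++)      /* do not store the same key twice */
        if (e->known[i].len == k.len && memcmp(e->known[i].bytes, k.bytes, k.len) == 0) return 1;
    e->known[e->n_known++] = k;
    return 1;
}

/* Item 3: try every key already known for this protocol. Returns the index of the key
   whose plaintext validated, or -1 (leave the bytes shown as encrypted). */
int try_known_keys(const char *proto, const uint8_t *ct, size_t len, uint8_t *out) {
    proto_entry_t *e = find_proto(proto);
    if (!e || len > MAX_MSG) return -1;
    for (size_t i = 0; i < e->n_known; i++)
        if (e->decrypt(&e->known[i], ct, len, out)) return (int)i;
    return -1;
}

/* ---- Constructed stand-in protocol "toyproto" (not a real protocol or cipher). ---- */
static int toy_str_to_key(const char *str, proto_key_t *out) {
    size_t n = strlen(str);
    if (n == 0 || n > MAX_KEY_LEN) return 0;
    memcpy(out->bytes, str, n);
    out->len = n;
    return 1;
}

/* Repeating-key XOR; a decrypted payload is "valid" only if it starts with the "TP" header. */
static int toy_decrypt(const proto_key_t *key, const uint8_t *in, size_t len, uint8_t *out) {
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ key->bytes[i % key->len];
    return len >= 2 && out[0] == 'T' && out[1] == 'P';
}

/* Constructed sample ciphertext: "TPhello" under the key "k3y". Returns its length. */
static size_t toy_sample(uint8_t *buf) {
    const char *pt = "TPhello", *k = "k3y";
    size_t n = strlen(pt);
    for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)pt[i] ^ (uint8_t)k[i % 3];
    return n;
}

int main(void) {
    uint8_t ct[MAX_MSG], pt[MAX_MSG + 1];
    size_t n = toy_sample(ct);
    register_decryptor("toyproto", toy_str_to_key, toy_decrypt);
    printf("no key yet: %d\n", try_known_keys("toyproto", ct, n, pt));   /* -1: still red */
    add_key_from_string("toyproto", "wrong");   /* user's first guess in the dialog */
    add_key_from_string("toyproto", "k3y");     /* second attempt */
    int idx = try_known_keys("toyproto", ct, n, pt);
    pt[n] = '\0';
    printf("matched key #%d, plaintext: %s\n", idx, pt);
    return 0;
}
```

The validity check inside the decrypt handler is what makes item 3 safe to run automatically: without it, trying stored keys against every packet would "succeed" with garbage for any key.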