Wireshark-dev: Re: [Wireshark-dev] Embed SSL keylog file in pcap-ng
From: Ahmad Fatoum <ahmad@xxxxxx>
Date: Sat, 5 May 2018 10:40:24 +0200
Hi,

> On 5May 2018, at 09:31, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> 
> "Support multiple protocols in a capture" in what sense?

multiple protocols with a key block each, e.g. TLS and Tibia interleaved in the same capture file. 
> On 4May 2018, at 09:21, Paul Zander <p.j.zander@xxxxxxxxxxx> wrote:
> 
> Via fields in this block we can define for which protocol the key is.


> On 5May 2018, at 09:31, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>> some authority that allocates protocol identifiers would be desirable
> 
> If this is going to be in pcapng files, the authority would be the pcapng file format maintainers.

Of course, the pcapng maintainers are the authority on the block's structure,
but the protocol identifier would be a field inside the new "Wireshark dissector preferences" block and managed by Wireshark, no?


>> and I think Wireshark protocol names are very suited for this (after renaming SSL to TLS :-).
>> 
>> Maybe:
>> - Standardize some prefs_register_key_preference API for key supplement in Wireshark that wraps existing UAT/preference use and provides key preferences in a uniform format
>> - Agree on a specific format for those key preferences inside pcapng blocks
> 
> Once they're in pcapng blocks, unless the block is Wireshark-specific, the preferences would be managed entirely by the pcapng developers, not the Wireshark developers.

The block is Wireshark-specific. Its layout is fixed and versioned. The contents vary but Wireshark would commit to a standard format for key preferences.


Thinking about it, another alternative would be a generic pcap block but with a frame number replacing the protocol name. The frame number can be used to identify the protocol "conversation" that the key is associated with and alleviates the need to centrally assign protocol identifiers.


Cheers