Re: [Wireshark-dev] [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block

2018-10-04 Thread Ben Higgins
On Sun, Sep 30, 2018 at 10:47 AM Peter Wu wrote:

> Hi all,
>
> Earlier this year, Ben Higgins proposed a new pcapng block to store
> SSL/TLS session secrets that would allow users to enable decryption of
> packet traces without further configuration. I would like to solicit for
> some feedback on this proposed specification update:
> https://github.com/pcapng/pcapng/pull/54
>
> Among the open spec issues:
> - Are you happy with the chosen identifiers (10 for block type and
>   0x544c534b ("TLSK") for the TLS key log secret type).
> - Rename the block from the original proposal (it seems based on "IDB",
>   but "Decryption Secrets Block (DSB)" sounds better to me).
>

Both these sound good to me.

> - Is there a use case for multiple secret blocks?
>

Certainly if you have different secret block types (so you might need one
of each). Even for the same type it'd make it easier on producers that
might not know the length of all secrets up front (i.e. it's filling up a
buffer as it goes and spitting out a secret block once the buffer's full).

> - For multiple secret blocks, is concatenation a good merge strategy?
>

Concatenation should work fine among TLSK blocks assuming all blocks have a
final newline (or one is inserted if missing during concat; perhaps that
needs to be specified).

> - Is this format future-proof and usable for other formats like ZigBee?
>

Not sure if the merge strategy could be uniform among other secret formats,
but otherwise this spec seems future-proof since a new secret type can
entail a new secret format.


> Advantages of allowing multiple blocks:
> - Producers can write secrets directly while writing packets.
> - Merging multiple capture files is simpler.
>
> Requirements for block placement:
> - No requirement. Producers are allowed to write the block anywhere.
>   Disadvantages for consumers: requires a two-pass scan to collect
>   secrets before they are used.
> - Place secrets before the packet blocks that require them. Consumers
>   can read and decrypt in one pass. Disadvantage: producers cannot
>   always guarantee availability of secrets while writing the capture.
>
> - Place a single secret block before the first packet block. Consumers
>   can read and decrypt in one pass. Disadvantage: requires producers to
>   post-process (rewrite) the capture file to insert secrets.
>

I'm fine with the second option given that, as you note, "No requirement"
is more challenging on consumers.

> As these blocks contain sensitive (session) secrets, they should be
> carefully handled, but that's probably a different discussion. The
> current Wireshark patches that implement *read-only* support is at
> https://code.wireshark.org/review/29901
>
> Your feedback is welcome.
> --
> Kind regards,
> Peter Wu
> https://lekensteyn.nl
> ___
> pcap-ng-format mailing list
> pcap-ng-for...@winpcap.org
> https://www.winpcap.org/mailman/listinfo/pcap-ng-format
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
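
As an added example (not code from the proposal, the pcapng PR or Wireshark), here is both sides of what Ben describes above: a producer framing TLSK secrets into DSBs, a merge that inserts the final newline a block may lack, and a one-pass consumer that can only count secrets as available for packets that follow a DSB. The DSB body layout (Secrets Type, Secrets Length, Secrets Data, no options), the fixed little-endian byte order and the key log lines are assumptions made here; a real reader takes byte order from the SHB magic.

```python
import struct
DSB_BLOCK_TYPE = 0x0000000A       # block type 10, as proposed in the thread
TLS_KEYLOG_SECRETS = 0x544C534B   # "TLSK" secrets type, as proposed in the thread
EPB_BLOCK_TYPE = 0x00000006       # Enhanced Packet Block, used for the placement walk
# Constructed, non-functional key log lines (not real secrets); B lacks the final newline.
FAKE_KEYLOG_A = b"CLIENT_RANDOM 00112233 aabbccdd\n"
FAKE_KEYLOG_B = b"CLIENT_RANDOM 44556677 eeff0011"

def merge_tls_keylogs(payloads):
    """Concatenate TLSK payloads, inserting the final newline a block may lack."""
    return b"".join(p if p.endswith(b"\n") else p + b"\n" for p in payloads if p)

def frame_block(block_type, body, bo="<"):
    """Generic pcapng framing: type, total length, body padded to 32 bits, total length again."""
    body += b"\0" * ((-len(body)) % 4)
    total = 12 + len(body)
    return struct.pack(bo + "II", block_type, total) + body + struct.pack(bo + "I", total)

def build_dsb(secrets_type, secrets_data, bo="<"):
    """DSB body as assumed here: Secrets Type, Secrets Length, Secrets Data, no options."""
    hdr = struct.pack(bo + "II", secrets_type, len(secrets_data))
    return frame_block(DSB_BLOCK_TYPE, hdr + secrets_data, bo)

def iter_blocks(buf, bo="<"):
    """Yield (block_type, body) for each block, validating both length fields."""
    off = 0
    while off < len(buf):
        btype, total = struct.unpack_from(bo + "II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError("bad block total length at offset %d" % off)
        tail, = struct.unpack_from(bo + "I", buf, off + total - 4)
        if tail != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        yield btype, buf[off + 8:off + total - 4]
        off += total

def dsb_secrets(body, bo="<"):
    """Split a DSB body into (secrets_type, secrets_data), dropping the padding."""
    stype, slen = struct.unpack_from(bo + "II", body, 0)
    if 8 + slen > len(body):
        raise ValueError("secrets length exceeds block")
    return stype, body[8:8 + slen]

def one_pass_scan(buf, bo="<"):
    """Single pass over a file: merged TLSK secrets plus how many EPBs came before any secret."""
    secrets, early_packets = [], 0
    for btype, body in iter_blocks(buf, bo):
        if btype == DSB_BLOCK_TYPE:
            stype, data = dsb_secrets(body, bo)
            if stype == TLS_KEYLOG_SECRETS:
                secrets.append(data)
        elif btype == EPB_BLOCK_TYPE and not secrets:
            early_packets += 1
    return merge_tls_keylogs(secrets), early_packets
```

A non-zero second result from one_pass_scan is exactly the case where a consumer would need the two-pass scan Peter mentions for the "no requirement" placement.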

Re: [Wireshark-dev] New linker warnings compiling Wireshark on Windows

2018-10-04 Thread Guy Harris
On Oct 4, 2018, at 11:19 AM, Guy Harris wrote:

> doesn't help, and there doesn't appear to *be* any documentation for the 
> alleged "CMAKE_C_FLAGS_*" flags.

What they meant was "CMAKE__FLAGS_* flags".

And I've filed a bug against CMake complaining about the opacity of the 
documentation.

Re: [Wireshark-dev] New linker warnings compiling Wireshark on Windows

2018-10-04 Thread Guy Harris
If anybody in the audience knows how CMake determines the flags to be used when 
linking a particular executable target, based on:

the setting of CMAKE_EXE_LINKER_FLAGS;

the setting of CMAKE_EXE_LINKER_FLAGS_ for the configuration 
being built;

the LINK_FLAGS property of the target being built;

any *other* variables and properties that affect the linker flags;

it would be appreciated if they'd let us know *and* convince the CMake people 
to document this in some fairly obvious place; the documentation for 
CMAKE_EXE_LINKER_FLAGS:

https://cmake.org/cmake/help/v3.12/variable/CMAKE_EXE_LINKER_FLAGS.html

"Linker flags to be used to create executables.

These flags will be used by the linker when creating an executable."

CMAKE_EXE_LINKER_FLAGS_:


https://cmake.org/cmake/help/v3.12/variable/CMAKE_EXE_LINKER_FLAGS_CONFIG.html

"Flags to be used when linking an executable.

Same as CMAKE_C_FLAGS_* but used by the linker when creating 
executables."

LINK_FLAGS:

https://cmake.org/cmake/help/v3.12/prop_tgt/LINK_FLAGS.html

"Additional flags to use when linking this target.

The LINK_FLAGS property can be used to add extra flags to the link step 
of a target.  LINK_FLAGS_ will add to the configuration , for 
example, DEBUG, RELEASE, MINSIZEREL, RELWITHDEBINFO, …"

LINK_FLAGS_:

https://cmake.org/cmake/help/v3.12/prop_tgt/LINK_FLAGS_CONFIG.html

"Per-configuration linker flags for a target.

This is the configuration-specific version of LINK_FLAGS."

doesn't help, and there doesn't appear to *be* any documentation for the 
alleged "CMAKE_C_FLAGS_*" flags.

Until then, I'll just go back to doing things the old way, even if that's not 
how you're supposed to set link flags that are to be used with all executables.

(And then explain the behaviors of linker flags for *other* types of targets, 
if they're similar, *mutatis mutandis*.)

Re: [Wireshark-dev] New linker warnings compiling Wireshark on Windows

2018-10-04 Thread Graham Bloice
See change 30004: https://code.wireshark.org/review/#/c/30004/

On Thu, 4 Oct 2018 at 18:20, Maynard, Chris wrote:

> With master, I’m seeing 16 new linker warnings of the form, “LINK :
> warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' specification”.
>
> It seems the buildbot is seeing them too.  From
> https://buildbot.wireshark.org/wireshark-master/builders/Windows%20Server%202016%20x64/builds/3776/steps/compile_1/logs/warnings%20%2816%29:
>
>
> - Chris

-- 
Graham Bloice

Re: [Wireshark-dev] Windows dumpcap -i TCP@

2018-10-04 Thread James Ko
Thanks.  I've been a bit confused myself from a concussion.

Any chance I can push for this fix to be reviewed and backported in time for 
the scheduled October 10 release of 2.6.4?

James



From: Wireshark-dev on behalf of Graham Bloice
Sent: Wednesday, October 3, 2018 11:03
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Windows dumpcap -i TCP@



On Wed, 3 Oct 2018 at 18:58, James Ko <ko_2...@hotmail.com> wrote:
Can I petition for this as a fix rather than a feature since the -i TCP@ works 
in the Linux builds but not in Windows?

James


Sure, as I replied, I was a bit too hasty (it's been a long day) and confused 
this change with another, to me it seems to be fix suitable for backport.


From: Wireshark-dev <wireshark-dev-boun...@wireshark.org> on behalf of Graham Bloice <graham.blo...@trihedral.com>
Sent: Wednesday, October 3, 2018 10:38
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Windows dumpcap -i TCP@

Ignore my last, I was confusing the change with another.  The Release policy 
still applies though.
On Wed, 3 Oct 2018 at 18:36, Graham Bloice <graham.blo...@trihedral.com> wrote:


On Wed, 3 Oct 2018 at 18:31, James Ko <ko_2...@hotmail.com> wrote:
Just to follow up.  I created bug #15149 and submitted a fix for review 29894 based on master.

Do I need to create a separate patch if I need this included in the next 2.6.x 
release?


Arguably this is a feature and so would not be a candidate for backport to 2.6. 
 See the Release Policy wiki page: 
https://wiki.wireshark.org/Development/ReleasePolicy

Core devs handle the backport if there is one.

James


From: James Ko <jim.l...@hotmail.com>
Sent: Wednesday, September 19, 2018 00:42
To: Developer support list for Wireshark
Subject: Re: Windows dumpcap -i TCP@

Actually wireshark is not running on the Linux side and this is not using rpcap.

I am using the TCP@ sockets stream support built in to dumpcap rather than 
extcap or rpcap.

On the linux side I have a TCP server which generates PCAPNG data with SHB and 
IDB sent to any client connecting followed by EPBs.

I have wireshark/dumpcap 2.6.2 on Windows and Linux (Ubuntu 18.04) clients.


James



From: Anders Broman
Sent: Tuesday, September 18, 00:27
Subject: Re: [Wireshark-dev] Windows dumpcap -i TCP@
To: Developer support list for Wireshark


What version of Wireshark and what Linux version on the remote side? I think 
some work has been done on rpcap recently so trying out the development version
is an option. https://www.wireshark.org/download/automated/win64/
Regards
Anders

From: Wireshark-dev <wireshark-dev-boun...@wireshark.org> On Behalf Of James Ko
Sent: den 18 september 2018 02:22
To: wireshark-dev@wireshark.org
Subject: [Wireshark-dev] Windows dumpcap -i TCP@

Hi,

I am trying to connect to a remote PCAPNG stream from Windows using the TCP@ 
socket interface but the connection closes immediately after connecting.  The 
same dumpcap command on linux works just fine to the remote TCP socket.

No errors indicating any failure are printed from dumpcap.exe
C:\>"\Program Files\Wireshark\dumpcap.exe" -i 
TCP@192.168.1.100 -w -
Capturing on 'TCP@192.168.1.100'
dumcap:

C:\>

On the remote end running in linux I see a connect and disconnect with EPOLLHUP 
event.

Has anyone else tried or have remote TCP socket connections working with 
dumpcap in Windows?

James

--
Graham Bloice

[Wireshark-dev] New linker warnings compiling Wireshark on Windows

2018-10-04 Thread Maynard, Chris
With master, I'm seeing 16 new linker warnings of the form, "LINK : warning 
LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' specification".

It seems the buildbot is seeing them too.  From 
https://buildbot.wireshark.org/wireshark-master/builders/Windows%20Server%202016%20x64/builds/3776/steps/compile_1/logs/warnings%20%2816%29:

74>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\tools\lemon\lemon.vcxproj]
76>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\mmdbresolve.vcxproj]
91>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\idl2wrs.vcxproj]
93>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\text2pcap.vcxproj]
89>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\dumpcap.vcxproj]
97>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\captype.vcxproj]
98>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\capinfos.vcxproj]
   104>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\editcap.vcxproj]
   100>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\reordercap.vcxproj]
   103>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\mergecap.vcxproj]
   101>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\randpkt.vcxproj]
   108>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\dftest.vcxproj]
   115>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\tshark.vcxproj]
   119>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\rawshark.vcxproj]
   118>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\sharkd.vcxproj]
   122>LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
specification 
[C:\buildbot\wireshark\wireshark-master-64\windows-2016-x64\build\cmbuild\wireshark.vcxproj]

- Chris

[Wireshark-dev] Merging two pcap files from GUI broken?

2018-10-04 Thread Anders Broman
Hi,
Merging two pcap files from the GUI broken? When trying I get "Wireshark can't save 
this capture in that format."
Regards
Anders