What Guy said.
On Fri, Oct 5, 2018 at 4:11 PM Guy Harris <g...@alum.mit.edu> wrote:
>
> On Sep 30, 2018, at 10:47 AM, Peter Wu <pe...@lekensteyn.nl> wrote:
>
> > Requirements for block placement:
> > - No requirement. Producers are allowed to write the block anywhere.
> >  Disadvantages for consumers: requires a two-pass scan to collect
> >  secrets before they are used.
> > - Place secrets before the packet blocks that require them. Consumers
> >  can read and decrypt in one pass. Disadvantage: producers cannot
> >  always guarantee availability of secrets while writing the capture.
> > - Place a single secret block before the first packet block. Consumers
> >  can read and decrypt in one pass. Disadvantage: requires producers to
> >  post-process (rewrite) the capture file to insert secrets.
>
> The third of those appears to be a special case of the second of those.  I 
> don't see any need to require the secrets to be before the *first* packet 
> block if the first packet block doesn't require the secret; presumably 
> "before the packet blocks that require them" just means "*somewhere* before 
> the packet blocks that require them", which is *allowed* to be "before all 
> packet blocks in the file" but not *required* to be "before all packet blocks 
> in the file".
>
> If the secret isn't available by the time the first packet requiring the 
> secret for decryption is ready to be written to the capture, *somebody* will 
> have to do some form of two-pass processing.
>
> The first option says the consumer must do so; that's inconvenient for a 
> consumer doing one-pass processing (tcpdump, TShark without the -2 option), 
> and isn't even really good for at least some consumers doing two-pass 
> processing (Wireshark, TShark with the -2 option), because dissection is done 
> on the first pass.
>
> The second and third option require either the producer, or some 
> post-processor, to write a new version of the file putting the secrets before 
> the packets that require them.  The producer isn't necessarily responsible 
> for doing so; one might have tcpdump, or dumpcap (or some program using 
> dumpcap, such as TShark or Wireshark) write out a capture with no secrets, 
> and then have another program (a utility, or Wireshark after having read in 
> the file and then given the secret in question) write out a new file with the 
> secrets early enough in the file ("before all the packet blocks" is probably 
> the simplest implementation).
>
> A producer that *does* happen to have the secret available before seeing any 
> packets that require the secret *could* write it directly.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
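The post-processing route described in the quoted message (a utility rewrites the capture so the secrets sit before all the packet blocks), as an added example that is not part of the original thread or Wireshark's code. The function names are hypothetical, the block type codes are those of the published pcapng specification rather than values given in this thread, and a single-section file is assumed.

```python
import struct

SHB, IDB, EPB, DSB = 0x0A0D0D0A, 0x1, 0x6, 0xA   # pcapng block type codes
PACKET_TYPES = {EPB, 0x3, 0x2}                   # EPB, Simple Packet, obsolete Packet

def iter_blocks(data):
    """Yield (type, raw bytes) for each block of a single-section capture."""
    end = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}.get(data[8:12])
    if data[:4] != b"\x0a\x0d\x0d\x0a" or end is None:   # SHB type + byte-order magic
        raise ValueError("not a pcapng section header")
    off = 0
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError("truncated block at offset %d" % off)
        btype, total = struct.unpack_from(end + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data) or (off and btype == SHB):
            raise ValueError("bad length or extra section at offset %d" % off)
        yield btype, data[off:off + total]
        off += total

def hoist_secrets(data):
    """The post-processor's second pass: move every DSB before the first packet block."""
    head, secrets, tail = [], [], []
    for btype, raw in iter_blocks(data):
        if btype == DSB:
            secrets.append(raw)
        else:
            (tail if tail or btype in PACKET_TYPES else head).append(raw)
    return b"".join(head + secrets + tail)

def secrets_before_all_packets(data):
    """Sufficient (not necessary) layout for a one-pass reader to decrypt."""
    types = [t for t, _ in iter_blocks(data)]
    first_pkt = next((i for i, t in enumerate(types) if t in PACKET_TYPES), len(types))
    return DSB not in types[first_pkt:]

def block(btype, body):   # build one little-endian block (constructed sample data only)
    body += b"\0" * (-len(body) % 4)
    total = struct.pack("<I", len(body) + 12)
    return struct.pack("<I", btype) + total + body + total

def sample_capture():
    """Constructed capture whose secret arrives last: SHB IDB EPB EPB DSB."""
    shb = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = block(IDB, struct.pack("<HHI", 1, 0, 65535))
    epb = block(EPB, struct.pack("<IIIII", 0, 0, 0, 4, 4) + b"\xde\xad\xbe\xef")
    dsb = block(DSB, struct.pack("<II", 0x544C534B, 8) + b"CONSTRCT")  # placeholder secret
    return shb + idb + epb + epb + dsb
```

The check only tests the "before all packet blocks" layout; a file can fail it and still satisfy the looser "somewhere before the packet blocks that require them" rule, which cannot be verified without dissecting the packets.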