Wireshark-dev: Re: [Wireshark-dev] [pcap-ng-format] Proposal for storing decryption secrets in

From: Jasper Bongertz <jasper@xxxxxxxxxxxxxx>
Date: Mon, 1 Oct 2018 17:37:24 +0200
Michael Richardson wrote:
> Peter Wu <peter@xxxxxxxxxxxxx> wrote:
>     > Requirements for block placement:
>     > - No requirement. Producers are allowed to write the block anywhere.
>     > Disadvantages for consumers: requires a two-pass scan to collect
>     > secrets before they are used.

> I prefer this, but I would support having a flag in the block that says that no other blocks exist in the file until at least X-bytes.
> So, a producer (or something downstream of it), could scan for the blocks, move them to the front, and indicate how far into the file it covers. Naturally, if X >= file size, then the work is done.

I agree that this would be nice but I see technical difficulties with this. When
writing a block you have to assume that you don't know what's going to be
written next, so you don't know how far it is to the next block. pcap-ng files
are usually written by the producer as a stream of blocks, so you can't go back
to update a previous block when you write the next one.

Also, moving blocks around while writing a live capture is not an option when
it comes to heavy loads. Or did I misunderstand your idea?
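
The consumer-side trade-off discussed in this thread, as an added example that is not part of the original message or of any Wireshark code: a streaming reader meets packets before a late-placed secrets block, while a two-pass reader collects the secrets first. Assumptions: little-endian sections only, simplified block bodies, and the secrets block type `0x0000000A` (the value in the later pcapng specification, not stated in this thread).

```python
import struct

SHB = 0x0A0D0D0A   # Section Header Block
EPB = 0x00000006   # Enhanced Packet Block
DSB = 0x0000000A   # assumed secrets block type (from the later pcapng spec)

def make_block(block_type, body):
    """Build a block: type, total length, 4-byte padded body, total length again."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def iter_blocks(data):
    """Yield (type, body) per block, checking both length fields before trusting them."""
    off = 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated block header")
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length at offset %d" % off)
        (trailer,) = struct.unpack_from("<I", data, off + total - 4)
        if trailer != total:
            raise ValueError("length mismatch at offset %d" % off)
        yield btype, data[off + 8: off + total - 4]
        off += total

def one_pass(data):
    """Streaming consumer: count packets read before any secrets block was seen."""
    have_secrets, undecryptable = False, 0
    for btype, _ in iter_blocks(data):
        if btype == DSB:
            have_secrets = True
        elif btype == EPB and not have_secrets:
            undecryptable += 1
    return undecryptable

def two_pass(data):
    """First pass collects every secrets block; second pass handles the packets."""
    secrets = [body for btype, body in iter_blocks(data) if btype == DSB]
    packets = [body for btype, body in iter_blocks(data) if btype == EPB]
    return secrets, packets

# Constructed sample: the secrets block is written after two packets, as a
# live-capture producer might do once the key material becomes available.
SAMPLE = (make_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
          + make_block(EPB, b"PKT1") + make_block(EPB, b"PKT2")
          + make_block(DSB, b"SECRET-1") + make_block(EPB, b"PKT3"))
```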