PcapNg Decryption Secrets block

PcapNg is a new file format for storing captured packets. The Decryption Secrets Block is one of its most interesting features.

The Decryption Secrets Block allows Wireshark and similar tools to decrypt TLS traffic without a key log file or RSA keys having to be specified separately. The block is effectively a key log file embedded in the pcapng file. Details can be read in the pcapng format document: https://github.com/pcapng/pcapng

To support the feature in my Android application, I developed a simple lib for writing pcapng blocks that has only 4 functions. The lib can be found here: https://github.com/egorovandreyrm/pcapng_dsb
An example of using the lib is included in the repository.

The API of the lib looks like this:

size_t write_section_header_block(uint8_t *out_buffer, size_t out_buffer_len);

size_t write_network_interfaces_description_block(
    uint32_t snapshot_max_len, uint8_t *out_buffer, size_t out_buffer_len);

size_t write_enhanced_packet_block(
    const uint8_t *packet,
    const size_t packet_len,
    uint8_t *out_buffer,
    size_t out_buffer_len);

size_t write_decryption_secrets_block(
    const uint8_t *tls_key_log,
    const size_t tls_key_log_len,
    uint8_t *out_buffer,
    size_t out_buffer_len);

If out_buffer is NULL, the functions write nothing and only return the size that out_buffer is required to have.
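To show what "a key log file embedded in a pcapng file" means on disk, here is an added example (not code from the pcapng_dsb library) that serializes a Decryption Secrets Block following the layout in the pcapng format document and the same NULL-buffer sizing convention. The name example_write_dsb, the little-endian section assumption and the sample key log text are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DSB_BLOCK_TYPE  0x0000000Au /* Decryption Secrets Block */
#define DSB_SECRETS_TLS 0x544C534Bu /* secrets type "TLSK": TLS key log */
#define DSB_FIXED_LEN   20u         /* five 32-bit fields around the data */

/* Store a 32-bit value little-endian, independent of host byte order. */
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Hypothetical helper: returns the block size, or 0 on error.
 * Assumes the section header block was written little-endian. */
size_t example_write_dsb(const uint8_t *key_log, size_t key_log_len,
                         uint8_t *out, size_t out_len) {
    if (key_log_len > UINT32_MAX - DSB_FIXED_LEN - 3u)
        return 0;                               /* total must fit in 32 bits */
    size_t padded = (key_log_len + 3u) & ~(size_t)3u; /* pad to 32 bits */
    size_t total = DSB_FIXED_LEN + padded;
    if (out == NULL)
        return total;                           /* sizing call, nothing written */
    if (key_log == NULL || out_len < total)
        return 0;                               /* never write past out_len */
    put_le32(out, DSB_BLOCK_TYPE);
    put_le32(out + 4, (uint32_t)total);         /* block total length */
    put_le32(out + 8, DSB_SECRETS_TLS);
    put_le32(out + 12, (uint32_t)key_log_len);  /* unpadded secrets length */
    memcpy(out + 16, key_log, key_log_len);
    memset(out + 16 + key_log_len, 0, padded - key_log_len);
    put_le32(out + 16 + padded, (uint32_t)total); /* trailing total length */
    return total;
}

int main(void) {
    /* Constructed placeholder text, not a real key log line. */
    static const char log[] = "CLIENT_RANDOM aa bbb\n";
    uint8_t buf[64];
    size_t need = example_write_dsb((const uint8_t *)log, strlen(log), NULL, 0);
    size_t got = example_write_dsb((const uint8_t *)log, strlen(log), buf, sizeof buf);
    printf("need=%zu wrote=%zu\n", need, got);
    return got == need ? 0 : 1;
}
```

Because the block carries the session secrets in clear text, a capture file that contains it needs the same handling as the key log file itself.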

The Decryption Secrets Block has to be written before any packet blocks that require the secrets.

A typical usage would be:

write_section_header_block(); // every pcap file needs this block
write_network_interfaces_description_block(); // every pcap file needs this block

write_enhanced_packet_block(); // SYN
write_enhanced_packet_block(); // SYN-ACK
write_enhanced_packet_block(); // ACK
write_enhanced_packet_block(); // Client Hello
write_enhanced_packet_block(); // ACK
write_enhanced_packet_block(); // Server Hello
write_enhanced_packet_block(); // ACK

write_decryption_secrets_block(); // TLS key log file

// any packets that are written after the Decryption Secrets Block can be decrypted
