I have nothing against a text keylog file approach, but FWIW with ESP UAT (or the run-time function I mentioned), you can configure the key in hex prefixed with 0x.
Martin On Thu, Aug 19, 2021 at 6:37 PM Nicolás Alvarez <nicolas.alva...@gmail.com> wrote: > El jue, 19 de ago. de 2021 a la(s) 08:30, Harald Welte > (lafo...@gnumonks.org) escribió: > > > > Sorry if this has been covered before, but I could only find several > > locations online where the question has been asked, but no response > anywhere: > > > > Is there already a mechanism by which a running wireshark can be > triggered to > > re-load UAT tables at runtime, in my specific use case those for IKEv2 > and ESP SA? > > > > I tried to grep for uat_load in the source but couldn't find any specific > > externally-triggered place other than doing a manual change and then > pressing > > the cancel button, which will do a uat_load(). > > > > I guess it should be relatively simple to add at least something like a > SIGHUP > > or SIGUSR1 handler which would trigger the reload of the tables? The > proper/fancy > > approach on Linux would of course be to use inotify/dnotfiy to get a > notification > > from the kernel whenever some external program has updated those tables. > > > > The use case, in case it's not obvious, is to use an IPsec > implementation that > > has been instrumented to update those tables automatically "in > real-time" as new > > IKE handshakes or SAs are established. This is alerady possible e.g. > from strongswan > > with a related plugin. > > > > Saving a pcap and opening it later on is of course always possible, but > it seems > > rather clumsy to me, if there's no good reason against the good old > "signal to re-read > > config files" approach. > > The TLS dissector uses a text file with the keys, and I never had to > worry about manually reloading it. Apparently the way it works is that > every time a TLS packet is dissected, it checks again if there's new > lines in the file since the previous read. I'm not sure if it works if > a packet with decryptable data is captured before the corresponding > key appears in the text file though. > > Isn't a main advantage of UATs that you get a GUI to edit it? How > common is it to use IPsec with pre-shared keys? If nowadays "everyone" > uses ephemeral randomly-generated keys, maybe using the GUI to > configure IKE/ESP keys is too cumbersome anyway, and the IPsec > dissector could use a text keylog file like the TLS and SSH dissectors > do instead of a UAT. > > If there is a good reason to use UATs for this kind of encryption > keys, I'd wonder why the TLS and SSH dissectors don't use them ;) > > (By the way, last time I tried this stuff, the ESP UAT expected me to > enter the raw key, not encoded in hex or anything, which doesn't work > if the key doesn't use printable ASCII characters, because it was > randomly generated and negotiated with IKE :/ ) > > -- > Nicolás > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> > Archives: https://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-requ...@wireshark.org > ?subject=unsubscribe >
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe