IETF-OPSAWG-WG / draft-ietf-opsawg-pcap

PCAP next generation file format specification

Add DSB type for WireGuard (0x57474b4c) #62

Closed Lekensteyn closed 4 years ago

Lekensteyn commented 5 years ago

This permits WireGuard handshake keys to be embedded in a packet capture file to enable decryption in Wireshark. This makes it easier to share decipherable capture files for educational or debugging purposes.

Implements the functionality requested by https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15571

The identifier 0x57474b4c ("WGKL") was arbitrarily chosen. CRLF support might not be necessary, but is mentioned just in case such key log text files are processed on Windows.

CC @zx2c4
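The embedding described in this comment, as an added Python example that is not part of the PR, the pcapng draft, Wireshark or the WireGuard project: it serialises a WireGuard key log, validates it against the rules the draft text later in this thread states (one of the four key types per line, LF or CRLF line endings, every line terminated, a PRESHARED_KEY line tied to a preceding LOCAL_EPHEMERAL_PRIVATE_KEY line), wraps it in a pcapng Decryption Secrets Block with secrets type 0x57474b4c, and parses the resulting file back. Assumed beyond what the thread states: the SHB and DSB block layouts from the pcapng draft (block types 0x0A0D0D0A and 0x0000000A) and the `KEY_TYPE = <base64 32-byte key>` line syntax used by the Wireshark key log; the sample keys are constructed byte patterns, not real WireGuard keys.

```python
"""Embed a WireGuard key log in a pcapng Decryption Secrets Block and read it back.
Added example, not code from the pcapng draft, Wireshark or WireGuard. Assumed:
the pcapng SHB/DSB layouts and the line syntax "KEY_TYPE = <base64 32-byte key>".
"""
import base64
import struct

SHB_BLOCK_TYPE = 0x0A0D0D0A
BYTE_ORDER_MAGIC = 0x1A2B3C4D
DSB_BLOCK_TYPE = 0x0000000A
WGKL_SECRETS_TYPE = 0x57474B4C  # "WGKL", the identifier proposed in this PR
KEY_TYPES = ("LOCAL_STATIC_PRIVATE_KEY", "REMOTE_STATIC_PUBLIC_KEY",
             "LOCAL_EPHEMERAL_PRIVATE_KEY", "PRESHARED_KEY")
# Constructed placeholder keys (repeated byte patterns), not real WireGuard keys.
SAMPLE_ENTRIES = [(t, bytes([i]) * 32) for i, t in enumerate(KEY_TYPES, 1)]


def make_key_log(entries, newline="\n"):
    """Serialize [(key_type, 32-byte key)] as key log text with the given line ending."""
    return "".join(f"{t} = {base64.b64encode(k).decode()}{newline}" for t, k in entries)


def parse_key_log(text):
    """Validate a key log (LF or CRLF) and return [(key_type, 32-byte key)].

    Rules taken from the draft text: every line is terminated, the key type is
    one of KEY_TYPES, and a PRESHARED_KEY line belongs to the session of an
    earlier LOCAL_EPHEMERAL_PRIVATE_KEY line.
    """
    if text and not text.endswith("\n"):  # true for both "\n" and "\r\n"
        raise ValueError("last key log line is not terminated")
    entries, have_ephemeral = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key_type, sep, value = (s.strip() for s in line.partition("="))
        if not sep or key_type not in KEY_TYPES:
            raise ValueError(f"line {lineno}: unknown key type {key_type!r}")
        try:
            key = base64.b64decode(value, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(f"line {lineno}: bad base64") from exc
        if len(key) != 32:
            raise ValueError(f"line {lineno}: key is {len(key)} bytes, expected 32")
        if key_type == "LOCAL_EPHEMERAL_PRIVATE_KEY":
            have_ephemeral = True
        elif key_type == "PRESHARED_KEY" and not have_ephemeral:
            raise ValueError(f"line {lineno}: PRESHARED_KEY before any "
                             "LOCAL_EPHEMERAL_PRIVATE_KEY")
        entries.append((key_type, key))
    return entries


def _block(block_type, body):
    """Frame a pcapng block: type, total length, 32-bit padded body, total length."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def build_shb():
    """Section Header Block: byte-order magic, version 1.0, section length unknown."""
    return _block(SHB_BLOCK_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def build_dsb(secrets_type, secrets):
    """Decryption Secrets Block: secrets type, secrets length, secrets data."""
    return _block(DSB_BLOCK_TYPE, struct.pack("<II", secrets_type, len(secrets)) + secrets)


def extract_dsb_secrets(data):
    """Walk a single-section pcapng file; return [(secrets_type, secrets)] per DSB."""
    if len(data) < 28 or data[:4] != struct.pack("<I", SHB_BLOCK_TYPE):
        raise ValueError("file does not start with a Section Header Block")
    # The SHB byte-order magic fixes the endianness of every block in the section.
    end = "<" if struct.unpack("<I", data[8:12])[0] == BYTE_ORDER_MAGIC else ">"
    found, off = [], 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack(end + "II", data[off:off + 8])
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        if struct.unpack(end + "I", data[off + blen - 4:off + blen])[0] != blen:
            raise ValueError(f"trailing block length mismatch at offset {off}")
        if btype == DSB_BLOCK_TYPE:
            stype, slen = struct.unpack(end + "II", data[off + 8:off + 16])
            if 16 + slen > blen - 4:
                raise ValueError(f"secrets length {slen} overruns block at offset {off}")
            found.append((stype, data[off + 16:off + 16 + slen]))
        off += blen
    return found


def roundtrip(entries, newline="\n"):
    """Embed the key log for `entries` in SHB + DSB, parse the file, return what was read."""
    log = make_key_log(entries, newline)
    parse_key_log(log)  # refuse to ship a malformed key log
    pcapng = build_shb() + build_dsb(WGKL_SECRETS_TYPE, log.encode())
    secrets = [d for t, d in extract_dsb_secrets(pcapng) if t == WGKL_SECRETS_TYPE]
    return parse_key_log(secrets[0].decode())
```

`roundtrip(SAMPLE_ENTRIES, "\r\n")` exercises the CRLF case raised in this comment and returns the same entries that went in; `parse_key_log` rejects an unterminated final line or a PRESHARED_KEY line with no LOCAL_EPHEMERAL_PRIVATE_KEY before it, so a dissector built on it cannot be fed a key it has no session for. Multi-section files that switch byte order mid-file are out of scope here.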

Lekensteyn commented 5 years ago

I copied the key log file format to the Wireshark wiki: https://wiki.wireshark.org/WireGuard#Key_Log_Format

Would you prefer the text to be shortened to a link or is this acceptable?

guyharris commented 5 years ago

You might want to briefly indicate what WireGuard is, linking to the WireGuard home page.

guyharris commented 5 years ago

> CRLF support might not be necessary, but is mentioned just in case such key log text files are processed on Windows.

According to their home page, "Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android)...", so I wouldn't rule out the files ending with CR-LF.

guyharris commented 5 years ago

> I copied the key log file format to the Wireshark wiki: https://wiki.wireshark.org/WireGuard#Key_Log_Format
>
> Would you prefer the text to be shortened to a link or is this acceptable?

It should be inline, not linked to, in the pcapng spec, as pcapng isn't tied to Wireshark. The Wireshark Wiki could eventually point back here.

Lekensteyn commented 5 years ago

> It should be inline, not linked to, in the pcapng spec, as pcapng isn't tied to Wireshark.

Sounds good to me if you are okay with this slightly larger paragraph.

I just needed a stable link to place authoritative information. The TLS Key Log file format for example has a well-known place on the Mozilla wiki; it was originally created for use in Wireshark by Adam Langley (https://bugzilla.mozilla.org/show_bug.cgi?id=536474). The extract-handshakes README contains an example (self-explanatory) output, but I am not sure how stable the link will be over time. Which is why I wrote down the requirements in the pcapng spec. (And copied it later to the Wireshark wiki.)

> According to their home page, "Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android)...", so I wouldn't rule out the files ending with CR-LF.

There are implementations for other platforms, but these do not dump the keys. The extract-handshakes utility uses the Linux-specific kprobes method to extract keys from a running Linux system. The only way that CRLF can appear is due to someone copying the text file from a Linux to a Windows system, or if similar support is implemented in wireguard-go.

> You might want to briefly indicate what WireGuard is, linking to the WireGuard home page.

I assume that those implementing support for this will know... :) Nevertheless, good point about linking to the project, force-pushing with this diff:

--- a/draft-tuexen-opsawg-pcapng.xml
+++ b/draft-tuexen-opsawg-pcapng.xml
@@ -2050,7 +2050,9 @@ Section Header
             The key type is one of LOCAL_STATIC_PRIVATE_KEY,
             REMOTE_STATIC_PUBLIC_KEY, LOCAL_EPHEMERAL_PRIVATE_KEY,
             or PRESHARED_KEY. This matches the output of <eref
-                target="https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes/README">extract-handshakes.sh</eref>.
+                target="https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes/README">extract-handshakes.sh</eref>
+            which is part of the <eref
+                target="https://www.wireguard.com/">WireGuard</eref> project.
             A PRESHARED_KEY line is linked to a session matched by a previous
             LOCAL_EPHEMERAL_PRIVATE_KEY line.
             Every line MUST be properly terminated with
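Review bot: the added sentence still makes the git.zx2c4.com README the only place that defines what each key type means, and this thread already notes that link may not stay stable; since the spec is meant to be the authoritative home for the format, state inline what each of LOCAL_STATIC_PRIVATE_KEY, REMOTE_STATIC_PUBLIC_KEY, LOCAL_EPHEMERAL_PRIVATE_KEY and PRESHARED_KEY carries and keep the eref to extract-handshakes.sh as an informative pointer only. The retained context line "A PRESHARED_KEY line is linked to a session matched by a previous LOCAL_EPHEMERAL_PRIVATE_KEY line" also implies an ordering requirement without stating it normatively; since the following line already uses MUST, say explicitly that a PRESHARED_KEY line MUST be preceded by the LOCAL_EPHEMERAL_PRIVATE_KEY line of its session, so that a reader can reject or ignore an orphaned PRESHARED_KEY line rather than guess.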

packetfoo commented 5 years ago

Looks good to me

Lekensteyn commented 5 years ago

@guyharris Are you also happy with the changes? If so, could it be merged?

Lekensteyn commented 5 years ago

Ping, the Wireshark patch has already been merged.

Lekensteyn commented 5 years ago

Ping could this be merged?

Lekensteyn commented 4 years ago

@packetfoo @guyharris @geraldcombs Could any of you merge this change?