Editcap is unable to work on files with injected secrets
Summary
After injecting secrets into a pcapng file with editcap --inject-secrets, the resulting file is not able to be used by editcap.
Steps to reproduce
- Inject secrets into a pcapng file:
editcap --inject-secrets tls,keylog http.pcapng http-with-secrets.pcapng
- Try to discard those secrets and write a new file:
❯ editcap --discard-all-secrets http-with-secrets.pcapng http-discarded-secrets.pcapng
editcap: The capture file being read can't be written as a "pcapng" file.
- Try any editcap function, like splitting into multiple files:
editcap -c 10 http-with-secrets.pcapng split.pcapng
editcap: The capture file being read can't be written as a "pcapng" file.
What is the current bug behavior?
Editcap reports "The capture file being read can't be written as a "pcapng" file." and does not produce a new file.
What is the expected correct behavior?
A new file should be written out to disk with the requested transformation.
Workaround
In tracing the error message, I discovered that if you specify the encapsulation, then editcap is able to write the file. Note that this is the same encapsulation that the file is already using. It appears not to be detected by editcap.
❯ editcap --discard-all-secrets -T ether http-with-secrets.pcapng http-discarded-secrets.pcapng
(No error)
Additionally, this behavior had been exhibited by TShark 3.6.9 when trying to use a combination of -r <infile> -w <outfile> to filter a capture file with injected secrets. Same error message; however, when retested in 4.0.1, it works now.
Relevant logs and/or screenshots
Log-Level=Debug
❯ editcap --discard-all-secrets --log-level debug http-with-secrets.pcapng http-discarded-secrets.pcapng
** (editcap:2615) 09:56:27.982371 [(none) DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wsutil/filesystem.c:303 -- set_configuration_namespace(): Using configuration namespace Wireshark.
** (editcap:2615) 09:56:27.987612 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3352 -- pcapng_open(): opening file
** (editcap:2615) 09:56:27.987644 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3391 -- pcapng_open(): got an SHB
** (editcap:2615) 09:56:27.987654 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:1115 -- pcapng_read_section_header_block(): SHB (our byte order) V1.0, len 88
** (editcap:2615) 09:56:27.987684 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:903 -- pcapng_process_options(): Options 60 bytes
** (editcap:2615) 09:56:27.987718 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3531 -- pcapng_open(): Check for more IDBs, block_type 0x0000000a
** (editcap:2615) 09:56:27.987754 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3579 -- pcapng_read(): data_offset is 88
** (editcap:2615) 09:56:27.987774 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3210 -- pcapng_read_block(): block_type 0x0000000a
** (editcap:2615) 09:56:27.987819 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3640 -- pcapng_read(): block type BLOCK_TYPE_DSB
** (editcap:2615) 09:56:27.987843 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3579 -- pcapng_read(): data_offset is 164
** (editcap:2615) 09:56:27.987865 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3210 -- pcapng_read_block(): block_type 0x00000001
** (editcap:2615) 09:56:27.987921 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:1473 -- pcapng_read_if_descr_block(): IDB link_type 1 (Ethernet), snap 65535
** (editcap:2615) 09:56:27.987956 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:903 -- pcapng_process_options(): Options 0 bytes
** (editcap:2615) 09:56:27.987968 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3633 -- pcapng_read(): block type BLOCK_TYPE_IDB
** (editcap:2615) 09:56:27.987980 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3579 -- pcapng_read(): data_offset is 184
** (editcap:2615) 09:56:27.987990 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3210 -- pcapng_read_block(): block_type 0x00000006
** (editcap:2615) 09:56:27.988232 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:1855 -- pcapng_read_packet_block(): EPB on interface_id 0, cap_len 66, packet_len 66
** (editcap:2615) 09:56:27.988260 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:1932 -- pcapng_read_packet_block(): packet data: packet_len 66 captured_len 66 interface_id 0
** (editcap:2615) 09:56:27.988284 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:1958 -- pcapng_read_packet_block(): encapsulation = 1 (Ethernet), pseudo header size = 0.
** (editcap:2615) 09:56:27.988353 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:903 -- pcapng_process_options(): Options 0 bytes
** (editcap:2615) 09:56:27.988396 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3602 -- pcapng_read(): rec_type 0
** (editcap:2615) 09:56:27.988418 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3711 -- pcapng_read(): data_offset is finally 184
** (editcap:2615) 09:56:27.988485 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:6103 -- pcapng_dump_can_write_encap(): encap = 0 (Unknown)
editcap: The capture file being read can't be written as a "pcapng" file.
** (editcap:2615) 09:56:27.988559 [Wiretap DEBUG] /Users/buildslave/builds/UfJL1hoT/0/wireshark/wireshark/wiretap/pcapng.c:3802 -- pcapng_close(): closing file
Capinfos
❯ capinfos http.pcapng
File name: http.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 65
File size: 22 kB
Data size: 19 kB
Capture duration: 11.190161 seconds
First packet time: 2009-11-22 15:03:21.779434
Last packet time: 2009-11-22 15:03:32.969595
Data byte rate: 1,769 bytes/s
Data bit rate: 14 kbps
Average packet size: 304.63 bytes
Average packet rate: 5 packets/s
SHA256: c3b919d642f96b46f4b29aae981a7eabf260fb8d7e00b45ac3e37f8da7e28750
RIPEMD160: 01ad7981b62dbddd0d51357d0cbfda90c2e80707
SHA1: fbd3cb71cfa4f9bed812e1a0f6ee49233506e468
Strict time order: True
Capture application: TShark (Wireshark) 3.6.8 (Git commit ac26cea7279e)
Number of interfaces in file: 1
Interface #0 info:
Encapsulation = Ethernet (1 - ether)
Capture length = 65535
Time precision = microseconds (6)
Time ticks per second = 1000000
Number of stat entries = 0
Number of packets = 65
❯ capinfos http-with-secrets.pcapng
File name: http-with-secrets.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 65
File size: 22 kB
Data size: 19 kB
Capture duration: 11.190161 seconds
First packet time: 2009-11-22 15:03:21.779434
Last packet time: 2009-11-22 15:03:32.969595
Data byte rate: 1,769 bytes/s
Data bit rate: 14 kbps
Average packet size: 304.63 bytes
Average packet rate: 5 packets/s
SHA256: 535447a3140d4a28984099aa6abb097d55a4c54d19fb15d55e2621b41fa15451
RIPEMD160: 6f7b7dafef04738fc777d4b8e46df32ea4304d2d
SHA1: 133c326ba01d7f0afdeed2cf3dc65eca50e070ea
Strict time order: True
Capture application: TShark (Wireshark) 3.6.8 (Git commit ac26cea7279e)
Number of interfaces in file: 1
Interface #0 info:
Encapsulation = Ethernet (1 - ether)
Capture length = 65535
Time precision = microseconds (6)
Time ticks per second = 1000000
Number of stat entries = 0
Number of packets = 65
Number of decryption secrets in file: 1
❯ capinfos http-discarded-secrets.pcapng
File name: http-discarded-secrets.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 65
File size: 22 kB
Data size: 19 kB
Capture duration: 11.190161 seconds
First packet time: 2009-11-22 15:03:21.779434
Last packet time: 2009-11-22 15:03:32.969595
Data byte rate: 1,769 bytes/s
Data bit rate: 14 kbps
Average packet size: 304.63 bytes
Average packet rate: 5 packets/s
SHA256: c3b919d642f96b46f4b29aae981a7eabf260fb8d7e00b45ac3e37f8da7e28750
RIPEMD160: 01ad7981b62dbddd0d51357d0cbfda90c2e80707
SHA1: fbd3cb71cfa4f9bed812e1a0f6ee49233506e468
Strict time order: True
Capture application: TShark (Wireshark) 3.6.8 (Git commit ac26cea7279e)
Number of interfaces in file: 1
Interface #0 info:
Encapsulation = Ethernet (1 - ether)
Capture length = 65535
Time precision = microseconds (6)
Time ticks per second = 1000000
Number of stat entries = 0
Number of packets = 65
Build information
This is the official macOS build of 4.0.1
Editcap (Wireshark) 4.0.1 (v4.0.1-0-ge9f3970b1527).
Copyright 1998-2022 Gerald Combs <gerald@wireshark.org> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using Clang 11.0.0 (clang-1100.0.33.16), with GLib 2.68.4,
with PCRE2, with zlib 1.2.11, with binary plugins.
Running on Mac OS X 10.16, build 21G115 (Darwin 21.6.0), with Intel(R) Core(TM)
i7-7567U CPU @ 3.50GHz (with SSE4.2), with 16384 MB of physical memory, with
GLib 2.68.4, with PCRE2 10.39 2021-10-29, with zlib 1.2.11, with LC_TYPE=C,
binary plugins supported.
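The debug log in this report shows the injected Decryption Secrets Block (block_type 0x0000000a) being read before the Interface Description Block. The following is an added example, not part of the original report or of Wireshark's code: a small Python walker that lists the block order of a pcapng file, reports each DSB and whether it precedes the first IDB, and removes DSBs so key material is not shipped with a capture. It assumes a single-section file; `SAMPLE` and `KEYLOG` are constructed test data, and all function names are hypothetical.

```python
import struct

# Block type codes from the pcapng format; 0x0a, 0x01 and 0x06 appear in the debug log.
NAMES = {0x0A0D0D0A: "SHB", 0x00000001: "IDB", 0x00000006: "EPB", 0x0000000A: "DSB"}

def blocks(data):
    """Return (endian, [(block_type, raw_block_bytes), ...]) for a one-section file."""
    endian = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}.get(data[8:12])
    if data[:4] != b"\x0a\x0d\x0d\x0a" or endian is None:
        raise ValueError("no valid Section Header Block at offset 0")
    out, off = [], 0
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError(f"truncated block header at offset {off}")
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        if struct.unpack_from(endian + "I", data, off + blen - 4)[0] != blen:
            raise ValueError(f"length trailer mismatch at offset {off}")
        out.append((btype, data[off:off + blen]))
        off += blen
    return endian, out

def audit(data):
    """Block order plus, per DSB, (secrets type, secrets length, before first IDB?)."""
    endian, blks = blocks(data)
    order, secrets, seen_idb = [], [], False
    for btype, raw in blks:
        order.append(NAMES.get(btype, hex(btype)))
        seen_idb = seen_idb or btype == 0x00000001
        if btype == 0x0000000A and len(raw) >= 20:  # room for type + length fields
            stype, slen = struct.unpack_from(endian + "II", raw, 8)
            secrets.append((struct.pack(">I", stype).decode("ascii", "replace"), slen, not seen_idb))
    return order, secrets

def strip_secrets(data):
    """Copy of the file with every DSB removed; other blocks are kept byte for byte."""
    return b"".join(raw for btype, raw in blocks(data)[1] if btype != 0x0000000A)

def _block(btype, body):  # builds one little-endian block for the constructed sample
    total = len(body) + (-len(body) % 4) + 12
    return struct.pack("<II", btype, total) + body.ljust(total - 12, b"\0") + struct.pack("<I", total)

# Constructed sample in the order the debug log shows: SHB, DSB, IDB, EPB.
KEYLOG = b"CLIENT_RANDOM 00 00\n"  # placeholder text, not a real key
SAMPLE = (_block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
          + _block(0x0A, struct.pack("<II", 0x544C534B, len(KEYLOG)) + KEYLOG)
          + _block(0x01, struct.pack("<HHI", 1, 0, 65535))
          + _block(0x06, struct.pack("<IIIII", 0, 0, 0, 4, 4) + b"\0" * 4))
```

Calling `audit(open(path, "rb").read())` on a capture before it is shared shows whether it still carries a TLS key log; `strip_secrets` gives a DSB-free copy without going through editcap.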