path: root/docbook/wsug_src/wsug_customize.adoc
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-09-19 04:14:26 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-09-19 04:14:26 +0000
commit: c4e8a3222648fcf22ca207f1815ebbf7cd144eeb
tree: 93d5c6aa93d9987680dd1adad5685e2ad698f223 /docbook/wsug_src/wsug_customize.adoc
parent: Adding upstream version 4.2.6.
Adding upstream version 4.4.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- doc/wsug_src/wsug_customize.adoc (renamed from docbook/wsug_src/wsug_customize.adoc) 401
1 files changed, 325 insertions, 76 deletions
diff --git a/docbook/wsug_src/wsug_customize.adoc b/doc/wsug_src/wsug_customize.adoc
index 9ca4a473..21b95ef2 100644
--- a/docbook/wsug_src/wsug_customize.adoc
+++ b/doc/wsug_src/wsug_customize.adoc
@@ -273,6 +273,20 @@ _value_ is the value to which it should be set. Multiple instances of `-o
<preference settings> ` can be given on a single command line.
+
--
+
+[NOTE]
+.Preferences and Profiles
+====
+The preferences you specify on the command line will override any settings
+you have changed in any of your profiles; this includes when switching from
+one profile to another.
+
+If you change a setting using the Preferences dialog
+(see <<ChCustPreferencesSection>>) that you have also set on the command line,
+the command line option will then be ignored, and the setting will change
+as normal when you switch profiles.
+====
+
An example of setting a single preference would be:
----
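Review bot: The second paragraph of the new NOTE ("If you change a setting using the Preferences dialog ... the command line option will then be ignored") should say that only that one preference stops being pinned by the command line, not every `-o` option given; as written it can be read as all of them. The first paragraph's "this includes when switching from one profile to another" also reads awkwardly; suggest "and they continue to apply when you switch between profiles."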
@@ -287,8 +301,8 @@ wireshark -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627
You can get a list of all available preference strings from the
preferences file. See <<AppFiles>> for details.
-User access tables can be overridden using “uat,” followed by
-the UAT file name and a valid record for the file:
+<<ChUserTable,User Accessible Tables>> can be overridden using “uat,”
+followed by the UAT file name and a valid record for the file:
----
wireshark -o "uat:user_dlts:\"User 0 (DLT=147)\",\"http\",\"0\",\"\",\"0\",\"\""
@@ -514,7 +528,7 @@ image::images/ws-coloring-fields.png[{screenshot-attrs}]
[#ChCustProtocolDissectionSection]
-=== Control Protocol dissection
+=== Control Protocol Dissection
The user can control how protocols are dissected.
@@ -651,6 +665,7 @@ These window title strings can contain variables which will be replaced by their
The following variables are available.
+* %C = Capture comment from command line
* %F = File path of the capture file
* %P = Currently selected profile name
* %S = Conditional separator (dash) that only shows when surrounded by variables with values or static text
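Review bot: The new "%C = Capture comment from command line" entry should name the command line option that supplies the comment; the other variables are self-explanatory, but a reader has no way to find out where this one is set. "Capture comment given on the command line" would also read better.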
@@ -690,12 +705,12 @@ The _Field Occurrence_ setting is count of the given field in the frame, for fie
Selecting _Resolved_ causes name resolution to be applied to the field value, when available.
-==== Fonts and Color
+==== Font and Colors
These preferences give you the option to select the font and colors used in the various packet panes.
Most usable is to select a mono spaced font, which allows for a cleaner presentation, but using a proportional font is possible too.
-.Font and color preferences
+.Font and colors preferences
image::images/ws-pref-appearance-fonts-and-colors.png[{screenshot-attrs}]
==== Layout
@@ -706,7 +721,7 @@ These preferences allow you to define the layout of the GUI once a capture file
image::images/ws-pref-appearance-layout.png[{screenshot-attrs}]
Make sure that you have at least one pane configured to contain the Packet list.
-Three panes can be active at the same time and they can be layed out as shown in the top layer.
+Three panes can be active at the same time and they can be laid out as shown in the top layer.
The exact sizes of these panes can be changed as needed once a capture file is opened.
Selecting _Show packet list separator_ causes the packet list entries to be slightly set apart, which may improve readability at the cost of the amount of packets shown in the packet list.
@@ -756,6 +771,8 @@ The interface list can always be populated after Wireshark is started via menu:C
Selecting _Disable external capture interfaces_ prevents Wireshark from spawning extcap programs to list off their capture interfaces.
This might be a time consuming operation delaying the start of the program, however on most systems this is not an issue.
+[#ChCustPrefsExpertSection]
+
==== Expert Items
These preferences allow you to modify the severity set for expert items.
@@ -806,14 +823,17 @@ btn:[Copy from]:: Copy the list of user specified display filter buttons from an
The columns in the entries are as follows.
-Selecting _Show in toolbar_ causes the column to be shown in the toolbar besides the display filter text entry.
+Selecting _Show in toolbar_ causes the button to be shown in the toolbar besides the display filter text entry.
The _Button Label_ is the text shown on the button in the toolbar.
+The use of a double slash causes the button to create a dropdown list to allow grouping of multiple buttons, e.g. TCP//Syn and TCP//Res.
The _Filter Expression_ is the <<ChWorkBuildDisplayFilterSection,display filter expression>> entered into the display filter text entry when the button is clicked.
The _Comment_ is the comment text which appears in a bubble when the mouse hovers over the button.
+[#ChCustPrefsNameSection]
+
==== Name Resolution
These preferences allow you to configure which numeric identifiers in protocols are translated into human readable text.
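Review bot: "besides the display filter text entry" on the rewritten "Show in toolbar" line should be "beside" (next to); "besides" means "in addition to". The new double-slash sentence should also spell out what each part does, e.g. "The text before the double slash (TCP) becomes the label of a dropdown menu and the text after it (Syn, Res) becomes an entry in that menu", so that "TCP//Syn and TCP//Res" is understandable without experimenting.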
@@ -857,8 +877,12 @@ The _SMI (MIB and PIB) paths_ btn:[Edit...] button provides access to the dialog
The _SMI (MIB and PIB) modules_ btn:[Edit...] button provides access to the dialog to manage the MIB/PIB modules to be loaded.
+Selecting _Enable IP geolocation_ causes the background MaxMind database IP geolocation resolver to be used to attempt to geolocate IP addresses in the packets.
+
The _MaxMind database directories_ btn:[Edit...] button provides access to the dialog to manage the directories where the MaxMind database files can be found. See <<ChMaxMindDbPaths>>.
+[#ChCustPrefsProtocolsSection]
+
==== Protocols
Wireshark supports quite a few protocols, which is reflected in the long list of child entries of the “Protocols” pane.
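Review bot: The new "Enable IP geolocation" sentence is hard to parse ("causes the background MaxMind database IP geolocation resolver to be used to attempt to geolocate"); suggest "causes Wireshark to look up IP addresses in the configured MaxMind databases in the background". It should also mention that this depends on the database directories managed with the btn:[Edit...] button described in the following paragraph.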
@@ -890,8 +914,15 @@ Currently only the IPv4, ICMP and ICMPv6 dissector use this preference.
Selecting _Ignore duplicate frames_ causes a duplicate frame to appear in the packet list, but flagged as ignored, hence not dissected.
The determination of a duplicate frame is made based on the SHA256 hash of the bytes in the frame.
+The preference _Deinterlacing conversations key_ gives you options for deinterlacing the conversations. While _NONE_ keeps the historical behaviour, the other options
+are built on three keys with the following meanings: _V_ (VLAN), _M_ (Mac Address), _I_ (Interface). Packets which seem identical because they have the
+same payload but have a different value for their VLAN Tag, a MAC Address, or were captured on different interfaces, will then be part of different conversations
+if the respective deinterlacing key is activated.
+
The preference _The max number of hashes to keep in memory for determining duplicate frames_ allows you to set how large the set of frames to consider for duplication is.
+[#ChCustPrefsRSASection]
+
==== RSA Keys
For more information see {wireshark-wiki-url}TLS.
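Review bot: The new "Deinterlacing conversations key" paragraph names the three keys V, M and I but never lists the values the preference actually accepts (only NONE is mentioned), so a reader cannot tell which combinations exist; list them. The last sentence is grammatically tangled; suggest "Packets that have the same payload but differ in VLAN tag, MAC address or capture interface are placed in different conversations when the corresponding key is enabled." Capitalization in the key list is also inconsistent ("Mac Address" next to "VLAN" and "Interface").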
@@ -969,47 +1000,13 @@ Configuration files stored in each profile include:
* Display Filters (dfilters) (<<ChWorkDefineFilterSection>>)
+* Display Filter Macros (dmacros) (<<ChWorkDefineFilterMacrosSection>>)
+
* Coloring Rules (colorfilters) (<<ChCustColorizationSection>>)
* Disabled Protocols (disabled_protos) (<<ChAdvEnabledProtocols>>)
-* User Accessible Tables:
-+
---
-* Custom HTTP headers (custom_http_header_fields)
-
-* Custom IMF headers (imf_header_fields)
-
-* Custom LDAP AttributeValue types (custom_ldap_attribute_types)
-
-* Display Filter Macros (dfilter_macros) (<<ChDisplayFilterMacrosSection>>)
-
-* ESS Category Attributes (ess_category_attributes)
- (<<ChEssCategoryAttributes>>)
-
-* MaxMind Database Paths (maxmind_db_paths) (<<ChMaxMindDbPaths>>)
-
-* K12 Protocols (k12_protos) (<<ChK12ProtocolsSection>>)
-
-* Object Identifier Names and Associated Syntaxes (<<ChObjectIdentifiers>>)
-
-* PRES Users Context List (pres_context_list) (<<ChPresContextList>>)
-
-* SCCP Users Table (sccp_users) (<<ChSccpUsers>>)
-
-* SNMP Enterprise Specific Trap Types (snmp_specific_traps)
- (<<ChSNMPEnterpriseSpecificTrapTypes>>)
-
-* SNMP Users (snmp_users) (<<ChSNMPUsersSection>>)
-
-* User DLTs Table (user_dlts) (<<ChUserDLTsSection>>)
-
-* IKEv2 decryption table (ikev2_decryption_table) (<<ChIKEv2DecryptionSection>>)
-
-* Protobuf Search Paths (protobuf_search_paths) (<<ChProtobufSearchPaths>>)
-
-* Protobuf UDP Message Types (protobuf_udp_message_types) (<<ChProtobufUDPMessageTypes>>)
---
+* Most User Accessible Tables (<<ChUserTable>>)
* Changed dissector assignments (__decode_as_entries__), which can be set in the “Decode
As...” dialog box (<<ChAdvDecodeAs>>).
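Review bot: The added blank line after the new "Display Filter Macros (dmacros)" item separates it from the rest of the list while the surrounding items have no blank lines between them; drop it for consistency. The replacement item "Most User Accessible Tables (<<ChUserTable>>)" would be clearer if it said that the section lists which tables are per-profile and which are shared, e.g. "Most User Accessible Tables; see <<ChUserTable>> for the exceptions".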
@@ -1053,6 +1050,10 @@ profile currently selected in the list. The name of the created profile
is the same as the copied profile, with the text “(copy)” and is
highlighted so that you can more easily change it.
+Auto switch packet limit::
+The number of packets to check for automatic profile switching, described below.
+Setting this to zero disables automatic profile switching.
+
btn:[Import]::
Profiles can be imported from zip-archives as well as directly from directory
structures. Profiles, which already exist by name will be skipped, as well as
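Review bot: "described below" in the new "Auto switch packet limit" entry should be a cross-reference to the "Automatic Profile Switching" section added in the next hunk so it survives restructuring. That section also refers to an "Auto Switch Filter" setting; if that field is not documented elsewhere in this dialog description, add an entry for it next to the packet limit.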
@@ -1074,46 +1075,92 @@ added and deleted profiles will not be deleted.
btn:[Help]::
Show this help page.
+==== Automatic Profile Switching
+
+You can configure Wireshark to automatically change configuration profiles by adding a display filter to the "Auto Switch Filter" setting for a profile.
+When you open a capture file, Wireshark will check each filter against a limited number of packets and will switch to the first profile with a matching filter.
+The number of packets is determined by the "Auto switch packet limit" setting, and a limit of 0 will disable this feature.
+Manually changing your profile will disable this behavior until you open a different capture file.
+
[#ChUserTable]
-=== User Table
+=== User Accessible Tables
-The User Table editor is used for managing various tables in Wireshark. Its main
-dialog works very similarly to that of <<ChCustColorizationSection>>.
+User Accessible Tables are a type of preference table which may be
+associated with particular <<ChCustPrefsProtocolsSection,protocols>> or
+with the application as a whole.
-[#ChDisplayFilterMacrosSection]
+User Accessible Tables have a common editor dialog which works as described
+in <<ChCustPrefsExpertSection>> and <<ChCustFilterButtons>>. Note that
+the name of the file appears in the lower right corner of the dialog.
-=== Display Filter Macros
+The files are saved in a CSV format, where values are either double quoted
+ASCII strings (using C-style backslash escapes for non-printable characters)
+or unquoted hexstrings, depending on the field type. They can be edited directly
+when Wireshark is not running, though this is discouraged. Entries can
+also be appended to the table by passing an appropriate CSV formatted
+record string <<ChCustCommandLine,on the command line>>.
-Display Filter Macros are a mechanism to create shortcuts for complex filters.
-For example, defining a display filter macro named _$$tcp_conv$$_ whose text is
+// There's a number of newer dissector UATs that aren't mentioned here
+// and could use help sections.
-----
-(ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4)
-or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3)
-----
+Most UATs are stored in the
+<<ChCustConfigProfilesSection,configuration profile>>:
+
+--
+* Custom HTTP headers (custom_http_header_fields)
-would allow to use a display filter like
+* Custom IMF headers (imf_header_fields)
-----
-${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}
-----
+* Custom LDAP AttributeValue types (custom_ldap_attribute_types)
-instead of typing the whole filter. Once defined, a macro can
-be used in <<ChWorkDefineFilterSection,saved display (but not
-capture) filters>> and <<ChCustFilterButtons,filter buttons>>.
+* <<ChCustFilterButtons,Display Filter Buttons>> (dfilter_buttons)
-Display Filter Macros can be managed with a user table, as described in
-<<ChUserTable>>, by selecting menu:Analyze[Display Filter Macros] from
-the menu. The User Table has the following fields:
+* <<ChWorkDefineFilterMacrosSection,Display Filter Macros>> (dfilter_macros), prior to Wireshark 4.4
-Name::
-The name of the macro. The name must consist of ASCII alphanumerics or
-the '_' character. (Note that the presence of a '.' character would
-indicate a <<_field_references,field reference>>.)
+* <<ChCustPrefsNameSection,DNS Servers>> (addr_resolve_dns_servers)
+
+* <<ChEssCategoryAttributes,ESS Category Attributes>> (ess_category_attributes)
+
+* <<ChCustPrefsExpertSection,Expert Item Severity>> (expert_severity)
+
+* <<Ch80211Keys,IEEE 802.11 WLAN Decryption Keys>> (80211_keys)
+
+* <<ChIKEv2DecryptionSection,IKEv2 decryption table>> (ikev2_decryption_table)
+
+* <<ChStatIOGraphs,I/O Graphs>> (io_graphs)
+
+* <<ChK12ProtocolsSection,K12 Protocols>> (k12_protos)
+
+* <<ChObjectIdentifiers,Object Identifier Names and Associated Syntaxes>> ()
+
+* <<ChStatPacketLengths,Packet Lengths>> (packet_lengths)
+
+* <<ChPresContextList,PRES Users Context List>> (pres_context_list)
+
+* <<ChSccpUsers,SCCP Users Table>> (sccp_users)
+
+* <<ChSNMPEnterpriseSpecificTrapTypes,SNMP Enterprise Specific Trap Types>> (snmp_specific_traps)
+
+* <<ChSNMPUsersSection,SNMP Users>> (snmp_users)
+
+* <<ChUserDLTsSection,User DLTs Table>> (user_dlts)
+
+* <<ChProtobufSearchPaths,Protobuf Search Paths>> (protobuf_search_paths)
+
+* <<ChProtobufUDPMessageTypes,Protobuf UDP Message Types>> (protobuf_udp_message_types)
+--
+
+Other UATs are stored in the personal configuration directory and are
+common to all profiles:
+
+--
+* <<ChMaxMindDbPaths,MaxMind Database Paths>> (maxmind_db_paths)
+
+* <<ChCustPrefsRSASection,RSA Private Keys>> (rsa_keys) and <<ChCustPrefsRSASection,PKCS #11 Provider Libraries>> (pkcs11_libs)
-Text::
-The replacement text for the macro it uses $1, $2, $3, ... as the input arguments.
+* <<ChCustPrefsNameSection,SMI Modules>> (smi_modules) and <<ChCustPrefsNameSection,SMI Paths>> (smi_paths)
+--
[#ChEssCategoryAttributes]
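Review bot: The "Object Identifier Names and Associated Syntaxes" item ends with empty parentheses "()"; either fill in the UAT file name like the other items or drop the parentheses. This hunk also removes the "[#ChDisplayFilterMacrosSection]" anchor while the profile list earlier in this patch now links to "<<ChWorkDefineFilterMacrosSection>>"; make sure no other file still references the old anchor, or the build will emit a broken cross-reference. The "// There's a number of newer dissector UATs ..." lines are a TODO checked into the user guide source; fine as an AsciiDoc comment, but consider tracking it in an issue instead.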
@@ -1148,9 +1195,18 @@ Database pathname::
This specifies a directory containing MaxMind data files. Any files
ending with _.mmdb_ will be automatically loaded.
-The locations for your data files are up to you, but `/usr/share/GeoIP`
-and `/var/lib/GeoIP` are common on Linux and `C:\ProgramData\GeoIP`,
-`C:\Program Files\Wireshark\GeoIP` might be good choices on Windows.
+By default Wireshark will always search for data files in
+`/usr/share/GeoIP` and `/var/lib/GeoIP` on non-Windows platforms
+and in `C:\ProgramData\GeoIP` and `C:\GeoIP` on Windows. You can
+put any additional search paths here, e.g. `C:\Program Files\Wireshark\GeoIP`
+might be a good choice on Windows.
+
+[NOTE]
+====
+While the default search paths are not listed in the user table, they
+are in the list viewable by opening menu:Help[About Wireshark] and
+selecting the "Folders" tab.
+====
[#ChGeoIPDbPaths]
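Review bot: "By default Wireshark will always search" mixes "by default" with "always"; since the NOTE says these paths are not in the table and so cannot be removed, say "Wireshark always searches ... in addition to any directories listed here". The straight quotes around "Folders" in the new NOTE also differ from the curly quotes used elsewhere in this file (e.g. “Protocols”).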
@@ -1160,6 +1216,191 @@ except GeoIP files must begin with _Geo_ and end with _.dat_. They are
no longer supported and MaxMind stopped distributing GeoLite Legacy
databases in April 2018.
+[#Ch80211Keys]
+
+=== IEEE 802.11 WLAN Decryption Keys
+
+Wireshark can decrypt WEP and WPA/WPA2/WPA3 in pre-shared (or personal) mode,
+as well as in enterprise mode. Security improvements in more recent 802.11
+releases require distinct session keys, instead of being able to decipher
+all traffic to a given access point with a single known password and SSID.
+
+You can add decryption keys using Wireshark's IEEE 802.11 preferences.
+Up to 64 keys are supported.
+
+==== Adding Keys
+
+Go to menu:Edit[Preferences >Protocols >IEEE 802.11], or, from the pop-up menu
+in the "Packet List" or "Packet Details" pane from a frame that contains IEEE
+802.11, menu:Protocol Preferences[IEEE 802.11 wireless LAN].
+You should see a window that looks like this:
+
+."IEEE 802.11 wireless LAN" preferences
+image::images/ws-wireless-ieee-80211-pref.png[{screenshot-attrs}]
+
+Click on the "Edit..." button next to "Decryption Keys" to add keys.
+You should see a window that looks like this:
+
+.802.11 Decryption Key Types
+image::images/ws-wireless-key-type.png[{screenshot-attrs}]
+
+When you click the **+** button to add a new key, there are five key types you
+can choose from: **wep**, **wpa-pwd**, **wpa-psk**, **tk**, or **msk**.
+The correct key type(s) depend on the Cipher Suite and Authentication and
+Key Management Suite (AKMS) used to encrypt the wireless traffic.
+
+wep:: The key must be provided as a string of hexadecimal numbers, with or
+without colons, and will be parsed as a WEP key. WEP keys can be 40-bit
+(5 bytes, or 10 hexadecimal characters), 104-bit, or occasionally 128-bit:
+
+ a1:b2:c3:d4:e5
+
+ 0102030405060708090a0b0c0d
+
+wpa-pwd:: The password and SSID are used to create a raw pre-shared WPA key.
+The password can be between 8 and 63 characters, and the SSID can be up to
+32 bytes. (Typically both are printable ASCII, but that is not a hard
+limitation of the specification, only a recommendation.)
+
+ MyPassword:MySSID
+
+You can optionally omit the colon and SSID, and Wireshark will try to decrypt
+packets using the last-seen SSID. This may not work for captures taken in busy
+environments, since the last-seen SSID may not be correct.
+
+ MyPassword
+
+[NOTE]
+====
+The WPA passphrase and SSID let you encode non-printable or otherwise troublesome
+characters using URI-style percent escapes, e.g., `%20` for a space. As a result
+you have to escape the percent characters themselves using `%25`. You also *must*
+escape colons in the passphrase or SSID themselves as `%3a`, in order to
+distinguish them from a colon as a separator between the passphrase and SSID.
+====
+
+[WARNING]
+====
+The WPA pass-phrase and SSID method is for WPA/WPA2-Personal only. It will
+not work for WPA3-Personal, which uses SAE (Simultaneous Authentication of
+Equals), nor for the Enterprise / 802.1X / EAP modes.
+====
+
+wpa-psk:: The key must be provided as a hexadecimal string, and is parsed as a
+PSK (Pre-Shared Key) or PMK (Pairwise Master Key). For WPA/WPA2-Personal,
+the PSK and the PMK are identical, and directly derived from the passphrase
+and SSID above. The keys can be 256 bits (32 bytes, 64 hex characters) or
+384 bits (48 bytes, 96 hex characters).
+
+ 0102030405060708091011...6061626364
+
+tk:: The key must be provided as a hexadecimal string, and is parsed as a
+PTK (Pairwise Transient Key) or GTK (Group Temporal Key). The keys can
+be 16 or 32 bytes (128 or 256 bits), depending on the cipher suite used.
+(5 and 13 byte WEP TKs are not yet supported.)
+
+msk:: The key must be provided as a hexadecimal string, and is parsed as
+a MSK (Master Session Key). This is used for FT-EAP (IEEE 802.11r
+Fast BSS Transition with EAP authentication). The key can be 64 or 128
+bytes.
+
+.802.11 Decryption Key Examples
+image::images/ws-wireless-key-examples.png[{screenshot-attrs}]
+
+////
+AirPcap was discontinued so this sections from the Wiki isn't relevant for many people currently
+==== Adding Keys: Wireless Toolbar
+
+If you are using the Windows version of Wireshark and you have an [AirPcap](/AirPcap) adapter you can add decryption keys using the wireless toolbar. If the toolbar isn't visible, you can show it by selecting *View-\>Wireless Toolbar*. Click on the *Decryption Keys...* button on the toolbar:
+
+![dot11-wireless-toolbar.png](uploads/__moin_import__/attachments/HowToDecrypt802.11/dot11-wireless-toolbar.png "dot11-wireless-toolbar.png")
+
+This will open the decryption key management window. As shown in the window you can select between three decryption modes: **None**, **Wireshark**, and **Driver**:
+
+![dot11-key-management.png](uploads/__moin_import__/attachments/HowToDecrypt802.11/dot11-key-management.png "dot11-key-management.png")
+
+Selecting **None** disables decryption. Selecting **Wireshark** uses Wireshark's built-in decryption features. **Driver** will pass the keys on to the [AirPcap](/AirPcap) adapter so that 802.11 traffic is decrypted before it's passed on to Wireshark. Driver mode only supports WEP keys.
+////
+
+==== Gotchas
+
+Along with decryption keys there are other preference settings that affect decryption.
+
+ - Make sure *Enable decryption* is selected.
+
+ - You may have to toggle *Assume Packets Have FCS* and *Ignore the Protection bit* depending on how your 802.11 driver delivers frames.
+
+===== Capturing the 4-way Handshake
+
+WPA and WPA2 use keys derived from an EAPOL handshake, which occurs when a machine joins a Wi-Fi network, to encrypt traffic. Unless **all four** handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter **eapol** to locate EAPOL packets in your capture.
+
+In order to capture the handshake for a machine, you will need to force the machine to (re-)join the network while the capture is in progress. One way to do this is to put the machine to sleep (for smartphones and tablets, "turning off" the machine puts it to sleep) before you start the capture, start the capture, and then wake the machine up. You will need to do this for all machines whose traffic you want to see.
+
+If a TK is provided as a key, then the EAPOL 4-way handshake is not necessary,
+as the TK is what the handshake derives. However, all available TKs will be
+tried agi
+
+===== Too Many Associations
+
+WPA and WPA2 use individual keys for each device. Wireshark is able to handle
+up to 256 active associations, which should be enough in most circumstances.
+Nevertheless, if a capture has too many devices and too many associations, then
+while the packet list may show all packets decoded on the first pass, randomly
+accessing different packets in the packet details will result in some packets
+failing to be properly deciphered.
+
+Filtering out only the relevant packets (e.g. with "wlan.addr") and saving into
+a new file should get decryption working in all cases, though it may require
+editing keys in the preferences or restarting Wireshark in order to free used
+associations. For the same reason, it is possible to be able to decode packets
+in a capture file without any EAPOL packets in it, as long as Wireshark did see
+the handshake for this communication in another capture without being
+restarted or editing keys. This can sometimes lead to exporting selected
+packets to a new file, opening that file and decoding seeming to work, but
+then decoding suddenly fail on the new file after Wireshark is restarted or keys
+are edited. If decoding suddenly stops working on a capture make sure the needed
+EAPOL packets are still in it.
+
+===== WPA/WPA2 Enterprise/Rekeys
+
+As long as you can somehow extract the PMK from either the client or the Radius
+Server and configure the key (as PSK) all supported Wireshark versions will decode
+the traffic just fine up to the first EAPOL rekey.
+
+EAPoL rekey is often enabled for WPA/WPA2 enterprise and will change the used
+encryption key similar to the procedure for the initial connect, but it can also
+be configured and used for pre-shared (personal) mode.
+
+Decrypting IEEE 802.11r Fast BSS Transition roaming requires capturing
+reassociation frames for similar reasons, and is supported by recent
+Wireshark versions.
+
+===== WPA3 Per-Connection Decryption
+
+In WPA3, a different PMK is used for each connection in order to achieve forward
+secrecy. Capturing the 4-way handshake and knowing the network password is not
+enough to decrypt packets; you must obtain the PMK from either the client or
+access point (typically by enabling logging in `wpa_supplicant` or `hostapd`
+with the `-d -K` flags) and use this as the decryption key in Wireshark. Even
+then, the decryption will only work for packets between that client and access
+point, not for all devices on that network.
+
+===== TKs and Performance
+
+The TKs are the actual transient keys used to encrypt packets, which are derived
+during the handshake. If known, they can decrypt packets without having the
+handshake packets in a capture. However, having TKs as encryption keys in the
+table will affect IEEE 802.11 dissector performance as each encrypted
+packet will be tested against every TK until decryption is successful.
+If the table is configured with many TKs, none of which match any
+encrypted frame in the capture, performance can be slow.
+
+Once a match is found, an association is formed similar to in the usual
+method and decryption of other frames with the same key should be on
+par with normal decryption flow. Thus, if most frames in the capture
+match TKs (or other keys), and only a limited number of TKs are configured,
+the performance impact is slight.
+
[#ChIKEv2DecryptionSection]
=== IKEv2 decryption table
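Review bot: The sentence "However, all available TKs will be tried agi" under "Capturing the 4-way Handshake" is cut off mid-word and must be completed before this merges. Other points in this hunk: "Radius Server" should be "RADIUS server"; the "Gotchas" list uses indented "-" markers while the rest of the file uses "*"; the "Too Many Associations" paragraph starting "For the same reason, it is possible to be able to decode" is a run-on ("possible to be able" is redundant) and would be clearer split into two or three sentences; and the wpa-psk example "0102030405060708091011...6061626364" puts an ellipsis inside what should be a literal hex string, so a reader may copy it as-is; show a complete 64-character value or state that it is abbreviated.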
@@ -1212,6 +1453,9 @@ Integrity algorithm of the IKE_SA.
=== Object Identifiers
+// This table appears under the BER dissector, perhaps it should be moved
+// to the "Name Resolution" preference section?
+
Many protocols that use ASN.1 use Object Identifiers (OIDs) to uniquely identify
certain pieces of information. In many cases, they are used in an extension
mechanism so that new object identifiers (and associated values) may be defined
@@ -1346,7 +1590,7 @@ different SNMP-engines the first entry to match both is taken, if you need a
catch all engine-id (empty) that entry should be the last one.
Authentication model::
-Which auth model to use (either “MD5” or “SHA1”).
+Which auth model to use (either “MD5”, “SHA1”, "SHA2-224", "SHA2-256", "SHA2-384" or "SHA2-512").
Password::
The authentication password. Use _\xDD_ for unprintable characters. A
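Review bot: The rewritten "Authentication model" line mixes curly quotes (“MD5”, “SHA1”) with straight quotes ("SHA2-224", ...); use one style, matching the rest of the file. The same applies to the "Privacy protocol" line in the next hunk.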
@@ -1356,7 +1600,7 @@ _\x01\x02\x03\x04\x05\x06_. The _\_ character must be treated as an unprintable
character, i.e., it must be entered as _\x5C_ or _\x5c_.
Privacy protocol::
-Which encryption algorithm to use (either “DES” or “AES”).
+Which encryption algorithm to use (either “DES”, “AES”, "AES192" or "AES256").
Privacy password::
The privacy password. Use _\xDD_ for unprintable characters. A hexadecimal
@@ -1365,6 +1609,11 @@ password 010203040506 must be entered as _\x01\x02\x03\x04\x05\x06_. The _\_
character must be treated as an unprintable character, i.e., it must be entered
as _\x5C_ or _\x5c_.
+Key expansion method::
+Which method to use to expand the key when the generated key provides too few bytes
+for the selected encryption method (either based on "draft-reeder-snmpv3-usm-3desede-00" or
+as implemented in AGENT++).
+
[#ChK12ProtocolsSection]
=== Tektronix K12xx/15 RF5 protocols Table
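Review bot: The new "Key expansion method" entry should say when it matters: it only applies when the localized privacy key is shorter than the selected privacy protocol needs, e.g. the AES192 or AES256 options added in the previous hunk combined with an MD5 or SHA1 authentication model, and it should give the two choices exactly as they appear in the dialog. "draft-reeder-snmpv3-usm-3desede-00" is an Internet-Draft name and would read better as "the method from draft-reeder-snmpv3-usm-3desede-00" with a link to the draft.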