Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2022-10-31 18:57:45 +0000

Chuckc gravatar image

Base on the RFC @ivan81 mentioned above (5.4. Header Protection), Wireshark decrypts the flag byte.

packet-quic.c:

/** Per-packet information about QUIC, populated on the first pass. */
struct quic_packet_info {
    struct quic_packet_info *next;
    guint64                 packet_number;  /** Reconstructed full packet number. */
    quic_decrypt_result_t   decryption;
    guint8                  pkn_len;        /** Length of PKN (1/2/3/4) or unknown (0). */
    guint8                  first_byte;     /** Decrypted flag byte, valid only if pkn_len is non-zero. */
    guint8                  packet_type;
    bool                    retry_integrity_failure : 1;
    bool                    retry_integrity_success : 1;
};

packet-quic.c:

  if (quic_packet->pkn_len) {
      proto_tree_add_uint(quic_tree, hf_quic_long_reserved, tvb, offset, 1, first_byte);
      proto_tree_add_uint(quic_tree, hf_quic_packet_number_length, tvb, offset, 1, first_byte);
  }

Base on the RFC @ivan81 mentioned above (5.4. Header Protection), Wireshark decrypts the flag byte.

packet-quic.c:

/** Per-packet information about QUIC, populated on the first pass. */
struct quic_packet_info {
    struct quic_packet_info *next;
    guint64                 packet_number;  /** Reconstructed full packet number. */
    quic_decrypt_result_t   decryption;
    guint8                  pkn_len;      /** Length of PKN (1/2/3/4) or unknown (0). */
    guint8                  first_byte;   /** Decrypted flag byte, valid only  if pkn_len is non-zero. */
    guint8                  packet_type;
    bool                    retry_integrity_failure : 1;
    bool                    retry_integrity_success : 1;
};

packet-quic.c:

 if (quic_packet->pkn_len) {
     proto_tree_add_uint(quic_tree, hf_quic_long_reserved, tvb, offset, 1, first_byte);
     proto_tree_add_uint(quic_tree, hf_quic_packet_number_length, tvb, offset, 1, first_byte);
 }

Base on the RFC @ivan81 mentioned above (5.4. Header Protection), Wireshark decrypts the flag byte.

packet-quic.c:

/** Per-packet information about QUIC, populated on the first pass. */
struct quic_packet_info {
    struct quic_packet_info *next;
    guint64                 packet_number;  /** Reconstructed full packet number. */
    quic_decrypt_result_t   decryption;
    guint8                  pkn_len;     /** Length of PKN (1/2/3/4) or unknown (0). */
    guint8                  first_byte;  /** Decrypted flag byte, valid only 
                                                       if pkn_len is non-zero. */
    guint8                  packet_type;
    bool                    retry_integrity_failure : 1;
    bool                    retry_integrity_success : 1;
};

packet-quic.c:

 if (quic_packet->pkn_len) {
     proto_tree_add_uint(quic_tree, hf_quic_long_reserved, tvb, offset, 1, first_byte);
     proto_tree_add_uint(quic_tree, hf_quic_packet_number_length, tvb, offset, 1, 1,
                                                    first_byte);
 }