Regular failure to capture HTTP2

asked 2019-08-06 19:24:16 +0000

BanksySan
1 ●1 ●2 ●2

updated 2019-08-06 19:30:41 +0000

Wireshark will, at times, capture the HTTP/2 traffic (over TLS) without any trouble. However, more often it fails to capture it at all or will only cature .

I suspect that it's unable to unwrap the TLS, however it it can work and then, when refreshing the same page, fail to capture anything above TLS. I can reproduce it from https://example.com.

First time it might just capture the HEADERS, second time nothing.

I'm using Chrome, and have Disable cache ticked in the F12 tooling.

I can prove that Wireshark is capturing traffic because I can filter on the IP and see traffic captures (i.e. ip.dst == 93.184.216.34 || ip.src == 93.184.216.34):

| No. | Delta    | Protocol | Info                                                 |
|-----|----------|----------|------------------------------------------------------|
| 31  | 0.000000 | TLSv1.2  | Application Data                                     |
| 32  | 0.000068 | TLSv1.2  | Application Data                                     |
| 33  | 0.086955 | TLSv1.2  | Application Data, Application Data, Application Data |
| 34  | 0.000555 | TLSv1.2  | Application Data                                     |
| 35  | 0.003173 | TCP      | 51213 → 443 [ACK] Seq=87 Ack=784 Win=516 Len=0       |
| 36  | 0.000270 | TCP      | 51213 → 443 [ACK] Seq=87 Ack=823 Win=515 Len=0       |
| 37  | 0.012623 | TLSv1.2  | Application Data                                     |
| 38  | 0.087451 | TLSv1.2  | Application Data, Application Data, Application Data |
| 44  | 0.111776 | TCP      | 51213 → 443 [ACK] Seq=149 Ack=1576 Win=513 Len=0     |

Without changing any settings, just refreshing the page again it might capture everything (as it has just now).

I really want to show a live demo of HTTP/2 via Wireshark, but without reliably being able to capture it it's not going to be possible.

Any help would be greatly appreciated. It's really giving me a headache.

edit retag flag offensive close merge delete

Comments

Looks like a TLS decryption failure, I'm presuming that you're exporting the pre-master secret from Chrome into an SSLKEYLOGFILE?

This works for me on Win 10, Chrome 76 and Wireshark 3.0.3

grahamb ( 2019-08-06 19:54:56 +0000 )edit

@grahamb Aye, exactly that.

BanksySan ( 2019-08-06 19:57:14 +0000 )edit

I think you will need to create a TLS Debug log file and wade through that to determine what's up with the decryption. Not a trivial exercise.

grahamb ( 2019-08-07 09:21:47 +0000 )edit

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2019-08-19 18:27:06 +0000

ErikH
1 ●1 ●1

updated 2019-08-19 18:47:49 +0000

I did a live HTTP/2 demo at annual FIRST conference in Edinburgh earlier this year. However, instead of sniffing with Wireshark I proxied the TLS traffic through PolarProxy and redirected the decrypted HTTP/2 pcap to Wireshark in real-time like this:

./PolarProxy -p 10443,80,443 --certhttp 10080 -w - | wireshark -k -i -

It worked out great! (phew, there were only a few hundred security experts in the audience...)

edit flag offensive delete link

add a comment

answered 2019-08-13 20:22:35 +0000

Lekensteyn
2346 ●3 ●19 ●29 https://lekensteyn.nl

updated 2019-08-13 20:26:49 +0000

There are several possible reasons why you do not always see decryped HTTP/2 traffic:

Your capture started while the TLS session was already established. Since the TLS handshake is not captured, Wireshark will be unable to decrypt it.
Disabling cache ensures that the browser performs a new request, but it will not ensure that new requests go through a fresh TLS handshake due to connection reuse. Connections are typically kept alive for some more seconds, the exact timing will depend on the Keep-Alive header. To ensure that the connection is closed, you can for example use the "File" -> "Work Offline" option in Firefox.
The network might cause packet re-ordering, resulting in out-of-order TCP segment. The default configuration of Wireshark does not handle this well, this breaks TLS decryption. Be sure to enable the Reassemble out-of-order segments option at the TCP protocol preferences (added in Wireshark 3.0). This and the above issue are the most common reason reasons why decryption could fail assuming correctly configured keys.
If the key log file is not created, ensure that the environment variable or command line flag is correctly set. If you are not using the latest version of Firefox, do so. Official builds of Firefox 65 to 67 had this functionality disabled.
Upgrade to the latest Wireshark version. Sometimes there are bugs or missing features that could also prevent TLS decryption from happening in some edge cases.

Comments

Thanks, I'll give those things a try.

BanksySan ( 2019-08-13 21:52:51 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Regular failure to capture HTTP2

Comments

2 Answers

Comments

Your Answer

Question Tools

Stats

Related questions

Regular failure to capture HTTP2 edit

Comments

2 Answers

Comments

Your Answer

Question Tools

Stats

Related questions

Regular failure to capture HTTP2