Ask Your Question
0

Regular failure to capture HTTP2

asked 2019-08-06 19:24:16 +0000

BanksySan gravatar image

updated 2019-08-06 19:30:41 +0000

Wireshark will, at times, capture the HTTP/2 traffic (over TLS) without any trouble. However, more often it fails to capture it at all or will only cature .

I suspect that it's unable to unwrap the TLS, however it it can work and then, when refreshing the same page, fail to capture anything above TLS. I can reproduce it from https://example.com.

First time it might just capture the HEADERS, second time nothing.

I'm using Chrome, and have Disable cache ticked in the F12 tooling.

I can prove that Wireshark is capturing traffic because I can filter on the IP and see traffic captures (i.e. ip.dst == 93.184.216.34 || ip.src == 93.184.216.34):

| No. | Delta    | Protocol | Info                                                 |
|-----|----------|----------|------------------------------------------------------|
| 31  | 0.000000 | TLSv1.2  | Application Data                                     |
| 32  | 0.000068 | TLSv1.2  | Application Data                                     |
| 33  | 0.086955 | TLSv1.2  | Application Data, Application Data, Application Data |
| 34  | 0.000555 | TLSv1.2  | Application Data                                     |
| 35  | 0.003173 | TCP      | 51213 → 443 [ACK] Seq=87 Ack=784 Win=516 Len=0       |
| 36  | 0.000270 | TCP      | 51213 → 443 [ACK] Seq=87 Ack=823 Win=515 Len=0       |
| 37  | 0.012623 | TLSv1.2  | Application Data                                     |
| 38  | 0.087451 | TLSv1.2  | Application Data, Application Data, Application Data |
| 44  | 0.111776 | TCP      | 51213 → 443 [ACK] Seq=149 Ack=1576 Win=513 Len=0     |

Without changing any settings, just refreshing the page again it might capture everything (as it has just now).

I really want to show a live demo of HTTP/2 via Wireshark, but without reliably being able to capture it it's not going to be possible.

Any help would be greatly appreciated. It's really giving me a headache.

edit retag flag offensive close merge delete

Comments

Looks like a TLS decryption failure, I'm presuming that you're exporting the pre-master secret from Chrome into an SSLKEYLOGFILE?

This works for me on Win 10, Chrome 76 and Wireshark 3.0.3

grahamb gravatar imagegrahamb ( 2019-08-06 19:54:56 +0000 )edit

@grahamb Aye, exactly that.

BanksySan gravatar imageBanksySan ( 2019-08-06 19:57:14 +0000 )edit

I think you will need to create a TLS Debug log file and wade through that to determine what's up with the decryption. Not a trivial exercise.

grahamb gravatar imagegrahamb ( 2019-08-07 09:21:47 +0000 )edit
add a comment

2 Answers

Sort by » oldest newest most voted
0

answered 2019-08-19 18:27:06 +0000

ErikH gravatar image

updated 2019-08-19 18:47:49 +0000

I did a live HTTP/2 demo at annual FIRST conference in Edinburgh earlier this year. However, instead of sniffing with Wireshark I proxied the TLS traffic through PolarProxy and redirected the decrypted HTTP/2 pcap to Wireshark in real-time like this:

./PolarProxy -p 10443,80,443 --certhttp 10080 -w - | wireshark -k -i -

It worked out great! (phew, there were only a few hundred security experts in the audience...)

edit flag offensive delete link more
add a comment
0

answered 2019-08-13 20:22:35 +0000

Lekensteyn gravatar image

updated 2019-08-13 20:26:49 +0000

There are several possible reasons why you do not always see decryped HTTP/2 traffic:

  • Your capture started while the TLS session was already established. Since the TLS handshake is not captured, Wireshark will be unable to decrypt it.
  • Disabling cache ensures that the browser performs a new request, but it will not ensure that new requests go through a fresh TLS handshake due to connection reuse. Connections are typically kept alive for some more seconds, the exact timing will depend on the Keep-Alive header. To ensure that the connection is closed, you can for example use the "File" -> "Work Offline" option in Firefox.
  • The network might cause packet re-ordering, resulting in out-of-order TCP segment. The default configuration of Wireshark does not handle this well, this breaks TLS decryption. Be sure to enable the Reassemble out-of-order segments option at the TCP protocol preferences (added in Wireshark 3.0). This and the above issue are the most common reason reasons why decryption could fail assuming correctly configured keys.
  • If the key log file is not created, ensure that the environment variable or command line flag is correctly set. If you are not using the latest version of Firefox, do so. Official builds of Firefox 65 to 67 had this functionality disabled.
  • Upgrade to the latest Wireshark version. Sometimes there are bugs or missing features that could also prevent TLS decryption from happening in some edge cases.

See also:

If you would like to do a live demo of HTTPS decryption and HTTP/2, you could also start a browser with a new browsing profile. That way, your normal browsing session can continue while you visit a specific site in the new browsing profile. See slide 8 of https://lekensteyn.nl/files/wireshark-tls-debugging-sharkfest19us.pdf.

edit flag offensive delete link more

Comments

Thanks, I'll give those things a try.

BanksySan gravatar imageBanksySan ( 2019-08-13 21:52:51 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-08-06 19:24:16 +0000

Seen: 2,585 times

Last updated: Aug 19 '19

Related questions

Can't capture TLS certificate

Capture Filter for TLS

How to get TLSv1.2 to decode

How to verify what protocol was used in an encrypted file transfer?

cannot find "Compare two capture files"

Is it possible to test a capture filter with already captured traffic?

aix iptrace capture filters

How would I map this display filter to a capture filter?

SSL/TLS Handshake Immediately Fails

Can I create a capture filter on a pcap file