
[ws 3.2.0] quic handshake is decrypted but subsequent packets are not

asked 2019-12-25 06:54:17 +0000

magesh

updated 2019-12-25 07:03:15 +0000

I'm trying to get an understanding of the QUIC protocol using Wireshark (and other material from various sources).

Steps that I followed:

  1. captured (using tshark) QUIC traffic between a local client server (generated using mozilla/neqo, with SSLKEYLOGFILE env to store traffic secrets).
  2. set the captured traffic secrets path in Wireshark preferences (Protocols -> TLS [(Pre)-Master-Secret log filename])
  3. open the pcap file


  1. decrypted payloads for QUIC handshakes
  2. decrypted payloads for subsequent QUIC packets


  1. [PASS] decrypted payloads for QUIC handshakes
  2. [FAIL] decrypted payloads for subsequent QUIC packets

Are there any additional steps that I need to follow to decrypt all QUIC packets?

screenshot showing the issue: wireshark-quic-screenshot


2 Answers


answered 2020-01-03 13:55:49 +0000

Lekensteyn

From my reply at

In your screenshot, the visible frames are:

1. C->S Protected Payload
2. S->C Handshake, PKN:0, CRYPTO
3. C->S Handshake, PKN:0, ACK, CRYPTO
4. S->C Handshake, PKN:1, ACK
5. C->S Protected Payload
11. S->C Protected Payload

The selected packet (frame 4) shows that draft 24 is in use. I would have expected an Initial Packet message to be present. Perhaps frame 1 has additional data.

Do frames 5-11 actually mention that decryption failed? If so, it should describe the reason. If you were expecting HTTP/3, note that it is still work in progress, and not supported in the current Wireshark 3.2 release nor the development version, v3.3.0rc0-225-g76dfe6004b.

For better analysis, please attach the original packet capture and the SSLKEYLOGFILE file. For the current state of QUIC support in Wireshark, please refer to and find capture samples at

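Before attaching the SSLKEYLOGFILE as requested above, it can be checked for completeness. This is an added example, not code from the thread or from Wireshark. It parses the NSS key log format and reports, per client random, whether the handshake secrets and the `*_TRAFFIC_SECRET_0` secrets (from which the keys for packets after the handshake are derived) are both present. The function name and the sample log are constructed for illustration, and a missing label is only one possible reason for the symptom in the question.

```python
import re
from collections import defaultdict

# TLS 1.3 labels from the NSS key log format, grouped by what they unlock.
HANDSHAKE = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
ONE_RTT = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# <LABEL> <32-byte client random in hex> <secret in hex, whole bytes only>
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def audit_keylog(text):
    """Return (report, malformed): per-session label coverage and bad line numbers."""
    labels, malformed = defaultdict(set), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are allowed in the format
        m = LINE.match(line)
        if not m:
            malformed.append(n)  # e.g. a line cut short while the capture was stopped
            continue
        labels[m.group(2).lower()].add(m.group(1))
    report = {}
    for client_random, seen in labels.items():
        report[client_random] = {
            "handshake_ok": HANDSHAKE <= seen,
            "one_rtt_ok": ONE_RTT <= seen,
            "missing": sorted((HANDSHAKE | ONE_RTT) - seen),
        }
    return report, malformed

# Constructed sample: session A is complete, session B lost its 1-RTT secrets
# (one is absent, the other is truncated to an odd number of hex digits).
CR_A, CR_B = "11" * 32, "22" * 32
SAMPLE = "\n".join([
    "# constructed key log, not taken from the capture in this thread",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_A} {'a1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_A} {'a2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_A} {'a3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_A} {'a4' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_B} {'b1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_B} {'b2' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_B} {'b3' * 15}b",
])

if __name__ == "__main__":
    report, malformed = audit_keylog(SAMPLE)
    for client_random, status in report.items():
        print(client_random[:8], status)  # secrets themselves are never printed
    print("malformed lines:", malformed)
```

The report prints only client randoms and label names, so it can be shared in a bug report without exposing the secrets.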

answered 2020-01-02 06:38:48 +0000

Alexis La Goutte


Please open an issue on the bugtracker and attach the pcap and SSLKEYLOGFILE.
