Ask Your Question
0

[ws 3.2.0] quic handshake is decrypted but subsequent packets are not

asked 2019-12-25 06:54:17 +0000

magesh gravatar image

updated 2019-12-25 07:03:15 +0000

I'm trying to get an understanding of the QUIC protocol using wireshark (and other material from various sources).

Steps that I followed:

  1. captured (using tshark) QUIC traffic between a local client server (generated using mozilla/neqo, with SSLKEYLOGFILE env to store traffic secrets).
  2. set the captured traffic secrets path in wireshark preferences (Protocols -> TLS [(Pre)-Master-Secret log filename])
  3. open the pcap file

Expected:

  1. decrypted payloads for QUIC handshakes
  2. decrypted payloads for subsequent QUIC packets

Observed:

  1. [PASS] decrypted payloads for QUIC handshakes
  2. [FAIL] decrypted payloads for subsequent QUIC packets

Are there any additional steps that I need to follow to decrypt all QUIC packets?

screenshot showing the issue: wireshark-quic-screenshot

edit retag flag offensive close merge delete

Comments

(This question was cross-posted at https://www.wireshark.org/lists/wireshark-users/201912/msg00009.html)

Lekensteyn gravatar imageLekensteyn ( 2020-01-03 13:52:45 +0000 )edit
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2020-01-03 13:55:49 +0000

Lekensteyn gravatar image

From my reply at https://www.wireshark.org/lists/wireshark-users/202001/msg00000.html:

In your screenshot, the visible frames are:

1. C->S Protected Payload
2. S->C Handshake, PKN:0, CRYPTO
3. C->S Handshake, PKN:0, ACK, CRYPTO
4. S->C Handshake, PKN:1, ACK
5. C->S Protected Payload
...
11. S->C Protected Payload

The selected packet (frame 4) shows that draft 24 is in use. I would have expected an Initial Packet message to be present. Perhaps frame 1 has additional data.

Do frames 5-11 actually mention that decryption failed? If so, it should describe the reason. If you were expecting HTTP/3, note that it is still work in progress, and not supported in the current Wireshark 3.2 release nor the development version, v3.3.0rc0-225-g76dfe6004b.

For better analysis, please attach the original packet capture and the SSLKEYLOGFILE file. For the current state of QUIC support in Wireshark, please refer to https://github.com/quicwg/base-drafts/wiki/Tools#wireshark and find capture samples at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13881

edit flag offensive delete link more
add a comment
0

answered 2020-01-02 06:38:48 +0000

Alexis La Goutte gravatar image

Hi,

Please open a issue on bugtracker and attach pcap and SSLKEYLOGFILE

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-12-25 06:54:17 +0000

Seen: 2,383 times

Last updated: Jan 03 '20

Related questions

Quic Conversation decipher

QUIC protocol [closed]

which wireshark version would support facebook quic IETF version 0xfaceb000

Can i decrypt intial QUIC payload using libgcrypt. [closed]

how does wireshark support quic decryption

quic malformed packet error

Can't no longer find Quic/Gquic protocol on Wireshark analysis

Quic Decryption fails

Does tshark currently support QUIC packet analysis ?

QUIC-IETF Filter can't display ack_range