[ws 3.2.0] quic handshake is decrypted but subsequent packets are not

asked Dec 25 '19

magesh

updated Dec 25 '19

I'm trying to get an understanding of the QUIC protocol using Wireshark (and other material from various sources).

Steps that I followed:

  1. captured (using tshark) QUIC traffic between a local client and server (generated using mozilla/neqo, with the SSLKEYLOGFILE env variable set to store traffic secrets).
  2. set the captured traffic secrets path in Wireshark preferences (Protocols -> TLS [(Pre)-Master-Secret log filename])
  3. open the pcap file

Expected:

  1. decrypted payloads for QUIC handshakes
  2. decrypted payloads for subsequent QUIC packets

Observed:

  1. [PASS] decrypted payloads for QUIC handshakes
  2. [FAIL] decrypted payloads for subsequent QUIC packets

Are there any additional steps that I need to follow to decrypt all QUIC packets?

screenshot showing the issue: wireshark-quic-screenshot


2 Answers


answered Jan 3 '0

Lekensteyn

From my reply at https://www.wireshark.org/lists/wireshark-users/202001/msg00000.html:

In your screenshot, the visible frames are:

1. C->S Protected Payload
2. S->C Handshake, PKN:0, CRYPTO
3. C->S Handshake, PKN:0, ACK, CRYPTO
4. S->C Handshake, PKN:1, ACK
5. C->S Protected Payload
...
11. S->C Protected Payload

The selected packet (frame 4) shows that draft 24 is in use. I would have expected an Initial Packet message to be present. Perhaps frame 1 has additional data.

Do frames 5-11 actually mention that decryption failed? If so, it should describe the reason. If you were expecting HTTP/3, note that it is still work in progress, and not supported in the current Wireshark 3.2 release nor the development version, v3.3.0rc0-225-g76dfe6004b.

For better analysis, please attach the original packet capture and the SSLKEYLOGFILE file. For the current state of QUIC support in Wireshark, please refer to https://github.com/quicwg/base-drafts/wiki/Tools#wireshark and find capture samples at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13881


answered Jan 2 '0

Alexis La Goutte

Hi,

Please open an issue on the bug tracker and attach the pcap and SSLKEYLOGFILE.

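A check worth running on the SSLKEYLOGFILE before attaching it, as an added example that is not part of the original thread or of Wireshark: it reports, per TLS client random, whether the log holds the handshake secrets and the application (`*_TRAFFIC_SECRET_0`) secrets from which the keys for QUIC Handshake and short-header ("Protected Payload") packets are derived. The function names and the sample log are constructed for illustration; the labels are those of the NSS key log format for TLS 1.3.

```python
import re

# TLS 1.3 key log labels from which QUIC packet protection keys are derived,
# grouped by the packet type they decrypt (1-RTT = short-header packets).
NEEDED = {
    "Handshake": {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"},
    "1-RTT": {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"},
}
HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")  # whole bytes only


def parse_keylog(text):
    """Return ({client_random: {label, ...}}, [(line_no, raw_line), ...] for bad lines)."""
    sessions, bad = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Each entry is: LABEL <client_random, 32 bytes hex> <secret hex>
        if (len(parts) != 3 or len(parts[1]) != 64
                or not HEX.fullmatch(parts[1]) or not HEX.fullmatch(parts[2])):
            bad.append((n, line))
            continue
        sessions.setdefault(parts[1].lower(), set()).add(parts[0])
    return sessions, bad


def coverage(sessions):
    """For each client random, list the labels still missing per packet type."""
    return {
        cr: {kind: sorted(labels - have) for kind, labels in NEEDED.items()}
        for cr, have in sessions.items()
    }


# Constructed sample (not from the original post): handshake secrets present,
# last application secret truncated as if the process exited mid-write.
CR = "ab" * 32
SAMPLE = f"""# constructed key log
CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR} {'11' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {CR} {'22' * 32}
CLIENT_TRAFFIC_SECRET_0 {CR} {'33' * 32}
SERVER_TRAFFIC_SECRET_0 {CR} {'44' * 15}4
"""

if __name__ == "__main__":
    sessions, bad = parse_keylog(SAMPLE)
    print(coverage(sessions), bad)
```

An empty list for a packet type means both directions' secrets are present for that client random; a non-empty list or a malformed line is worth mentioning in the bug report.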


Stats

Asked: Dec 25 '19

Seen: 2,472 times

Last updated: Jan 03 '20