QUIC-IETF Filter can't display ack_range

asked 2020-04-23 07:27:20 +0000

tinker

updated 2020-04-23 07:28:14 +0000

Hi, I have found that Wireshark supports QUIC-IETF analysis. So, I made a test to see if it worked.

I used ngtcp2 to generate QUIC traffic (the QUIC version is quic-draft-27), recorded an sslkeylogfile, and dumped the flow into a pcap file. You can look up ngtcp2 by referring to https://github.com/ngtcp2/ngtcp2

Finally, with wireshark-3.2.3 and the TLS decryption pre-master key configured, I have displayed QUIC fields successfully; for example, it shows ack_delay, but it can't print the ack_range field, which I find is supported in https://www.wireshark.org/docs/dfref/...

So, my question is why Wireshark can't display the ack_range field.

Hope for your reply.


Comments

Is quic.ack.ack_range_count > 0 ?

Chuckc ( 2020-04-23 13:01:18 +0000 )

Sorry, but I can't upload an image; the text copied from Wireshark is below.

It is really strange that both the largest_ack and first_ack_range > 0, but there is no ack_range.


    Frame 19: 94 bytes on wire (752 bits), 94 bytes captured (752 bits)
    Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
    User Datagram Protocol, Src Port: 60867, Dst Port: 443
        Source Port: 60867
        Destination Port: 443
        Length: 60
        Checksum: 0xfe4f [unverified]
        [Checksum Status: Unverified]
        [Stream index: 0]
        [Timestamps]
    QUIC IETF
        QUIC Connection information
            [Connection Number: 0]
        [Packet Length: 52]
        QUIC Short Header DCID=9af84a6705b6b5b4ebb7bd46724255ead4b2 PKN=1
            0... .... = Header Form: Short Header (0)
            .1.. .... = Fixed Bit: True
            ..0. .... = Spin Bit: False
            ...0 0... = Reserved: 0
            .... .0 ...(more)

tinker ( 2020-04-24 01:39:45 +0000 )

Have you looked through the quic 27 draft?

"The First ACK Range is encoded as an ACK Range"

    ACK Range Count: 0
    First ACK Range: 11

Chuckc ( 2020-04-24 03:28:03 +0000 )

Fine, it was my confusion with IETF QUIC, thank you for your reply.

tinker ( 2020-04-24 08:32:26 +0000 )

1 Answer


answered 2020-04-23 13:10:46 +0000

Chuckc

ack_range only added when ack_range_count > 0: (epan/dissectors/packet-quic.c)

    /* ACK Ranges - Repeated "Ack Range Count" */
    while (ack_range_count) {

        /* Gap To Next Block */
        proto_tree_add_item_ret_varint(ft_tree, hf_quic_ack_gap, tvb, offset, -1, ENC_VARINT_QUIC, NULL, &lenvar);
        offset += lenvar;

        proto_tree_add_item_ret_varint(ft_tree, hf_quic_ack_ack_range, tvb, offset, -1, ENC_VARINT_QUIC, NULL, &lenvar);
        offset += lenvar;

        ack_range_count--;
    }

Sample captures here
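
The draft rule quoted in the comments and the dissector loop in the answer, worked through as an added example (not Wireshark's code and not part of the original posts): a small parser that turns an ACK frame into packet-number ranges, so that ACK Range Count = 0 still yields one range from First ACK Range. The names `parse_ack`, `get_varint`, `pn_range` and both sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct pn_range { uint64_t lo, hi; };   /* inclusive packet-number range */

/* Decode one QUIC variable-length integer; returns bytes used, 0 if truncated. */
static size_t get_varint(const uint8_t *p, size_t len, uint64_t *out) {
    if (len == 0) return 0;
    size_t n = (size_t)1 << (p[0] >> 6);   /* top two bits select 1, 2, 4 or 8 bytes */
    if (len < n) return 0;
    uint64_t v = p[0] & 0x3f;
    for (size_t i = 1; i < n; i++) v = (v << 8) | p[i];
    *out = v;
    return n;
}

#define NEXT(v) do { n = get_varint(f + off, len - off, &(v)); if (!n) return -1; off += n; } while (0)

/* Parse an ACK frame (type 0x02); returns the number of ranges, -1 if malformed. */
int parse_ack(const uint8_t *f, size_t len, struct pn_range *r, int max) {
    uint64_t largest, delay, count, first, gap, rng;
    size_t off = 1, n;
    if (len < 1 || f[0] != 0x02 || max < 1) return -1;
    NEXT(largest); NEXT(delay); NEXT(count); NEXT(first);
    if (first > largest) return -1;
    /* First ACK Range is always present, even when ACK Range Count is 0. */
    r[0].hi = largest;
    r[0].lo = largest - first;
    int used = 1;
    while (count--) {                      /* one Gap / ACK Range pair per count */
        NEXT(gap); NEXT(rng);
        if (used == max || r[used - 1].lo < gap + 2) return -1;
        r[used].hi = r[used - 1].lo - gap - 2;
        if (rng > r[used].hi) return -1;
        r[used].lo = r[used].hi - rng;
        used++;
    }
    return used;
}

/* Constructed frames: type, Largest Ack, ACK Delay, ACK Range Count, First ACK Range[, Gap, ACK Range] */
const uint8_t ACK_COUNT0[] = {0x02, 0x0b, 0x00, 0x00, 0x0b};
const uint8_t ACK_COUNT1[] = {0x02, 0x14, 0x00, 0x01, 0x02, 0x03, 0x04};

int main(void) {
    struct pn_range r[4];
    int cnt = parse_ack(ACK_COUNT0, sizeof ACK_COUNT0, r, 4);
    for (int i = 0; i < cnt; i++)
        printf("acked %llu..%llu\n", (unsigned long long)r[i].lo, (unsigned long long)r[i].hi);
    return 0;
}
```
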
