UDP packets to port 443 aren't labeled as GQUIC or QUIC

asked 2020-09-04 16:49:46 +0000

Revertigo

updated 2020-09-04 16:53:55 +0000

Hi,

I recently encountered the GQUIC and QUIC protocols while inspecting Wireshark traffic. I have read that these protocols are based on both UDP and TLS encryption. I have also seen regular UDP traffic to dst port 443 which seemed to be encrypted. My question is:
Why doesn't Wireshark recognize the latter traffic (regular UDP traffic to dst port 443) as QUIC or GQUIC? Is it due to a new version of GQUIC/QUIC or some other reason?

Thanks, Dekel


Comments

Have you checked the port setting for QUIC in Wireshark preferences?

Chuckc ( 2020-09-04 16:57:35 +0000 )

I tried to do that (long ago, before posting this question) and according to what I remember both decoding as QUIC and GQUIC failed (showing malformed packets, at least for some of the packets). I tried to do it again now, and GQUIC decoding failed, but QUIC decoding succeeded for most of the packets, and for part of them it shows a yellow field (which means a Warning). I tried to decode a different .pcap file as QUIC and this time most of the packets appeared with a cyan field (which means a Note). Yet, this is strange behavior. I wonder why in some cases Wireshark knows automatically to decode as QUIC (I have scenarios where it happens) and in some cases it doesn't. Anyway, thanks for the answer!

Revertigo ( 2020-09-05 15:31:55 +0000 )

The QUIC dissector is evolving as the standard updates and more people have a need to inspect it.
If you can share a capture it may help to enhance the dissector in future versions of Wireshark.

Chuckc ( 2020-09-05 18:11:57 +0000 )