Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

asked 2025-02-20 02:32:25 +0000

Linxiao Yu gravatar image

Dissect decrypted QUIC packets from Google

Hi, everyone. I'm learning QUIC protocol with Wireshark. When I capture traffic from www.google.com (or www.youtube.com), after using TLS keylog.txt, Wireshark shows the decrypted QUIC panel. However, these decrypted payloads seem not to be dissected properly as a higher layer protocol (maybe HTTP3?). So, I could not export any useful objects from the decrypted traffic.

Google traffic dissection

However, when I request other websites, e.g., www.xiaohongshu.com, which also uses QUIC, after importing keylog.txt, I could see the HTTP3 packets. So I wonder why this would happen.

www.xiaohongshu dissection

I learned that Google may use its own QUIC version, i.e., GQUIC, but Wireshark seems to display my capture as the normal QUIC traffic. I wonder if it is possible to dissect these decrypted Google/YouTube traffic, or am I doing some wrong in decryption?

Dissect decrypted QUIC packets from Google

Hi, everyone. I'm learning QUIC protocol with Wireshark. When I capture traffic from www.google.com (or www.youtube.com), after using TLS keylog.txt, Wireshark shows the decrypted QUIC panel. However, these decrypted payloads seem not to be dissected properly as a higher layer protocol (maybe HTTP3?). So, I could not export any useful objects from the decrypted traffic.

Google traffic dissection

However, when I request other websites, e.g., www.xiaohongshu.com, which also uses QUIC, after importing keylog.txt, I could see the HTTP3 packets. So I wonder why this would happen.

www.xiaohongshu dissection

I learned that Google may use its own QUIC version, i.e., GQUIC, but Wireshark seems to display my capture as the normal QUIC traffic. I wonder if it is possible to dissect these decrypted Google/YouTube traffic, or am I doing some wrong in decryption? decryption?

Dissect decrypted QUIC packets from Google

Hi, everyone. I'm learning QUIC protocol with Wireshark. When I capture traffic from www.google.com (or www.youtube.com), after using TLS keylog.txt, Wireshark shows the decrypted QUIC panel. However, these decrypted payloads seem not to be dissected properly as a higher layer protocol (maybe HTTP3?). So, I could not export any useful objects from the decrypted traffic.

Google traffic dissection

However, when I request other websites, e.g., www.xiaohongshu.com, which also uses QUIC, after importing keylog.txt, I could see the HTTP3 packets. So I wonder why this would happen.

www.xiaohongshu dissection

I learned that Google may use its own QUIC version, i.e., GQUIC, but Wireshark seems to display my capture as the normal QUIC traffic. I wonder if it is possible to dissect these decrypted Google/YouTube traffic, or am I doing some wrong in decryption?decryption? Any help is appreciated. :)

Sorry that I don't have enough points to post images, I upload the images, .pcap along with keylog.txt files for www.google.com, www.youtube.com and www.xiaohongshu.com separately. Sorry for that inconvenience. :)

The Wireshark version is: Version 4.4.3 (v4.4.3-0-g66d7a52feb06).