OSQA is unmaintained. Help us figure out where to go from here.

I cannot seem to decrypt every HTTP/2 packet in a given session using my pre shared keys.


  1. Set SSLKEYLOGFILE environent variable.
  2. Open Wireshark + Chrome from terminal.
  3. Open desired site in Chrome and watch trace in Wireshark.


It seems that sometimes all the HTTP/2 packets are decrypted, and then other times only ~half of them are. If I open the Statistics -> HTTP2 dialogue the number of packets sent/received can fluctuate from ~350 to ~1050 when loading the same page.

Occasionally several "Ignored Unknown Record" packets will appear too. I'm assuming these are sometimes being decrypted as HTTP/2 packets, and sometimes they're not for some unknown reason.

Link to PCAP File & Key


asked 29 Feb '16, 11:22

r0sscon's gravatar image

accept rate: 0%

The problem is that wireshark fails to detect all TLS records that start in the middle of a TCP segment when segments are lost or arrive out of order or are re-transmitted. The following filter shows all TLS records with a record length of 1424 bytes including those that are not recognized. alt text

It might be worth filing a bug at https://bugs.wireshark.org/bugzilla/
Regards Matthias

permanent link

answered 07 Mar '16, 09:07

mrEEde's gravatar image

accept rate: 20%

Thanks for this, I'd never have guessed that was the problem. I'll raise a bug report for it.

(07 Mar '16, 09:11) r0sscon

WOuld you please accept the answer if it satisfies your question by clicking on the checkmark icon. Thanks

(07 Mar '16, 12:02) mrEEde
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 29 Feb '16, 11:22

question was seen: 957 times

last updated: 07 Mar '16, 12:02

p​o​w​e​r​e​d by O​S​Q​A