This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Not Decrypting all HTTP/2 traffic in session.

0

I cannot seem to decrypt every HTTP/2 packet in a given session using my pre-shared keys.

Setup

  1. Set SSLKEYLOGFILE environment variable.
  2. Open Wireshark + Chrome from terminal.
  3. Open desired site in Chrome and watch trace in Wireshark.

Problem

It seems that sometimes all the HTTP/2 packets are decrypted, and then other times only ~half of them are. If I open the Statistics -> HTTP2 dialogue the number of packets sent/received can fluctuate from ~350 to ~1050 when loading the same page.

Occasionally several "Ignored Unknown Record" packets will appear too. I'm assuming these are sometimes being decrypted as HTTP/2 packets, and sometimes they're not for some unknown reason.

Link to PCAP File & Key

https://mega.nz/#!yBk2xaQQ!NYeRXY6vHqOrh0wzndMje5dSf0x6cUTCy75ewJvQ5xc

asked 29 Feb '16, 11:22


r0sscon
6113
accept rate: 0%


One Answer:

1

The problem is that Wireshark fails to detect all TLS records that start in the middle of a TCP segment when segments are lost or arrive out of order or are re-transmitted. The following filter shows all TLS records with a record length of 1424 bytes including those that are not recognized.

It might be worth filing a bug at https://bugs.wireshark.org/bugzilla/
Regards, Matthias

answered 07 Mar '16, 09:07


mrEEde
3.9k152270
accept rate: 20%
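To illustrate the mechanism described in the answer (record boundaries are lost once bytes are missing from the reassembled stream), here is an added Python example that is not part of the original thread and not Wireshark's dissector code: it frames TLS records from a constructed byte stream of 1424-byte application_data records, drops a simulated TCP segment, shows the unframeable tail that corresponds to an "Ignored Unknown Record", and then applies a simple forward resync heuristic. Record sizes, offsets and payload bytes are constructed values.

```python
import struct

# TLS record header: content type (1 byte), protocol version (2), length (2).
HDR = 5
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}   # record-layer versions seen for TLS 1.0-1.2


def looks_like_header(buf, off):
    """Plausibility check a dissector can apply at any byte offset."""
    if off + HDR > len(buf):
        return False
    ctype, ver, length = struct.unpack("!BHH", buf[off:off + HDR])
    return ctype in CONTENT_TYPES and ver in RECORD_VERSIONS and 0 < length <= 2**14 + 2048


def walk_records(buf, resync=False):
    """Frame records back to back. Without resync, the first run of bytes that is
    not a valid header ends parsing (the 'unknown record' case). With resync,
    scan forward for the next plausible header and continue from there."""
    found, off = [], 0
    while off < len(buf):
        if looks_like_header(buf, off):
            ctype, _, length = struct.unpack("!BHH", buf[off:off + HDR])
            found.append((off, CONTENT_TYPES[ctype], length))
            off += HDR + length
            continue
        if not resync:
            found.append((off, "unknown", len(buf) - off))
            break
        start = off
        while off < len(buf) and not looks_like_header(buf, off):
            off += 1
        found.append((start, "unknown", off - start))
    return found


def make_record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def sample_stream(n=4, payload_len=1424):
    """Constructed sample: n application_data records with 1424-byte payloads."""
    return b"".join(make_record(23, bytes([0x41 + i]) * payload_len) for i in range(n))


def drop_bytes(stream, start, size):
    """Model a lost TCP segment: a run of bytes missing from the reassembled stream."""
    return stream[:start] + stream[start + size:]
```

With the intact stream all four records frame cleanly; after dropping 1448 bytes the header of the second surviving record lands mid-payload and everything after it is unframeable until a resync finds the next real header.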

Thanks for this, I'd never have guessed that was the problem. I'll raise a bug report for it.

(07 Mar '16, 09:11) r0sscon

Would you please accept the answer if it satisfies your question by clicking on the checkmark icon. Thanks

(07 Mar '16, 12:02) mrEEde