Wireshark QUIC dissector update!


Alexis La Goutte

Sep 24, 2015, 11:24:44 AM
to proto...@chromium.org
Hi QUIC'ers!

For your information, I have made a big update to the Wireshark QUIC dissector.

It is now possible to decode the QUIC Handshake (CHLO/REJ...) with different tags (SNI, CCS, VER, UAID...).

I have only implemented the tags found when capturing QUIC traffic.

Because it is not easy to tell whether a packet is a QUIC Handshake, there is a quick heuristic that checks whether a CHLO/REJ/SHLO message tag is present in the frame.

It is available in the latest dev release of Wireshark, 1.99.10 (build >= 213).

An example of output:

[Ethernet]
[IP]
QUIC (Quick UDP Internet Connections)
    Public Flags: 0x0d
        .... ...1 = Version: Yes
        .... ..0. = Reset: No
        .... 11.. = CID Length: 8 Bytes (0x03)
        ..00 .... = Sequence Length: 1 Byte (0x00)
        00.. .... = Reserved: 0x00
    CID: 11414687164953879775
    Version: Q025
    Sequence: 1
    Message Authentication Hash: 68d2ea09b2f2616d95c1b8a7
    Private Flags: 0x00
        .... ...0 = Entropy: No
        .... ..0. = FEC Group: No
        .... .0.. = FEC: No
        0000 0... = Reserved: 0x00
    STREAM (Special Frame Type) Stream ID:1, Type: CHLO (Client Hello)
        Frame Type: STREAM (Special Frame Type) (0xa0)
            1... .... = Stream: True
            .0.. .... = FIN: False
            ..1. .... = Data Length: 2 Bytes
            ...0 00.. = Offset Length: 0 Byte (0)
            .... ..00 = Stream Length: 1 Byte (0)
        Stream ID: 1
        Data Length: 1300
        Tag: CHLO (Client Hello)
        Tag Number: 15
        Padding: 0000
        Tag/value: PAD (Padding) (l=1063)
            Tag Type: PAD (Padding)
            Tag offset end: 1063
            [Tag length: 1063]
            Tag/value: 2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d...
            Padding: 2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d...
        Tag/value: SNI (Server Name Indication) (l=14): www.google.com
            Tag Type: SNI (Server Name Indication)
            Tag offset end: 1077
            [Tag length: 14]
            Tag/value: 7777772e676f6f676c652e636f6d
            Server Name Indication: www.google.com
        Tag/value: VER (Version) (l=4) Q025
            Tag Type: VER (Version)
            Tag offset end: 1081
            [Tag length: 4]
            Tag/value: 51303235
            Version: Q025
        Tag/value: CCS (Common Certificate Sets) (l=8)
            Tag Type: CCS (Common Certificate Sets)
            Tag offset end: 1089
            [Tag length: 8]
            Tag/value: 7b26e9e7e45c71ff
            Common certificate sets: 0x7b26e9e7e45c71ff
        Tag/value: MSPC (Max streams per connection) (l=4): 100
            Tag Type: MSPC (Max streams per connection)
            Tag offset end: 1093
            [Tag length: 4]
            Tag/value: 64000000
            Max streams per connection: 100
        Tag/value: UAID (Client's User Agent ID) (l=47): canary Chrome/47.0.2517.0 Windows NT 6.2; WOW64
            Tag Type: UAID (Client's User Agent ID)
            Tag offset end: 1140
            [Tag length: 47]
            Tag/value: 63616e617279204368726f6d652f34372e302e323531372e...
            Client's User Agent ID: canary Chrome/47.0.2517.0 Windows NT 6.2; WOW64
        Tag/value: TCID (Connection ID truncation) (l=4)
            Tag Type: TCID (Connection ID truncation)
            Tag offset end: 1144
            [Tag length: 4]
            Tag/value: 00000000
            Connection ID truncation: 0 (0x00000000)
        Tag/value: PDMD (Proof Demand) (l=4): X509
            Tag Type: PDMD (Proof Demand)
            Tag offset end: 1148
            [Tag length: 4]
            Tag/value: 58353039
            Proof demand: X509
        Tag/value: SRBF (Socket receive buffer) (l=4)
            Tag Type: SRBF (Socket receive buffer)
            Tag offset end: 1152
            [Tag length: 4]
            Tag/value: 00001000
            Socket receive buffer: 1048576 (0x00100000)
        Tag/value: ICSL (Idle connection state) (l=4)
            Tag Type: ICSL (Idle connection state)
            Tag offset end: 1156
            [Tag length: 4]
            Tag/value: 1e000000
            Idle connection state: 30 (0x0000001e)
        Tag/value: SCLS (Silently close on timeout) (l=4)
            Tag Type: SCLS (Silently close on timeout)
            Tag offset end: 1160
            [Tag length: 4]
            Tag/value: 01000000
            Silently close on timeout: 1 (0x00000001)
        Tag/value: COPT (Connection options) (l=0)
            Tag Type: COPT (Connection options)
            Tag offset end: 1160
            [Tag length: 0]
            Tag/value: <MISSING>
        Tag/value: IRTT (Estimated initial RTT) (l=4): 111282
            Tag Type: IRTT (Estimated initial RTT)
            Tag offset end: 1164
            [Tag length: 4]
            Tag/value: b2b20100
            Estimated initial RTT: 111282
        Tag/value: CFCW (Initial session/connection) (l=4): 15728640
            Tag Type: CFCW (Initial session/connection)
            Tag offset end: 1168
            [Tag length: 4]
            Tag/value: 0000f000
            Initial session/connection: 15728640
        Tag/value: SFCW (Initial stream flow control) (l=4): 6291456
            Tag Type: SFCW (Initial stream flow control)
            Tag offset end: 1172
            [Tag length: 4]
            Tag/value: 00006000
            Initial stream flow control: 6291456
    PADDING Length: 18
        Frame Type: PADDING (0x00)
        [Padding Length: 18]
        Padding: 000000000000000000000000000000000000

Cheers,

Wesley Davison

Sep 24, 2015, 12:07:57 PM
to proto-quic
Thank you, Alexis! I am going to use your contribution as soon as possible!

--
Wesley


Ian Swett

Sep 24, 2015, 12:11:48 PM
to proto...@chromium.org
Wow, awesome!  Thanks for all your work.

Jana Iyengar

Sep 24, 2015, 12:52:16 PM
to proto...@chromium.org
That is fantastic!! Thanks for all your work, Alexis!

林清祥

Mar 25, 2016, 1:54:22 AM
to QUIC Prototype Protocol Discussion group, alexis....@gmail.com
Hi Alexis,

I'm not familiar with Wireshark, and I don't know how to clone, build and install Wireshark with the QUIC dissector.
It would be nice if you could guide me through it.

Thanks!

Alexis La Goutte

Mar 25, 2016, 5:34:29 AM
to 林清祥, QUIC Prototype Protocol Discussion group
Hi,

This QUIC dissector enhancement is available in Wireshark 2.0.x: https://www.wireshark.org/download.html

If you use the latest release (Q29/Q30) of QUIC, it is recommended to use a nightly build: https://www.wireshark.org/download/automated/

Cheers

Shuangjiang Li

May 19, 2017, 2:59:38 PM
to QUIC Prototype Protocol Discussion group, alexis....@gmail.com
Here:

    .... 11.. = CID Length: 8 Bytes (0x03)

Is this supposed to be .... 10..? Or do we just count the first '1'?

A bit confused here.
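As an added example (not code from the thread or from Wireshark), the snippet below decodes the two structures this thread walks through: the one-byte public flags field, where the capture's 0x0d has bits 2-3 set to `11` (raw value 0x03, an 8-byte CID, which is what Wireshark prints as `.... 11..`), and the tag/value layout of a CHLO message (message tag, tag count, padding, then a sorted index of tag and cumulative end offset, then the values). Function names and the sample message are constructed for this example; the bit layout is the Q025-era GQUIC one shown in the dissector output.

```python
import struct

# GQUIC (Q025-era) public flags, matching the field breakdown in the capture above.
FLAG_VERSION = 0x01
FLAG_RESET = 0x02
CID_LEN_MASK = 0x0C   # bits 2-3: 00 -> 0, 01 -> 1, 10 -> 4, 11 -> 8 bytes
SEQ_LEN_MASK = 0x30   # bits 4-5: 00 -> 1, 01 -> 2, 10 -> 4, 11 -> 6 bytes
CID_LEN = {0: 0, 1: 1, 2: 4, 3: 8}
SEQ_LEN = {0: 1, 1: 2, 2: 4, 3: 6}

def decode_public_flags(flags):
    """Split the public flags byte into its sub-fields.
    cid_len_field is the raw 2-bit value (0x03 when the CID is 8 bytes)."""
    cid_field = (flags & CID_LEN_MASK) >> 2
    return {
        "version": bool(flags & FLAG_VERSION),
        "reset": bool(flags & FLAG_RESET),
        "cid_len_field": cid_field,
        "cid_len": CID_LEN[cid_field],
        "seq_len": SEQ_LEN[(flags & SEQ_LEN_MASK) >> 4],
    }

def parse_handshake_message(data):
    """Parse a GQUIC crypto handshake message (CHLO/REJ/SHLO).
    Layout: 4-byte message tag, uint16 LE tag count, 2 bytes padding, then
    tag_count entries of (4-byte tag, uint32 LE cumulative end offset), then
    the concatenated values. Offsets are validated so a non-monotonic or
    over-long index is rejected instead of being read past the buffer."""
    msg_tag = data[0:4].decode("ascii")
    (count,) = struct.unpack_from("<H", data, 4)
    index_end = 8 + 8 * count
    if index_end > len(data):
        raise ValueError("tag index runs past end of message")
    values, prev_end = {}, 0
    for i in range(count):
        tag, end = struct.unpack_from("<4sI", data, 8 + 8 * i)
        if end < prev_end or index_end + end > len(data):
            raise ValueError("bad offset end for tag %r" % tag)
        name = tag.rstrip(b"\x00").decode("ascii")   # 3-letter tags are NUL-padded
        values[name] = data[index_end + prev_end:index_end + end]
        prev_end = end
    return msg_tag, values

# Constructed sample CHLO carrying three of the tags seen in the capture above
# (SNI, VER, MSPC); the value bytes match the dissector's Tag/value lines.
SAMPLE_CHLO = (
    b"CHLO" + struct.pack("<HH", 3, 0)
    + b"SNI\x00" + struct.pack("<I", 14)
    + b"VER\x00" + struct.pack("<I", 18)
    + b"MSPC" + struct.pack("<I", 22)
    + b"www.google.com" + b"Q025" + struct.pack("<I", 100)
)
```

Feeding a truncated message (for instance the first 30 bytes of the sample) raises `ValueError` from the index bounds check rather than slicing past the end of the buffer.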