Decrypting QUIC IETF with Wireshark


Aleix Boixader Coma

Nov 17, 2020, 4:56:38 AM
to QUIC Prototype Protocol Discussion group, Bruno Cordero Rangel
Hello,

We would like to be able to read the protected payload of QUIC data frames with Wireshark. We have been looking over the internet but cannot seem to find an updated working solution. We have found information stating that SSLKEYLOGFILE should be used, but we do not seem to get it right.

For these tests we are using Google's implementation h3-29 'quic_server', the google-chrome browser and the 'certs/out/' output.

Thanks,
Aleix Boixader Coma.

David Schinazi

Nov 17, 2020, 3:02:46 PM
to QUIC Prototype Protocol Discussion group, Bruno Cordero Rangel
Hi Aleix,

Unfortunately, Chrome doesn't yet have support for SSLKEYLOGFILE with IETF QUIC.
The bug tracking this feature is https://crbug.com/1101691

Cheers,
David


Robin MARX

Nov 18, 2020, 3:48:14 AM
to QUIC Prototype Protocol Discussion group, dschina...@gmail.com, Bruno Cordero Rangel
Hello Aleix,

There might be alternatives for now depending on your use case:
1) You might get the TLS keys from the server side if you're in control of that yourself. Many QUIC implementations have options for that or even use SSLKEYLOGFILE.
2) You can take a look at chrome://net-export to get a netlog trace. This contains a lot of QUIC-related events that might be sufficient.

You can also load both a decrypted pcap and netlog traces into https://qvis.edm.uhasselt.be/ to get it visualized if that makes things easier to interpret.

With best regards,
Robin

Aleix Boixader Coma

Jan 20, 2021, 8:25:10 AM
to QUIC Prototype Protocol Discussion group, Robin MARX, dschina...@gmail.com, Bruno Cordero Rangel
Hello,

Sorry for the late reply, things got busier and we forgot to give feedback.

Giving a little update on the issue: we were able to decrypt the QUIC traces using SSLKEYLOGFILE once this issue was resolved: https://bugs.chromium.org/p/chromium/issues/detail?id=1101691. Thanks for your kind help.

Once we have the decrypted traces we would like to analyse and visualise them, but we have not been successful with https://qvis.edm.uhasselt.be/. Trying to use the pcapng2qlog program we obtain the following output: "Top level error TypeError: capt.qlog.traces is not iterable", even with different NodeJS versions. We are trying to convert a Wireshark file which had its secrets (key log file) injected with editcap. We have also tried to convert the same file pre-converted to JSON by Wireshark, which produces different errors (we don't exactly know which kind of JSON conversion would be appropriate).

Do you know if there is any "right procedure" to capture, decrypt, convert to qlog and visualize QUIC traces that we could use as a reference?

Thank you very much,
Aleix

Robin MARX

Jan 20, 2021, 8:37:49 AM
to QUIC Prototype Protocol Discussion group, aleix.b...@i2cat.net, Robin MARX, dschina...@gmail.com, Bruno Cordero Rangel
Hello Aleix,

Normally, qvis should support you uploading the .pcap and .keys file separately without errors. .pcapng (keys injected with editcap) should work as well, but is less tested.
However, if you're also getting errors with pcap2qlog, that might indicate a (recent) update to Wireshark broke that tool in a way that we are not yet aware of...

It would really help me if I could get an example of a pcap file that is giving you problems. Could you maybe share one or more of such files?
If you'd rather not share them publicly, you could send them to me personally at robin...@uhasselt.be

Thanks!
Robin

Aleix Boixader Coma

Jan 20, 2021, 9:16:58 AM
to QUIC Prototype Protocol Discussion group, Robin MARX, Aleix Boixader Coma, dschina...@gmail.com, Bruno Cordero Rangel
Hello Robin,

qvis will not allow you to upload a pcapng file. It might, however, allow you to fetch one from a URL; maybe in this way we could be able to "upload" our files. Unfortunately, at the moment I do not know which is the easiest way to do that. Do you have further indications to try that option?

Okay! I have just sent you the file to your email, I hope you can get something out of it. If there's any way I can be helpful let me know.

Thanks!
Aleix

Robin MARX

Jan 26, 2021, 5:42:29 AM
to QUIC Prototype Protocol Discussion group, aleix.b...@i2cat.net, Robin MARX, dschina...@gmail.com, Bruno Cordero Rangel
Hello Aleix,

I indeed misspoke: in qvis you cannot upload a pcapng directly, only load it from a URL after you upload it yourself somewhere.
This mainly has to do with me being too lazy to write a proper upload service. .json and .qlog files are never sent to the server but can be transformed all client-side, but that's not the case for pcaps that need server-side wireshark.
With a URL, the server can perform the download itself, removing the client from the equation.

Anyway, as we've discussed out-of-band via email, I was unable to reproduce your problems when using pcap2qlog directly. All example files transform to qlog correctly here.
For future reference and others, though, it is important to run pcap2qlog with the correct version of Wireshark, as it needs a relatively up-to-date version with proper QUIC support.
The setup used by qvis including proper versions can be found in the dockerfiles at: https://github.com/quiclog/qvis-server/tree/master/system/docker_setup

If anyone down the line has issues with this, please let me know and provide an example pcap(ng) file along with the commands you used and versions of wireshark/nodejs you're running to make support easier.
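As an added example (not code from the thread, from Chromium, or from the qvis project), the capture, key-injection and verification part of the workflow discussed above as a shell script. It checks that the SSLKEYLOGFILE output really holds TLS 1.3 secrets before handing it to editcap, because a key log with only TLS 1.2 style CLIENT_RANDOM lines will not decrypt QUIC in Wireshark. The file names keys.txt, capture.pcap and decrypted.pcapng, the UDP port 443 filter and the capture interface are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumed file names:
# keys.txt (SSLKEYLOGFILE output), capture.pcap, decrypted.pcapng.

# check_keylog FILE
# Succeeds only if FILE contains NSS key log lines with the TLS 1.3 labels
# Wireshark needs for QUIC (handshake/traffic secrets). Prints the number of
# usable lines. CLIENT_RANDOM-only files are rejected: they decrypt TLS 1.2,
# not QUIC.
check_keylog() {
    kl="$1"
    [ -r "$kl" ] || { echo "key log not readable: $kl" >&2; return 1; }
    # Line format: LABEL <client_random, 64 hex chars> <secret, hex>
    n=$(grep -cE '^(CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET) [0-9a-fA-F]{64} [0-9a-fA-F]+$' "$kl") || true
    echo "$n"
    [ "$n" -gt 0 ]
}

# 1) Capture while the client (or a server you control) exports its secrets.
#    Start the browser/server from the same shell so it inherits the variable.
capture_quic() {
    export SSLKEYLOGFILE="$PWD/keys.txt"
    tshark -i any -f "udp port 443" -w capture.pcap
}

# 2) Validate the key log, then embed it in a pcapng. The resulting file
#    decrypts on any recent Wireshark without setting tls.keylog_file, which
#    is what makes it suitable to hand to tools such as pcap2qlog.
inject_keys() {
    check_keylog keys.txt >/dev/null || { echo "no TLS 1.3 secrets in keys.txt" >&2; return 1; }
    editcap --inject-secrets tls,keys.txt capture.pcap decrypted.pcapng
}

# 3) Confirm decryption worked: frame types are only visible once the
#    protected payload has been decrypted. An empty result means the
#    secrets did not match the capture.
show_decrypted() {
    tshark -r decrypted.pcapng -Y "quic.frame_type" -T fields -e quic.frame_type | sort | uniq -c
}
```

Run the three steps in order from the same directory; the functions are plain POSIX sh so they can be sourced into an existing workflow script.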