Wireshark-users: Re: [Wireshark-users] [re-post of my Q on] [ws 3.2.0] QUIC han

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Fri, 3 Jan 2020 14:50:32 +0100

Hi Magesh,

On Wed, Dec 25, 2019 at 01:43:48PM +0530, Magesh Dhasayyan wrote:
> Hi,
> I'm trying to get an understanding of the QUIC protocol using Wireshark
> (and other material from various sources).
> Steps that I followed:
>  1. captured (using tshark) QUIC traffic between a local client server
> (generated using mozilla/neqo, with SSLKEYLOGFILE env to store traffic
> secrets).
>  2. set the captured traffic secrets path in Wireshark preferences
> (Protocols -> TLS [(Pre)-Master-Secret log filename])
>  3. opened the pcap file
> Expected:
>  1. decrypted payloads for QUIC handshakes
>  2. decrypted payloads for subsequent QUIC packets
> Observed:
>  1. [PASS] decrypted payloads for QUIC handshakes
>  2. [FAIL] decrypted payloads for subsequent QUIC packets
> Are there any additional steps that I need to follow to decrypt all QUIC
> packets?
> screenshot showing the issue:

In your screenshot, the visible frames are:

 1. C->S Protected Payload
 2. S->C Handshake, PKN:0, CRYPTO
 3. C->S Handshake, PKN:0, ACK, CRYPTO
 4. S->C Handshake, PKN:1, ACK
 5. C->S Protected Payload
 11. S->C Protected Payload

The selected packet (frame 4) shows that draft 24 is in use. I would
have expected an Initial Packet message to be present. Perhaps frame 1
has additional data.

Do frames 5-11 actually mention that decryption failed? If so, it should
describe the reason. If you were expecting HTTP/3, note that it is still
work in progress, and not supported in the current Wireshark 3.2 release
nor the development version, v3.3.0rc0-225-g76dfe6004b.

For better analysis, please attach the original packet capture and the
SSLKEYLOGFILE file. For the current state of QUIC support in Wireshark,
please refer to
and find capture samples at

For future reference, this is a repost of

Kind regards,
Peter Wu
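
An added example, not part of the original message: a check of an SSLKEYLOGFILE for the TLS 1.3 secrets that protect QUIC Handshake packets (handshake traffic secrets) and 1-RTT packets (application traffic secrets), reported per client random. The sample key log is constructed and the function names are illustrative.

```python
import re
from collections import defaultdict

# NSS key log labels (TLS 1.3) mapped to the QUIC packet type and direction they cover.
LEVELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET": ("0-RTT", "C->S"),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": ("Handshake", "C->S"),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": ("Handshake", "S->C"),
    "CLIENT_TRAFFIC_SECRET_0": ("1-RTT", "C->S"),
    "SERVER_TRAFFIC_SECRET_0": ("1-RTT", "S->C"),
}
# "<LABEL> <client_random: 32 bytes hex> <secret: hex>"
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def coverage(keylog_text):
    """Return {client_random: {(level, direction), ...}} for well-formed lines."""
    seen = defaultdict(set)
    for raw in keylog_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m or m.group(1) not in LEVELS or len(m.group(3)) % 2:
            continue  # malformed line or a label not used here (e.g. EXPORTER_SECRET)
        seen[m.group(2).lower()].add(LEVELS[m.group(1)])
    return dict(seen)


def missing(keylog_text):
    """Return {client_random: sorted list of absent Handshake/1-RTT secrets}."""
    required = {v for v in LEVELS.values() if v[0] != "0-RTT"}
    return {cr: sorted(required - have) for cr, have in coverage(keylog_text).items()}


# Constructed sample, not real key material: the client 1-RTT secret is absent.
CR = "ab" * 32
SAMPLE = "\n".join([
    "# constructed sample",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR} {'11' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR} {'22' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR} {'33' * 32}",
    f"EXPORTER_SECRET {CR} {'44' * 32}",
])

if __name__ == "__main__":
    for cr, gaps in missing(SAMPLE).items():
        print(cr[:16], "missing:", gaps or "nothing")
```

An empty list for a client random means both directions of Handshake and 1-RTT traffic have a logged secret for that connection.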