This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Unable to decode SPDY traffic

0

I am having trouble decoding SPDY traffic. Looking at the ssl_debug output the packets are getting decrypted correctly but for some reason they are not being decoded properly in the GUI. They are not even being shown decrypted, just listed as "Encrypted Application Data".

I have managed to get this all working for HTTP over SSL and both the HTTP1 and HTTP2 (SPDY) web servers are using the same cipher suite and certificate.

Useful info

Linux Ubuntu 14.10 (utopic) x86_64

Wireshark 1.12.1 (from Ubuntu packages)

pcaps and ssl_debug logs

server key

asked 11 Jan '15, 13:41

robyoung
accept rate: 0%

edited 19 Jan '15, 09:43

Can you please add the server key, so we can do our own experiments with the capture files?

(15 Jan '15, 01:04) Kurt Knochner ♦

@kurt-knochner sorry about that, I've added a link to it.

(19 Jan '15, 09:43) robyoung

One Answer:

0

The problem is that your capture runs on top of port 443 for which the HTTP dissector has registered. If you expand the SSL record tree, you see "Application Data: http".

Luckily, you can override this protocol via the SSL keys UAT (~/.wireshark/ssl_keys). This line works for me (tested with v1.99.1rc0-232-g5e4e17c and v1.99.3rc0-78-g895b013):

"any","443","spdy","server.key",""

You must use port 443; specifying the wildcard * somehow gives precedence to the HTTP dissector.

Side-note: in your specific capture, the ALPN and NPN TLS extensions are advertised by the client, but the server responds only with NPN. The NPN extension merely gives a hint for the selected protocol; it is up to the client to respond with an appropriate protocol response. ALPN, on the other hand, requires exactly one value, and this hint is implemented in this patch (v1.99.3rc0-69-g3222cd1). As ALPN is the successor of NPN, it was not deemed necessary to implement NPN.

answered 10 Feb '15, 07:50

Lekensteyn
accept rate: 30%
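
An added example, not part of the original answer and not Wireshark code: a small Python check that reads ssl_keys entries in the five-field form quoted in the answer and reports why a protocol override on a port may not take effect. The field labels, function names and sample entries are assumptions made for this illustration, and it assumes plain quoted fields without UAT escape sequences.

```python
import csv

# Labels chosen for this example, in the column order of the quoted line:
# "any","443","spdy","server.key",""
FIELDS = ("ip", "port", "protocol", "keyfile", "password")


def parse_ssl_keys(text):
    """Parse ssl_keys text into dicts, skipping blank lines and # comments."""
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    entries = []
    for row in csv.reader(lines, skipinitialspace=True):
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {row!r}")
        entries.append(dict(zip(FIELDS, row)))
    return entries


def check_override(entries, port, wanted):
    """Return findings explaining why `wanted` may not be used on `port`."""
    findings = []
    exact = [e for e in entries if e["port"] == str(port)]
    if not any(e["protocol"].lower() == wanted for e in exact):
        findings.append(f"no entry maps port {port} to {wanted}")
    for e in exact:
        if e["protocol"].lower() != wanted:
            findings.append(f"port {port} is mapped to {e['protocol']}")
    for e in entries:
        # The answer reports that a wildcard port lets HTTP take precedence.
        if e["port"] == "*" and e["protocol"].lower() == wanted:
            findings.append(f"{wanted} entry uses wildcard port '*'")
    return findings


# Constructed sample entries (not taken from the asker's files).
SAMPLE_WORKING = '# constructed sample\n"any","443","spdy","server.key",""\n'
SAMPLE_WILDCARD = '"any","*","spdy","server.key",""\n'
SAMPLE_HTTP = '"any","443","http","server.key",""\n'

if __name__ == "__main__":
    for name, text in [("working", SAMPLE_WORKING),
                       ("wildcard", SAMPLE_WILDCARD),
                       ("http", SAMPLE_HTTP)]:
        print(name, check_override(parse_ssl_keys(text), 443, "spdy"))
```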