I cannot seem to decrypt every HTTP/2 packet in a given session using my pre-shared keys.

Setup

Problem

It seems that sometimes all the HTTP/2 packets are decrypted, and then other times only ~half of them are. If I open the Statistics -> HTTP2 dialogue the number of packets sent/received can fluctuate from ~350 to ~1050 when loading the same page. Occasionally several "Ignored Unknown Record" packets will appear too. I'm assuming these are sometimes being decrypted as HTTP/2 packets, and sometimes they're not for some unknown reason.

Link to PCAP File & Key

https://mega.nz/#!yBk2xaQQ!NYeRXY6vHqOrh0wzndMje5dSf0x6cUTCy75ewJvQ5xc

asked 29 Feb '16, 11:22 r0sscon
One Answer:
The problem is that Wireshark fails to detect all TLS records that start in the middle of a TCP segment when segments are lost, arrive out of order, or are re-transmitted. The following filter shows all TLS records with a record length of 1424 bytes including those that are not recognized.

It might be worth filing a bug at https://bugs.wireshark.org/bugzilla/

answered 07 Mar '16, 09:07 mrEEde
Thanks for this, I'd never have guessed that was the problem. I'll raise a bug report for it.
Would you please accept the answer if it satisfies your question by clicking on the checkmark icon? Thanks.
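The record-framing issue described in the answer above, shown as an added example that is not part of the original thread and is not Wireshark's dissector code. It is a simplified model: the sequence numbers, the 1460-byte segment size and the payload bytes are constructed, and `per_segment_records` is a hypothetical naive parser included only for contrast with parsing the reassembled stream.

```python
import struct

TLS_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data

def make_record(ctype, payload, version=0x0303):
    """Build one TLS record: 1-byte type, 2-byte version, 2-byte length, payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def walk_records(stream):
    """Return (offset, type, length) for every complete TLS record in a byte stream."""
    found, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        if ctype not in TLS_TYPES or version >> 8 != 3:
            break  # not a record header: framing is lost from here on
        if off + 5 + length > len(stream):
            break  # record continues in bytes we do not have
        found.append((off, ctype, length))
        off += 5 + length
    return found

def reassemble(segments):
    """Order (seq, data) segments, skip retransmitted bytes, stop at the first gap."""
    base = min(seq for seq, _ in segments)
    stream = b""
    for seq, data in sorted(segments):
        rel = seq - base
        if rel > len(stream):
            break  # a segment is missing; later bytes cannot be framed safely
        stream += data[len(stream) - rel:]
    return stream

def per_segment_records(segments):
    """Naive contrast: treat byte 0 of every segment as the start of a record."""
    return sum(len(walk_records(data)) for _, data in segments)

# Constructed sample: three application_data records of 1424 bytes each,
# cut into 1460-byte TCP segments starting at sequence number 5000.
STREAM = b"".join(make_record(23, b"\xaa" * 1424) for _ in range(3))
SEGS = [(5000 + i, STREAM[i:i + 1460]) for i in range(0, len(STREAM), 1460)]
# Arrival order: out of order, with the middle segment retransmitted.
ARRIVED = [SEGS[2], SEGS[0], SEGS[1], SEGS[1]]

if __name__ == "__main__":
    print("records in reassembled stream:", len(walk_records(reassemble(ARRIVED))))
    print("records seen per segment:     ", per_segment_records(ARRIVED))
```

Only the first record begins on a segment boundary, so the per-segment parser sees one record while the reassembled stream yields all three; with the middle segment missing entirely, framing stops at the gap.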