I cannot seem to decrypt every HTTP/2 packet in a given session using my pre shared keys.
It seems that sometimes all the HTTP/2 packets are decrypted, and then other times only ~half of them are. If I open the Statistics -> HTTP2 dialogue the number of packets sent/received can fluctuate from ~350 to ~1050 when loading the same page.
Occasionally several "Ignored Unknown Record" packets will appear too. I'm assuming these are sometimes being decrypted as HTTP/2 packets, and sometimes they're not for some unknown reason.
Link to PCAP File & Key
asked 29 Feb '16, 11:22
The problem is that wireshark fails to detect all TLS records that start in the middle of a TCP segment when segments are lost or arrive out of order or are re-transmitted. The following filter shows all TLS records with a record length of 1424 bytes including those that are not recognized.
It might be worth filing a bug at https://bugs.wireshark.org/bugzilla/
answered 07 Mar '16, 09:07