This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

According to this and this, Wireshark should have a HTTP2 dissector. Since I couldn't found "HTTP2" option under "Protocols", is there a way to install HTTP2 dissector?

I'm using Version 2.2.0 (v2.2.0-0-g5368c50 from master-2.2) on Mac. BTW why don't I have http2 option by default?

Edit

alt text

You can download pcapng file here

The issue is that many HTTP/2 packets are not recognized as HTTP/2, I'd expect to see something like this, which is the output visiting from browser and decrypting using SSLKEYLOG:
alt text

asked 21 Sep '16, 10:12

laike9m's gravatar image

laike9m
11237
accept rate: 0%

edited 24 Sep '16, 04:45

  1. do you use profiles?

  2. if you go to Analyze->Enabled Protocols and fill http into the search field at the bottom, is the HTTP2 above ticked?

(21 Sep '16, 10:20) sindy

If you looked under Preferences for the HTTP2 dissector, you won't find it there because the HTTP2 dissector has no configurable preferences.

You can find protocols at Analyze -> Enabled Protocols..., there I certainly see the HTTP2 dissector. It was already added in Wireshark version 1.12.

permanent link

answered 21 Sep '16, 14:01

Lekensteyn's gravatar image

Lekensteyn
2.2k3724
accept rate: 30%

Thx Lekensteyn, you're right. Do you know how WIreShark recognize HTTP/2 packet? Some of my packets are recognized as HTTP/2 packets, but "TLSv1.2".

(23 Sep '16, 16:41) laike9m

@laike9m You have encrypted HTTP/2 traffic without keys, so Wireshark cannot decrypt it. Look for the "SSLKEYLOGFILE" method to learn more about decrypting such traffic.

(24 Sep '16, 02:30) Lekensteyn

@Lekensteyn Well in fact WireShark can decrypt it(I can see the decrypted data), but just won't dissect it as HTTP/2. I'm going to read some source code to find out.

(24 Sep '16, 02:34) laike9m

Normally, Wireshark indicates the highest layer protocol which it could dissect in the frame. Therefore, if a single http2 pdu is split into several frames, only the last one of them is marked as containing http2, and all the ones before are only marked as containing the transport protocol, which is TLSv1.2 in this case. If this is true, you should see a second tab in the "packet bytes" pane of the frame marked as http2, which has more bytes than the frame, because it contains the http2 payload reassembled from all the frames into which it was split.

(24 Sep '16, 02:44) sindy

@laike9m Wireshark recognizes that some traffic is HTTP/2 based on the indication in the ALPN/NPN TLS Hello Extension (identifier "h2") or using heuristics (a magic string before the body).

(24 Sep '16, 02:47) Lekensteyn

@Lekensteyn ALPN is h2, you can see in the screenshot above.

(24 Sep '16, 02:56) laike9m

@laike9m Could you also upload a capture file? Maybe you have a situation like Sindy described, or you have encountered a bug in the SSL/HTTP2 dissectors.

(24 Sep '16, 03:00) Lekensteyn

@Lekensteyn uploaded.

(24 Sep '16, 03:26) laike9m

@laike9m Do you happen to have the SSL keys (premaster is sufficient, via File -> Export SSL session keys) for this session as well?

(24 Sep '16, 03:38) Lekensteyn

This is the self-gen cert and key that I used, http://www.filedropper.com/certkey. I didn't (and don't want to) visit the server using browser but using a h2 command line tool. Not sure what premaster is but these are all I have, BTW cipher algorithm is AES256-SHA, which I know is not suitable for h2 communication, but I since I don't want to use SSLKEYLOG and browser, I have to use non-DH cipher. But I've also tested the browser&SSLKEYLOG way, WireShark works in this case.

(24 Sep '16, 03:54) laike9m

premaster was the wrong terminology, I meant SSL session keys. With your provided sample pcap and keys I can successfully decrypt and see the HTTP2 packets (tested with Wireshark 2.0.5 and the one from git master). What is exactly the issue you are observing?

(24 Sep '16, 04:07) Lekensteyn

@Lekensteyn In the screenshot I post, HTTP/2 packets are not recognized as HTTP/2, or do you think that's the expected output? See updated question.

(24 Sep '16, 04:41) laike9m

Found a similar issue here: https://ask.wireshark.org/questions/41458/unable-to-decode-http2-traffic, but in version 2.2.0 there's no Enable HTTP2 heuristic option.

(24 Sep '16, 05:42) laike9m

@laike9m The previous heuristics was very weak and got removed in 2.0. It looks like there are issues when you specify "http" as protocol in the RSA keys dialog. Try specifying "http2" instead. Note the "Application Data Protocol" in the SSL tree, if it says "http-over-tls" (or something like that), it seems to have the issue of not invoking the http2 dissector.

(24 Sep '16, 05:53) Lekensteyn

There was a bug that broke ALPN matching, it will be fixed by https://code.wireshark.org/review/17907 (will probably be backported to the next versions, 2.2.1 and maybe 2.0.7).

(24 Sep '16, 06:20) Lekensteyn

@Lekensteyn Yeah specifying http2 works well.

(24 Sep '16, 13:01) laike9m
showing 5 of 16 show 11 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×6

question asked: 21 Sep '16, 10:12

question was seen: 3,738 times

last updated: 24 Sep '16, 13:01

p​o​w​e​r​e​d by O​S​Q​A