Apparently, Wireshark doesn't thoroughly decrypt HTTP2 traffic

I watched a video on the internet, and captured the network trace. Mozilla DevTools tells me it is an HLS stream, composed of two .m3u8 manifest files, a master and an index, and 18 .ts segments.

But Wireshark decrypts only the last segment. In fact, the filter:

http2.request.full_uri contains ".ts" or http2.request.full_uri contains ".m3u8"

displays only one frame, number 909, containing the segment 0018.ts.
I think that something went wrong with the decryption of the preceding packets, which remained undecrypted and compressed, so the filter could not detect them.

pippuzzo
asked 2023-02-25 17:57:59 +0000

Comments

Can anyone try to duplicate the problem, in order to understand if it depends on my environment, or if it is a constant of Wireshark?
In the meantime, I upgraded to level 4.0.3, but the problem persists.
Moreover, I verified that the problem shows up also with other videos present in the site (https://www.paessler.com/it/support/v...).
For example, with the video "Distributed_monitoring", with the filter [http2.header.value contains ".ts"] (square brackets not needed), Wireshark displays only the segment 9 of 15 (ef460915b6d34df3bf0be4d2319642db-hls_00009.ts).

pippuzzo (2023-02-28 14:25:29 +0000)