Wireshark mailing list archives
Re: Dissecting http2 traffic
From: Anders Broman via Wireshark-dev <wireshark-dev () wireshark org>
Date: Fri, 15 May 2020 22:24:13 +0000
Hi, Yes it's related to that bug. And if memory serves the trace would illustrate the problem. I don't see how the compression/decompression could recover as in showing the missing header element. I'm not sure I understand what your objection is. Is it in how to present the non decodable element? Alternative solutions welcome. I have pushed the suggested code upstream but no feedback yet. I think it would be of service to the telco community to have an interim solution in Wireshark until we get something from upstream. If that's not acceptable I will use my own branch. Best regards Anders Skickat från Outlook Mobile<https://aka.ms/blhgte> ________________________________ From: Peter Wu <peter () lekensteyn nl> Sent: Friday, May 15, 2020 10:40:03 PM To: Developer support list for Wireshark <wireshark-dev () wireshark org> Cc: Anders Broman <anders.broman () ericsson com> Subject: Re: [Wireshark-dev] Dissecting http2 traffic On Fri, May 15, 2020 at 06:50:18AM +0000, Anders Broman via Wireshark-dev wrote:
Hi, I think there is a demand to dissect http2 traffic where all packets in a session is not captured. This is currently not possible. As the http2 protocol creates dynamic data for compression/decompression and if the packet adding a new index to the index table is not Present then that header element can not be decoded in the packet(s) where it occurs. Also the nghttp2 library stops processing the Header and is left in an error state(I think). I have modified the nghttp2 code to handle unknown indexes https://protect2.fireeye.com/v1/url?k=d2592c57-8cf9ccc9-d2596ccc-86ee86bd5107-f102bcce985b9905&q=1&e=3d077b47-0100-4f28-aa79-f193cfe770be&u=https%3A%2F%2Fgithub.com%2Fnghttp2%2Fnghttp2%2Fpull%2F1467 and modified Wireshark to use it https://code.wireshark.org/review/#/c/37203/ as this pull request is not yet accepted and of course no nghttp2 release including it exists, there is a problem to get this functionality. Could we roll our own windows version of nghttp2 as a start? I have built a modified library for my tests.
I'd suggest to work with upstream nghttp2 to get the patches reviewed first. The suggested approach of generating a dummy ":Failed deflate" header seems wrong to me. Depending on the lost data, it might not be possible to completely recover. What kind of errors would you like to recover from? Do you have an example trace? Is it related to https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16496? Kind regards, Peter
Suggestions on how to proceed? For 5G who is a heavy user of http2 I think the ability to decode payloads are essential and this is a first step to fix that. Regards Anders
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Dissecting http2 traffic Anders Broman via Wireshark-dev (May 14)
- Re: Dissecting http2 traffic Peter Wu (May 15)
- Re: Dissecting http2 traffic Anders Broman via Wireshark-dev (May 15)
- Re: Dissecting http2 traffic Peter Wu (May 15)