6

I have a whole bunch of encrypted QUIC UDP packets I've managed to capture and narrow down from an online game. I believe these are the incoming chat messages.

I'd like to decrypt these packets to see if I can read the raw data being sent. Is this possible? What information/settings do I need?

Connor Bell
  • 1
    Wireshark does not support QUIC decryption at the moment. The drafts at https://tools.ietf.org/wg/quic/ are also not really detailed on the ciphers... Your best chance to understand how it works is probably https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g – Lekensteyn Dec 09 '16 at 20:51
  • @Lekensteyn Cheers, I'll take a look – Connor Bell Dec 09 '16 at 20:53
  • I've read the document and it does not help at all, because it does not give any details... In Wireshark you can just see the CHLO, the REJ from the server and the second CHLO, and the data is encrypted (and you aren't able to see the SHLO) :/ – Sericaia Jan 20 '17 at 16:33

2 Answers

1

For decrypting QUIC packets in the latest Wireshark (not sure if it works in older versions):

  1. Go to Edit->Preferences->Protocols
  2. Select QUIC from the drop-down list
  3. Select "Force decode of all QUIC Payload"

In Wireshark version 3.2.3, at Edit->Preferences->Protocols->QUIC, add the QUIC UDP port. Wireshark will now decode these UDP packets as QUIC packets. It will decode the non-encrypted plain header fields of QUIC; however, the encrypted part of QUIC remains encrypted and is just displayed with the label "remaining payload". These steps are for decoding the header fields of a QUIC UDP packet and not for their decryption.

neutrino
0
  1. In a terminal, type

    export SSLKEYLOGFILE="$HOME/sslkeylogfile.log"
    

    then restart chromium:

    chromium &
    

    Chromium will now save the encryption keys to this file.

  2. In Wireshark,

    Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename:

    $HOME/sslkeylogfile.log
    

    Wireshark will use the keys in this file to decrypt entire packets for TLS / QUIC / HTTP3.

Duane
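
A check that fits between steps 1 and 2 of the answer above, added here as an example and not part of the original answer: it reads a key log file in the NSS key log format and reports, per client random, whether the four TLS 1.3 traffic secrets that QUIC decryption relies on were logged. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that an SSLKEYLOGFILE holds the TLS 1.3 secrets needed
# to decrypt QUIC, per session (sessions are keyed by the client random).
# NSS key log line format: <LABEL> <client_random_hex> <secret_hex>
NEED="CLIENT_HANDSHAKE_TRAFFIC_SECRET SERVER_HANDSHAKE_TRAFFIC_SECRET CLIENT_TRAFFIC_SECRET_0 SERVER_TRAFFIC_SECRET_0"

# Prints "<client_random> ok" or "<client_random> missing:<labels>";
# returns non-zero if any session is incomplete or a line is malformed.
keylog_quic_report() {
  awk -v need_list="$NEED" '
    BEGIN { n = split(need_list, need, " ") }
    /^#/ || NF == 0 { next }                        # comments and blank lines
    NF != 3 || length($2) != 64 || ($2 $3) !~ /^[0-9A-Fa-f]+$/ { bad++; next }
    { if (!($2 in seen)) { seen[$2] = 1; order[++k] = $2 }
      have[$2, $1] = 1 }
    END {
      for (i = 1; i <= k; i++) {
        cr = order[i]; miss = ""
        for (j = 1; j <= n; j++)
          if (!((cr, need[j]) in have))
            miss = miss (miss == "" ? "" : ",") need[j]
        if (miss == "") { print cr, "ok" }
        else { print cr, "missing:" miss; rc = 1 }
      }
      if (bad) { print "malformed_lines", bad; rc = 1 }
      exit rc + 0
    }' "$1"
}

# hex CHAR COUNT: COUNT copies of CHAR, used to build constructed values.
hex() { printf "%${2}s" "" | tr ' ' "$1"; }

# Writes a constructed key log (no real secrets): one complete TLS 1.3
# session and one session that only has a TLS 1.2-style CLIENT_RANDOM line.
make_sample() {
  a=$(hex a 64); b=$(hex b 64)
  {
    echo "# constructed sample"
    for l in $NEED; do echo "$l $a $(hex 0 64)"; done
    echo "CLIENT_RANDOM $b $(hex 1 96)"
  } > "$1"
}

# Demo on the constructed sample; pass your own key log path as $1 instead.
sample=$(mktemp)
make_sample "$sample"
keylog_quic_report "${1:-$sample}" || echo "some sessions lack QUIC secrets"
rm -f "$sample"
```

The key log file contains live session secrets, so keep it readable only by your own user and delete it once the capture has been analysed.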