I have a PCAP file with a number of Google QUIC (GQUIC) packets. However, all of these packets arrived at UDP ports 56285 and 56046. Yet both wireshark and nDPI were able to properly parse these packets.
It is my understanding that only UDP packets arriving at port 80 or 443 can be considered to be QUIC/GQUIC packets.
My question is: how did wireshark and nDPI know that these UDP payloads were GQUIC packets?
The actual QUIC standard doesn't limit the ports that can be used for QUIC, and much like HTTPS, there are plenty of examples in the real world already using them (for example, any Cloudflare endpoint has QUIC on 443, plus a handful of high-ports).
As far as how Wireshark detects QUIC, the packets have a clearly defined header format, so all that is required is to check the packets on arrival, then run through the decryption process. You'll probably notice that Wireshark lets you expand the detail on the initial packets, but not on the rest of the handshake and beyond. This is because the initial packets are just obfuscated with encryption, as the working keys have yet to be derived. Once dervived in the handshake, then Wireshark can no longer decrypt the stream (without providing it the keys).
The standard (https://datatracker.ietf.org/doc/html/rfc9000) is the usual RFC chaff, so not particularly clear, but all the information you need is there, if you feel like putting the effort in to translating it from comittee speak to English ;)
