Now let's dive into the hands-on with Wireshark, using the exercise files below.
LAB-1.rar
LAB-2&3.rar
- Open the LAB-1 PCAP file in Wireshark.
- As we can see in the first and second packets, the client tries to resolve the YouTube domain name via DNS.
- In packet no. 4 we can see the client send a TCP SYN to the YouTube server.
- Now you might be wondering: QUIC runs over UDP, so why are we looking at a TCP SYN? Because the browser first checks whether the web server is able to support QUIC in the first place. Essentially, that is what the client is doing here.
- It goes ahead and sends its TCP SYN; a little further down you can see the SYN-ACK and then the TLS 1.3 Client Hello that starts the TLS handshake. A little below that we can see the Server Hello, and finally, at packet no. 33, you will see the first QUIC protocol packet.

- Now go to the display filter, type `quic` and hit Enter, which brings up only QUIC protocol packets as shown below. Note that all these QUIC packets are encrypted.

- If this traffic were decrypted, you would see QUIC along with HTTP/3.
- Now if we click on the first QUIC packet, we can see the entire packet information for the QUIC protocol below. As shown in the screenshot below, it sits under UDP. Expand everything to understand how QUIC works over the web.

- Now let's analyse further by selecting the second QUIC packet. With the second packet selected, right-click the first packet and select Set/Unset Time Reference, which shows the time difference between packets as shown below.

- As with the first packet, we can also analyse the next handshake as shown below.

- Also, since the decryption key is not loaded in Wireshark, all of the information here is encrypted. After the 3rd packet, which is an acknowledgement, everything from the 4th packet onwards is completely ciphertext. That is, until the connection is established we can understand something from the initial packets, but once it is established everything is encrypted and we need the session keys to decrypt it.
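To see which fields stay readable without the session keys, the following added example (not part of the original lab) parses the cleartext part of a QUIC header from a raw UDP payload. It assumes the QUIC version 1 header layout from RFC 9000, and the sample payloads are constructed for illustration, not taken from the LAB PCAP files.

```python
# Long-header packet types for QUIC version 1 (RFC 9000, section 17.2).
V1_LONG_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}

def read_varint(buf, off):
    """Decode a QUIC variable-length integer (RFC 9000, section 16)."""
    if off >= len(buf):
        raise ValueError("truncated varint")
    size = 1 << (buf[off] >> 6)              # top two bits select 1, 2, 4 or 8 bytes
    if off + size > len(buf):
        raise ValueError("truncated varint")
    raw = int.from_bytes(buf[off:off + size], "big")
    return raw & ((1 << (8 * size - 2)) - 1), off + size

def parse_quic_header(payload):
    """Return the header fields of one UDP payload that are readable without keys."""
    if not payload:
        raise ValueError("empty payload")
    first = payload[0]
    if not first & 0x80:
        # Short header (1-RTT): no version or ID lengths on the wire, payload protected.
        return {"form": "short", "type": "1-RTT"}
    if len(payload) < 7:
        raise ValueError("truncated long header")
    hdr = {"form": "long", "version": int.from_bytes(payload[1:5], "big")}
    off = 5
    for name in ("dcid", "scid"):            # each ID is length-prefixed by one byte
        if off >= len(payload) or off + 1 + payload[off] > len(payload):
            raise ValueError("truncated connection ID")
        n = payload[off]
        hdr[name], off = payload[off + 1:off + 1 + n].hex(), off + 1 + n
    if hdr["version"] == 0:
        hdr["type"] = "Version Negotiation"
    elif hdr["version"] == 1:
        hdr["type"] = V1_LONG_TYPES[(first >> 4) & 0x03]
        if hdr["type"] == "Initial":         # Initial adds a token and a Length field
            hdr["token_len"], off = read_varint(payload, off)
            hdr["length"], off = read_varint(payload, off + hdr["token_len"])
    else:
        hdr["type"] = "unknown"              # other versions may map types differently
    return hdr

# Constructed sample UDP payloads (not taken from the LAB PCAP files).
INITIAL = bytes.fromhex("c3" "00000001" "08" "0102030405060708" "00" "00" "449e") + bytes(16)
HANDSHAKE = bytes.fromhex("e0" "00000001" "00" "08" "a1a2a3a4a5a6a7a8") + bytes(8)
SHORT = bytes.fromhex("40") + bytes(20)

if __name__ == "__main__":
    for pkt in (INITIAL, HANDSHAKE, SHORT):
        print(parse_quic_header(pkt))
```

Long-header packets expose the version and connection IDs, while a short-header packet reveals only its form, which matches what the capture shows once the connection is established.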
