HTTP/2 traffic in Wireshark

Since HTTP/2 is supported in Firefox 36 and Wireshark has a partially functional http2 dissector, I thought I'd take a look at what HTTP/2 packets look like in Wireshark. I'm using Kali, where I needed to grab the following:

  • Wireshark dev – 1.99.2
  • Firefox 36

Firefox 36 only speaks HTTP/2 over TLS (TLS 1.2 by default, with the h2 protocol negotiated inside the TLS handshake), so everything on the wire is encrypted. You can confirm a site is using HTTP/2 in the 'Network' tab of Firefox's developer tools (F12), where the protocol version is shown as HTTP/2.0.

[Screenshot: firefox_twitter_http2]

To see these packets in Wireshark you need to point it at the key log file that NSS (Firefox's TLS library) writes when the SSLKEYLOGFILE environment variable is set. Each line of that file holds the master secret of one TLS session, keyed by that session's client random, which is enough for Wireshark to decrypt the TLS records and hand the plaintext to the http2 dissector. Anyone who can read that file can decrypt the same sessions, so keep it owner-readable and delete it when you are done. Here's a quick set-up to get that up and running:

Wireshark

  • cd /opt && wget https://1.eu.dl.wireshark.org/src/wireshark-1.99.2.tar.bz2
  • tar -jxf wireshark-1.99.2.tar.bz2

Install dependencies

  • apt-get install libpcap-dev (the --with-gtk2 build below also needs the GTK+ 2 development headers, libgtk2.0-dev, and a working C toolchain)

Configure and install

  • cd wireshark-1.99.2
  • ./configure --with-gtk2
  • make && make install

Edit /etc/ld.so.conf

Add the line /usr/local/lib (a plain directory path, not an include directive, which only pulls in other config files) so the dynamic linker can find the freshly installed libwireshark and libwiretap.

Then run the command ldconfig

Run Wireshark > wireshark (make install puts it in /usr/local/bin; ./wireshark from the build directory also works)

Firefox

  • cd /opt && wget <URL of the Firefox 36 Linux tarball>
  • tar -jxf firefox-36.0.tar.bz2

Create the key log file and set the SSLKEYLOGFILE environment variable so that NSS appends the secrets of every TLS session Firefox opens to it; Wireshark can then decrypt that traffic.

  • mkdir ~/tls && touch ~/tls/sslkeylog.log
  • export SSLKEYLOGFILE=~/tls/sslkeylog.log

Run Firefox from the same terminal in which you set the environment variable (or add the export to your .bashrc, bearing in mind that every NSS-based program started from your shell will then log its TLS secrets to that file for as long as the line stays there) > ./firefox

Wireshark

Point Wireshark to sslkeylog.log so that it can decrypt TLS traffic. Use the absolute path here (/root/tls is ~/tls when running as root on Kali):

  • Edit -> Preferences -> Protocols -> SSL
  • (Pre)-Master-Secret log filename -> /root/tls/sslkeylog.log

[Screenshot: wireshark_premaster_secret]

Start a new live capture in Wireshark, then in Firefox navigate to an HTTP/2-enabled website, e.g. https://twitter.com, and view the decrypted HTTP/2 packets (display filter: http2).

[Screenshot: wireshark_http2]
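The whole procedure above, wrapped in shell functions, as an added example that is not part of the original post. It creates the key log with owner-only permissions, sets SSLKEYLOGFILE for a single Firefox process rather than the whole shell, checks that the file actually has the format NSS writes (a malformed line means Wireshark silently fails to decrypt that session) and hands it to tshark to list the HTTP/2 frames in a saved capture. The firefox and tshark binaries on PATH, the ssl.keylog_file preference name (Wireshark 1.x/2.x; 3.x renamed it tls.keylog_file) and the sample key log contents are assumptions of this example, not something the post shows.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the post's procedure
# (key log -> Firefox -> Wireshark/tshark) in functions. Assumptions not on the
# original page: firefox and tshark are on PATH, and the preference is named
# ssl.keylog_file (Wireshark 1.x/2.x; 3.x renamed it to tls.keylog_file).

# Create the key log with mode 600: whoever can read it can decrypt the capture.
make_keylog() {   # make_keylog <path>
    mkdir -p "$(dirname "$1")"
    : > "$1"
    chmod 600 "$1"
}

# Start Firefox with SSLKEYLOGFILE set for that one process only, instead of
# exporting it from .bashrc where every NSS program would log its secrets.
run_firefox() {   # run_firefox <keylog> <url>
    SSLKEYLOGFILE="$1" firefox "$2" &
}

# Decrypt a saved capture with the key log and list its HTTP/2 frames.
# http2.type and http2.streamid are fields of the http2 dissector.
decode_http2() {  # decode_http2 <capture.pcap> <keylog>
    tshark -r "$1" -o "ssl.keylog_file:$2" -Y http2 \
        -T fields -e frame.number -e ip.dst -e http2.type -e http2.streamid
}

# NSS writes one secret per line:
#   CLIENT_RANDOM <32-byte client random, hex> <48-byte master secret, hex>
# or, for RSA key exchange in older builds,
#   RSA <first 8 bytes of the encrypted premaster, hex> <48-byte premaster, hex>
# plus '#' comment lines. Returns 0 only if every non-comment line matches,
# 1 on a malformed line, 2 if the file cannot be read.
validate_keylog() {
    [ -r "$1" ] || return 2
    grep -v '^#' "$1" | grep -v '^$' |
        grep -Ev '^(CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96}|RSA [0-9a-fA-F]{16} [0-9a-fA-F]{96})$' \
        >/dev/null && return 1
    return 0
}

# Number of TLS sessions whose secrets are in the log.
count_sessions() {
    grep -c '^CLIENT_RANDOM ' "$1"
}

# Constructed sample data (not a real key log) so the checks run offline.
hexrep() {  # hexrep <16-hex-digit chunk> <repeat count>
    i=0; out=""
    while [ "$i" -lt "$2" ]; do out="$out$1"; i=$((i + 1)); done
    printf '%s' "$out"
}
write_sample_keylog() {
    {
        echo '# SSL/TLS secrets log file (constructed sample)'
        echo "CLIENT_RANDOM $(hexrep 0123456789abcdef 4) $(hexrep 0123456789abcdef 6)"
        echo "CLIENT_RANDOM $(hexrep fedcba9876543210 4) $(hexrep fedcba9876543210 6)"
    } > "$1"
}

demo() {
    tmp=$(mktemp -d)
    write_sample_keylog "$tmp/sample.log"
    if validate_keylog "$tmp/sample.log"; then
        echo "sample key log OK, $(count_sessions "$tmp/sample.log") session(s) logged"
    fi
    rm -rf "$tmp"
    # Real use, after make_keylog "$HOME/tls/sslkeylog.log" and a Wireshark capture:
    #   run_firefox "$HOME/tls/sslkeylog.log" https://twitter.com
    #   validate_keylog "$HOME/tls/sslkeylog.log" && decode_http2 capture.pcap "$HOME/tls/sslkeylog.log"
}
demo
```

Setting the variable on the firefox command line rather than exporting it keeps the secret logging scoped to the one browser you are inspecting; the validate step is worth running before blaming the dissector when nothing decrypts, since a key log that was truncated or written by a different process shows up as unmatched CLIENT_RANDOM lines rather than an error in Wireshark.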
