tcpdump icon indicating copy to clipboard operation
tcpdump copied to clipboard

Published 20 hours ago verified publisher icon the-tcpdump-group

Question about quic printer

Open fxlb opened this issue 4 years ago • 5 comments

@rpaulo With the attached pcap, tcpdump prints:

$ ./tcpdump -#nv -r merge-request-268-q46_ack.pcapng
reading from file ../pcap-files/wireshark-menagerie/merge-request-268-q46_ack.pcapng, link-type EN10MB (Ethernet), snapshot length 65535
    1  15:15:25.415546 IP (tos 0x0, ttl 63, id 3862, offset 0, flags [DF], proto UDP (17), length 1378)
    185.217.151.45.27940 > 134.148.213.244.443: quic, initial, v51303436, length 3029401132267995136 [|quic]

length 3029401132267995136, really? tshark shows it as GQUIC, You should have a look.

merge-request-268-q46_ack.pcapng.gz

fxlb avatar Nov 17 '21 19:11 fxlb

The printer doesn’t support Google QUIC packets, only IETF QUIC.

rpaulo avatar Nov 17 '21 19:11 rpaulo

Thus, it should display unsupported for such packets.

fxlb avatar Nov 17 '21 19:11 fxlb

Or gquic (unsupported) ...

fxlb avatar Nov 17 '21 19:11 fxlb

Okay, but I wonder if it's worth the effort since in the near future the Google QUIC packet format will go away.

rpaulo avatar Nov 17 '21 19:11 rpaulo

We just don't want print incorrect informations.

fxlb avatar Nov 17 '21 20:11 fxlb