Skip to content
Christian Huitema edited this page Jan 10, 2022 · 120 revisions

This is a listing of tools for analysing, debugging and visualising QUIC (and potentially the HTTP mapping). See also the Implementations listing.

Wireshark

Wireshark has a GQUIC decoder1 and IETF-QUIC decoder. HTTP analysis is possible via integration with the HTTP/2 decoder. http3 is in development. To enable handshake/payload decryption, use a Wireshark version that matches the QUIC version:

# First Wireshark version Last WS version notes
-33 v3.5.0rc0-411-g01e64f996bfb Quic v1 final constants. Back-ported to 3.4.x
-32 v3.3.2rc0-159-ge6adc940ac5c Done (no packet changes)
-31 v3.3.1rc0-81-gec7c5699a711 Done (no packet changes)
-30 v3.3.0rc0-2026-g889dd0cbfbc7 Done (no packet changes)
-29 v3.3.0rc0-1373-g9d24072 Done
-28 v3.3.0rc0-1246-g2b9796adc6 Done
-27 v3.3.0rc0-572-ge4138a3b98 / 3.2.2 Done
-26 v3.3.0rc0-572-ge4138a3b98 / 3.2.2 No wire changes.
-25 v3.3.0rc0-452-gddc03b8c87 / 3.2.2 Done
-24 v3.1.2rc0-16-g71e03ef042 Done
-23 v3.1.1rc0-323-gf95d3a6 Done
-22 v3.1.0rc0-1289-g3967f60 Done
-21 v3.1.0rc0-1288-gbafe354 Done
-20 v3.1.0rc0-615-g28773689e0 / 3.0.2 3.0.x / v3.1.0rc0-1286-gb2a437e Done.
-19 v3.1.0rc0-520-ga65f7f5838 / 3.0.2 3.0.x / v3.1.0rc0-1286-gb2a437e Done.
-18 v2.9.1rc0-487-gd486593ce3 3.0.x / v3.1.0rc0-1285-g954b958aa1 Done since v2.9.1rc0-500-g064a5c90ca
-17 v2.9.1rc0-332-ga0b9e8b652 3.0.x / v3.1.0rc0-1285-g954b958aa1 Done since v2.9.1rc0-456-g19630453bf
-16 v2.9.1rc0-100-g0964b04ee3 v2.9.1rc0-331-gf1fa8df324 Compatible with -15 (no packet change)
-15 v2.9.0rc0-2528-g9bd1c8f155 v2.9.1rc0-331-gf1fa8df324 Available on 2.9.0
-14 v2.9.0rc0-1858-g0aaaa49af3 v2.9.1rc0-108-g075785bd20 Done.
-13 v2.9.0rc0-1850-g2fd42045f5 v2.9.1rc0-100-g0964b04ee3 Decryption updated.
-12 v2.9.0rc0-1816-g81710c7d3c v2.9.0rc0-1863-g7b65208ef3 Last draft to use TLS Exporter Secret.
-11 v2.9.0rc0-291-gee3bc52192 v2.9.0rc0-1829-g1d2fd4f411 +Connection migration (untested)
-10 v2.9.0rc0-200-g88435354c0 v2.9.0rc0-1779-g351ea5940e
-09 v2.5.2rc0-68-geea63ae2a7 2.6.x / v2.9.0rc0-173-g71ddbb69f5 Supports payload decryption (-09)
-08 ? v2.9.0rc0-173-g71ddbb69f5

Automated builds (macOS and Windows): https://www.wireshark.org/download/automated/
Upstream bug (with sample captures/keys): https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13881 (QUIC) / https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16761 (HTTP/3)
Patches under review: https://code.wireshark.org/review/#/q/status:open+branch:master+topic:QUIC

Payload decryption (>= draft -13) requires QUIC/TLS 1.3 traffic secrets following the SSLKEYLOGFILE key log file format. OpenSSL supports this via its keylog callback.

If your QUIC traffic is not properly detected by Wireshark, note that:

  • Wireshark uses a heuristics approach to detect QUIC based on the version number. If you use an experimental version number, it might not be detected as QUIC traffic.
  • Dissectors using a standard port (such as 44818 for EtherNet-IP-2) usually takes precedence.
  • To solve this, explicitly use Decode As QUIC via the GUI or via the command line option -dudp.port==443,quic.
  • If you use non-standard draft version numbers in the version field, Wireshark will assume the latest draft version.

1Wireshark is not capable of decrypting GQUIC packets itself, even if NSS Keylogging has been configured. However, if a decrypted trace is supplied to Wireshark it will correctly dissect GQUIC if the "Force decrypt" option is enabled in the Settings.

Wireshark draft support

General issues
To-do items for draft -30 completion (completed)

https://gitlab.com/wireshark/wireshark/-/merge_requests/211

To-do items for draft -29 completion (completed)
  • Rename SERVER_BUSY (0x2) -> CONNECTION_REFUSED_ERROR transport error code
  • Update initial Salt

https://code.wireshark.org/review/37262

To-do items for draft -28 completion (completed)
To-do items for draft -27 completion (completed)
To-do items for draft -25 completion (completed)
To-do items for draft -24 completion (completed)
To-do items for draft -23 completion (completed)
To-do items for draft -22 completion (completed)
To-do items for draft -21 completion (completed)
To-do items for draft -20 completion (completed)
To-do items for draft -19 completion (completed)
  • Removal of VERSION_NEGOTIATION_ERROR (0x9) error code.
  • Removal of QuicVersion fields in TransportParameters. https://code.wireshark.org/review/32833
  • idle_timeout (0x0001) was changed from seconds to milliseconds.
To-do items for draft -18 completion (completed)
To-do items for draft -17 completion (completed)
To-do items for draft -16 completion (completed)
To-do items for draft -15 completion (completed)
To-do items for draft -14 completion (completed)
To-do items for draft -13 completion (more or less complete)
To-do items for draft -12 completion (completed and obsolete)
To-do items for draft -11 completion (completed and obsolete)

QUIC Tracker is a test suite for IETF-QUIC. It exchanges packets with IETF-QUIC implementations to verify whether an implementation conforms with the IETF specification. The test suite is consisting of several test scenarii. Each of them tests a particular feature of the QUIC protocol. The test suite runs daily, and its results are available on its website.

It currently supports QUIC draft-28.

qvalve

qvalve can predictably impair QUIC flows, by dropping, reordering or duplicating individual packets and sequences of packets. It is a non-transparent UDP proxy that should be interposed between a QUIC client and a QUIC server. The behavior of qvalve is configured with rules specified in a simple language.

The "Spindump" tool is a Unix command-line utility that can be used for latency monitoring in traffic passing through an interface. The tool performs passive, in-network monitoring. It is not a tool to monitor traffic content or metadata of individual connections, and indeed that is not possible in the Internet as most connections are encrypted. The tool looks at the characteristics of transport protocols, such as the QUIC Spin Bit, and attempts to derive information about round-trip times for individual connections or for the aggregate or average values. The tool supports TCP, QUIC, COAP, DNS, and ICMP traffic, as well as both IPv4 and IPv6.

  • Language: C
  • Version: google QUIC, draft-16, draft-17, draft-18, draft-19, draft-20, draft-21, draft-22, draft-23, draft-24, draft-25
  • Roles: in-network tool
  • Handshake: QUIC only, does not peek into TLS or HTTP messaging inside
  • Protocol IDs: 0x00000001 0xff000010, 0xff000011, 0xff000012, 0xff000013, 0xff000014, 0xff000015, 0xff000016, 0xff000017, 0xff000018,0xff000019,0x50435131, etc.
  • Public server: n.a.

h2load is load testing tool and now experimentally supports HTTP/3.

  • Language: C++
  • Version: v1
  • Roles: client
  • Handshake: TLS 1.3
  • Protocol IDs: 0x00000001
  • ALPN: h3

qlog is a standard logging format for QUIC and HTTP/3. It is based on JSON to be both human and machine-readable. It is currently supported by over half of current QUIC implementations.

Toolsuite for visualizing QUIC+HTTP/3 qlog and pcap files. Includes a sequence diagram, congestion graph, multiplexing diagram and packetization visualization.

Simulation framework for automated benchmarking of QUIC implementations. Allows extensive network simulations using ns-3.

Source code: https://github.com/marten-seemann/quic-network-simulator/

Interoperability testing framework. Allows running automated tests between different QUIC implementations.

Over the net fuzzing of QUIC servers or clients. Fuzi_q can be used as a client to test a QUIC server, or as a server to test a QUIC client.

Fuzi_q started from the testsuite of picoquic. Fuzi_q hooks into the Picoquic stack, catching messages just before they would be encrypted and fuzzing them. It tries to do that intelligently. For each connection, Fuzi_q determines an encryption point, such as "the initial messages ave been processed", or "the handshake is confirmed", or "the connection is closing". The connection progresses up to that state, and then packets are fuzzed. The fuzzing itself is based on knowledge of the QUIC protocol. The fuzzer might modify QUIC frames, or insert randomly chosen QUIC frames in the packets. The procedures implemented in the initial version are simple, there is clearly room for more sophistication. Suggestions are welcome.

Clone this wiki locally