Open neslog opened 4 years ago
So, I took a look at the pcap and they're using an HTTP upgrade -- have you seen something similar in the wild? I was under the impression that none of the mainstream browsers (Chrome, Firefox, Safari) would negotiate HTTP/2 in the clear.
Also, this is a partial connection that only contains the data payload and not the TCP connection -- Bro/Zeek doesn't even seem to detect this as HTTP 1.x AFAICT, so I think this would fall under the PIA architecture (embedded protocols within protocols) in Zeek, so not sure how to address this if Zeek isn't picking it up as an HTTP 1.x connection ... do you have any pcaps that look similar that I could take a look at?
I was looking at one of the sample pcaps from Wireshark, http2-h2c.pcap. Would you be able to update this plugin to support h2c also?
https://wiki.wireshark.org/HTTP2?action=AttachFile&do=get&target=http2-h2c.pcap
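To make concrete what the thread is discussing, here is an added Python example (not code from this issue, the Zeek HTTP/2 plugin, or the Wireshark sample) that classifies the first bytes of a cleartext TCP stream as plain HTTP/1.x, an HTTP/1.1 `Upgrade: h2c` handshake, or a "prior knowledge" h2c connection that starts directly with the HTTP/2 connection preface. It goes a little beyond the issue's Upgrade case by also covering the prior-knowledge form and the partial-capture case described above, where the stream holds only HTTP/2 frames and neither an HTTP/1.x head nor the preface is present. The byte strings are constructed for illustration, the `HTTP2-Settings` value is a placeholder, and all function names are this example's own.

```python
"""Classify the start of a cleartext stream: HTTP/1.x, HTTP/1.1 -> h2c upgrade
(RFC 7540 section 3.2), or prior-knowledge h2c (RFC 7540 section 3.4).
Example code, not part of the Zeek HTTP/2 plugin."""
import struct

H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # 24-byte client connection preface
FRAME_SETTINGS = 0x4
FRAME_NAMES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x6: "PING", 0x7: "GOAWAY"}
EMPTY_SETTINGS = b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"  # length 0, type SETTINGS, stream 0

# Constructed sample bytes (not from the issue's pcap). The client sends the upgrade
# request, then, once the 101 has arrived, the preface and its SETTINGS frame; in a
# reassembled one-directional stream those simply follow the request head.
SAMPLE_CLIENT_TO_SERVER = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Connection: Upgrade, HTTP2-Settings\r\n"
    b"Upgrade: h2c\r\n"
    b"HTTP2-Settings: AAAAAAAAAAAAAAAA\r\n"   # placeholder base64url SETTINGS payload
    b"\r\n"
    + H2_PREFACE + EMPTY_SETTINGS
)
SAMPLE_SERVER_TO_CLIENT = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Connection: Upgrade\r\n"
    b"Upgrade: h2c\r\n"
    b"\r\n"
    + EMPTY_SETTINGS                           # server preface is a SETTINGS frame
)


def parse_http1_head(data: bytes):
    """Split an HTTP/1.x message head from the bytes after it.
    Returns (start_line, headers, rest) or None when no complete head is present."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = data[:end].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, data[end + 4:]


def parse_frame_header(data: bytes):
    """Decode one 9-byte HTTP/2 frame header: 24-bit length, type, flags, 31-bit stream id."""
    if len(data) < 9:
        return None
    length = int.from_bytes(data[:3], "big")
    ftype, flags, stream_id = struct.unpack("!BBI", data[3:9])
    return {"length": length, "type": ftype, "flags": flags,
            "stream_id": stream_id & 0x7FFFFFFF}


def tokens(value: str) -> set:
    """Comma-separated header value -> lower-cased token set."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def preface_followed_by_settings(data: bytes) -> bool:
    """The client preface must be followed by a SETTINGS frame (possibly empty)."""
    if not data.startswith(H2_PREFACE):
        return False
    frame = parse_frame_header(data[len(H2_PREFACE):])
    return frame is not None and frame["type"] == FRAME_SETTINGS


def classify_client_stream(data: bytes) -> dict:
    """Label the first bytes a client sent on a cleartext connection."""
    if data.startswith(H2_PREFACE):
        return {"mode": "h2c-prior-knowledge",
                "preface_ok": preface_followed_by_settings(data)}
    parsed = parse_http1_head(data)
    if parsed is None:   # no HTTP/1.x head and no preface: e.g. a mid-stream partial capture
        return {"mode": "unknown", "preface_ok": False}
    start_line, headers, rest = parsed
    wants_h2c = ("h2c" in tokens(headers.get("upgrade", ""))
                 and "upgrade" in tokens(headers.get("connection", ""))
                 and "http2-settings" in headers)
    if not wants_h2c:
        return {"mode": "http1", "request": start_line, "preface_ok": False}
    return {"mode": "h2c-upgrade", "request": start_line,
            "preface_ok": preface_followed_by_settings(rest)}


def classify_server_stream(data: bytes) -> dict:
    """Check whether the server accepted the upgrade and began HTTP/2 framing."""
    parsed = parse_http1_head(data)
    if parsed is None:
        return {"switched": False, "first_frame": None}
    status_line, headers, rest = parsed
    switched = (status_line.startswith("HTTP/1.1 101")
                and "h2c" in tokens(headers.get("upgrade", "")))
    frame = parse_frame_header(rest) if switched else None
    return {"switched": switched,
            "first_frame": FRAME_NAMES.get(frame["type"], hex(frame["type"])) if frame else None}


if __name__ == "__main__":
    print("client:", classify_client_stream(SAMPLE_CLIENT_TO_SERVER))
    print("server:", classify_server_stream(SAMPLE_SERVER_TO_CLIENT))
    print("partial:", classify_client_stream(EMPTY_SETTINGS))
```

The "unknown" result for a stream that begins with bare frames is the situation the second comment describes: without the HTTP/1.x head or the preface there is nothing for a signature-based HTTP/1.x or HTTP/2 detector to key on, which is why a plugin would need either dynamic protocol detection on frame structure or a port hint to pick such traffic up.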