the-tcpdump-group / tcpdump

the TCPdump network dissector
https://www.tcpdump.org/

Question about quic printer #959

Open fxlb opened 2 years ago

fxlb commented 2 years ago

@rpaulo With the attached pcap, tcpdump prints:

$ ./tcpdump -#nv -r merge-request-268-q46_ack.pcapng
reading from file ../pcap-files/wireshark-menagerie/merge-request-268-q46_ack.pcapng, link-type EN10MB (Ethernet), snapshot length 65535
    1  15:15:25.415546 IP (tos 0x0, ttl 63, id 3862, offset 0, flags [DF], proto UDP (17), length 1378)
    185.217.151.45.27940 > 134.148.213.244.443: quic, initial, v51303436, length 3029401132267995136 [|quic]

length 3029401132267995136, really? tshark shows it as GQUIC. You should have a look.

merge-request-268-q46_ack.pcapng.gz

rpaulo commented 2 years ago

The printer doesn’t support Google QUIC packets, only IETF QUIC.

fxlb commented 2 years ago

Thus, it should display unsupported for such packets.

fxlb commented 2 years ago

Or gquic (unsupported) ...

rpaulo commented 2 years ago

Okay, but I wonder if it's worth the effort since in the near future the Google QUIC packet format will go away.

fxlb commented 2 years ago

We just don't want to print incorrect information.
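Added example, not part of the thread and not tcpdump's code: one way a dissector could tell Google QUIC from IETF QUIC by the long-header version field (the `v51303436` above is ASCII "Q046") and reject a Length value that cannot fit in the datagram. All function names and sample bytes are constructed for illustration; 1350 is the UDP payload size implied by the IP length of 1378 above, assuming a 20-byte IPv4 header.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum quic_family { QUIC_TRUNCATED, QUIC_SHORT_HDR, QUIC_VERSION_NEG,
                   QUIC_IETF, QUIC_GOOGLE, QUIC_UNKNOWN };

/* Constructed sample headers (not bytes from the attached capture). */
static const uint8_t GQUIC_Q046[] = { 0xc3, 'Q', '0', '4', '6', 0x50 };
static const uint8_t IETF_V1[]    = { 0xc0, 0x00, 0x00, 0x00, 0x01, 0x08 };
static const uint8_t VARINT_2B[]  = { 0x7b, 0xbd };  /* decodes to 15293 */

/* Classify a UDP payload by the version field of a QUIC long header. */
enum quic_family quic_classify(const uint8_t *p, size_t len)
{
    if (len < 1) return QUIC_TRUNCATED;
    if ((p[0] & 0x80) == 0) return QUIC_SHORT_HDR;   /* no version field */
    if (len < 5) return QUIC_TRUNCATED;
    uint32_t v = (uint32_t)p[1] << 24 | (uint32_t)p[2] << 16 |
                 (uint32_t)p[3] << 8 | p[4];
    if (v == 0) return QUIC_VERSION_NEG;
    if (v == 1 || (v & 0xffffff00u) == 0xff000000u) return QUIC_IETF; /* v1, drafts */
    /* Google QUIC versions are ASCII: 'Q' + three digits, e.g. "Q046". */
    if (p[1] == 'Q' && isdigit(p[2]) && isdigit(p[3]) && isdigit(p[4]))
        return QUIC_GOOGLE;
    return QUIC_UNKNOWN;
}

/* Decode an RFC 9000 variable-length integer; -1 if the buffer is too short. */
int64_t quic_varint(const uint8_t *p, size_t len)
{
    if (len < 1) return -1;
    size_t n = (size_t)1 << (p[0] >> 6);             /* 1, 2, 4 or 8 bytes */
    if (len < n) return -1;
    uint64_t v = p[0] & 0x3f;
    for (size_t i = 1; i < n; i++) v = v << 8 | p[i];
    return (int64_t)v;                               /* at most 2^62 - 1 */
}

/* A Length field is believable only if it fits in what follows it. */
int quic_length_plausible(int64_t length, size_t remaining)
{
    return length >= 0 && (uint64_t)length <= remaining;
}

int main(void)
{   /* 1350 = assumed UDP payload size for the packet shown in the issue */
    printf("%d %d\n", quic_classify(GQUIC_Q046, sizeof GQUIC_Q046),
           quic_length_plausible(3029401132267995136LL, 1350));
    return 0;
}
```

A printer using a check like this could emit something such as `gquic (unsupported)` for the `QUIC_GOOGLE` case instead of decoding further.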