Try to capture http3/quic packet but failed #702

yinghli · 2024-12-23T14:15:26Z

yinghli
Dec 23, 2024

I am trying to use ecapture to decrypt http3 packet but failed.
Using below "sudo ecapture tls -m pcap -i ens3 --pcapfile=ecapture.pcapng port 443" command. when I looked at ecapture.pcapng, http2 packet is captured and decrypted, but http3 packet only show as quic header but remaining payload decryption failed.
Anyone have http3 successful packet captured example can be shared?

2024-12-23T14:07:21Z INF AppName="eCapture(旁观者)"
2024-12-23T14:07:21Z INF HomePage=https://ecapture.cc
2024-12-23T14:07:21Z INF Repository=https://github.com/gojue/ecapture
2024-12-23T14:07:21Z INF Author="CFC4N [email protected]"
2024-12-23T14:07:21Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-12-23T14:07:21Z INF Version=linux_amd64:v0.9.1:6.5.0-1025-azure
2024-12-23T14:07:21Z INF Listen=localhost:28256
2024-12-23T14:07:21Z INF eCapture running logs logger=
2024-12-23T14:07:21Z INF the file handler that receives the captured event eventCollector=
2024-12-23T14:07:21Z INF listen=localhost:28256
2024-12-23T14:07:21Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2024-12-23T14:07:21Z INF Kernel Info=6.1.0 Pid=2724
2024-12-23T14:07:21Z INF BTF bytecode mode: CORE. btfMode=0
2024-12-23T14:07:21Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-23T14:07:21Z INF Module.Run()
2024-12-23T14:07:21Z WRN OpenSSL/BoringSSL version not found. error="OpenSSL/BoringSSL version not found" soPath=/usr/lib/x86_64-linux-gnu/libssl.so.3
2024-12-23T14:07:21Z WRN Try to detect libcrypto.so.3. If you have doubts, See #675 for more information.
2024-12-23T14:07:21Z INF Try to detect imported libcrypto.so imported=libcrypto.so.3 soPath=/usr/lib/x86_64-linux-gnu/libcrypto.so.3
2024-12-23T14:07:21Z INF origin versionKey="openssl 3.0.15" versionKeyLower="openssl 3.0.15"
2024-12-23T14:07:21Z INF OpenSSL/BoringSSL version found Android=false library version="openssl 3.0.15"
2024-12-23T14:07:21Z INF HOOK type:Openssl elf ElfType=2 IFindex=2 IFname=ens3 PcapFilter="port 443" binrayPath=/usr/lib/x86_64-linux-gnu/libssl.so.3
2024-12-23T14:07:21Z INF Hook masterKey function Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"]
2024-12-23T14:07:21Z INF target all process.
2024-12-23T14:07:21Z INF target all users.
2024-12-23T14:07:21Z INF setupManagers eBPFProgramType=PcapNG
2024-12-23T14:07:21Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_3_0_0_kern_core.o
2024-12-23T14:07:21Z INF packets saved into pcapng file. pcapng path=/home/yinghli/ecapture.pcapng
2024-12-23T14:07:22Z INF perfEventReader created mapSize(MB)=4
2024-12-23T14:07:22Z INF perfEventReader created mapSize(MB)=4
2024-12-23T14:07:22Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL

cfc4n · 2024-12-23T15:35:23Z

cfc4n
Dec 23, 2024
Maintainer

Please provide complete logs, complete run parameters you removed. Secondly, the picture is incomplete.
You need to first check whether the target domain name supports quic. Use https://http3check.net/ to check it.

3 replies

yinghli Dec 25, 2024
Author

#703 follow this step. using sample http3 client and access https://quic.tech:8443.

Client show HTTP3 connection successfully.

ecapture sudo ./ecapture tls -m pcap -i ens4 port 8443

Consoe log:
2024-12-25T05:56:18Z INF AppName="eCapture(旁观者)"
2024-12-25T05:56:18Z INF HomePage=https://ecapture.cc
2024-12-25T05:56:18Z INF Repository=https://github.com/gojue/ecapture
2024-12-25T05:56:18Z INF Author="CFC4N [email protected]"
2024-12-25T05:56:18Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-12-25T05:56:18Z INF Version=linux_amd64:v0.9.1:6.5.0-1025-azure
2024-12-25T05:56:18Z INF Listen=localhost:28256
2024-12-25T05:56:18Z INF eCapture running logs logger=
2024-12-25T05:56:18Z INF the file handler that receives the captured event eventCollector=
2024-12-25T05:56:18Z INF listen=localhost:28256
2024-12-25T05:56:18Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2024-12-25T05:56:18Z INF Kernel Info=5.10.223 Pid=1784
2024-12-25T05:56:18Z INF BTF bytecode mode: CORE. btfMode=0
2024-12-25T05:56:18Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-25T05:56:18Z INF Module.Run()
2024-12-25T05:56:18Z INF origin versionKey="openssl 1.1.1w" versionKeyLower="openssl 1.1.1w"
2024-12-25T05:56:18Z INF OpenSSL/BoringSSL version found Android=false library version="openssl 1.1.1w"
2024-12-25T05:56:18Z INF HOOK type:Openssl elf ElfType=2 IFindex=2 IFname=ens4 PcapFilter="port 443" binrayPath=/usr/lib/x86_64-linux-gnu/libssl.so.1.1
2024-12-25T05:56:18Z INF Hook masterKey function Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"]
2024-12-25T05:56:18Z INF target all process.
2024-12-25T05:56:18Z INF target all users.
2024-12-25T05:56:18Z INF setupManagers eBPFProgramType=PcapNG
2024-12-25T05:56:18Z INF packets saved into pcapng file. pcapng path=/home/ext_yinghli_google_com/ecapture-v0.9.1-linux-amd64/save.pcapng
2024-12-25T05:56:18Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_1_1j_kern_core.o
2024-12-25T05:56:18Z INF perfEventReader created mapSize(MB)=4
2024-12-25T05:56:18Z INF perfEventReader created mapSize(MB)=4
2024-12-25T05:56:18Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-25T05:56:22Z INF packets saved into pcapng file. count=2
2024-12-25T05:56:36Z INF packets saved into pcapng file. count=9
^C2024-12-25T05:56:43Z INF module close.
2024-12-25T05:56:43Z INF packets saved into pcapng file. count=11
2024-12-25T05:56:43Z INF Module closed,message recived from Context
2024-12-25T05:56:43Z INF iModule module close
2024-12-25T05:56:43Z INF bye bye.
ext_yinghli_google_com@instance-1:~/ecapture-v0.9.1-linux-amd64$ sudo ./ecapture tls -m pcap -i ens4 port 8443
2024-12-25T05:56:48Z INF AppName="eCapture(旁观者)"
2024-12-25T05:56:48Z INF HomePage=https://ecapture.cc
2024-12-25T05:56:48Z INF Repository=https://github.com/gojue/ecapture
2024-12-25T05:56:48Z INF Author="CFC4N [email protected]"
2024-12-25T05:56:48Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-12-25T05:56:48Z INF Version=linux_amd64:v0.9.1:6.5.0-1025-azure
2024-12-25T05:56:48Z INF Listen=localhost:28256
2024-12-25T05:56:48Z INF eCapture running logs logger=
2024-12-25T05:56:48Z INF the file handler that receives the captured event eventCollector=
2024-12-25T05:56:48Z INF listen=localhost:28256
2024-12-25T05:56:48Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2024-12-25T05:56:48Z INF Kernel Info=5.10.223 Pid=1888
2024-12-25T05:56:48Z INF BTF bytecode mode: CORE. btfMode=0
2024-12-25T05:56:48Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-25T05:56:48Z INF Module.Run()
2024-12-25T05:56:48Z INF origin versionKey="openssl 1.1.1w" versionKeyLower="openssl 1.1.1w"
2024-12-25T05:56:48Z INF OpenSSL/BoringSSL version found Android=false library version="openssl 1.1.1w"
2024-12-25T05:56:48Z INF HOOK type:Openssl elf ElfType=2 IFindex=2 IFname=ens4 PcapFilter="port 8443" binrayPath=/usr/lib/x86_64-linux-gnu/libssl.so.1.1
2024-12-25T05:56:48Z INF Hook masterKey function Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"]
2024-12-25T05:56:48Z INF target all process.
2024-12-25T05:56:48Z INF target all users.
2024-12-25T05:56:48Z INF setupManagers eBPFProgramType=PcapNG
2024-12-25T05:56:48Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_1_1j_kern_core.o
2024-12-25T05:56:48Z INF packets saved into pcapng file. pcapng path=/home/ext_yinghli_google_com/ecapture-v0.9.1-linux-amd64/save.pcapng
2024-12-25T05:56:48Z INF perfEventReader created mapSize(MB)=4
2024-12-25T05:56:48Z INF perfEventReader created mapSize(MB)=4
2024-12-25T05:56:48Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-25T05:56:54Z INF packets saved into pcapng file. count=22
^C2024-12-25T05:56:58Z INF module close.
2024-12-25T05:56:58Z INF packets saved into pcapng file. count=22
2024-12-25T05:56:58Z INF Module closed,message recived from Context
2024-12-25T05:56:58Z INF iModule module close
2024-12-25T05:56:58Z INF bye bye.

yinghli Dec 25, 2024
Author

save (1).pcapng.zip

attachment is pcapng file.

yinghli Dec 25, 2024
Author

if I run sudo ./ecapture tls, curl --http2 -svo /dev/null https://quic.tech:8443 will show decryption packet in console as below. go run http3-client.go -url=https://quic.tech:8443 -verbose show nothing on the console.

2024-12-25T06:14:24Z ??? UUID:2099_2099_curl_5_1_10.148.0.6:34052-45.77.96.66:8443, Name:HTTP2Request, Type:2, Length:308

Frame Type => SETTINGS

Frame Type => WINDOW_UPDATE

Frame Type => HEADERS
header field ":method" = "GET"
header field ":path" = "/"
header field ":scheme" = "https"
header field ":authority" = "quic.tech:8443"
header field "user-agent" = "curl/7.74.0"
header field "accept" = "/"

Frame Type => SETTINGS

2024-12-25T06:14:24Z ??? UUID:2099_2099_curl_5_0_10.148.0.6:34052-45.77.96.66:8443, Name:HTTP2Response, Type:4, Length:1276

Frame Type => SETTINGS

Frame Type => WINDOW_UPDATE

Frame Type => SETTINGS

Frame Type => HEADERS
header field ":status" = "200"
header field "server" = "nginx"
header field "date" = "Wed, 25 Dec 2024 06:14:23 GMT"
header field "content-type" = "text/html"
header field "content-length" = "462"
header field "last-modified" = "Fri, 17 Nov 2023 18:43:17 GMT"
header field "etag" = ""6557b445-1ce""
header field "strict-transport-security" = "max-age=31536000; includeSubdomains; preload"
header field "x-content-type-options" = "nosniff"
header field "x-frame-options" = "DENY"
header field "x-xss-protection" = "1; mode=block"
header field "referrer-policy" = "no-referrer"
header field "alt-svc" = "h3=":8443"; ma=86400, h3-29=":8443"; ma=86400"
header field "accept-ranges" = "bytes"

Frame Type => DATA

<link rel="shortcut icon" href="/quic.ico" type="image/x-icon">

<style>
img {
    position: absolute;
    margin: auto;
    top: 0;
    left: 0;
    right: 0;
    bottom: 0;
}
</style>

<title>quic.tech</title>

cfc4n · 2024-12-25T14:23:32Z

cfc4n
Dec 25, 2024
Maintainer

Will the --http2 parameter in this command curl --http2 -svo /dev/null https://quic.tech:8443 establish an http3 quic network link?

Why on the official website of curl, the parameters displayed are indeed --http3 or --http3-only Can you seriously confirm this?

In addition, #703 demonstrates a client written in Golang, which uses goang's own TLS module, and the demonstrated command is ecapture gotls.

However, you started the ecapture tls module, which is used to test the golang client. Isn't it too serious?

1 reply

yinghli Dec 26, 2024
Author

thanks for your patience and explanation.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Try to capture http3/quic packet but failed #702

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 4 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Try to capture http3/quic packet but failed #702

yinghli Dec 23, 2024

Replies: 2 comments · 4 replies

cfc4n Dec 23, 2024 Maintainer

yinghli Dec 25, 2024 Author

yinghli Dec 25, 2024 Author

yinghli Dec 25, 2024 Author

cfc4n Dec 25, 2024 Maintainer

yinghli Dec 26, 2024 Author

yinghli
Dec 23, 2024

Replies: 2 comments 4 replies

cfc4n
Dec 23, 2024
Maintainer

yinghli Dec 25, 2024
Author

yinghli Dec 25, 2024
Author

yinghli Dec 25, 2024
Author

cfc4n
Dec 25, 2024
Maintainer

yinghli Dec 26, 2024
Author