Wireshark-dev: Re: [Wireshark-dev] Dissecting http2 traffic
From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Fri, 15 May 2020 22:40:03 +0200
On Fri, May 15, 2020 at 06:50:18AM +0000, Anders Broman via Wireshark-dev wrote:
> Hi,
> 
> I think there is a demand to dissect http2 traffic where all packets in a
> session is not captured. This is currently not possible.
> 
> As the http2 protocol creates dynamic data for compression/decompression and
> if the packet adding a new index to the index table is not
> 
> Present then that header element can not be decoded in the packet(s) where
> it occurs. Also the nghttp2 library stops processing the
> 
> Header and is left in an error state(I think).
> 
>  
> 
> I have modified the nghttp2 code to handle unknown indexes
> https://github.com/nghttp2/nghttp2/pull/1467 and modified Wireshark to use
> it
> 
> https://code.wireshark.org/review/#/c/37203/ as this pull request is not yet
> accepted and of course no nghttp2 release including it exists, there is
> 
> a problem to get this functionality. Could we roll our own windows version
> of nghttp2 as a start? I have built a modified library for my tests.

I'd suggest to work with upstream nghttp2 to get the patches reviewed
first. The suggested approach of generating a dummy ":Failed deflate"
header seems wrong to me.

Depending on the lost data, it might not be possible to completely
recover. What kind of errors would you like to recover from? Do you have
an example trace? Is it related to
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16496?

Kind regards,
Peter

> Suggestions on how to proceed? For 5G who is a heavy user of http2 I think
> the ability to decode payloads are essential and this is a first step to fix
> that.
> 
> Regards
> 
> Anders