Hello list,
I'm seeing undissected QUIC data while watching YouTube in the latest
Chrome version 126, using Wireshark 4.2.6 (also tried git master).
First comes a regular QUIC session, which is detected, dissected and
decrypted by Wireshark, but after some time "unknown" UDP traffic
follows to the same destination IP and also UDP port 443, but from
another source port.
The previous connection has DCID=f00edb746f767f8a, and the first packet
of the new connection begins with "xx f1 0e db 74 6f 76 7f 8a", f0 -> f1,
which definitely looks like QUIC.
I thought this may be some kind of 0-RTT connection with third-party key
exchange (as in DNS SVCB/HTTPS), but I don't see any DNS queries other
than A/AAAA.
I guess this is "connection migration" on the same network.
The same issue happens with full QUIC traffic decryption
(SSLKEYLOGFILE). No such behavior in Firefox.
Does anyone have any information or ideas?
PCAP (126 MB):
https://valdikss.org.ru/chrome-youtube-quic-not-dissected.pcapng.gz
Check udp.stream eq 42
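
The correlation described in the post, as an added example (not part of the original message and not Wireshark code): it learns DCIDs from long-header packets and checks whether a short-header packet on another flow carries the same bytes after its first byte, or bytes differing in at most `max_diff` positions. The near-match threshold, the flow labels and the sample payloads are assumptions constructed for illustration; only the two CID byte strings come from the post.

```python
from typing import NamedTuple, Optional

class Match(NamedTuple):
    known_cid: str        # DCID learned from a long-header packet (hex)
    seen_cid: str         # bytes found after the short header's first byte (hex)
    differing_bytes: int  # byte positions where the two differ

def long_header_dcid(payload: bytes) -> Optional[bytes]:
    """DCID of a long-header packet (RFC 8999 layout), or None."""
    if len(payload) < 6 or not payload[0] & 0x80:
        return None
    dcid_len = payload[5]  # byte 0 flags, bytes 1-4 version, byte 5 DCID length
    dcid = payload[6:6 + dcid_len]
    return dcid if dcid_len and len(dcid) == dcid_len else None

def match_short_header(payload, known, max_diff=1) -> Optional[Match]:
    """Best near-match between a short-header packet and the known DCIDs."""
    if not payload or payload[0] & 0x80:
        return None
    best = None
    for cid in known:
        # Short headers carry no CID length, so each known CID supplies its own.
        cand = payload[1:1 + len(cid)]
        if len(cand) != len(cid):
            continue
        diff = sum(a != b for a, b in zip(cand, cid))
        # max_diff > 0 is a heuristic (assumption), not a QUIC rule.
        if diff <= max_diff and (best is None or diff < best.differing_bytes):
            best = Match(cid.hex(), cand.hex(), diff)
    return best

def correlate(packets, max_diff=1):
    """Map flows that never showed a long header to their closest known DCID."""
    known, with_long, hits = set(), set(), {}
    for flow, payload in packets:  # (flow_label, udp_payload) in capture order
        dcid = long_header_dcid(payload)
        if dcid:
            known.add(dcid)
            with_long.add(flow)
        elif flow not in with_long and flow not in hits:
            m = match_short_header(payload, known, max_diff)
            if m:
                hits[flow] = m
    return hits

# Constructed sample payloads; only the two CID byte strings come from the post.
SAMPLE = [
    ("flow-a", bytes.fromhex("c0" "00000001" "08" "f00edb746f767f8a" "00") + bytes(20)),
    ("flow-b", bytes.fromhex("40" "f10edb746f767f8a") + bytes(20)),
    ("flow-c", bytes.fromhex("40" "0102030405060708") + bytes(20)),
]
```

With `max_diff=0` only exact reuse of a known DCID on a new flow is reported, which is the stricter check for connection migration.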