Feature #7446
Status: open
Title: add logic to parse QUIC CRYPTO frames and provide a keyword to access the reassembled data
Description
Apologies if this is a duplicate report, I couldn't find anything else when searching.
Currently, we have no method of writing detection on a TLS record when used in QUIC (problematic for protocols such as HTTP/3). QUIC transmits TLS records via numerous 'CRYPTO' frames over multiple QUIC 'Initial' packets, these CRYPTO frames can also be out of order when initially received. Wireshark has a working and reliable (so far) protocol dissector for QUIC that also includes logic to reassemble these CRYPTO frames and provide the reassembled output (in this case, it would be something like a TLS Client Hello or TLS Server Hello).
Wireshark dissector, case where the CRYPTO frame begins getting parsed - https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-quic.c#L2440
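The reassembly the description asks for, as an added example (not Suricata's or Wireshark's code): a small Python reassembler that takes already decrypted Initial packet payloads, collects CRYPTO frames that arrive out of order, rebuilds the contiguous TLS handshake stream and pulls the server_name out of the ClientHello, which is the value the quic.sni keyword mentioned further down exposes. It assumes packet protection has already been removed (deriving the Initial secrets and stripping header protection is out of scope), and the ClientHello bytes and the way they are split across two packets are constructed inline.

```python
"""Reassemble QUIC CRYPTO frames (RFC 9000 section 19.6) from decrypted Initial
packet payloads and extract the SNI from the TLS ClientHello they carry.
Added example; assumes packet protection has already been stripped."""

import struct


def read_varint(buf, pos):
    """Decode a QUIC variable-length integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    length = 1 << (first >> 6)           # top two bits select 1, 2, 4 or 8 bytes
    value = first & 0x3F
    for i in range(1, length):
        value = (value << 8) | buf[pos + i]
    return value, pos + length


def encode_varint(v):
    """Encode a QUIC varint (used only to build the constructed sample frames)."""
    if v < 0x40:
        return bytes([v])
    if v < 0x4000:
        return struct.pack(">H", v | 0x4000)
    if v < 0x40000000:
        return struct.pack(">I", v | 0x80000000)
    return struct.pack(">Q", v | 0xC000000000000000)


def parse_frames(payload):
    """Return [(offset, data)] for every CRYPTO frame; PADDING and PING are skipped."""
    frames, pos = [], 0
    while pos < len(payload):
        ftype, pos = read_varint(payload, pos)
        if ftype in (0x00, 0x01):        # PADDING, PING: no body
            continue
        if ftype == 0x06:                # CRYPTO: offset, length, data
            off, pos = read_varint(payload, pos)
            ln, pos = read_varint(payload, pos)
            frames.append((off, payload[pos:pos + ln]))
            pos += ln
            continue
        raise ValueError(f"frame type 0x{ftype:02x} not handled in this example")
    return frames


class CryptoReassembler:
    """Collect CRYPTO chunks by stream offset; tolerate reordering, duplicates and overlap."""

    def __init__(self):
        self.chunks = {}

    def add(self, offset, data):
        self.chunks[offset] = data

    def contiguous(self):
        """Return the gap-free prefix of the stream assembled so far."""
        buf = bytearray()
        for off in sorted(self.chunks):
            data = self.chunks[off]
            if off > len(buf):           # hole before this chunk: stop here
                break
            if off + len(data) <= len(buf):
                continue                 # entirely retransmitted data
            buf += data[len(buf) - off:]  # append only the new tail of an overlap
        return bytes(buf)


def extract_sni(stream):
    """Return the server_name from a complete ClientHello at the stream start, else None."""
    if len(stream) < 4 or stream[0] != 0x01:          # handshake type ClientHello
        return None
    hs_len = int.from_bytes(stream[1:4], "big")
    if len(stream) < 4 + hs_len:                       # still waiting for more frames
        return None
    ch = stream[4:4 + hs_len]
    p = 2 + 32                                         # legacy_version + random
    p += 1 + ch[p]                                     # legacy_session_id
    p += 2 + struct.unpack(">H", ch[p:p + 2])[0]       # cipher_suites
    p += 1 + ch[p]                                     # compression_methods
    ext_len = struct.unpack(">H", ch[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack(">HH", ch[p:p + 4])
        p += 4
        edata = ch[p:p + elen]
        p += elen
        if etype == 0:                                 # server_name extension
            q = 2                                      # skip ServerNameList length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack(">H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                         # host_name
                    return edata[q:q + nlen].decode("ascii")
                q += nlen
    return None


def build_client_hello(sni):
    """Constructed minimal TLS 1.3 ClientHello carrying only an SNI extension."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    sni_list = struct.pack(">H", len(entry)) + entry
    ext = struct.pack(">HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x13\x01"                      # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                              # null compression
            + struct.pack(">H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def crypto_frame(offset, data):
    return b"\x06" + encode_varint(offset) + encode_varint(len(data)) + data


def demo():
    """Second half of the ClientHello arrives first; SNI is only available once both are in."""
    hello = build_client_hello("example.com")
    pkt_a = crypto_frame(25, hello[25:]) + b"\x00" * 8   # later chunk, trailing PADDING
    pkt_b = crypto_frame(0, hello[:25]) + b"\x01"        # first chunk, trailing PING
    r, seen = CryptoReassembler(), []
    for pkt in (pkt_a, pkt_b):
        for off, data in parse_frames(pkt):
            r.add(off, data)
        seen.append(extract_sni(r.contiguous()))
    return seen                                          # [None, "example.com"]


if __name__ == "__main__":
    print(demo())
```

The reassembler deliberately returns only the gap-free prefix, so a detection engine keyed on it never matches on a ClientHello whose middle chunk has not arrived; a real implementation would additionally bound the buffered bytes per connection and per encryption level, since unbounded out-of-order buffering is a memory exhaustion vector.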
Updated by James Emery-Callcott 18 days ago · Edited
semi-relevant https://redmine.openinfosecfoundation.org/issues/4985
Updated by James Emery-Callcott 16 days ago
can probably close this out :) Chris W discovered quic.sni exists, it just wasn't documented