Home > English, work > How to capture and decode HTTP/2 traffic with Wireshark

How to capture and decode HTTP/2 traffic with Wireshark

Last JavaOne I attended ‘HTTP 2.0 – What do I need to know?’, an excellent talk by Hadi Hariri. Many of the solutions of HTTP/2 are solutions to problems I face daily. Since I’m a curious guy I wanted to know what was happening at packet level in this awesomeness. Soon I faced SSL-decoded-packet-problems (in practice all HTTP/2 traffic is encrypted). Hadi mentioned Wireshark had support to solve this problem. He made it sound very easy, but since I wrote this article it was a bit harder.
The method I’ll explain to decode HTTP/2 can also be applied to HTTP/1.1

A little warning : my network/security knowledge is a bit rusty since I’m a Java programmer and don’t do this stuff on a daily basis.

This article is written for Mac (Yosemite) and Firefox (42). But with a but of tuning it should work on other Mac version, Linux and Chrome too.

I won’t introduce HTTP/2. There are plenty of good explanations and when you follow all the links at the Sources-section of this article you should have enough information to understand this article.

Make sure you get HTTP/2

Http/2 should be enabled by default, but when you want to disable it (to show the HTTP/1.1 SSL traffic for example) or have to troubleshoot you might have to change things.

Go to about:config in your location bar and search for ‘spdy.enabled’. In my version of Firefox there are 4 settings, which should all be set to true. When you changed a setting you should restart the browser for the settings to become active.


Now enable the network inspector in Firefox ( alt-command-Q ) and enter https://twitter.com in the location bar.
When you click the first entry (something like ‘200 GET / ‘) you should see HTTP/2.0 at the Version field on the right.


This inspector is of course a great way to analyze your traffic, since it’s in the browser you don’t need to worry about ssl decoding. But I wanted more, the raw decoded HTTP/2 packets. And since Hadi Hariri made it sound very easy I gave it a shot.

Capture the traffic

Wireshark can, of course, be used to capture traffic but I used tcpdump. I had some problems with wireshark. A lot of packets were captured, but I couldn’t find the right ones. I think it should be possible with wireshark, but with tcpdump it was a lot easier for me to direct the output to a file and do some pre-filtering on port 443 (the SSL port).

My starting point was the article ‘Debugging HTTPS or SSL Connections to a Third Party‘ . In theory this method should work for both HTTP/2 and HTTP/1.1, but I think I found an easier method for my purpose.

Run the following commands in a terminal

# let your browser (Chrome and Firefox) know you want to save the keys to disk
export SSLKEYLOGFILE=/tmp/keylog.txt

# start your browser
/Applications/Firefox.app/Contents/MacOS/firefox &
#/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome &

# start the capture (change the interface)
$(which tcpdump) -i ${INTERFACE} -s0 -XX -w /tmp/tcpdump.out port 443 &

The SSLKEYLOGFILE is an environment variable used by both Chrome and Firefox to write the used keys to disk. These keys are used in Wireshark to decode the traffic (it’s called the NSS Key Log Format)

Make sure the INTERFACE variable is right (run ifconfig and look voor the various devices). If your on both a wire and wifi disable one of them since you’re never sure which device is getting the packets. lo0 can be used for local traffic.

When you’re done close your browser. I’m not exactly sure if this is needed, but it gave me more consistent results.

Now kill the capture process :

kill capture :

Load your data in Wireshark

There should be a file at /tmp/keylog.txt and /tmp/tcpdump.out. With these two files you can anlyze the traffic.

Now fire up Wireshark (as of version 2.0.0 XQuartz is gone! So make sure you update Wireshark if you already had it installed).

Load the /tmp/tcpdump.out file. All you will see isn’t very understandable. This is because everything is SSL-encrypted. To decrypt this data go to Preferences > Protocols > SSL and browse for the (Pre)-Master-Secret log filename (/tmp/keylog.txt)


When you click OK the traffic should be decoded immediately. Filter on ‘http2’ and you will see all HTTP/2 packets :


When you click on a packet with HEADERS in the info you will be able to view the HTTP/2 headers.

That’s it, this is how you decode HTTP/2 traffic. This method also applies for HTTP/1.1


Note that if you don’t see all traffic this might be due to the fact that a lot of traffic is QUIC-traffic, to see all HTTP/2 traffic you should disable QUIC. In Google Chrome this can be done at chrome://flags and search for QUIC.


Debugging HTTPS or SSL Connections to a Third Party
NSS Key Log Format
‘HTTP 2.0 – What do I need to know?’ – talk by Hadi Hariri
Wireshark SSL wiki page

Categories: English, work Tags: , , , ,
  1. Octavian
    14 May 2020 at 06:49

    do you know how to have tshark decode http2 traffic (HEADERS and DATA) without the connection setup packets?

    • Jeroen van Wilgenburg
      25 August 2020 at 12:27

      Sorry for the late reply, but I don’t think that’s possible because some security info is exchanged earlier.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: