Wireshark for TLS 1.3 and QUIC – Decrypting and Troubleshooting Encrypted Traffic

1) Introduction

As of 2025, TLS 1.3 and QUIC (HTTP/3) dominate the Internet. Whether it’s Google, YouTube, Zoom, Office 365, or Cloudflare, most web traffic today is encrypted. This is great for security — but it complicates life for network engineers and troubleshooters.

• With TLS 1.2, you could still see certificates, cipher negotiations, and sometimes even decrypted HTTP with the right tools.
• With TLS 1.3, much of the handshake is encrypted after ServerHello.
• With QUIC (HTTP/3), even the transport is no longer TCP, but UDP with built-in TLS 1.3.

👉 So how do you analyze, decrypt, and troubleshoot these modern encrypted protocols with Wireshark?

This article covers:

• TLS 1.3 handshake structure (vs TLS 1.2)
• QUIC + HTTP/3 architecture (and how it carries TLS)
• Live lab: capturing & decrypting traffic with Wireshark
• Troubleshooting methods (handshake failures, blocked QUIC, fallback cases)
• Best practices and advanced tricks

2) Lab Topology (SG)

[ SG-Client Laptop ]
   Hostname: sg-client
   OS: Ubuntu 24.04 / Windows 11
   Browser: Chrome/Firefox (with QUIC enabled)
   Tools: Wireshark, curl, tcpdump

[ SG-Web VM ]
   Hostname: web.sanchitgurukul.xyz
   Public IP: 203.0.113.27
   Services: NGINX + TLS 1.3 + HTTP/3 (QUIC)
   Certificate: Let's Encrypt

©sanchitgurukul

3) TLS 1.3 Deep Dive

🔹 TLS 1.2 Handshake (Old)

• ClientHello → lists ciphers, extensions, version
• ServerHello → picks cipher, sends cert
• Key Exchange → DH/ECDH
• Finished messages

Multiple round trips → higher latency.

🔹 TLS 1.3 Handshake (Modern)

• ClientHello → already carries key share (X25519, etc.), ALPN (h2, h3), SNI (hostname)
• ServerHello → returns chosen cipher & key share
• EncryptedExtensions → further negotiation (encrypted)
• Certificate & Finished → encrypted

⚡ Faster (1-RTT or even 0-RTT with session resumption).
🔒 Certificates visible only in the first full handshake; resumed handshakes hide them.

4) QUIC & HTTP/3 Overview

• Transport over UDP (port 443)
• TLS 1.3 built-in → handshake is carried inside QUIC Initial/Handshake packets
• Reliable, multiplexed streams without TCP
• Connection migration → survive IP changes (e.g., switching from Wi-Fi → 5G)

Wireshark decodes QUIC like this:

QUIC
  Initial Packet
    TLS ClientHello
  Handshake Packet
    TLS ServerHello
  1-RTT Packet
    HTTP/3 Stream Data

5) Capturing in Wireshark

Capture Filters (reduce noise)

• TLS traffic:

      port 443
    

• QUIC only:

      udp port 443
    

• To specific server:

      host 203.0.113.27 and port 443
    

Display Filters (analyze better)

• TLS handshake packets:

      tls.handshake
    

• QUIC handshake only:

      quic.packet_type == 0x7
    

• HTTP/3 after decryption:

      http3
    

6) Decryption in Wireshark

Method A: SSLKEYLOGFILE (most common)

1. On SG-Client, set env var:
2. export SSLKEYLOGFILE=/home/sanchit/sslkeys.log

Windows (PowerShell):

      setx SSLKEYLOGFILE "C:\Users\Sanchit\sslkeys.log"
    

3. Launch Chrome/Firefox with this environment variable set.
4. In Wireshark → Edit → Preferences → Protocols → TLS → (Pre-Master-Secret log filename) → point to sslkeys.log.
5. Start capture.
6. Visit https://sanchitgurukul.xyz.
7. Wireshark can now decrypt HTTP/2 or HTTP/3 traffic!

Method B: OpenSSL tools

      SSLKEYLOGFILE=sslkeys.log curl -vk https://sanchitgurukul.xyz
    

Method C: QUIC Decryption

• QUIC uses the same SSLKEYLOGFILE.
• Wireshark 3.6+ supports QUIC decryption → shows HTTP/3 requests and responses.
• Filter:

      http3
    

7) Hands-On Lab Example (SG)

1. Setup SG-Web (TLS 1.3 + QUIC)

      sudo apt install nginx certbot python3-certbot-nginx
    

      sudo certbot --nginx -d sanchitgurukul.xyz
    

Enable QUIC + HTTP/3 (with nginx-quic): https://quic.nginx.org/

listen 443 quic reuseport;
ssl_protocols TLSv1.3;
ssl_early_data on;
add_header Alt-Svc 'h3=":443"'; # Advertise HTTP/3

4. On SG-Client
   • Set SSLKEYLOGFILE.
   • Open Chrome → https://sanchitgurukul.xyz.
   • In Wireshark, capture udp.port == 443.
5. Verify
   • Look for QUIC Initial → TLS ClientHello.
   • Decrypt with Wireshark → see HTTP/3 GET /.

8) Troubleshooting with Wireshark

9) Advanced Analysis

• ALPN negotiation (Application-Layer Protocol Negotiation): h2, h3 → check in ClientHello.
• SNI (Server Name Indication) → reveals target hostname unless Encrypted SNI is used.
• QUIC Retry Packets → if server validates client IP before full handshake.
• Resumed Sessions → shorter handshake, no cert → need key log for decryption.

10) Security Insights

• Even without decryption, you can:
  • See which hostnames clients talk to (via SNI).
  • See latency between ClientHello and ServerHello.
  • Detect downgrades/fallbacks (QUIC → TLS 1.3 → TLS 1.2).
• With decryption:
  • Inspect HTTP/2 or HTTP/3 headers.
  • Debug app issues (wrong headers, bad redirects, auth problems).

11) Best Practices

• Always capture from the start of the connection (no retroactive decryption).
• Use latest Wireshark (≥ 4.2) for best QUIC support.
• Save sslkeys.log for offline analysis.
• Use capture filters to keep PCAP small:

      tcpdump -i eth0 -w tls-quic.pcapng host 203.0.113.27 and port 443
    

• Be mindful of privacy → sslkeys.log exposes all decrypted traffic.

12) Summary

• TLS 1.3: More secure, faster, but harder to inspect.
• QUIC/HTTP3: TLS over UDP, multiplexed, encrypted by design.
• Wireshark + SSLKEYLOGFILE: lets you decrypt and analyze both TLS 1.3 and QUIC.
• Even without decryption, Wireshark reveals handshake metadata, latency, and failures.
• Essential for network engineers, security analysts, and developers troubleshooting modern apps.

13) Useful Links

https://www.wireshark.org/docs/relnotes

https://sanchitgurukul.com/basic-networking

https://sanchitgurukul.com/network-security