wireshark, http2

Wireshark HTTP2 Prior Knowledge HTTP Request not showing


I ran into a problem and after trying a lot of different things, I didn't know where to turn and just decided to ask the problem here.

I am experimenting with API Injection for a Cybersecurity Project and ran into a problem which I cannot manage to fix on my own.

As already mentioned in the topic, I am trying to capture traffic with wireshark and I was testing it out on a Python HTTP Server which I simply launched with python3 -m http.server.

When I try requesting this HTTP Server, with curl (curl http://localhost:8000 (yes, the port is correct)), I get the request and the response in wireshark. (See picture 1 below).

However, when I try to request it with the flag --http2-prior-knowledge, I can only see the response, and never the request. I am aware that the python server does not use http2 and that this causes a 50x error, however it's weird that I see the response and not the request. (image) (Response is packet 21.) (Don't mind the port 7777 traffic that comes from a 5g service that I am hosting over this VM).

This is the response: (image)

I don't get it. I see the request but not the response. I think that the reason is the http2 prior knowledge, but I want to know how I can actually see the request in the wireshark capture. I only see the 7777 Port activity (which is NRF for 5G), but not the request to 8000, which is where my http server is located. Help is very much appreciated and I hope the situation is understandable despite my frustration.

EDIT:

The original reason why I want to capture traffic is so that I can query an API Endpoint to get 5G Network Functions. The code I run in the cli is: curl -H "Accept: application/json" -X GET --http2-prior-knowledge 'http://127.0.0.10:7777/nnrf-nfm/v1/nf-instances' and I get back a response like: {"_links":{"items":[{"href":"http://127.0.0.10:7777/nnrf-nfm/v1/nf-instances/d39729b0-fd9f-41ee-aea6-e94a977477e0"},{"h...

I know it's working fine, because that is the response I am expecting. However, back in wireshark it is the same story again. (image: wireshark overview response)

I have the response from Packet 1-20. And this is a specific endpoint out of multiple ones, which I tested and got back different responses, with again not capturing the get request.

Do you maybe have any Idea what the reason could be?


Solution

    PRI * HTTP/2.0

    SM


    The block above is the client preface that the client sends to the server.

    It looks like an HTTP/1.1 request, but with a special method PRI, no headers and some content (but no Content-Length). It has been designed in this way for the reasons explained in the specification, see here.

    Without the actual details of the Wireshark capture, it is difficult to say, but my guess is that you get back a 500 response because the server does not support HTTP/2, before the client has a chance to actually send the HTTP/2 request.
    Or perhaps the HTTP/2 request is sent, but it's not decoded properly by Wireshark -- apparently the client does not send the required SETTINGS frame after the client preface (a guess from the last line of the capture).

    Bottom line, the capture shows the preface bytes sent by the client, and it may be that you don't see the request because the client waits for the server to acknowledge that it can speak HTTP/2; however, it receives an HTTP/1.1 response instead, so the client does not even bother sending the HTTP/2 request.

    This looks to me like legit behavior for a client.

    You are trying to make a prior knowledge HTTP/2 request to a server that does not speak HTTP/2, so you must expect errors, including the fact that the request is not sent because the client figures the server does not speak HTTP/2, or the fact that the Wireshark decoder is not able to decode the request because perhaps the required SETTINGS frame is missing, etc.
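The answer's point about the client preface and the SETTINGS frame that must follow it, as an added example that is not code from the question, the answer, curl or Wireshark: a small Python parser for the first bytes a prior-knowledge HTTP/2 client writes, so a capture that carries only the preface can be told apart from a complete opening. The byte samples are constructed, and the helper names are mine.

```python
# Added example: parse the opening bytes of a prior-knowledge HTTP/2 connection.
# Sample byte streams below are constructed, not taken from a capture.

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # RFC 7540 client connection preface
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x7: "GOAWAY", 0x8: "WINDOW_UPDATE"}

def h2_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Build one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + stream_id.to_bytes(4, "big") + payload

def parse_client_opening(data: bytes) -> dict:
    """Report whether the stream starts with the preface, which frames follow it,
    and whether the first frame is the SETTINGS frame RFC 7540 requires."""
    info = {"preface": data.startswith(PREFACE), "frames": [], "settings_first": False}
    if not info["preface"]:
        return info
    off = len(PREFACE)
    while off + 9 <= len(data):                       # every frame has a 9-byte header
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        if off + 9 + length > len(data):
            break                                     # truncated frame: stop instead of misparsing
        info["frames"].append((FRAME_TYPES.get(ftype, f"type_0x{ftype:02x}"), flags, stream_id, length))
        off += 9 + length
    info["settings_first"] = bool(info["frames"]) and info["frames"][0][0] == "SETTINGS"
    return info

def looks_like_http1_response(server_bytes: bytes) -> bool:
    """True when the server answered the preface with an HTTP/1.x status line."""
    return server_bytes.startswith(b"HTTP/1.")

# Constructed sample 1: preface only, the situation the answer suspects for a
# prior-knowledge client talking to a server that only speaks HTTP/1.1.
PREFACE_ONLY = PREFACE

# Constructed sample 2: a complete opening: preface, empty SETTINGS frame, then a
# HEADERS frame on stream 1 whose HPACK payload is ":method GET" and ":path /"
# (static table indices 2 and 4) with flags END_HEADERS | END_STREAM (0x05).
COMPLETE = PREFACE + h2_frame(0x4, 0x0, 0, b"") + h2_frame(0x1, 0x05, 1, b"\x82\x84")

if __name__ == "__main__":
    for name, sample in (("preface only", PREFACE_ONLY), ("complete opening", COMPLETE)):
        print(name, parse_client_opening(sample))
```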