Wireshark question

Discussion in 'other software & services' started by Overkill, Oct 28, 2016.

  1. Overkill

    Overkill Registered Member

    I have been researching how to tell if my browser traffic is truly encrypted, so I installed Wireshark to view my traffic, but I don't see DNS anywhere. I do see that QUIC protocol traffic is encrypted and it's using OpenDNS, so is that my browser traffic? Forgive me if it's a dumb question, I am not very good with networking.
    EDIT: I installed Wireshark on my son's laptop, which doesn't have DNSCrypt, and I can see the DNS protocol and it also shows OpenDNS, which is weird because I am using Yandex DNS for him since it has parental control capabilities... I hope I'm not confusing anyone, I would simply like to visually see/confirm that DNSCrypt is working properly.

    2016-10-28_043543.png
     
    Last edited: Oct 28, 2016
  2. TheWindBringeth

    TheWindBringeth Registered Member

    Thinking out loud while looking over your shoulder... you say you are using DNSCrypt and don't see DNS traffic in the clear (good). OpenDNS supports DNSCrypt, and resolver2.opendns.com [208.67.220.220] looks OK. The DNSCrypt protocol can use UDP on port 443 and that matches. The curious aspect, to me at least, is the protocol being reported as QUIC, which is a somewhat newish Google proposition and not something I associate with DNSCrypt or find mentioned in https://github.com/jedisct1/dnscrypt-proxy/blob/master/DNSCRYPT-V2-PROTOCOL.txt.

    Wireshark has to classify traffic and choose how to present it, sometimes having to distinguish two different protocols which are known to use the same ports and may have other similarities. QUIC is a protocol that uses UDP 443. So my question would be: Is Wireshark misclassifying DNSCrypt protocol as QUIC protocol?

    A quick search turned up a few others mentioning that their DNSCrypt traffic was reported as QUIC in Wireshark.
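
The check discussed above (no DNS in the clear on port 53, UDP 443 going to the configured resolver) can be run over a saved capture without relying on Wireshark's protocol label. This is an added example, not part of the thread: the function names are hypothetical, it assumes a classic little-endian pcap of Ethernet/IPv4 frames, and every address in the sample other than 192.168.1.13 and 208.67.220.220 is constructed. It matches on ports and addresses only, so it shows where the traffic goes, not what protocol is inside it.

```python
import socket
import struct
from collections import Counter

def build_pcap(packets):
    """Constructed sample capture: Ethernet/IPv4/UDP frames, checksums left at 0."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, sport, dport, payload in packets:
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def udp_flows(pcap):
    """Yield (src, dst, sport, dport) for each IPv4/UDP packet in the capture."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    pos = 24                                      # skip the global header
    while pos + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, pos + 8)[0]
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        # need Ethernet + IPv4 + UDP headers, EtherType IPv4, IP protocol 17
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               sport, dport)

def audit(pcap, client, resolver):
    """Count outbound UDP from `client`: cleartext DNS vs. UDP/443 destinations."""
    report = Counter()
    for src, dst, _sport, dport in udp_flows(pcap):
        if src != client:
            continue
        if dport == 53:
            report["plaintext DNS -> " + dst] += 1
        elif dport == 443 and dst == resolver:
            report["UDP/443 -> DNSCrypt resolver"] += 1
        elif dport == 443:
            report["UDP/443 -> other host (possibly QUIC)"] += 1
    return dict(report)

SAMPLE = build_pcap([                             # constructed packets
    ("192.168.1.13", "208.67.220.220", 50001, 443, b"\x00" * 64),
    ("208.67.220.220", "192.168.1.13", 443, 50001, b"\x00" * 64),
    ("192.168.1.13", "208.67.220.220", 50001, 443, b"\x00" * 64),
    ("192.168.1.13", "203.0.113.10", 50002, 443, b"\x00" * 32),
    ("192.168.1.13", "198.51.100.53", 50003, 53, b"\x00" * 28),
])
if __name__ == "__main__":
    print(audit(SAMPLE, "192.168.1.13", "208.67.220.220"))
```

Any "plaintext DNS" entry in the result means a lookup left the machine unencrypted and names the server it went to, which is also how to see which resolver a machine without DNSCrypt is really using.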
     
  3. wat0114

    wat0114 Registered Member

    Anything where the source address is 192.168.1.13 is traffic originating from your machine. As to whether it's from your browser, I can't say for sure. If you captured immediately after launching your browser, then it probably is your browser's traffic.
     
  4. M3gatron

    M3gatron Registered Member

    Wireshark recognizes UDP traffic to or from port 80 or 443 as being QUIC traffic. QUIC runs over UDP, so QUIC packets are normal UDP packets.

    http://networkengineering.stackexch...-quic-and-not-udp-during-capture-in-wireshark
     
  5. Overkill

    Overkill Registered Member

    Here are some new screens... it shows Wilders is encrypted.
    EDIT: I'm thinking the TLS means I'm running in SSL (which is true), and the QUIC is my browser traffic, maybe?
    2016-10-29_190926.png 2016-10-29_191056.png
     
    Last edited: Oct 29, 2016
  6. guest

    guest Guest

    If you're browsing to Wilders with HTTPS, yes:
     