How can you determine if a capture contains HTTP/2 frames?

Prepare for the Wireshark Traffic Analysis Exam. Study with flashcards and multiple-choice questions; each question includes hints and explanations. Ace your exam!

Multiple Choice

How can you determine if a capture contains HTTP/2 frames?

Explanation:
The signal you’re looking for is HTTP/2 activity either in the frames themselves or in the TLS handshake that negotiates HTTP/2. HTTP/2 uses a binary framing layer, so when the traffic is readable you’ll see HTTP/2 frames (like HEADERS, DATA, PRIORITY) instead of plain text HTTP/1.1 messages. If the traffic is encrypted, you can still infer HTTP/2 by checking the TLS handshake for an ALPN extension that advertises h2 (and Wireshark will show HTTP/2 when it can identify the frames or has the ALPN hint).

DNS A records aren’t related to the protocol used for the session, HTTP/1.1 status codes belong to negotiations of HTTP/1.1 traffic and aren’t present in HTTP/2 frames, and TLS version 1.3 only tells you about the encryption layer, not which application protocol is being used.
