As QUIC has emerged to begin its takeover of the Transport Layer (OK – we will never see TCP totally disappear), I have written multiple articles on QUIC. You can look them over here. In the early days Google made this really easy right within the Chrome web browser. As time has gone on and the IETF has now specified QUIC under their umbrella, troubleshooting QUIC has become quite difficult.
To start, you will need to capture traffic – that means Wireshark, of course. You will also need my QUIC profiles (one has decryption enabled and the other assumes no decryption) – you can find them here. Now we won’t dive into the Wireshark process per se – you can find that information right here. The key will be to capture on one of the endpoints as they will have the necessary decryption keys, or those keys must be provided to you. You can read about this key decryption process in Wireshark right here.
When troubleshooting QUIC traffic, you should approach it differently than traditional TCP/UDP-based protocols due to QUIC’s unique properties:
Key Things to Look for When Troubleshooting QUIC Traffic
1. QUIC Detection and Filtering
- Port Check: QUIC typically runs over UDP port 443, but may use others.
- Protocol ID: In Wireshark, use filter:
quicorudp.port == 443. - Note: ALL QUIC traffic is encrypted, even the handshake is partially encrypted (post v1).
2. Handshake & Version Negotiation
- Look for initial QUIC handshake packets:
Initial,Handshake,0-RTT,1-RTTpackets.
- Version Negotiation:
- Ensure both client and server agree on a supported version.
- Wireshark shows
Version Negotiationif mismatch.
If handshake fails: suspect version mismatch, bad TLS cert, firewall/NAT interference.
3. TLS 1.3 Handshake Within QUIC
- QUIC integrates TLS 1.3 inside the transport.
- Look for
ClientHelloandServerHelloembedded insideInitialpackets. - Validate:
- Cipher suite selection
- Certificate presentation
- Server Name Indication (SNI)
4. Connection IDs & Packet Numbering
- QUIC uses Connection IDs (CID) to allow client/server IP/port changes (mobility).
- Validate:
- CID Consistency: packets in a session should have consistent CID pairs.
- Packet Number Increases: check for gaps or repeats indicating loss or reordering.
5. Stream-Level Behavior
- QUIC multiplexes multiple streams over one connection (like HTTP/2).
- Look for:
- Stream open/close events
- Stream resets (
RESET_STREAM) - Flow control issues (blocked streams)
6. QUIC-Specific Errors
- Look for:
CONNECTION_CLOSEframes (indicate why a connection ended)- Error codes (e.g.,
0x10: INTERNAL_ERROR) - Transport errors vs. Application-layer errors
7. Performance Metrics
- Packet Loss / Retransmissions:
- QUIC uses custom recovery, so no TCP-style retransmits.
- Watch for retransmit behavior, packet pacing, RTT spikes.
- Throughput/Latency:
- QUIC includes its own congestion control (CUBIC or BBR).
- Compare performance against TCP for same flow type.
8. Firewall and NAT Compatibility
- Since it uses UDP, QUIC is more sensitive to middleboxes:
- Firewalls may drop or delay packets.
- NAT timeouts may kill idle connections.
- Check for dropped UDP packets or lack of return traffic.
Tools & Techniques
| Tool | Use |
|---|---|
| Wireshark | Capture and dissect QUIC handshakes and errors |
| Chrome://net-export | Logs QUIC connection state in Chrome |
| qlog/qvis | Visualization and analysis of QUIC logs |
| tcpdump | udp port 443 to isolate QUIC traffic |
| Browser Dev Tools | Use for Alt-Svc header (QUIC indication) |
Common QUIC Troubleshooting Filters (Wireshark)
quic
udp.port == 443
quic.packet_type == 0x0 # Initial
quic.packet_type == 0x1 # 0-RTT
quic.packet_type == 0x2 # Handshake
quic.frame_type == 0x1c # CONNECTION_CLOSE
You will find those in the QUIC profiles I mentioned earlier.
Comments are welcomed below from registered users. You can also leave comments at our Discord server.
If you would like to see more content and articles like this, please support us by clicking the patron link where you will receive free bonus access to courses and more, or simply buying us a cup of coffee!