This docker image contains a version of wireshark built to also properly display quantum-safe crypto (QSC) TLS operations.
To this end, it contains references to algorithms supported by liboqs and OQS-OpenSSL from the OpenQuantumSafe project.
The image is based on Ubuntu and requires the host to run the Unix X-Window system.
Execute this command to open the wireshark window on your host:
docker run --net=host --privileged --env="DISPLAY" --volume="$HOME/.Xauthority:/root/.Xauthority:rw" openquantumsafe/wireshark
Then proceed using wireshark as usual, e.g., by selecting a network interface to monitor/dissect.
Note: You may need to grant permissions for Docker to access the X display:
xhost +si:localuser:$USER
At https://test.openquantumsafe.org most quantum-safe algorithms that are still part of the NIST PQC competition are available for TLS interoperability testing.
As a client, we recommend using an OQS-enabled curl docker image that may be executed for a quick initial test as follows:
docker run -it openquantumsafe/curl sh -c "curl -k https://test.openquantumsafe.org:6001 --curves frodo640aes"
For more details regarding the client-side options, we recommend reviewing https://hub.docker.com/repository/docker/openquantumsafe/curl
In order to focus wireshark on the quantum-safe TLS traffic generated by the above curl command, we recommend setting a wireshark display filter as follows:
ip.addr == 149.81.106.123 && tls
which is the current IP address of the OQS interop test server at https://test.openquantumsafe.org.
Other algorithms can be configured for use as per the documentation for OQS-curl and the OQS test server.
When digging into the TLS traffic, the actual quantum-safe KEM algorithm requested can be seen within the Client and/or Server Hello messages (check "TLS->TLSv1.3 Record Layer->Handshake protocol->Extension: key share").
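As an added illustration (not part of the OQS image or its documentation), the following Python function reads the same field from a raw ClientHello handshake message (without the TLS record header) and lists the key share groups it offers. The sample message is constructed, and 0xFE30 is a private-use code point standing in for a quantum-safe group, since the actual OQS code points are not listed here.

```python
import struct

KEY_SHARE = 0x0033  # key_share extension type (RFC 8446)
IANA_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}


def key_share_groups(hello: bytes) -> list[str]:
    """List the key_share groups of a ClientHello; unknown code points as hex."""
    if len(hello) < 4 or hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = hello[4:4 + int.from_bytes(hello[1:4], "big")]
    try:
        pos = 2 + 32                                         # legacy_version, random
        pos += 1 + body[pos]                                 # legacy_session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        if end > len(body):
            raise IndexError("extensions run past the end of the message")
        pos += 2
        groups = []
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == KEY_SHARE:
                shares = body[pos + 2:pos + ext_len]         # skip client_shares length
                i = 0
                while i < len(shares):
                    group, key_len = struct.unpack_from("!HH", shares, i)
                    groups.append(IANA_GROUPS.get(group, f"0x{group:04x}"))
                    i += 4 + key_len
            pos += ext_len
        return groups
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc


def _vec(data: bytes, n: int) -> bytes:
    return len(data).to_bytes(n, "big") + data  # n-byte length prefix


def sample_client_hello() -> bytes:
    """Constructed ClientHello offering x25519 and stand-in group 0xFE30."""
    shares = b"".join(struct.pack("!H", g) + _vec(bytes(n), 2)
                      for g, n in ((0x001D, 32), (0xFE30, 64)))
    exts = struct.pack("!H", KEY_SHARE) + _vec(_vec(shares, 2), 2)
    body = (b"\x03\x03" + bytes(32) + _vec(b"", 1) + _vec(b"\x13\x01", 2)
            + _vec(b"\x00", 1) + _vec(exts, 2))
    return b"\x01" + _vec(body, 3)
```

A group returned as a hex value is one outside the small classical table above, which is what a quantum-safe or hybrid key share looks like to a tool without the OQS algorithm names.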
Note: wireshark might not recognize the TLS traffic as such due to the ports used at the OQS interoperability test server. In that case, enable the port of interest within the wireshark UI by adding it to the "SSL/TLS Ports" list (Edit->Preferences->Protocols->HTTP).