Wireshark fails to capture TLS packets for IPFS

Hello, I have the following questions while analyzing IPFS data packets: According to the official configuration documentation, IPFS by default uses the TLS encryption protocol for transmission. However, I am unable to capture TLS data packets using Wireshark, whether it is during the initial establishment of connections or while transferring files. My kubo version is v0.22.0, and I attempted to configure it in the configuration file, but it doesn’t seem to be effective.

"Swarm": {
  ...
  "Transports": {
    "Multiplexers": {},
    "Network": {
      "TLS": true
    },
    "Security": {
      "Noise": 300,
      "TLS": 100
    }
  }
}

Here’s the packet I captured.

Swarm.Network.TLS is not a key btw, Swarm.Security.TLS is the only TLS config there.

You can find the list here:

The reason Wireshark can’t parse the TLS is because we have a custom plaintext handshake before TLS.

So there is an extra prefix before doing TLS or noise:

/multistream/1.0.0
/libp2p/simultaneous-connect
/tls/1.0.0

The point is that if the other peer does not support TLS, it can answer you something that means no, and then you propose /noise or fail (in your case the connection would error with a negotiation failure because you disabled noise).

You need to write some Wireshark decoder that understands the multistream protocol and then switches Wireshark’s decoder state to TLS or Noise depending on what has been negotiated.
We used to have one a while ago but it has been written in C and Wireshark doesn’t like merging C code since it’s an unsafe language.
New decoders are written in Lua and I don’t know if we then rewrote it in Lua and it never got merged, or if we didn’t do it, or if it has been merged and you are running an older version of Wireshark.
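The framing behind the prefix described above, as an added example that is not part of the original reply or of the kubo/libp2p code: each multistream-select message is a varint length followed by the text and a newline, and `na` is the refusal. The sample bytes are constructed, and the parser assumes the TCP payload is the plaintext handshake with no other layer encrypting it.

```python
# Added example: multistream-select framing for one direction of a TCP stream.
SECURITY_PROTOCOLS = {"/tls/1.0.0", "/noise"}

def read_uvarint(buf, pos):
    """Decode an unsigned LEB128 varint; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")

def read_frames(buf):
    """Yield (message, end_offset) per length-prefixed, newline-terminated frame."""
    pos = 0
    while pos < len(buf):
        length, body = read_uvarint(buf, pos)
        frame = buf[body:body + length]
        if len(frame) != length or not frame.endswith(b"\n"):
            raise ValueError(f"not a multistream frame at offset {pos}")
        pos = body + length
        yield frame[:-1].decode("utf-8"), pos

def negotiated_security(responder_stream):
    """Return (protocol, offset): offset is the first byte after the responder's
    echo of a security protocol, i.e. where the TLS or Noise handshake starts."""
    for message, end in read_frames(responder_stream):
        if message in SECURITY_PROTOCOLS:
            return message, end
    return None, None

def make_frame(msg):
    """Build one frame (messages here are < 128 bytes, so a 1-byte varint)."""
    data = msg.encode() + b"\n"
    return bytes([len(data)]) + data

# Constructed responder side: accepts multistream, refuses simultaneous-connect
# with "na", echoes /tls/1.0.0, then the first bytes of a TLS handshake record.
SAMPLE = (make_frame("/multistream/1.0.0") + make_frame("na")
          + make_frame("/tls/1.0.0") + bytes.fromhex("160303"))
```

A dissector has to skip to the returned offset before handing the stream to a TLS or Noise decoder; input that is not multistream framing raises `ValueError` instead of being misread.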

Thanks. But I still have some questions that I need your guidance on. I have updated Wireshark to v4.0.6 and modified the config file to its original state. My current experimental environment is with two IPFS nodes under a private network.
Based on what you said, my understanding is that when two nodes establish a connection, they first establish a TCP connection and then negotiate the protocol via a custom plaintext handshake. However, from the packets I have captured, the payload of packets after the three handshakes seems to be encrypted and I am unable to see the protocol negotiation process.
My questions are as follows.

  1. For the timing of the TLS protocol negotiation, is it done when the node starts establishing the connection or when the file is transferred?
  2. How can I make sure that my node supports the TLS protocol? I am not sure whether my node supports the TLS protocol or Wireshark is not able to resolve it.
  3. For the Lua decoder, do I need to write my own, or can I find it on GitHub?
  4. I have seen some discussions about this in the forums: Sane Security Defaults

According to him, Wireshark only seems to see encrypted TCP streams.
I am very grateful for your tuition.

I missed that you were using PNET.
PNET is a symmetric cipher on top of everything.
That means the custom plaintext handshake is encrypted using your PNET key first.
