2026-06-02

QUIC and HTTP/3 Packet Capture Troubleshooting: What You Can Still Learn from UDP

How to troubleshoot QUIC and HTTP/3 with packet captures by inspecting UDP flows, handshake timing, connection IDs, loss, fallback, and encrypted traffic boundaries.

PCAP, QUIC, HTTP3, UDP, troubleshooting

QUIC and HTTP/3 make packet capture analysis feel harder because the transport runs over UDP and most application data is encrypted. Engineers who are comfortable with TCP sequence numbers may open a QUIC capture and feel like the useful evidence disappeared.

It did not disappear. The evidence changed.

What a QUIC Capture Can Show

Even without decrypting application data, a PCAP can often show:

  • client UDP packets to port 443
  • server UDP response
  • connection IDs
  • packet sizes
  • handshake timing
  • retransmission-like behavior at UDP packet level
  • path changes
  • fallback to TCP/TLS
  • ICMP errors
  • firewall or NAT drops

If the client sends QUIC Initial packets and the server never responds, the problem may be UDP blocking, server policy, routing, or middlebox behavior. If QUIC fails and the client falls back to TCP/TLS, that fallback is important evidence.

UDP 443 Is Often Blocked Differently from TCP 443

Many networks allow TCP 443 but restrict UDP 443. A site may work over HTTP/2 but fail or degrade over HTTP/3. From the user side, this can look like random browser slowness or connection failure.

Capture questions:

  • did the client attempt UDP 443?
  • did the server reply?
  • did ICMP report unreachable?
  • did the client retry?
  • did the client fall back to TCP 443?
  • how much time was lost before fallback?

This is how a packet capture can prove that "HTTPS works" is not the same as "HTTP/3 works."

QUIC Timing Still Matters

Because QUIC handles reliability inside encrypted UDP packets, classic TCP analysis labels do not apply directly. But packet timing still matters:

  • repeated similar-sized packets
  • gaps before server response
  • bursts after loss
  • changes in packet size
  • migration between paths
  • long delay before fallback

These patterns can support a network diagnosis even without decrypting the stream.

Where PCAP Surgery Fits

PCAP Surgery should help engineers isolate the relevant UDP flow, preserve timing, and prepare a shareable capture. QUIC cases often need context around fallback:

  • DNS query
  • UDP 443 attempt
  • server response or absence
  • TCP 443 fallback
  • TLS handshake after fallback
  • timing impact

If a capture is sanitized, connection IDs and packet sizes may still be useful. Remove them only if privacy policy requires it, and record what changed.

For searches like "QUIC packet capture," "HTTP/3 UDP 443 blocked," or "QUIC fallback to TCP," the answer is not to give up because payload is encrypted. The transport timing and fallback path still tell a useful story.