Last Updated: 2022-08-27 02:06:54 UTC
by Guy Bruneau (Version: 1)
I have been getting these queries in my honeypot logs since end of December 2021 and decided to a diary on some of these packets using some basic analysis with Wireshark. Handlers have published a few diaries over the years  regarding this protocol. These packets are from censys.io which is a site that provides internet discovery and inventory like Shodan. In my logs, the activity looked like this:
20220822-014547: 192.168.25.9:3389-18.104.22.168:59430 data
PRI * HTTP/2.0
Before I update my Wireshark filter, select HTTP2 and add port TCP/3389, the data looked like some kind of HTTP traffic. The payload appears to indicate it is HTTP/2.0 and the protocol need to be updated with port TCP/3389 in order to parse the packet properly.
Lets update the configuration preferences to view the activity as HTTP/2. To change the preferences select Edit, Preferences, Protocols, HTTP2 and add port 3389 and apply the change:
According to RFC 7540, "All frames begin with a fixed 9-octet header followed by a variable- length payload."
After applying the http2 change to Wireshark, we can now see HTTP2 header corretly decoded as per RFC7540:
This last picture shows the HTTP2 payload decoded as per RFC 7540 above picture with a Stream length of 24 and its 31 bits (all 0) identifier: