analyzer: make http3/quic handling more reliable

analyzer/udp/internal/quic/header.go

@@ -47,9 +47,6 @@ func parseLongHeader(b *bytes.Reader) (*Header, error) {
 		return nil, err
 	}
 	h.Version = ver
-	if h.Version != 0 && typeByte&0x40 == 0 {
-		return nil, errors.New("not a QUIC packet")
-	}
 	destConnIDLen, err := b.ReadByte()
 	if err != nil {
 		return nil, err

analyzer/udp/quic.go

@@ -40,6 +40,7 @@ func (a *QUICAnalyzer) NewUDP(info analyzer.UDPInfo, logger analyzer.Logger) ana
 type quicStream struct {
 	logger       analyzer.Logger
 	invalidCount int
+	debugCount   int
 	frames       map[int64][]byte
 	maxEnd       int64
 }
@@ -55,6 +56,10 @@ func (s *quicStream) Feed(rev bool, data []byte) (u *analyzer.PropUpdate, done b
 		if errors.Is(err, quic.ErrNotInitialPacket) {
 			return nil, false
 		}
+		if s.debugCount < 4 {
+			s.logger.Debugf("failed to read QUIC CRYPTO frames: %v", err)
+			s.debugCount++
+		}
 		s.invalidCount++
 		return nil, s.invalidCount >= quicInvalidCountThreshold
 	}
@@ -73,6 +78,10 @@ func (s *quicStream) Feed(rev bool, data []byte) (u *analyzer.PropUpdate, done b
 
 	if pl[0] != internal.TypeClientHello {
 		// Not a ClientHello (e.g. server-direction CRYPTO); ignore.
+		if s.debugCount < 4 {
+			s.logger.Debugf("CRYPTO payload does not start with ClientHello: type=%d", pl[0])
+			s.debugCount++
+		}
 		return nil, false
 	}
 
@@ -88,6 +97,10 @@ func (s *quicStream) Feed(rev bool, data []byte) (u *analyzer.PropUpdate, done b
 
 	m := internal.ParseTLSClientHelloMsgData(&utils.ByteBuffer{Buf: pl[4 : 4+chLen]})
 	if m == nil {
+		if s.debugCount < 4 {
+			s.logger.Debugf("failed to parse TLS ClientHello from QUIC CRYPTO payload")
+			s.debugCount++
+		}
 		s.invalidCount++
 		return nil, s.invalidCount >= quicInvalidCountThreshold
 	}