Troubleshooting
Common issues and solutions for pqc-flow.
No Output from PCAP File
Symptoms: ./pqc-flow file.pcap produces no output.
Check for Handshakes
```bash
# Verify capture contains TCP SYN packets (connection starts)
tcpdump -r file.pcap 'tcp[tcpflags] & tcp-syn != 0' | head
```
Check Capture Timing
Handshakes occur at connection start. If the capture started after the connections were established, it will contain no handshakes.
Solution: Restart the capture before establishing connections.
Check Port Filter
pqc-flow only processes traffic on specific ports:
Supported ports: TCP 22, 443; UDP 443, 500, 4500, 51820
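The handshake and port checks above can be run in one pass over a capture. The following is an added example, not part of pqc-flow or its documentation: it reads a classic Ethernet pcap with the Python standard library and counts client SYNs and UDP packets against the port list on this page. The names triage_pcap, diagnose, sample_frame and make_pcap are hypothetical, and the frames are constructed samples.

```python
import struct

SUPPORTED = {6: {22, 443}, 17: {443, 500, 4500, 51820}}  # page's port list, by IP proto

def triage_pcap(data: bytes) -> dict:
    """Count connection starts and supported-port packets in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic microsecond pcap (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    stats = {"syn_supported": 0, "syn_other": 0, "udp_supported": 0, "truncated": 0}
    off = 24
    while off + 16 <= len(data):
        caplen, origlen = struct.unpack(endian + "II", data[off + 8:off + 16])
        pkt, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        stats["truncated"] += caplen < origlen  # snaplen cut this packet short
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # untagged IPv4 only; VLAN and IPv6 frames are skipped
        proto, l4 = pkt[23], pkt[14 + (pkt[14] & 0x0F) * 4:]
        if len(l4) < 4:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == 6 and len(l4) >= 14 and l4[13] & 0x12 == 0x02:  # SYN, no ACK
            stats["syn_supported" if dport in SUPPORTED[6] else "syn_other"] += 1
        elif proto == 17 and {sport, dport} & SUPPORTED[17]:
            stats["udp_supported"] += 1
    return stats

def diagnose(stats: dict) -> str:
    if stats["syn_supported"] or stats["udp_supported"]:
        return "handshake traffic on supported ports is present"
    if stats["syn_other"]:
        return "connections start in the capture, but not on supported ports"
    return "no connection starts: capture probably began after the handshakes"

def sample_frame(proto, sport, dport, flags=0):  # constructed Ethernet+IPv4+TCP/UDP frame
    tail = struct.pack("!IIBBHHH", 1, 0, 0x50, flags, 1024, 0, 0)  # TCP
    if proto == 17:
        tail = struct.pack("!HH", 8, 0)  # UDP length and checksum
    l4 = struct.pack("!HH", sport, dport) + tail
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def make_pcap(frames) -> bytes:  # constructed little-endian classic pcap
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

A non-zero truncated count means some packets were cut by the snaplen, which is the condition described under Missing Protocol Fields.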
Live Capture Permission Denied
Symptoms: Operation not permitted when running --live.
Solution 1: Use sudo
Solution 2: Grant Capabilities
Solution 3: Verify Interface
PQC Flags Always Zero
Symptoms: All flows show pqc_flags: 0 despite expecting PQC.
Cause 1: Server Doesn't Support PQC
Not all servers support PQC yet. Test with a known PQC endpoint:
Cause 2: Client Doesn't Support PQC
Standard tools don't support TLS PQC:
| Tool | PQC Support |
|---|---|
| curl | No |
| wget | No |
| Chrome | Yes (with flag) |
| OpenSSH 9.0+ | Yes (sntrup) |
TLS testing:
SSH testing:
Cause 3: Session Resumption
The browser reused an existing TLS session, so there was no handshake to capture.
Solution: Clear browser cache and retry:
```bash
# Chrome: clear cache or use incognito
google-chrome --incognito --enable-features=PostQuantumKyber https://example.com/
```
Cause 4: SSH Not Offering PQC KEX
Force PQC key exchange:
Check supported KEX algorithms:
Missing Protocol Fields
Symptoms: ssh_kex_negotiated or tls_negotiated_group is empty.
Cause 1: Incomplete Handshake Capture
Ensure capture includes the full handshake.
Solution: Increase snaplen:
Cause 2: TLS 1.2 Encrypted Extensions
TLS 1.3 ClientHello/ServerHello are cleartext. TLS 1.2 may encrypt some extensions.
Solution: Ensure TLS 1.3 is used.
Verification with ndpiReader
High Memory Usage
Symptoms: pqc-flow memory grows over time in live mode.
Cause
The flow table accumulates entries; the current version performs no cleanup.
Solution 1: RuntimeMaxSec
Use systemd to restart periodically:
Solution 2: Manual Restart
Solution 3: Monitor Memory
Interface Not Found
Symptoms: Error about interface not existing.
Find Correct Interface Name
```bash
# List all interfaces
ip link show

# Common interface names:
# - eth0, eth1 (legacy naming)
# - enp0s31f6, ens192 (predictable naming)
# - wlan0, wlp2s0 (wireless)
```
Verify Interface is Up
No Traffic Captured
Symptoms: Live mode runs but no output.
Check Traffic Exists
Check Port Filter
pqc-flow only captures on specific ports. Verify traffic on those ports:
Check Promiscuous Mode
Verifying PQC Support
Test SSH PQC
```bash
# Check if client supports sntrup
ssh -Q kex | grep sntrup
# Expected output:
# sntrup761x25519-sha512@openssh.com

# Test connection with verbose output
ssh -v -oKexAlgorithms=sntrup761x25519-sha512@openssh.com user@host 2>&1 | grep 'kex:'
```
Test TLS PQC
```bash
# Cloudflare test endpoint
curl -I https://pq.cloudflareresearch.com/

# View in Chrome DevTools > Security tab
google-chrome --enable-features=PostQuantumKyber https://pq.cloudflareresearch.com/
```
Debug Checklist
When troubleshooting, verify each step:
| Step | Check | Command |
|---|---|---|
| 1 | Binary works | ./pqc-flow --mock |
| 2 | Interface exists | ip link show eth0 |
| 3 | Traffic present | sudo tcpdump -i eth0 -c 10 |
| 4 | Permissions | getcap ./pqc-flow |
| 5 | Handshakes in PCAP | tcpdump -r file.pcap 'tcp[tcpflags] & tcp-syn != 0' |
| 6 | Correct ports | tcpdump -r file.pcap 'port 22 or port 443' |
| 7 | PQC-capable client | ssh -Q kex \| grep sntrup |
| 8 | PQC-capable server | Test against pq.cloudflareresearch.com |
Getting Help
If these solutions don't resolve your issue:
- Check that ./pqc-flow --mock works correctly
- Verify with ndpiReader that nDPI sees the expected metadata
- Capture a small PCAP and test offline before live capture
- Check system logs: journalctl -u pqc-flow
See Also
- Command-Line Reference - All options
- Protocol Coverage - Supported protocols