
WireShark doesn't decode gzip'ed http traffic on Windows

Do you guys know why WireShark may refuse to decode gzip'ed http traffic on Windows?

My configuration

  • WireShark 1.8.3
  • Windows 7 Ultimate x64
  • WinPcap 4.1.2

Option "Uncompressed entity bodies" is checked in Preferences / Protocols / HTTP.

Here is what my "Follow TCP Stream" dialog looks like:

enter image description here

When I first open this dialog, the radio button below is set to "Raw", but when I click on "ASCII" nothing changes.

Any ideas?

like image 300
expert asked Oct 17 '12 01:10


People also ask

How do I decode gzip in Wireshark?

Find the gzipped object of interest and right-click on the corresponding packet in the packet list, selecting, "Follow TCP Stream" to isolate the stream. Within the "Follow TCP Stream" window, note the name of the gzipped object in the previous GET block. From the main window, choose File -> Export Objects -> HTTP.


2 Answers

If you look at the protocol tree under the "Line-based text data" entry you will see the uncompressed data. The "Follow TCP Stream" dialog just shows the contents of the TCP payload and doesn't interpret it as HTTP or gzipped data or anything else. The buttons on the dialog allow you to set the display format for the stream bytes.

You can right-click on the uncompressed data (see the red # below) and select 'Export Selected Packet Bytes...' to save to a file.

enter image description here

like image 179
Graham Bloice answered Sep 20 '22 17:09


The accepted answer is the correct answer in terms of current Wireshark -- but is pretty clumsy to use IMO.

So I wrote a small script, wireshark-http-gunzip (requires Ruby), to convert the whole output to a format you'd expect. Hope anyone that stumbles here finds it useful.

like image 29
kizzx2 answered Sep 21 '22 17:09
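The raw bytes that "Follow TCP Stream" shows can also be decoded outside Wireshark. The sketch below is an added example, not code from either answer and not the wireshark-http-gunzip script; it assumes one HTTP response saved as raw bytes, and its function names, output cap and sample response are constructed for illustration.

```python
import gzip
import zlib

MAX_OUT = 64 * 1024 * 1024  # assumed cap: captured bodies may be decompression bombs

def parse_headers(head: bytes) -> dict:
    """Map lower-cased header names to stripped values (status line skipped)."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers

def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body into the bytes that were sent."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return bytes(out)
        start = eol + 2
        out += body[start:start + size]
        pos = start + size + 2                        # skip chunk data and its CRLF

def decode_http_response(raw: bytes) -> bytes:
    """Return the entity body of one raw HTTP response, dechunked and gunzipped."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    headers = parse_headers(head)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)                          # must happen before gunzip
    if headers.get("content-encoding", "").lower() in ("gzip", "x-gzip"):
        # wbits=47 accepts a gzip header; decompressobj does not raise if the capture is cut short
        return zlib.decompressobj(47).decompress(body, MAX_OUT)
    return body

def constructed_sample() -> bytes:
    """Constructed response: gzip body split across two chunks."""
    gz = gzip.compress(b"<html>hello from a constructed capture</html>")
    chunks = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in (gz[:10], gz[10:]))
    return (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + chunks + b"0\r\n\r\n")

if __name__ == "__main__":
    print(decode_http_response(constructed_sample()).decode())
```

The ordering matters: chunk framing wraps the compressed bytes, so gunzipping before removing the chunk sizes fails on any chunked response.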