Do you guys know why WireShark may refuse to decode gzip'ed http traffic on Windows?
My configuration
Option "Uncompressed entity bodies" is checked in Preferences / Protocols / HTTP.
Here is how my "Follow TCP Stream" dialog looks like:
When I first open this dialog radio-button below is set to "Raw", but when I click on "ASCII" nothing changes.
Any ideas ?
Find the gzipped object of interest and right-click on the corresponding packet in the packet list, selecting, "Follow TCP Stream" to isolate the stream. Within the "Follow TCP Stream" window, note the name of the gzipped object in the previous GET block. From the main window, choose File -> Export Objects -> HTTP.
If you look at the protocol tree under the "Line-based text data" entry you will see the uncompressed data. The "Follow TCP Stream" dialog just shows the contents of the TCP payload and doesn't interpret it as HTTP or gzipped data or anything else. The buttons on the dialog allow you to set the display format for the stream bytes.
You can right-click on the uncompressed data(see the red # below) and select 'Export Selected Packet Bytes...' to save to a file
The accepted answer is the correct answer in terms of current Wireshark -- but is pretty clumsy to use IMO.
So I wrote a small script wireshark-http-gunzip (requires Ruby) to convert the whole output to a format you'd expect. Hope anyone that stumbles here find it useful.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With