Wireshark doesn't decode gzipped HTTP traffic on Windows
Do you guys know why WireShark may refuse to decode gzip'ed http traffic on Windows?

My configuration

  • WireShark 1.8.3
  • Windows 7 Ultimate x64
  • WinPcap 4.1.2

Option "Uncompressed entity bodies" is checked in Preferences / Protocols / HTTP.

Here is how my "Follow TCP Stream" dialog looks:

[screenshot of the Follow TCP Stream dialog]

When I first open this dialog, the radio button below is set to "Raw", but when I click on "ASCII" nothing changes.

Any ideas?

Zachar answered 17/10, 2012 at 1:18 Comment(0)
There is support within Wireshark now. Just right-click on a packet identified as HTTP (Protocol column = HTTP), then "Follow" and "HTTP Stream". This should decode compressed responses into plain text.

Debera answered 18/10, 2019 at 16:56 Comment(1)
It looks like gzip is only decoded if the website is using HTTP/1. If a website is using HTTP/2 (for example a website using Cloudflare), gzip is not decoded and the option to follow "HTTP Stream" is greyed out. Any idea how to make it work? – Hixon
If you look at the protocol tree under the "Line-based text data" entry you will see the uncompressed data. The "Follow TCP Stream" dialog just shows the contents of the TCP payload and doesn't interpret it as HTTP or gzipped data or anything else. The buttons on the dialog allow you to set the display format for the stream bytes.

You can right-click on the uncompressed data (see the red # below) and select 'Export Selected Packet Bytes...' to save it to a file.

[screenshot of the packet details pane with the "Uncompressed entity body" entry marked]

Jann answered 17/10, 2012 at 8:46 Comment(5)
Thank you! Unfortunately I'm not sure I understand what you're referring to. I can't find "Line-based text data" in the UI. Could you please elaborate and/or perhaps add a screenshot? – Zachar
In the packet details pane that lists all the protocols in order, there will be an item at the bottom under the entry for "HyperText Transfer Protocol" called "Line-based text data". There will also be a complete hex and ASCII dump of the data in the "Uncompressed entity body" in the hex bytes pane. There is also a long-standing enhancement request at bugs.wireshark.org/bugzilla/show_bug.cgi?id=3528 to make the Follow TCP Stream dialog show the uncompressed data. – Jann
This is damn unfortunate. I'll take a look at the source code. Perhaps I can implement it. – Zachar
Added a screencap to the answer. – Swing
@GrahamBloice Bug 3528 is RESOLVED FIXED. – Dampier
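Jann's answer above makes the key distinction: "Follow TCP Stream" shows the raw TCP payload, while the HTTP dissector (with "Uncompress entity bodies" on) shows the decoded body. The script below is an added example, not code from this thread or from Wireshark; it performs the same transformation by hand on the server-side bytes you would copy out of the Follow TCP Stream dialog: join the TCP segments, split off the headers, undo chunked transfer-coding, then undo the gzip or deflate Content-Encoding. The two sample responses and their segment boundaries are constructed inline so it runs offline; nothing here comes from a real capture.

```python
"""
Decode an HTTP/1.x response body the way Wireshark's HTTP dissector does
when "Uncompress entity bodies" is enabled.

Added example, not Wireshark code. Sample traffic is constructed below
with gzip/zlib so the script runs without a capture file.
"""
import gzip
import zlib


def reassemble(segments):
    """Join the server-side TCP segments in order. Wireshark only hands the
    dissector a reassembled stream when its TCP reassembly preferences are
    on; here we simply concatenate the segments we were given."""
    return b"".join(segments)


def parse_headers(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body).
    Header names are lower-cased; repeated headers are joined with commas."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: end of headers not captured")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers, body


def dechunk(body):
    """Undo 'Transfer-Encoding: chunked'. Raises ValueError on a truncated
    stream, which is what a capture with missing segments looks like."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # drop extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # trailer fields, if any, are ignored
        if len(body) < pos + size + 2:
            raise ValueError("truncated chunk data")
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that follows the chunk data


def decode_body(raw):
    """Return (status line, decoded body) for a raw HTTP/1.x response, i.e.
    what Wireshark shows as 'Uncompressed entity body' / 'Line-based text data'."""
    status, headers, body = parse_headers(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    elif "content-length" in headers:
        n = int(headers["content-length"])
        if len(body) < n:
            raise ValueError(f"truncated body: {len(body)} of {n} bytes")
        body = body[:n]
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding in ("gzip", "x-gzip"):
        body = gzip.decompress(body)
    elif encoding == "deflate":
        # Servers send a zlib stream (RFC 1950) or, incorrectly, raw deflate.
        try:
            body = zlib.decompress(body)
        except zlib.error:
            body = zlib.decompress(body, -zlib.MAX_WBITS)
    elif encoding != "identity":
        raise ValueError(f"unsupported Content-Encoding: {encoding}")
    return status, body


# --- constructed sample traffic (not from a real capture) -------------------
PAGE = b"<html><body><h1>hello from a gzipped page</h1></body></html>"


def _chunked(data, chunk_size):
    out = b""
    for i in range(0, len(data), chunk_size):
        piece = data[i:i + chunk_size]
        out += f"{len(piece):x}\r\n".encode() + piece + b"\r\n"
    return out + b"0\r\n\r\n"


_gz = gzip.compress(PAGE)
GZIP_CHUNKED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + _chunked(_gz, 16)
)
# the same response split across three TCP segments at arbitrary offsets
GZIP_SEGMENTS = [GZIP_CHUNKED_RESPONSE[:40],
                 GZIP_CHUNKED_RESPONSE[40:90],
                 GZIP_CHUNKED_RESPONSE[90:]]

_df = zlib.compress(PAGE)
DEFLATE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Encoding: deflate\r\n"
    + f"Content-Length: {len(_df)}\r\n".encode()
    + b"\r\n" + _df
)

if __name__ == "__main__":
    for name, raw in (("gzip+chunked", reassemble(GZIP_SEGMENTS)),
                      ("deflate", DEFLATE_RESPONSE)):
        status, body = decode_body(raw)
        print(name, "|", status, "|", body.decode())
```

Dropping the last segment from GZIP_SEGMENTS makes decode_body raise, which is the by-hand equivalent of the dissector showing no "Line-based text data" when the stream is incomplete. On the command line, the same decoding is available non-interactively through tshark, e.g. `tshark -r capture.pcapng -o http.decompress_body:TRUE --export-objects http,outdir`, which writes each decoded entity body to a file.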
The accepted answer is the correct answer in terms of current Wireshark, but is pretty clumsy to use IMO.

So I wrote a small script, wireshark-http-gunzip (requires Ruby), to convert the whole output to a format you'd expect. I hope anyone who stumbles here finds it useful.

Birdbath answered 1/8, 2014 at 16:38 Comment(0)
We had an issue where the "Line-based text data" entry was not visible; make sure to check "Reassemble out-of-order segments" in the TCP protocol preferences.

Georgeanngeorgeanna answered 20/12, 2023 at 8:22 Comment(0)