Ethereal-users: Re: [Ethereal-users] Is there a procedure to decode packet content
James Busse wrote:
> I need to examine some of the content of packets, and
> Ethereal seems to not decode either gzip or gif89
> content.

The current version of Ethereal, 0.10.12, does handle gzipped data in
HTTP traffic if

1) the version of Ethereal you're using is linked with zlib;

2) the "Reassemble HTTP headers spanning multiple TCP segments",
"Reassemble HTTP bodies spanning multiple TCP segments", and "Uncompress
entity bodies" preferences are enabled for HTTP;

3) the "Allow subdissector to reassemble TCP streams" preference is
enabled for TCP;

4) if the gzipped data was sent by the machine running Ethereal, and it
was sent on an interface that's doing TCP checksum offloading, the
"Validate the TCP checksum if possible" option is *disabled* for TCP (as
packets being sent by the machine running Ethereal, on an interface that
does TCP checksum offloading, probably will *NOT* show up in Ethereal
with valid checksums, as the "capturing" is done by the networking code
in the OS wrapping the packet around internally, but the copy in the
host hasn't had a checksum added to it, as it's leaving that to the
adapter).

As for GIF89, if by "decode" you mean "decode the internal structure of
the GIF data" (as opposed to "show the picture in a window"), if you
enable the reassembly options mentioned above, the current version of
Ethereal will do that, at least for traffic atop HTTP.

The more recent versions prior to that also handle gzip and GIF89 data
in HTTP; I don't remember when those features were added.
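
Added example (not part of the original message and not Ethereal's code): a Python illustration of why the reassembly preferences in 2) and 3) are prerequisites for gzip and GIF decoding, since a gzipped entity body can only be inflated once every TCP segment carrying it has been joined. The function names, the 40-byte segment size and the sample response are constructed for this example, and it assumes in-order payloads with a Content-Length header.

```python
import gzip
import struct

def build_segments(mss=40):
    """Constructed sample: HTTP response with a gzipped GIF89a body, cut into TCP-sized payloads."""
    # Minimal GIF89a: signature, logical screen descriptor (3x2, no global color table), trailer.
    gif = b"GIF89a" + struct.pack("<HHBBB", 3, 2, 0, 0, 0) + b"\x3b"
    body = gzip.compress(gif)
    head = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: image/gif\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    stream = head + body
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]

def parse_response(data):
    """Return (headers, body), or None while the headers or the body are still incomplete."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers span more segments than we have so far
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", b"0"))
    if len(rest) < length:
        return None  # body spans more segments than we have so far
    return headers, rest[:length]

def decode_entity(segments):
    """Reassemble in-order payloads, gunzip the body, decode the GIF logical screen descriptor."""
    parsed = parse_response(b"".join(segments))
    if parsed is None:
        return None
    headers, body = parsed
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    if body[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    width, height, flags, _bg, _aspect = struct.unpack("<HHBBB", body[6:13])
    return {"version": body[3:6].decode(), "width": width, "height": height,
            "global_color_table": bool(flags & 0x80)}

if __name__ == "__main__":
    segs = build_segments()
    print(len(segs), "segments;", "first alone:", decode_entity(segs[:1]))
    print("all segments:", decode_entity(segs))
```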