Wireshark-users: Re: [Wireshark-users] Decoding RFC1950 compressed data?
From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Mon, 21 May 2007 13:07:38 -0700
On Mon, May 21, 2007 at 03:49:17PM +0200, Andreas Weller wrote:

> A friend of mine got a new PC system at his shop. It's a Linux based 
> client/server system. As it is undocumented black box stuff we used 
> wireshark to decode its datastream :-)

:)

> But it also connects to port 1536 using some kind of encrypted or 
> compressed protocol. Wireshark doesn't recognize the protocol.
> 
> I think it might be RFC1950 compressed data (ZLIB).
> 
> How do I force wireshark to treat the port 1536 data as RFC1950 
> compressed - maybe it can be decoded this way...

There is no zlib dissector right now, but Wireshark is usually compiled 
with zlib and it is used within the HTTP and VNC dissectors.  Would you 
mind sending the first response packet (the one that appears to have the 
compressed data and without the password you x'd out) to the list (or me 
privately if you prefer)?  I would like to take a closer look at it.  If 
it is just zlib compressed data, a dissector could be written to 
uncompress it and display the uncompressed data for you.


Steve
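Before writing a dissector, the quick way to answer "is this RFC 1950 data?" is to check the two-byte zlib header on the suspect payload and then try to inflate it, which is exactly what a dissector built on zlib would do internally. The script below is an added example for this thread, not code from Wireshark or from either poster: it uses only Python's standard zlib module, and the three sample payloads are constructed here to stand in for the port 1536 response packet (a real zlib stream, a truncated copy of it, and two non-zlib byte strings). The helper names (parse_zlib_header, try_inflate, find_zlib_stream) are this example's own.

```python
import zlib

# Constructed sample payloads (not from the original post). The real input
# would be the TCP payload of the first response packet on port 1536.
SAMPLE_PLAIN = b'{"status":"ok","items":[1,2,3]}\n'
SAMPLE_ZLIB = zlib.compress(SAMPLE_PLAIN)          # RFC 1950 stream: 0x78 0x9c, deflate data, Adler-32
SAMPLE_NOT_ZLIB = b"\x16\x03\x01\x00\x2f\x01\x00"   # constructed: byte pattern of a TLS record, not zlib
SAMPLE_BAD_DEFLATE = b"\x78\x9c\xff\xff\xff\xff"    # constructed: valid header, invalid deflate block type
SAMPLE_PREFIXED = b"\x00\x2b" + SAMPLE_ZLIB         # constructed: 2-byte length field before the stream


def parse_zlib_header(data):
    """Describe the RFC 1950 header at the start of data, or return None.

    RFC 1950: byte 0 is CMF (CINFO<<4 | CM), byte 1 is FLG. CM must be 8
    (deflate), CINFO at most 7 (32K window), and CMF*256+FLG must be a
    multiple of 31. FLG bit 5 (FDICT) announces a preset dictionary.
    """
    if len(data) < 2:
        return None
    cmf, flg = data[0], data[1]
    cm, cinfo = cmf & 0x0F, cmf >> 4
    if cm != 8 or cinfo > 7:
        return None
    if (cmf * 256 + flg) % 31 != 0:
        return None
    return {
        "window": 1 << (cinfo + 8),
        "fdict": bool((flg >> 5) & 1),
        "flevel": flg >> 6,          # 0..3: compression level hint only
    }


def try_inflate(data):
    """Inflate data as one RFC 1950 stream.

    Returns (status, payload, trailing):
      'ok'        complete stream, Adler-32 verified; trailing = bytes after it
      'truncated' header valid, stream ended before the end-of-stream marker
                  (packet probably continues in a later segment)
      'error'     not a zlib stream, corrupt deflate data, bad checksum, or a
                  preset dictionary we do not have
    """
    hdr = parse_zlib_header(data)
    if hdr is None or hdr["fdict"]:
        return "error", b"", b""
    # wbits=15 tells zlib to expect a zlib (RFC 1950) header and trailer,
    # as opposed to raw deflate (-15) or gzip (31).
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS)
    try:
        out = d.decompress(data)      # raises zlib.error on bad data or checksum
    except zlib.error:
        return "error", b"", b""
    if not d.eof:
        return "truncated", out, b""
    return "ok", out, d.unused_data


def find_zlib_stream(data, max_scan=16):
    """Scan the first max_scan offsets for a zlib stream that inflates cleanly.

    Generalises the single-stream check: many binary protocols put a length
    or type field in front of the compressed blob. Returns
    (offset, payload) or None. A header can pass the 31-divisibility test by
    chance, so only an 'ok' inflate (Adler-32 verified) counts as a hit.
    """
    for off in range(0, min(max_scan, len(data) - 1)):
        status, out, _ = try_inflate(data[off:])
        if status == "ok":
            return off, out
    return None


if __name__ == "__main__":
    for name, blob in [("zlib", SAMPLE_ZLIB), ("truncated", SAMPLE_ZLIB[:-6]),
                       ("not zlib", SAMPLE_NOT_ZLIB), ("bad deflate", SAMPLE_BAD_DEFLATE)]:
        status, out, trailing = try_inflate(blob)
        print(f"{name:12s} -> {status:9s} {out!r} trailing={trailing!r}")
    print("prefixed     ->", find_zlib_stream(SAMPLE_PREFIXED))
```

On the real capture, feed the packet's TCP payload (Wireshark: right-click the data, Copy as Hex Stream, then bytes.fromhex) to try_inflate. A 'truncated' result on the first segment is normal for a stream that spans several packets; reassemble the TCP payload first. A repeated 'error' with a plausible header usually means raw deflate without the zlib wrapper, a preset dictionary (FDICT set), or simply encryption rather than compression.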