Wireshark is behaving perfectly and showing you the exact traffic that is being transferred over the HTTP protocol.
The part which you are misunderstanding is the one that states “Content-Encoding: gzip”. That means the rest of the content is compressed using gzip compression. What you see as the HTTP packet data is the gzip raw feed.
Your SOAP client is compressing outgoing data using gzip. If you want to see the content itself, get it to not compress the data.
Lior.
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Olivier-externe GERAULT
Sent: Thursday, January 07, 2010 2:03 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Decode TCP trame cup into different parts
Hi,
I would like to analyze packets sent and received but they are cut into many parts and Wireshark seems not able to understand the entire message.
For example, in the "Follow TCP Stream", I get the result:
00000000 50 4f 53 54 20 2f 73 63 36 31 73 65 72 76 65 72 POST /sc 61server
00000010 2f 75 69 20 48 54 54 50 2f 31 2e 31 0d 0a 41 75 /ui HTTP /1.1..Au
00000020 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 42 61 73 thorizat ion: Bas
00000030 69 63 20 54 30 63 77 4d 55 52 47 4d 55 30 36 4d ic T0cwM URGMU06M
00000040 54 52 42 4e 55 4e 43 51 6a 59 34 4e 54 49 34 4d TRBNUNCQ jY4NTI4M
00000050 44 45 35 4d 44 68 47 52 6b 52 45 51 30 4a 43 4e DE5MDhGR kREQ0JCN
00000060 7a 56 43 4d 6a 67 35 4e 6a 51 3d 0d 0a 53 4f 41 zVCMjg5N jQ=..SOA
00000070 50 41 63 74 69 6f 6e 3a 20 22 72 65 63 6f 72 64 PAction: "record
00000080 73 65 74 22 0d 0a 41 63 63 65 70 74 2d 45 6e 63 set"..Ac cept-Enc
00000090 6f 64 69 6e 67 3a 20 67 7a 69 70 0d 0a 43 6f 6e oding: g zip..Con
000000A0 74 65 6e 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 tent-Enc oding: g
000000B0 7a 69 70 0d 0a 50 72 61 67 6d 61 3a 20 72 65 71 zip..Pra gma: req
000000C0 75 65 73 74 6e 75 6d 3d 22 32 32 35 35 22 0d 0a uestnum= "2255"..
000000D0 43 6f 6f 6b 69 65 3a 20 53 65 73 73 69 6f 6e 49 Cookie: SessionI
000000E0 64 3d 31 36 33 2e 38 34 2e 31 34 32 2e 32 32 38 d=163.84 .142.228
000000F0 3a 32 36 36 35 3b 56 65 72 73 69 6f 6e 3d 31 3b :2665;Ve rsion=1;
00000100 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 ..Conten t-Type:
00000110 74 65 78 74 2f 78 6d 6c 3b 20 63 68 61 72 73 65 text/xml ; charse
00000120 74 3d 75 74 66 2d 38 0d 0a 43 61 63 68 65 2d 43 t=utf-8. .Cache-C
00000130 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 ontrol: no-cache
00000140 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4a 61 ..User-A gent: Ja
00000150 76 61 2f 31 2e 34 2e 32 5f 30 39 0d 0a 48 6f 73 va/1.4.2 _09..Hos
00000160 74 3a 20 XX XX XX XX XX XX XX XX XX XX XX XX XX t: ????? ????????
00000170 XX XX XX XX XX XX XX XX XX XX XX XX XX XX 0d 0a ???????? ??????..
00000180 41 63 63 65 70 74 3a 20 74 65 78 74 2f 68 74 6d Accept: text/htm
00000190 6c 2c 20 69 6d 61 67 65 2f 67 69 66 2c 20 69 6d l, image /gif, im
000001A0 61 67 65 2f 6a 70 65 67 2c 20 2a 3b 20 71 3d 2e age/jpeg , *; q=.
000001B0 32 2c 20 2a 2f 2a 3b 20 71 3d 2e 32 0d 0a 43 6f 2, */*; q=.2..Co
000001C0 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 nnection : keep-a
000001D0 6c 69 76 65 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 live..Co ntent-Le
000001E0 6e 67 74 68 3a 20 31 39 30 0d 0a 0d 0a ngth: 19 0....
000001ED 1f 8b 08 00 00 00 00 00 00 00 65 4f 4b 0b c2 30 ........ ..eOK..0
000001FD 0c fe 2b 25 78 b5 d5 9b 8c 75 a2 30 8f 2a f8 b8 ..+%x... .u.0.*..
0000020D 97 2d 6e 83 b5 99 69 37 dc bf b7 be 40 f4 12 be .-n...i7 ....@...
0000021D e4 7b 24 49 97 37 db 8a 01 d9 37 e4 34 cc e5 0c .{$I.7.. ..7.4...
0000022D 04 ba 82 ca c6 55 1a 4e c7 cd 74 01 cb 2c 3d ec .....U.N ..t..,=.
0000023D 56 fb 69 be 3d 27 b9 1b b0 a5 0e 45 b4 39 9f 7c V.i.='.. ...E.9.|
0000024D e6 1a ea 10 ba 44 29 5f d4 68 8d 97 91 f6 64 3a .....D)_ .h....d:
0000025D 49 5c a9 07 50 f8 36 2a f8 4a 5b 53 39 66 29 63 I\..P.6* .J[S9f)c
0000026D 41 5c 7a 0c 22 f2 6c c2 f3 92 08 1d 88 6b 8f 3c A\z.".l. .....k.<
0000027D be 1a 1d b8 47 61 5c 29 88 9b 4a be a4 c4 7a d2 ....Ga\) ..J...z.
0000028D 92 ec 2f ce 58 04 f1 a8 51 5d d8 2b a8 2c 55 3f ../.X... Q].+.,U?
0000029D 7b d4 df 17 d9 1d 8b a5 d4 f7 ff 00 00 00 {....... ......
I can see that it is a SOAP response and the beginning of the message is quite clear.
But the 2nd packet is not decoded and I don't know how to read it.
Is there an option in Wireshark?
Regards,
Olivier
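
Added example, not part of the original thread: a Python sketch that reads such a body offline by joining the TCP payload segments of one HTTP message, checking Content-Encoding and Content-Length, and gunzipping the body. The function names, the request path and the XML in the sample are constructed for this example.

```python
import gzip

def split_http_message(raw: bytes):
    """Split a raw HTTP/1.x message into (start_line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block incomplete: no blank line seen yet")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return lines[0], headers, body

def decode_body(segments):
    """Join the TCP payload segments of one message and undo Content-Encoding: gzip."""
    start, headers, body = split_http_message(b"".join(segments))
    if "content-length" in headers:
        expected = int(headers["content-length"])
        if len(body) < expected:
            raise ValueError(f"body truncated: {len(body)} of {expected} bytes captured")
        body = body[:expected]  # ignore bytes of a following pipelined message
    if headers.get("content-encoding", "").lower() == "gzip":
        if body[:2] != b"\x1f\x8b":  # gzip magic, visible as "1f 8b" in a hex dump
            raise ValueError("Content-Encoding is gzip but the 1f 8b magic is missing")
        body = gzip.decompress(body)
    return start, headers, body

def build_sample():
    """Constructed sample: a gzip-compressed SOAP-style POST split into 3 segments."""
    xml = b'<?xml version="1.0"?><Envelope><Body><recordset id="1"/></Body></Envelope>'
    gz = gzip.compress(xml)
    head = (b"POST /example HTTP/1.1\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Content-Type: text/xml; charset=utf-8\r\n"
            b"Content-Length: " + str(len(gz)).encode() + b"\r\n\r\n")
    # Headers in one segment, compressed body cut across two more.
    return xml, [head, gz[:20], gz[20:]]

if __name__ == "__main__":
    xml, segments = build_sample()
    start, headers, body = decode_body(segments)
    print(start)
    print(body.decode("utf-8"))
```

For a real capture, the segment bytes would come from the stream saved in raw form from the "Follow TCP Stream" dialog rather than from `build_sample()`.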