Wireshark-users: [Wireshark-users] Problem with XML Dissector
From: Alexandre Vieira <nullpt@xxxxxxxxx>
Date: Wed, 13 Oct 2010 16:26:30 +0100
Hi list,
I'm having trouble dissecting an HTTP POST that comes with "Content-encoded entity body (gzip)" from the client side.
I'm using TShark 1.0.13
Compiled with GLib 2.4.1, with libpcap 1.1.1, with libz 1.2.3, without POSIX
capabilities, with libpcre 8.2, without SMI, with ADNS, without Lua, without
GnuTLS, without Gcrypt, without Kerberos.
Running on SunOS 5.10, with libpcap version 1.1.1.
Built using gcc 3.4.3 (csl-sol210-3_4-branch+sol_rpath).
All requests that are submitted without gzip compression are dissected correctly.
I'm using tshark like:
$ /usr/local/bin/tshark -o tcp.check_checksum:false -r /tmp/mycap_test.cap -V -d tcp.port==10010,http
The requests that are dissected correctly:
Hypertext Transfer Protocol
POST /App HTTP/1.1\r\n
Request Method: POST
Request URI: /App
Request Version: HTTP/1.1
Content-Type: text/xml\r\n
User-Agent: CLIENT1/3.0/1.0\r\n
Authorization: Basic XXXXXXXXXXXXXXXXXXXX\r\n
Credentials: xxxxxx:xxxxxx
Content-Length: 561\r\n
[Content length: 561]
Cache-Control: no-cache\r\n
Pragma: no-cache\r\n
Host: 192.168.87.8:10010\r\n
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n
Connection: keep-alive\r\n
\r\n
eXtensible Markup Language
<?xml
version="1.0"
encoding="UTF-8"
?>
(....................................................)
The requests that don't work:
Hypertext Transfer Protocol
POST /App HTTP/1.1\r\n
Request Method: POST
Request URI: /App
Request Version: HTTP/1.1
Content-Type: text/xml\r\n
User-Agent: CLIENT2/3.0/1.0\r\n
Authorization: Basic XXXXXXXXXXXXXXXXXXXX\r\n
Credentials: xxxxxx:xxxxxx
Content-Encoding: gzip\r\n
Accept-Encoding: gzip\r\n
Content-Length: 566\r\n
[Content length: 566]
Cache-Control: no-cache\r\n
Pragma: no-cache\r\n
Host: 192.168.87.8:10010\r\n
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n
Connection: keep-alive\r\n
\r\n
Content-encoded entity body (gzip): 566 bytes
Data (566 bytes)
0000 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 <?xml version="1
0010 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 69 73 .0" encoding="is
0020 6f 2d 38 38 35 39 2d 31 22 3f 3e 3c 6d 65 74 68 o-8859-1"?><meth
(.......................................)
Can anyone shed some light on this?
Thanks in advance!
BR
--
Alexandre Vieira - nullpt@xxxxxxxxx
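
Added example (not part of the original post and not Wireshark code): the "Data (566 bytes)" rows quoted above begin with 3c 3f 78 6d 6c ("<?xml"), while every gzip stream begins with the magic bytes 1f 8b (RFC 1952). The Python sketch below rebuilds the bytes from those dump rows and compares the declared Content-Encoding with what the payload actually is. The function names and the compressed sample body are assumptions made for illustration.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # ID1, ID2 of every gzip member (RFC 1952)

# First three rows of the "Data (566 bytes)" dump quoted in the post.
DUMP_FROM_POST = """\
0000 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 <?xml version="1
0010 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 69 73 .0" encoding="is
0020 6f 2d 38 38 35 39 2d 31 22 3f 3e 3c 6d 65 74 68 o-8859-1"?><meth
"""

def parse_hexdump(text, width=16):
    """Rebuild bytes from 'offset hex... ascii' rows (full-width rows only;
    a short last row can be ambiguous with the ASCII column)."""
    out = bytearray()
    for row in text.splitlines():
        for tok in row.split()[1:1 + width]:
            if len(tok) != 2:
                break
            try:
                out.append(int(tok, 16))
            except ValueError:
                break
    return bytes(out)

def sample_gzip_body():
    """Constructed sample: a body that really is gzip-compressed."""
    return gzip.compress(b'<?xml version="1.0" encoding="iso-8859-1"?><m/>')

def check_declared_gzip(content_encoding, body):
    """Compare the Content-Encoding header with what the bytes actually are."""
    if content_encoding.strip().lower() not in ("gzip", "x-gzip"):
        return "not-declared"
    if not body.startswith(GZIP_MAGIC):
        return "mismatch"          # header says gzip, payload is not gzip
    try:
        # wbits=31 selects gzip framing; a truncated capture still passes.
        zlib.decompressobj(zlib.MAX_WBITS | 16).decompress(body)
    except zlib.error:
        return "corrupt"           # gzip magic present but stream invalid
    return "ok"

if __name__ == "__main__":
    body = parse_hexdump(DUMP_FROM_POST)
    print(body[:5], check_declared_gzip("gzip", body))
    print(check_declared_gzip("gzip", sample_gzip_body()))
```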