I have been noticing that when I sniff traffic from blogs, I cannot seem to read the text on the main blog page, as it shows up all garbled when you follow the TCP stream in Wireshark. For instance, you would see something like:

14949 ...............W.%.>.}[email protected])\M...w..-....0%2]#Y.=.-#sy....._./......Qs...dd0:Y.A....=.}.}....{......x...u.......'..d..........'..g.....N...uZ6y.WeZ..?.jo...Vm.y...qq1..9.......

instead of text on the blog. I cannot search any of the text on the blog via ASCII/Unicode or Hex within this garbled mess. When I export the file via HTTP Objects and look at it in a text editor, it looks just like you would expect, with the HTML source code. Is there a way to make Wireshark show me the HTML source code of blog sites without having to extract the main page every time?

asked 24 Jul '12, 05:26 WSHKNeezy
2 Answers:
Most certainly the webserver used gzip compression for the content (HTTP response header:

Regards

answered 24 Jul '12, 05:44 Kurt Knochner ♦ edited 24 Jul '12, 12:15
Sadly, Wireshark's capabilities in working with compressed TCP streams are quite limited. I recommend using tcpflow, which will reassemble all of the TCP streams and decompress those that are compressed.

answered 01 May '13, 11:25 bhh
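To illustrate what both answers describe (the "garbled" bytes in the followed stream are the gzip-compressed body, and a tool has to strip the chunked framing and inflate it before the HTML is searchable), here is an added example that is not part of the thread or of tcpflow. The HTTP response it parses is constructed inline, not taken from a real capture.

```python
import gzip
import zlib

# Constructed sample page; stands in for the blog's main page.
HTML = b"<html><head><title>Example Blog</title></head><body><p>Hello from the blog.</p></body></html>"


def build_sample_response() -> bytes:
    """Build a constructed HTTP/1.1 response: gzip-encoded body, chunked framing."""
    compressed = gzip.compress(HTML)
    chunk = f"{len(compressed):x}".encode() + b"\r\n" + compressed + b"\r\n0\r\n\r\n"
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n")
    return head + chunk


def parse_http_response(raw: bytes):
    """Split a raw response into (status line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def dechunk(body: bytes) -> bytes:
    """Remove HTTP chunked transfer framing (hex size line, data, CRLF, ..., 0 chunk)."""
    out = bytearray()
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        out += body[:size]
        body = body[size + 2:]  # skip data and its trailing CRLF
    return bytes(out)


def recover_html(raw: bytes) -> bytes:
    """Undo chunking and Content-Encoding so the body is readable, as a stream tool must."""
    _, headers, body = parse_http_response(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    enc = headers.get("content-encoding", "").lower()
    if enc == "gzip":
        return gzip.decompress(body)
    if enc == "deflate":  # some servers send raw deflate without the zlib header
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)
    return body
```

Searching the undecoded body for the page text fails for the same reason the ASCII/Hex search in Wireshark fails: the text only exists after decompression.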