This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Searching for Text in a Pcap from a Blog DTD XHTML 1.0

I have been noticing that when I sniff traffic from blogs, I cannot seem to read the text on the main blog page, as it shows up all garbled when you follow the TCP stream in Wireshark. For instance, you would see something like:

14949

...............W.%.>.}[email protected])\M...w..-....0%2]#Y.=.-#sy....._./......Qs...dd0:Y.A....=.}.}....{......x...u.......'..d..........'..g.....N...uZ6y.WeZ..?.jo...Vm.y...qq1..9.......

That shows up instead of the text on the blog. I cannot search any of the text on the blog via ASCII/Unicode or Hex within this garbled mess.

When I export the file via HTTP Objects and look at it in a text editor, it looks just like you would expect, with the HTML source code. Is there a way to make Wireshark show me the HTML source code of blog sites without having to extract the main page every time?

asked 24 Jul '12, 05:26

WSHKNeezy


2 Answers:

Most certainly the web server used gzip compression for the content (HTTP response header: Content-Encoding: gzip). "Follow TCP Stream" does NOT uncompress the content, as that is not implemented. If you save the HTTP objects, uncompressing is implemented.

Regards
Kurt

answered 24 Jul '12, 05:44

Kurt Knochner ♦

edited 24 Jul '12, 12:15
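To make the answer above concrete, here is an added Python example (not code from the original thread or from Wireshark) that reproduces the situation: a constructed, hypothetical blog page is sent the way a server would put it on the wire, with `Transfer-Encoding: chunked` framing around a gzip body. A raw byte search over that stream, which is all "Follow TCP Stream" gives you, finds the header text but none of the page text, because deflate does not leave literal byte sequences in its output. Undoing the chunk framing and then the `Content-Encoding` recovers the HTML, which is what the HTTP object export does before writing the file. The hostname, headers and page content are made up for the demo.

```python
"""Added example (not from the original post): why text in a gzip-encoded
HTTP response is invisible to a raw byte search, and how de-chunking plus
gunzip recovers it. The sample page and headers below are constructed."""
import gzip

# Constructed sample page (hypothetical XHTML 1.0 blog front page).
PAGE_HTML = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
    b'"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\n'
    b'<html xmlns="http://www.w3.org/1999/xhtml"><head>'
    b'<title>Example blog</title></head>\n'
    b'<body><h1>Hello from the blog</h1>'
    b'<p>First post, searchable text.</p></body></html>\n'
)


def build_gzip_chunked_response(body: bytes, chunk_size: int = 64) -> bytes:
    """Synthesise what the server puts on the wire: gzip body, chunked framing.
    Only used here to stand in for the captured response."""
    gz = gzip.compress(body, mtime=0)
    chunks = b"".join(
        b"%x\r\n%s\r\n" % (len(gz[i:i + chunk_size]), gz[i:i + chunk_size])
        for i in range(0, len(gz), chunk_size)
    )
    chunks += b"0\r\n\r\n"  # last-chunk marker, no trailers
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html; charset=UTF-8\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"\r\n"
    )
    return headers + chunks


def split_headers(raw: bytes):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.split(b"\r\n")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        hdrs[name.strip().lower()] = value.strip().lower()
    return lines[0], hdrs, rest


def dechunk(data: bytes) -> bytes:
    """Remove chunked transfer framing: hex size line, data, CRLF, ... , 0."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size_field = data[pos:eol].split(b";", 1)[0]  # drop chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break
        out += data[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates each chunk
    return bytes(out)


def decode_body(raw_response: bytes) -> bytes:
    """The two steps the object export performs and Follow TCP Stream does not:
    undo chunked framing, then undo the Content-Encoding."""
    _, hdrs, body = split_headers(raw_response)
    if hdrs.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    encoding = hdrs.get(b"content-encoding")
    if encoding == b"gzip":
        body = gzip.decompress(body)
    elif encoding not in (None, b"identity"):
        raise ValueError("unsupported Content-Encoding: %r" % encoding)
    return body


def search_stream(raw_response: bytes, needle: bytes):
    """Return (found in raw stream, found after decoding): the first is what a
    search in the Follow TCP Stream window sees, the second what the exported
    object contains."""
    return needle in raw_response, needle in decode_body(raw_response)


if __name__ == "__main__":
    wire = build_gzip_chunked_response(PAGE_HTML)
    print(search_stream(wire, b"Hello from the blog"))      # (False, True)
    print(search_stream(wire, b"Content-Encoding: gzip"))   # (True, False)
```

A response with a `Content-Length` instead of chunked framing skips the `dechunk` step and goes straight to `gzip.decompress`; a body with no `Content-Encoding` is returned as-is. For real captures the same decoding is done inside Wireshark's HTTP dissector (the "Uncompress entity bodies" HTTP preference), which is why the exported object is readable even though the stream view is not.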

Sadly, Wireshark's capabilities for working with compressed TCP streams are quite limited. I recommend using tcpflow, which will reassemble all of the TCP streams and decompress those that are compressed.

answered 01 May '13, 11:25

bhh