This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decompress gzip POST frame

0

I have the following HTTP frame:

POST /Usage/Upload?compression=gzip HTTP/1.1

How can I show it decompressed? Please note: it is a POST (to the server), not a GET (from the server).

asked 02 Jul '13, 10:46

Hanky


One Answer:

0

POST /Usage/Upload?compression=gzip

sounds like your application is doing the compression, so it's (most certainly) not the built-in compression available in HTTP. As I don't have a sample capture file, I would say that it's only possible to show the POST payload uncompressed

  • if you know the exact encoding used for the POST payload. It could be not just gzip compressed, but it could contain its own data structure (length information, structure information), where only parts are compressed.
  • if you extract the compressed data manually (or via a script) and then use a command line tool to decompress it. To extract the data, you can use the "Follow TCP Stream" feature of Wireshark (right click the POST request and select that option).

BTW: If you are able to provide a sample capture file (google docs, dropbox, etc.) we might be able to give more information/details.

Regards
Kurt

answered 02 Jul '13, 11:11

Kurt Knochner ♦

POST /Usage/Upload?compression=gzip HTTP/1.1
Host: services.robotstudio.com
Content-Length: 1388
Expect: 100-continue
Connection: Keep-Alive

HTTP/1.1 100 Continue

[base64-encoded POST body]

HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jul 2013 08:34:40 GMT
Content-Length: 0

(02 Jul '13, 11:24) Hanky

that's not only compressed but also MIME encoded.

You can decode it on Linux with this command:

base64 -d input.txt | gunzip -d

Result (part of it):

RobotStudioUsage|V1
----HEADER BEGIN----
SessionId=ff1e2f2f-5de1-470e-82f4-31a98a374311
MachineId=fb80eeb9-5271-4140-b516-ab4d8c430d94
SessionStart=07/02/2013 10:21:25
SessionStartUtc=07/02/2013 08:21:25
OSIdentifier=Microsoft Windows NT 6.1.7601 Service Pack 1
OSVersion=6.1.7601.65536
OSLanguage=en-US|English (United States)
OSBitness=32
CLRVersion=4.0.30319.1
Locale=en-US|English (United States)
AppVersion=5.15.4992.261
BuildTag=Production
AppCommandLine="C:\Program Files\ABB Industrial IT\Robotics IT\RobotStudio 5.15\Bin\RobotStudio.exe" 
AppBitness=32
AppLanguage=en-US|English (United States)
ProcessorCoreCount=1
ProcessorLogicalCount=1
PhysicalMemory=1073209344
GfxCardNames=VMware SVGA 3D
GfxDriverDates=20121003
GfxDriverVersions=7.14.1.1211
NumDisplays=1
PrimaryDisplayResolution=1280x800
Renderer=Direct3D
Domain=<local>
LanMAC=00-0C-29-35-D3-55
WirelessMAC=<unknown>
ComputerManufacturer=VMware, Inc.
ComputerModel=VMware 
(02 Jul '13, 11:38) Kurt Knochner ♦

As @Kurt suspected, the compression is done at the (web) application layer, not at the HTTP layer. This means Wireshark has no knowledge of how to interpret the data and is therefore not able to decompress it for you.

(02 Jul '13, 13:04) SYN-bit ♦♦
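
The `base64 -d | gunzip` step from the comments, written as a script (an added example, not code from this thread): it scans a saved "Follow TCP Stream" dump for base64 runs beginning with `H4sI`, which is how the gzip magic bytes 1f 8b 08 always encode, and inflates each one with a size cap. The sample stream, the host `example.invalid` and the function names are constructed for this illustration.

```python
import base64
import gzip
import re
import zlib

# The gzip magic bytes 1f 8b 08 always base64-encode to "H4sI".
B64_GZIP_RUN = re.compile(rb"H4sI[A-Za-z0-9+/]+={0,2}")
MAX_OUTPUT = 1024 * 1024  # cap on decompressed bytes per body


def decode_bodies(stream: bytes, limit: int = MAX_OUTPUT) -> list:
    """Decode every base64+gzip run found in a saved TCP stream dump."""
    decoded = []
    for match in B64_GZIP_RUN.finditer(stream):
        run = match.group(0)
        # An unpadded body can run straight into the next message
        # ("HTTP/1" is all base64 characters); trim to a multiple of 4.
        run = run[: len(run) - len(run) % 4]
        try:
            raw = base64.b64decode(run, validate=True)
            inflater = zlib.decompressobj(wbits=31)  # 31 = require a gzip header
            data = inflater.decompress(raw, limit)   # never emit more than limit
        except (ValueError, zlib.error):
            continue  # started with H4sI but is not base64+gzip
        if not inflater.eof:
            continue  # truncated stream, or output would exceed the limit
        decoded.append(data)  # bytes after the gzip trailer are ignored
    return decoded


def build_sample_stream() -> bytes:
    """Constructed stream dump shaped like the one posted in this thread."""
    report = b"RobotStudioUsage|V1\n----HEADER BEGIN----\nSessionId=constructed-example\n"
    body = base64.b64encode(gzip.compress(report))
    return (b"POST /Usage/Upload?compression=gzip HTTP/1.1\r\n"
            b"Host: example.invalid\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Expect: 100-continue\r\n\r\n"
            b"HTTP/1.1 100 Continue\r\n\r\n"
            + body +
            b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    for text in decode_bodies(build_sample_stream()):
        print(text.decode("utf-8", errors="replace"))
```

To use it on a real capture, save the stream from "Follow TCP Stream" in raw form and pass the file's bytes to `decode_bodies`.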