This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Search for string in compressed/gzipped HTTP content

0

Let's say I want to find the point at which a site sends a particular string to my machine. However, even if the connection is not encrypted, it's still likely to be gzipped, so I can't just use http contains MYSTRING.

asked 02 May '14, 01:47


sashoalm


One Answer:

2

You can do it this way:

You need to enable the following option (enabled by default):

Edit -> Preferences -> Protocols -> HTTP -> Uncompress Entity Bodies

and then use the following display filter:

http.response and data-text-lines contains "xxxxx"

where "xxxxx" is your search string.

Regards
Kurt

answered 02 May '14, 03:30


Kurt Knochner ♦

edited 02 May '14, 03:31