This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

gzip no deccompresion

0

why i can't see the decrypted text that server reply for the first post request? The seccond post is visible :/

alt text

asked 12 Jul '15, 05:43

Vladimir21's gravatar image

Vladimir21
1111
accept rate: 0%


One Answer:

0

The first POST resulted in a server reply consisting of many TCP segments, many of which arrive out of order, whereas the second post gets only 2 segments that arrive in order.
It looks like wireshark is having trouble to reassemble the first reply.
Under Edit-Preferences-Protocols-TCP you can uncheck the 'Allow dissectors to reassemble TCP streams' and wireshark will show you the segment that contains the HTTP OK message. alt text

answered 12 Jul '15, 22:57

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

But i can't see it decompresed .. if I export the stream to C array how can i know witch order is the right one(for concatenate)?

(13 Jul '15, 06:55) Vladimir21

"Follow TCP Stream", which I believe is what you are trying, does not decompress the content!

(13 Jul '15, 08:38) Kurt Knochner ♦

So this question is about decompressing the gzip-ed http content of the first POST request? As per https://en.wikipedia.org/wiki/HTTP_compression
And the reply to the second post is also Content-Encoding: gzip ?

(13 Jul '15, 10:04) mrEEde

i use "Follow TCP Stream" to export all the reply to hex array for C++ to concatenate all of them to just one(to manual inflate gzip).

Booth of the request are to the same page (diferent post value) .. first reply contain a big text and i'm unable to see it .. seccond reply i can see the un-gziped text

(13 Jul '15, 13:07) Vladimir21