Topic says it...I've been having a really hard time getting chunked gzip to show correctly. The first issue is that with "Allow subdissector to reassemble TCP streams" check I only see the HTTP GET, not the response. So with "Allow subdissector to reassemble TCP streams" uncheck I at least see: HTTP/1.1 200 OK [Unreassembled Packet] and can follow the stream. But I don't see an option show the de-chunked data. Is there something I'm missing? Thank you.
asked 04 Jan '16, 13:11  DigiAngelXX edited 04 Jan '16, 13:15 showing 5 of 9 show 4 more comments |
%5D.jpg)
One Answer:
@DigiAngelXX Tested with Wireshark 2.0.1 and I can see the uncompressed, chunked response just fine. What version are you using? Can you share the pcap if it still occurs with 2.0.1? Try the http-chunked-gzip.pcap from https://wiki.wireshark.org/SampleCaptures#HyperText_Transport_Protocol_.28HTTP.29 answered 06 Jan '16, 13:16  Lekensteyn Well I'll be...I installed the latest WS in a vm and I got your same results...I'm not sure what I've done to break my config...thanks a bunch for this info. (07 Jan '16, 08:33) DigiAngelXX Once I enabled the TCP preference Allow subdissector to reassemble TCP streams in the configuration profile you sent me, your packet shows just fine. (07 Jan '16, 12:08) Lekensteyn I converted the comment to an answer as it seemed to be the answer so @DigiAngelXX could mark it as so. (07 Jan '16, 15:56) grahamb ♦ |
This is a good workaround for this, but it would be nice to see this built in:
https://github.com/morhekil/wireshark-http-gunzip
Thanks for the response. Some I could see, but the above I could not. wireshark-http-gunzip was what allowed me to see the data, alas though not within wireshark.
It it possible that your stream is incomplete? When the connection is cut short (partial HTTP response), then no response is shown.
Negative...what you see in the screenshot is what I had...packets are fine...I've just started seeing this in the last....like 4 months.
Are you able to isolate a TCP session (Follow TCP Stream) and share the capture? You can mail a link/capture privately if you prefer that.
I can share it privately...just let me know who/where to send to :) Thank you.
You can find my contact details in my profile, but please test it yourself with Wireshark 2.0.1 first and a new configuration profile (because that is the first thing I'll do ;)).
Thanks...I'll send the pcap your way.
In the pcap you send me I can see the OK response in frame 33 (tested with an empty configuration profile in 2.0.1 and the latest development code (master)).