This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Chunked gzip woes

0

Topic says it...I've been having a really hard time getting chunked gzip to show correctly. The first issue is that with "Allow subdissector to reassemble TCP streams" checked I only see the HTTP GET, not the response. So with "Allow subdissector to reassemble TCP streams" unchecked I at least see:

HTTP/1.1 200 OK [Unreassembled Packet]

and can follow the stream. But I don't see an option to show the de-chunked data. Is there something I'm missing? Thank you.

asked 04 Jan '16, 13:11

DigiAngelXX

edited 04 Jan '16, 13:15

This is a good workaround for this, but it would be nice to see this built in:

https://github.com/morhekil/wireshark-http-gunzip

(04 Jan '16, 13:54) DigiAngelXX

Thanks for the response. Some I could see, but the above I could not. wireshark-http-gunzip was what allowed me to see the data, alas though not within wireshark.

(06 Jan '16, 13:39) DigiAngelXX

Is it possible that your stream is incomplete? When the connection is cut short (partial HTTP response), then no response is shown.

(06 Jan '16, 14:21) Lekensteyn

Negative...what you see in the screenshot is what I had...packets are fine...I've just started seeing this in the last....like 4 months.

(06 Jan '16, 14:24) DigiAngelXX

Are you able to isolate a TCP session (Follow TCP Stream) and share the capture? You can mail a link/capture privately if you prefer that.

(06 Jan '16, 14:45) Lekensteyn

I can share it privately...just let me know who/where to send to :) Thank you.

(06 Jan '16, 15:29) DigiAngelXX

You can find my contact details in my profile, but please test it yourself with Wireshark 2.0.1 first and a new configuration profile (because that is the first thing I'll do ;)).

(07 Jan '16, 04:33) Lekensteyn

Thanks...I'll send the pcap your way.

(07 Jan '16, 07:36) DigiAngelXX

In the pcap you sent me I can see the OK response in frame 33 (tested with an empty configuration profile in 2.0.1 and the latest development code (master)).

(07 Jan '16, 08:16) Lekensteyn

One Answer:

1

@DigiAngelXX Tested with Wireshark 2.0.1 and I can see the uncompressed, chunked response just fine. What version are you using? Can you share the pcap if it still occurs with 2.0.1? Try the http-chunked-gzip.pcap from https://wiki.wireshark.org/SampleCaptures#HyperText_Transport_Protocol_.28HTTP.29

answered 06 Jan '16, 13:16

Lekensteyn

Well I'll be...I installed the latest WS in a vm and I got your same results...I'm not sure what I've done to break my config...thanks a bunch for this info.

(07 Jan '16, 08:33) DigiAngelXX

Once I enabled the TCP preference Allow subdissector to reassemble TCP streams in the configuration profile you sent me, your packet shows just fine.

(07 Jan '16, 12:08) Lekensteyn

I converted the comment to an answer as it seemed to be the answer so @DigiAngelXX could mark it as so.

(07 Jan '16, 15:56) grahamb ♦
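
What de-chunking and gunzipping a reassembled HTTP response involves, as an added example that is not part of the original thread and is not code from Wireshark or wireshark-http-gunzip. The function names and the sample response are constructed for illustration; a stream that was cut short raises an error instead of returning partial data.

```python
import gzip
import zlib

def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (headers dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def dechunk(body: bytes) -> bytes:
    """Undo Transfer-Encoding: chunked; a cut-short stream raises ValueError."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated stream: no chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:                              # last-chunk; trailers are ignored
            return bytes(out)
        if size < 0 or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += body[pos:pos + size]
        pos += size + 2

def decode_body(raw: bytes) -> bytes:
    """Return the entity body with chunking and gzip encoding removed."""
    headers, body = split_response(raw)
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = zlib.decompress(body, 16 + zlib.MAX_WBITS)  # 16 + MAX_WBITS: gzip framing
    return body

def build_sample(payload: bytes, chunk_len: int = 7) -> bytes:
    """Constructed test input: gzip the payload, then split it into small chunks."""
    gz = gzip.compress(payload)
    parts = [gz[i:i + chunk_len] for i in range(0, len(gz), chunk_len)]
    chunks = b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts)
    return (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
            b"Content-Encoding: gzip\r\n\r\n" + chunks + b"0\r\n\r\n")

if __name__ == "__main__":
    print(decode_body(build_sample(b"<html>hello from a chunked gzip response</html>")))
```

The order matters: the chunked transfer coding is removed first, and only the joined chunk data is a valid gzip stream.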