I have a pcap of WebSocket traffic. How can I see the clear payload, meaning after deflate and masking? Actually I have a couple of questions, but first a bit of info: I can see that both client and server agree on the flag permessage-deflate. In addition, the client sent client_max_window_bits without a number (I assume by default it's a 32k window, right?). Another piece of info: some of the packets are masked.
Additional questions: Do you do the decompression after unmasking the payload or after? What octets do you decompress (I assume everything after the WebSocket header)? Before decompressing, do I need to add decompression headers like 0x78 0x01? Do you know any Python library that can do it for me?
asked 18 May '17, 13:57
Support for this is currently missing in the Websocket dissector. Until it gets implemented, you could try to manually decompress it. Here is an example for Python 3, the
A variant of this (with actual valid data) was successfully tested (I just stripped it here because it could be sensitive data).
If you want to help, you could open an enhancement request and provide a small capture sample in the issue tracker at: https://bugs.wireshark.org/bugzilla/
answered 23 May ‘17, 09:45
edited 23 May ‘17, 09:46
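The manual decompression described in the answer, as an added example (not the answerer's stripped code): it assumes `stream` holds the reassembled TCP payload bytes of one direction, starting after the HTTP upgrade, and that no `*_no_context_takeover` parameter was negotiated, so one inflater is shared by all messages in that direction. `parse_frame` and `inflate_messages` are hypothetical names.

```python
import struct
import zlib

DEFLATE_TAIL = b"\x00\x00\xff\xff"  # RFC 7692: stripped by the sender, re-added before inflating


def parse_frame(buf):
    """Parse one WebSocket frame (RFC 6455); return (fin, rsv1, opcode, payload, rest)."""
    if len(buf) < 2:
        raise ValueError("truncated frame header")
    fin, rsv1, opcode = bool(buf[0] & 0x80), bool(buf[0] & 0x40), buf[0] & 0x0F
    masked, length, pos = bool(buf[1] & 0x80), buf[1] & 0x7F, 2
    if length == 126:
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
    elif length == 127:
        (length,) = struct.unpack_from("!Q", buf, pos)
        pos += 8
    key = buf[pos:pos + 4] if masked else b""
    pos += len(key)
    if len(buf) < pos + length or (masked and len(key) < 4):
        raise ValueError("truncated frame")
    payload = buf[pos:pos + length]
    if masked:  # unmask first: the sender compressed, then masked
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return fin, rsv1, opcode, payload, buf[pos + length:]


def inflate_messages(stream, max_out=1 << 20):
    """Yield (opcode, data) for each data message in one direction of a connection."""
    inflater = zlib.decompressobj(-15)  # raw DEFLATE, 32 KiB window, no 0x78 zlib header
    parts, opcode, compressed = [], None, False
    while stream:
        fin, rsv1, op, payload, stream = parse_frame(stream)
        if op >= 0x8:  # control frames are never compressed and may interleave
            continue
        if op != 0:  # the first frame of a message carries the opcode and RSV1
            opcode, compressed, parts = op, rsv1, []
        parts.append(payload)
        if fin:
            data = b"".join(parts)
            if compressed:  # RSV1 set: inflate the whole reassembled message
                data = inflater.decompress(data + DEFLATE_TAIL, max_out)
                if inflater.unconsumed_tail:  # output cap hit: refuse oversized messages
                    raise ValueError("message exceeds max_out")
            yield opcode, data
```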