This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decompressing websocket payload

0

I have a pcap of websocket traffic. How can I see the clear payload, meaning after deflate and masking? Actually I have a couple of questions, but first a bit of info: I can see that both client and server agree on the flag permessage-deflate. In addition the client sent client_max_window_bits without a number (I assume by default it's a 32k window, right???). Another piece of info: some of the packets are masked.

Additional questions: do you do the decompression before or after unmasking the payload? What octets do you decompress (I assume everything after the websocket header)? Before decompressing, do I need to add decompression headers like 0x78 0x01? Do you know any Python library that can do it for me?

Thanks

asked 18 May '17, 13:57


saeedh
accept rate: 0%


One Answer:

1

Support for this is currently missing in the Websocket dissector. Until it gets implemented, you could try to manually decompress it. Here is an example for Python 3; the websocket_payload_packet_X variables contain the unmasked binary websocket.payload data (replace them accordingly):

    #!/usr/bin/env python3
    import zlib

    # Hex dumps of the unmasked websocket.payload field of each frame
    # (the "…" stands for the real hex data that was stripped from the post).
    websocket_payload_packet_1 = bytes.fromhex(""" aabbccddeeff… """.replace("\n", ""))

    websocket_payload_packet_2 = bytes.fromhex(""" aabbccddeeff… """.replace("\n", ""))

    websocket_payload_packet_3 = bytes.fromhex(""" aabbccddeeff… """.replace("\n", ""))

    # Data from frame 1
    data = websocket_payload_packet_1

    # Needed per spec (https://tools.ietf.org/html/rfc7692#section-7.2.2):
    # the sender strips the trailing 00 00 ff ff of each message, so add it back
    # before feeding the next message to the same decompressor.
    data += b'\0\0\xff\xff'
    data += websocket_payload_packet_2
    data += b'\0\0\xff\xff'
    data += websocket_payload_packet_3
    data += b'\0\0\xff\xff'

    # Raw DEFLATE (negative wbits = no zlib header), 32 KiB window
    z = zlib.decompressobj(wbits=-15)
    out = z.decompress(data)
    print(out)

A variant of this (with actual valid data) was successfully tested (I just stripped it here because it could be sensitive data).

If you want to help, you could open an enhancement request and provide a small capture sample in the issue tracker at: https://bugs.wireshark.org/bugzilla/

answered 23 May '17, 09:45


Lekensteyn
accept rate: 30%

edited 23 May '17, 09:46
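The procedure in the answer, worked through as an added example (not code from the answer or from Wireshark): unmask each frame with its 4-byte masking key (RFC 6455 section 5.3, XOR is applied after compression so unmasking comes first), join the fragments of one message, append the 00 00 ff ff trailer and inflate with a raw-DEFLATE decompressor that is kept across messages because of context takeover. The sender side, the masking keys and the messages are constructed here only to produce realistic input; the window of 15 bits (32 KiB) is the zlib default assumed when no client_max_window_bits value is given.

```python
import zlib

TAIL = b"\x00\x00\xff\xff"  # trailer the sender strips; re-added per RFC 7692 section 7.2.2


def xor_mask(payload: bytes, masking_key: bytes) -> bytes:
    """RFC 6455 section 5.3: XOR octet i with masking_key[i % 4].
    Masking and unmasking are the same operation."""
    return bytes(b ^ masking_key[i % 4] for i, b in enumerate(payload))


class PermessageDeflateInflater:
    """Inflates the compressed messages sent by one peer.

    With context takeover (the default) the LZ77 window carries over between
    messages, so a single decompressobj is reused for every message from that
    peer, in capture order. Negative wbits selects raw DEFLATE: there is no
    zlib header, so no 0x78 0x01 prefix must be added."""

    def __init__(self, window_bits: int = 15):  # 15 -> 32 KiB window (assumed default)
        self._inflater = zlib.decompressobj(wbits=-window_bits)

    def inflate(self, unmasked_fragments) -> bytes:
        # Join all fragments of one message, then restore the stripped trailer.
        data = b"".join(unmasked_fragments) + TAIL
        return self._inflater.decompress(data)


def deflate_message(compressor, message: bytes) -> bytes:
    """Constructed sender side: raw DEFLATE with Z_SYNC_FLUSH, trailer removed."""
    data = compressor.compress(message) + compressor.flush(zlib.Z_SYNC_FLUSH)
    assert data.endswith(TAIL)
    return data[:-4]


def roundtrip(messages):
    """Send each message as two masked frames (each with its own constructed
    masking key, as real client frames carry) and recover the plaintexts."""
    compressor = zlib.compressobj(wbits=-15)  # constructed client with context takeover
    inflater = PermessageDeflateInflater()
    recovered = []
    for message in messages:
        payload = deflate_message(compressor, message)
        half = len(payload) // 2
        frames = [(payload[:half], b"\x12\x34\x56\x78"), (payload[half:], b"\xde\xad\xbe\xef")]
        on_wire = [(xor_mask(p, key), key) for p, key in frames]  # what the pcap shows
        recovered.append(inflater.inflate(xor_mask(p, key) for p, key in on_wire))
    return recovered
```

Fragments of a single message are joined before inflating; only whole messages get the trailer appended.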

Thanks a lot, this worked.

(23 May '17, 11:21) saeedh

FYI for all other people who have the same issue: I created a Lua plugin that does more or less what you described here and has all the necessary glue code around it. You can find it, including documentation, here: https://github.com/stefanLeo/wireshark_websocket_deflate

(23 Aug '17, 00:06) stefanLeo

Native support for deflate (without LZ77 sliding window) is under review here: https://code.wireshark.org/review/23515. Any capture for LZ77 testing would be appreciated.

(12 Sep '17, 12:52) Pascal Quantin

Full support is now part of Wireshark 2.5 development tree.

(19 Sep '17, 11:49) Pascal Quantin