This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

In HTTP request and response, content-encoding is 'gzip' and content is gzipped. Is there a way to decompress the gzipped content so we can see what the contents are.

asked 27 Sep '11, 09:11

eusjoji's gravatar image

eusjoji
31113
accept rate: 0%


I believe Jaap's answer is not quite correct, because the exported object will already be uncompressed. Since there seems to be some confusion, here are some more explicit steps that should hopefully work for you:

  1. Find the gzipped object of interest and right-click on the corresponding packet in the packet list, selecting, "Follow TCP Stream" to isolate the stream.
  2. Within the "Follow TCP Stream" window, note the name of the gzipped object in the previous GET block.
  3. From the main window, choose File -> Export Objects -> HTTP.
  4. Select the object. The packet number should match the packet number you discovered in step 1, and the Filename should match the name seen in step 2. Note that the content type that appears is the uncompressed content type, so e.g., text/html, and not gzip.
  5. Choose Save As, then Save. This will be the uncompressed object.

Note that you don't necessarily need to do "Follow TCP Stream" as long as you know the packet number and object name of the object of interest, or if you simply want to export all objects.

permanent link

answered 18 Jun '12, 18:39

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

You could export the objects through the file menu and gunzip them offline.

permanent link

answered 27 Sep '11, 13:58

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Thanks. Could you specify the detailed procedure on how to do it? Ho wdo I export the objects through the file menu?

(03 Oct '11, 11:37) eusjoji

When exporting did you select the HTML object?

Also should the gzip show up in the content type in the HTTP object list?

(17 Jun '12, 15:01) Hig2012

I made a quick script to convert the Follow TCP Stream output to what you'd expect: wireshark-http-gunzip

You can use it with a command like this:

ruby http-gunzip.rb < raw.dump | less
permanent link

answered 01 Aug '14, 09:39

kizzx2's gravatar image

kizzx2
1
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×9
×6
×4

question asked: 27 Sep '11, 09:11

question was seen: 73,565 times

last updated: 01 Aug '14, 09:39

p​o​w​e​r​e​d by O​S​Q​A