This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to decompress gzipped contents

2

In HTTP request and response, content-encoding is 'gzip' and content is gzipped. Is there a way to decompress the gzipped content so we can see what the contents are.

asked 27 Sep '11, 09:11

eusjoji's gravatar image

eusjoji
31113
accept rate: 0%


3 Answers:

4

I believe Jaap's answer is not quite correct, because the exported object will already be uncompressed. Since there seems to be some confusion, here are some more explicit steps that should hopefully work for you:

  1. Find the gzipped object of interest and right-click on the corresponding packet in the packet list, selecting, "Follow TCP Stream" to isolate the stream.
  2. Within the "Follow TCP Stream" window, note the name of the gzipped object in the previous GET block.
  3. From the main window, choose File -> Export Objects -> HTTP.
  4. Select the object. The packet number should match the packet number you discovered in step 1, and the Filename should match the name seen in step 2. Note that the content type that appears is the uncompressed content type, so e.g., text/html, and not gzip.
  5. Choose Save As, then Save. This will be the uncompressed object.

Note that you don't necessarily need to do "Follow TCP Stream" as long as you know the packet number and object name of the object of interest, or if you simply want to export all objects.

answered 18 Jun '12, 18:39

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

1

You could export the objects through the file menu and gunzip them offline.

answered 27 Sep '11, 13:58

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Thanks. Could you specify the detailed procedure on how to do it? Ho wdo I export the objects through the file menu?

(03 Oct '11, 11:37) eusjoji

When exporting did you select the HTML object?

Also should the gzip show up in the content type in the HTTP object list?

(17 Jun '12, 15:01) Hig2012

0

I made a quick script to convert the Follow TCP Stream output to what you'd expect: wireshark-http-gunzip

You can use it with a command like this:

ruby http-gunzip.rb < raw.dump | less

answered 01 Aug '14, 09:39

kizzx2's gravatar image

kizzx2
1
accept rate: 0%