
Wireshark-users: Re: [Wireshark-users] Decode TCP trame cup into different parts

From: Lior Zarfati <lior@xxxxxxxxx>
Date: Thu, 7 Jan 2010 14:17:30 +0200

Wireshark is behaving perfectly and showing you the exact traffic that is being transferred over the HTTP protocol.

The part which you are misunderstanding is the one that states “Content-Encoding: gzip”. That means the rest of the content is compressed using gzip compression. What you see as the HTTP packet data is the gzip raw feed.

Your SOAP client is compressing outgoing data using gzip. If you want to see the content itself, get it to not compress the data.

Lior.

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Olivier-externe GERAULT
Sent: Thursday, January 07, 2010 2:03 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Decode TCP trame cup into different parts

Hi,

I would like to analyze packets sent and received, but they are cut into many parts and Wireshark does not seem able to understand the entire message.
For example, in the "Follow TCP Stream", I get the result:
00000000  50 4f 53 54 20 2f 73 63  36 31 73 65 72 76 65 72 POST /sc 61server
00000010  2f 75 69 20 48 54 54 50  2f 31 2e 31 0d 0a 41 75 /ui HTTP /1.1..Au
00000020  74 68 6f 72 69 7a 61 74  69 6f 6e 3a 20 42 61 73 thorizat ion: Bas
00000030  69 63 20 54 30 63 77 4d  55 52 47 4d 55 30 36 4d ic T0cwM URGMU06M
00000040  54 52 42 4e 55 4e 43 51  6a 59 34 4e 54 49 34 4d TRBNUNCQ jY4NTI4M
00000050  44 45 35 4d 44 68 47 52  6b 52 45 51 30 4a 43 4e DE5MDhGR kREQ0JCN
00000060  7a 56 43 4d 6a 67 35 4e  6a 51 3d 0d 0a 53 4f 41 zVCMjg5N jQ=..SOA
00000070  50 41 63 74 69 6f 6e 3a  20 22 72 65 63 6f 72 64 PAction:  "record
00000080  73 65 74 22 0d 0a 41 63  63 65 70 74 2d 45 6e 63 set"..Ac cept-Enc
00000090  6f 64 69 6e 67 3a 20 67  7a 69 70 0d 0a 43 6f 6e oding: g zip..Con
000000A0  74 65 6e 74 2d 45 6e 63  6f 64 69 6e 67 3a 20 67 tent-Enc oding: g
000000B0  7a 69 70 0d 0a 50 72 61  67 6d 61 3a 20 72 65 71 zip..Pra gma: req
000000C0  75 65 73 74 6e 75 6d 3d  22 32 32 35 35 22 0d 0a uestnum= "2255"..
000000D0  43 6f 6f 6b 69 65 3a 20  53 65 73 73 69 6f 6e 49 Cookie:  SessionI
000000E0  64 3d 31 36 33 2e 38 34  2e 31 34 32 2e 32 32 38 d=163.84 .142.228
000000F0  3a 32 36 36 35 3b 56 65  72 73 69 6f 6e 3d 31 3b :2665;Ve rsion=1;
00000100  0d 0a 43 6f 6e 74 65 6e  74 2d 54 79 70 65 3a 20 ..Conten t-Type:
00000110  74 65 78 74 2f 78 6d 6c  3b 20 63 68 61 72 73 65 text/xml ; charse
00000120  74 3d 75 74 66 2d 38 0d  0a 43 61 63 68 65 2d 43 t=utf-8. .Cache-C
00000130  6f 6e 74 72 6f 6c 3a 20  6e 6f 2d 63 61 63 68 65 ontrol:  no-cache
00000140  0d 0a 55 73 65 72 2d 41  67 65 6e 74 3a 20 4a 61 ..User-A gent: Ja
00000150  76 61 2f 31 2e 34 2e 32  5f 30 39 0d 0a 48 6f 73 va/1.4.2 _09..Hos
00000160  74 3a 20 XX XX XX XX XX  XX XX XX XX XX XX XX XX t: ????? ????????
00000170  XX XX XX XX XX XX XX XX  XX XX XX XX XX XX 0d 0a ???????? ??????..
00000180  41 63 63 65 70 74 3a 20  74 65 78 74 2f 68 74 6d Accept:  text/htm
00000190  6c 2c 20 69 6d 61 67 65  2f 67 69 66 2c 20 69 6d l, image /gif, im
000001A0  61 67 65 2f 6a 70 65 67  2c 20 2a 3b 20 71 3d 2e age/jpeg , *; q=.
000001B0  32 2c 20 2a 2f 2a 3b 20  71 3d 2e 32 0d 0a 43 6f 2, */*;  q=.2..Co
000001C0  6e 6e 65 63 74 69 6f 6e  3a 20 6b 65 65 70 2d 61 nnection : keep-a
000001D0  6c 69 76 65 0d 0a 43 6f  6e 74 65 6e 74 2d 4c 65 live..Co ntent-Le
000001E0  6e 67 74 68 3a 20 31 39  30 0d 0a 0d 0a          ngth: 19 0....
000001ED  1f 8b 08 00 00 00 00 00  00 00 65 4f 4b 0b c2 30 ........ ..eOK..0
000001FD  0c fe 2b 25 78 b5 d5 9b  8c 75 a2 30 8f 2a f8 b8 ..+%x... .u.0.*..
0000020D  97 2d 6e 83 b5 99 69 37  dc bf b7 be 40 f4 12 be .-n...i7 ....@...
0000021D  e4 7b 24 49 97 37 db 8a  01 d9 37 e4 34 cc e5 0c .{$I.7.. ..7.4...
0000022D  04 ba 82 ca c6 55 1a 4e  c7 cd 74 01 cb 2c 3d ec .....U.N ..t..,=.
0000023D  56 fb 69 be 3d 27 b9 1b  b0 a5 0e 45 b4 39 9f 7c V.i.='.. ...E.9.|
0000024D  e6 1a ea 10 ba 44 29 5f  d4 68 8d 97 91 f6 64 3a .....D)_ .h....d:
0000025D  49 5c a9 07 50 f8 36 2a  f8 4a 5b 53 39 66 29 63 I\..P.6* .J[S9f)c
0000026D  41 5c 7a 0c 22 f2 6c c2  f3 92 08 1d 88 6b 8f 3c A\z.".l. .....k.<
0000027D  be 1a 1d b8 47 61 5c 29  88 9b 4a be a4 c4 7a d2 ....Ga\) ..J...z.
0000028D  92 ec 2f ce 58 04 f1 a8  51 5d d8 2b a8 2c 55 3f ../.X... Q].+.,U?
0000029D  7b d4 df 17 d9 1d 8b a5  d4 f7 ff 00 00 00       {....... ......
I can see that it is a SOAP response and the beginning of the message is quite clear.
But the 2nd packet is not decoded and I don't know how to read it.

Is there an option in Wireshark?

Regards,

Olivier
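
What the reply describes, as an added example that is not part of the original thread: split a reassembled HTTP message at the blank line, honour Content-Length, and undo the gzip Content-Encoding to recover the SOAP XML. The request and SOAP body below are constructed samples, and the function names and the 1 MiB output limit are assumptions of this sketch.

```python
import gzip
import zlib

MAX_OUT = 1 << 20  # assumed cap on decompressed size (guards against zip bombs)

# Constructed sample payload, not the bytes from the capture in this thread.
SOAP = (b'<?xml version="1.0"?><soap:Envelope xmlns:soap='
        b'"http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><recordset/></soap:Body></soap:Envelope>')

def build_sample() -> bytes:
    """Constructed HTTP POST whose body is gzip-compressed, as in the thread."""
    body = gzip.compress(SOAP)
    head = (b'POST /ui HTTP/1.1\r\nSOAPAction: "recordset"\r\n'
            b'Content-Encoding: gzip\r\nContent-Type: text/xml; charset=utf-8\r\n'
            b'Content-Length: %d\r\n\r\n' % len(body))
    return head + body

def decode_http_body(stream: bytes) -> bytes:
    """Return the decoded body of one reassembled HTTP message."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator: stream is incomplete")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the request/status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"content-length" in headers:
        n = int(headers[b"content-length"])
        if len(body) < n:
            raise ValueError("body truncated: capture is missing TCP segments")
        body = body[:n]
    encoding = headers.get(b"content-encoding", b"identity").lower()
    if encoding == b"identity":
        return body
    if encoding not in (b"gzip", b"x-gzip"):
        raise ValueError("unsupported Content-Encoding: %r" % encoding)
    if body[:2] != b"\x1f\x8b":               # gzip magic, visible at 0x1ED above
        raise ValueError("header says gzip but the magic bytes are missing")
    d = zlib.decompressobj(wbits=31)          # 31 selects the gzip wrapper
    out = d.decompress(body, MAX_OUT)
    if d.unconsumed_tail:
        raise ValueError("decompressed body exceeds MAX_OUT")
    return out

if __name__ == "__main__":
    print(decode_http_body(build_sample()).decode("utf-8"))
```
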